Liberty Alliance Project: Open Standards for Network Identity
Will open standards increase e-Commerce?
Bill Smith, Director, Liberty Alliance Technology, Sun Microsystems
Permissions
The author has graciously given permission to reproduce his presentation at the XML 2002 Conference in Baltimore, Maryland. If copied, changes should not be made and appropriate citation of the author’s work should be given.
Instructional media + magic, inc., December 2002
Identity
• Physical: Height, Weight, Gender – Blood Type, Fingerprint, DNA
• Experiential: Education, Travel, Dining – Stock Purchases, Mortgage Balance, Drug Use
• Preferential: Food, Clothing, Shelter – Religion, Political affiliation, Club Memberships
Identity
• Some information needed to determine who I am is widely available – I distribute it
• A larger set of information is unavailable – I restrict access to trusted relationships
• Most of this information is in digital form
Identity
• Control who has access to what information
• Choose who to trust, what to give, when to change
• Trust relationships take time to establish
Digital Identity
• Much of the information about me is in digital form, accessible via the Web
• It is kept by “trusted brokers”
• High-quality services are provided
• I can access and update
What's the problem? . . .
Digital Islands
• I have multiple Digital IDs
• Information is duplicated and difficult to synchronize
• Better services are possible
Digital Islands
• Multiple, disconnected identities scattered across isolated Internet sites
(figure: one person's identity data scattered across sites – User Name: Bill Smith; Email: bsmith48@freemail.com; PIN: wcs@foobar.com; Credit card number; Social security number; Drivers license; Passport; Entertainment preferences; Notification preferences; Employee authorization; Business calendar; Dining preferences; Education history; Medical history; Financial assets…)
Digital Islands – the problem
• Multiple, disconnected identities scattered across isolated Internet sites
• Inconvenient and frustrating for users
• Distributed identity services are difficult to develop and deploy
• Continual reauthentication to disparate systems
Network Identity – the solution
• A method to link the Digital Islands
• Provide a logical single identity
• Preserve and enhance existing trust relationships
• Provide choice and opportunity for better services
Network Identity – it’s simple
A Network Identity is a user’s overall global set of attributes constituted from their various accounts
Network Identity – not so fast
• Digital Islands – Disparate systems; lack of communication and interoperability
• Conflicting Interests – Technology suppliers vs. technology consumers; service providers, fixed vs. mobile
• Consumer Demands – Better services, improved convenience; respect privacy
Network Identity – practical solutions
• Broad scope – the Web itself: fixed, wireless, desktop, cell phone, PDA, car...
• Complexity – Technology, business, consumer, service providers
• Reality – Digital Islands exist; trust relationships are well-established
A Business Consortium Solving A Business Problem
Over 130 for-profit, not-for-profit and government organizations, representing a billion customers, are currently Alliance members
* Only a sample of Liberty members
“Liberty’s commercial investment in network identity and the collaboration of its diverse array of member companies can bring a lot to this space. The group’s combined experience, their collective ability to drive usage and the fact that they’re not trying to promote a product but a solution to a problem will help in their success.”
– Dan Blum, Burton Group
Mission of the Liberty Alliance
Establish an open standard for federated network identity through open technical specifications that will:
• Support a broad range of identity-based products and services
• Allow for consumer choice of identity provider(s) and the ability to link accounts through account federation
• Provide the convenience of simplified sign-on, when using any network of connected services and devices
• Enable organizations to realize new revenue and cost saving opportunities
• Allow organizations to economically leverage relationships with customers, business partners, and employees
• Improve ease of use for e-commerce
Management Structure
Management Board
• Consists of 16 founding sponsors
• Responsible for overall governance and maintenance
• Final voting authority for specifications and other output
Public Policy Expert Group
• Advise on privacy, security, and other public policy issues
• Liaison to privacy groups and government agencies
Technology Expert Group
• Develops technical architecture and engineering requirements
• Develops technical specifications
• Interoperability
Marketing Expert Group
• Develops marketing requirements and use cases
• Responsible for membership, press relations, and marketing communications
• Adoption
Why is Federated Important?
Centralized Model (one central provider)
• Network identity and user information in single repository
• Centralized control
• Single point of failure
• Links similar systems
Open Federated Model (many peer providers)
• Network identity and user information in various locations
• No centralized control
• No single point of failure
• Links similar and disparate systems
Solution Analogous to ATM Networks
• Separate Cards with Each Bank (Bank A, Bank B, Bank C ATM cards) – web analogue: Individual Accounts with Many Web Sites
• Linked Cards within Bank Networks (Bank ATM Networks A, B, C) – web analogue: Federated Accounts within a Trust Domain
• Seamless Access Across all Networks – web analogue: Linkage of Trust Domains
Examples of Trust Domains
• B2E – Employee Intranet
• B2C – Travel Industry
• B2B – Automotive
• B2B – Financial Services
(diagram participants: Company Intranet, Employee Purchase Plans, 401k, Health Insurance, Dental Insurance, Car Rental, Airline, Hotel, Partner Airlines, Cruise Line, Livery, Transport Agencies, Dealers, Suppliers, Manufacturers, Fleet Financing, Debt, Equity, Commercial Banking, Treasury, Clearing House, Credit, 3rd Party Providers)
Specifications: A Phased Approach
Drivers
• Support rapid acceptance and deployment
• Phases build on each other
• Enable incremental adoption
Version 1.0 (Released 15 July 2002)
• Federated network identity
• Opt-in account linking and simplified sign-on within an authentication domain created by business agreements
• Security built across all the features and specifications
Future Versions
• Permissions-based attribute sharing
• Schema/protocols for core identity profile service
• Simplified sign-on across authentication domains created in version 1.0 by business agreements
• Delegation of authority to federate identities/accounts
Version 1.0 Specifications
Builds on top of SAML to provide additional privacy and functionality
• Opt-in account linking – Users can link their accounts with different service providers within “circles of trust”
• Enhanced single sign-on for linked accounts – Once users’ accounts are federated, they log in and authenticate at one linked account and navigate to another linked account without having to log in again
• Authentication context – Companies linking accounts communicate the type of authentication that should be used when the user logs in
• Global log-out – Users can be automatically logged out of all sites to which they have active sessions
• Multiple client support – browser, mobile device, and proxy
SAML in a Nutshell
An XML-based framework for exchanging security information
1. XML schema and definition for security assertions
2. XML schema and definition for a request/response protocol
3. Rules on using assertions with standard transport and messaging frameworks (SOAP, Web browsers): bindings and profiles
An OASIS standard
– Vendors and users are both involved
– Codifies current system outputs rather than inventing new technology
Excellent traction in the marketplace
Liberty Federation / Account Linking
Pre-existing accounts at various sites can be linked
(figure: Pets.com, Service Provider, account JoeSmith; Excite.com, Identity Provider, account Joe123; Books.com, Service Provider, account Joe)
Liberty Federation / Account Linking
Upon linking those accounts, the sites need to be able to have a frame of reference for the user
(figure: Pets.com, Service Provider, account JoeSmith; Excite.com, Identity Provider, account Joe123; Books.com, Service Provider, account Joe)
Liberty Federation / Account Linking
If account names are exchanged, sites can talk to each other without the user’s approval
(figure: Excite.com, the Identity Provider holding Joe123, learns JoeSmith@pets.com and Joe@books.com; Pets.com (JoeSmith) and Books.com (Joe) each learn Joe123@excite.com)
Liberty Federation / Account Linking
Instead, unique opaque handles resolvable only by the issuer should be exchanged
(figure: each party stores, per link, the handle it issued and the handle its peer issued)
Excite.com, Identity Provider, account Joe123:
  <alias="mr3tTJ340ImN2ED" SecurityDomain="Pets.com" Name="dTvIiRcMlpCqV6xX" />
  <alias="xyrVdS+xg0/pzSgx" SecurityDomain="Books.com" Name="pfk9uzUN9JcWmk4RF" />
Pets.com, Service Provider, account JoeSmith:
  <alias="dTvIiRcMlpCqV6xX" SecurityDomain="excite.com" Name="mr3tTJ340ImN2ED" />
Books.com, Service Provider, account Joe:
  <alias="pfk9uzUN9JcWmk4RF" SecurityDomain="excite.com" Name="xyrVdS+xg0/pzSgx" />
Liberty – Enhanced SSO
Extends an authentication assertion to include the “context”
• How did the user log in? Password? Smartcard? Etc.
• When should the user be re-authenticated?
• How did account registration occur? (in person, via web page)
Extends the authentication request to allow for requesting a strength of authentication
Necessary for real-world scenarios: not all services require the same level of authentication.
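An added example (not from the presentation or the Liberty specifications) of how a relying party might act on the authentication context above: the strength ordering, field names and request shape are assumptions of this sketch, not the Liberty authentication-context classes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed strength ordering of login methods (constructed for this example;
# the real Liberty spec defines its own authentication-context classes).
STRENGTH = {"password": 1, "password-over-tls": 2, "smartcard": 3, "smartcard-pki": 4}

@dataclass
class AuthnContext:
    method: str               # how the user logged in at the identity provider
    authn_instant: datetime   # when that login happened
    registration: str         # how the account was registered: "in-person" or "web"

@dataclass
class AuthnRequest:
    # What the service provider asks for: a minimum strength and a freshness limit.
    min_method: str
    max_age: timedelta
    in_person_registration: bool = False

def evaluate(req: AuthnRequest, ctx: AuthnContext, now: datetime) -> str:
    """Relying-party decision: 'accept' the asserted context, or state why the
    user must go back to the identity provider for re-authentication."""
    if STRENGTH.get(ctx.method, 0) < STRENGTH[req.min_method]:   # unknown method counts as weakest
        return "reauthenticate: stronger method required"
    if now - ctx.authn_instant > req.max_age:
        return "reauthenticate: authentication too old"
    if req.in_person_registration and ctx.registration != "in-person":
        return "reject: account not registered in person"
    return "accept"

def demo():
    # Constructed scenario: one IdP session (password, 20 minutes ago, web-registered)
    # presented to services with different requirements.
    now = datetime(2002, 12, 10, 12, 0, tzinfo=timezone.utc)
    ctx = AuthnContext("password", now - timedelta(minutes=20), "web")
    cases = [AuthnRequest("password", timedelta(hours=8)),           # browsing: fine as is
             AuthnRequest("smartcard", timedelta(minutes=5)),        # payment: needs stronger login
             AuthnRequest("password", timedelta(minutes=5)),         # needs a recent login
             AuthnRequest("password", timedelta(hours=8), True)]     # needs in-person registration
    return tuple(evaluate(req, ctx, now) for req in cases)
```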
Liberty – Additional Features
Simple session management
• Provides “single-logout” functionality
Identity federation management
• Ability to terminate the federation
• Ability to modify the opaque handle shared between authentication authority and relying party
Identity network support
• Specifies a protocol by which a website can “discover” what Identity Provider a user is using
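An added Python sketch (not from the presentation or the Liberty specifications) of the opaque-handle scheme from the account-linking slides together with the federation-management operations above: the identity provider issues a different random handle for each service provider, so the handles reveal no account name and two sites cannot correlate a user by comparing them; the class and method names are my own, and the handles are plain random tokens rather than the spec's name-identifier format.

```python
import secrets

def new_handle() -> str:
    # Opaque handle: 128 random bits, URL-safe, no account name inside; only
    # the party that issued it can map it back to an account.
    return secrets.token_urlsafe(16)

class ServiceProvider:
    # Relying party: maps (issuer domain, handle) -> its own local account.
    def __init__(self, domain):
        self.domain, self.accounts = domain, {}
    def link(self, issuer, handle, local_account):
        self.accounts[(issuer, handle)] = local_account
    def relink(self, issuer, old, new):
        # Handle modification: the local mapping follows the rotated handle.
        self.accounts[(issuer, new)] = self.accounts.pop((issuer, old))
    def unlink(self, issuer, handle):
        # Federation termination: forget the handle entirely.
        self.accounts.pop((issuer, handle), None)
    def resolve(self, issuer, handle):
        return self.accounts.get((issuer, handle))

class IdentityProvider:
    # Authentication authority: one distinct handle per (account, SP) pair, so
    # two SPs comparing notes cannot tell they hold the same user.
    def __init__(self, domain):
        self.domain, self.handles = domain, {}
    def federate(self, account, sp, sp_account):
        handle = new_handle()
        self.handles[(account, sp.domain)] = handle
        sp.link(self.domain, handle, sp_account)
        return handle
    def rotate(self, account, sp):
        old, new = self.handles[(account, sp.domain)], new_handle()
        sp.relink(self.domain, old, new)
        self.handles[(account, sp.domain)] = new
        return new
    def terminate(self, account, sp):
        sp.unlink(self.domain, self.handles.pop((account, sp.domain)))

def demo():
    # Constructed scenario from the slides: Joe123 at excite.com (IdP), JoeSmith at pets.com, Joe at books.com.
    idp, pets, books = IdentityProvider("excite.com"), ServiceProvider("pets.com"), ServiceProvider("books.com")
    h_pets, h_books = idp.federate("Joe123", pets, "JoeSmith"), idp.federate("Joe123", books, "Joe")
    h_new = idp.rotate("Joe123", pets)      # old pets.com handle stops resolving, the new one resolves
    idp.terminate("Joe123", books)          # books.com forgets Joe entirely
    return {"distinct": h_pets != h_books, "cross_sp": books.resolve("excite.com", h_pets),
            "old": pets.resolve("excite.com", h_pets), "new": pets.resolve("excite.com", h_new),
            "terminated": books.resolve("excite.com", h_books)}
```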
Liberty-Enabled Products – Coming Soon!
Liberty Version 2.0
Permissions-Based Attribute Sharing
• Enable businesses to share a principal's attributes according to their corporate policies, business agreements and local regulations, all while adhering to the principal's preferences and permissions
Interoperability Specs for Core Identity Profile Service
• Enables users to obtain secure, personalized services that are interoperable across different service providers
Federation of Authentication Domains
• Enables users to conveniently navigate and use SSO and share attributes with service providers who may be in different authentication domains
Version 2.0 specifications expected early 2003
Liberty – the Initiative
• Established to address real business and technology issues
• Recognized as the focal point for Network Identity discussions and solutions
• Produced well-received specification
• Proceeding with phased approach to deliver on vision and mission