Introduction to Identity Management Systems

Ajay Daryanani, Middleware Engineer, RedIRIS / Red.es

Kopaonik, 13th March 2007




Outline

1. Reasons for IdM

2. IdM Roadmap

3. Definitions

4. Components and features

5. Tools and protocols


Peter Steiner. The New Yorker, 5th July 1993


Reasons for IdM: User’s view

• Users WANT to:

- Check their reports

- Use the email

- Register for a course

- Borrow a book from the library

- Use university’s Internet connection

- Read the documentation of a course

- …


Reasons for IdM: User’s view

• … and they WANT all this:

- Easily

- Safely

- Quickly

- In a flexible way

- Remotely

- Personalized

- Any more?


Reasons for IdM: Admin’s view

• System administrators HAVE to:

- Provide advanced services to their customers

- Safely

- Quickly

- Within the budget

- In a flexible way

- Improving corporate image

- … and according to national laws!


Reasons for IdM: Admin’s view

• …and for this, they HAVE to:

- Manage hundreds/thousands of entries

- Manage several services

- Map users to services (1..N, 1..M)

- Use standards

- Include all possible use cases

- Understand and apply the law

- … without losing their private lives :-D


IdM Roadmap: First steps

• The simplest case

- Few users

- One application

- Solutions:

- DB

- Whitelist

- BasicAuth


IdM Roadmap: Childhood

• Growing up a bit

- Several users

- One/more applications

- May require different access roles (admin, student, professor)

- Solution: directories


IdM Roadmap: Maturity

• And more…

- Several users

- Several applications

- Same login for all services: Unified Login

- Avoiding re-authentication: Single Sign-On


IdM Roadmap: Going beyond

• And more… (out of scope of this workshop)

- Several users / apps

- Several domains

- Example: different universities, same country

- Solution: federations


IdM Roadmap: The last border (?)

• And even more… (far beyond this workshop)

- Several users / apps / domains

- Several federations

- Example: different countries

- Solution: “con-federations”


Definitions: (Digital) Identity

• Represents the digital personality of a subject

• Subject represents a user (human/machine)

• Personality is defined by means of attributes

• MUST be unique for a given domain

• MUST preserve user privacy!

• It’s your key for accessing the digital world


Definitions: (Digital) Credentials

• Identity is proved through credentials

• Examples:

- Real life: Birth certificate, Fingerprint

- Digital life: Password, X.509 certificate


Definitions: Attribute

• Models a characteristic of the subject’s personality

• It is often viewed as a name/value(s) pair

• Valid attribute names (and values) are defined in a schema

• Used for access control, personal information, privacy, …

• Example:

- Namespace: urn:mace:terena:org:schac

- Attribute name: schacsn1

- Attribute value: Daryanani


Definitions: Authentication

• Process of proving that a subject is who he claims to be

• It verifies user identity

• Conveyed by means of credentials…

• … and obtaining authentication token(s)

• Example of tokens:

- Real life: ID card, Passport

- Digital life: Cookie, Kerberos ticket


Definitions: Authorization

• Process of deciding if a user A is entitled to access service B

• 3 main profiles:

- Authentication = authorization

- Identity + attributes

- Negotiation on attributes to be exchanged

• Authorization can be simple…

- Profile 1: If (group = X) then accept

• Or as complex as you want
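Added example, not from the original slides: the attribute definition (schema-bound name/value(s) pairs in a namespace) and the two simplest authorization profiles above, in Python. The schac namespace and the schacsn1 attribute come from the slides; the local namespace, the group attribute and the two identities are constructed for illustration.

```python
from dataclasses import dataclass, field

# Namespace and attribute name from the slides; the second namespace
# and the "group" attribute are constructed for this example.
SCHAC_NS = "urn:mace:terena:org:schac"
LOCAL_NS = "urn:example:local"          # constructed namespace
SCHEMA = {
    SCHAC_NS: {"schacsn1"},
    LOCAL_NS: {"group"},
}


@dataclass
class Identity:
    subject: str            # must be unique within the domain
    authenticated: bool     # outcome of the authentication step
    # attributes are name/value(s) pairs, keyed by (namespace, name)
    attributes: dict = field(default_factory=dict)


def is_valid_attribute(ns, name):
    """Only names the schema defines are valid attributes."""
    return name in SCHEMA.get(ns, set())


def add_attribute(identity, ns, name, *values):
    """Attach a name/value(s) pair, rejecting names outside the schema."""
    if not is_valid_attribute(ns, name):
        raise ValueError(f"{name} is not defined in schema {ns}")
    identity.attributes.setdefault((ns, name), set()).update(values)


def authz_authentication_only(identity):
    """Profile 'authentication = authorization': every authenticated subject is entitled."""
    return identity.authenticated


def authz_group(identity, required_group):
    """Profile 'identity + attributes': the slides' rule 'If (group = X) then accept'."""
    if not identity.authenticated:
        return False
    groups = identity.attributes.get((LOCAL_NS, "group"), set())
    return required_group in groups


def demo():
    ajay = Identity(subject="ajay", authenticated=True)
    add_attribute(ajay, SCHAC_NS, "schacsn1", "Daryanani")
    add_attribute(ajay, LOCAL_NS, "group", "staff")
    guest = Identity(subject="guest", authenticated=False)
    return (authz_authentication_only(ajay), authz_group(ajay, "staff"),
            authz_group(ajay, "student"), authz_group(guest, "staff"))
```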


Definitions: Unified Login

• System that allows using the same identity for several services

• Does not imply unified authentication

• Example: Using same username/password for webmail and Intranet

• Improves usability

• Eases identity management

• Targeted mainly for intra-domain services


Definitions: SSO

• Single Sign-On (SSO) is the process of authenticating once for all the accessible services

• Can also be interpreted as the mechanism for not reauthenticating

- Between sessions on same application

- Between different applications

• Authentication status is usually maintained through cookies (in web environment)


Components: Simple picture

Borrowed from: JISC (UK)


Components: Complex picture

Borrowed from: JISC (UK)


Components: Identity Management Architecture

Borrowed from: Enterprise directory implementation Roadmap, NMI (US)


Components: Metadirectory

• Used to synchronize information from different data sources

• Provides unified view of records maintained at data sources

• Feeds the directory/directories

• Other features

- Control flow of information

- Data transformation

- Data correlation

- Person identification


Components: Directory

• Centralized information repository

- Deep hierarchy

- Optimized for read access

- Can provide different views of the same information

• Directories need

- Schema

- Attribute values

- Identifiers


Components: Data Sources

• Repositories where data is actually written

• An institution may have several sources

- Alumni

- Payroll

- Departmental DBs

• Relational databases are an example of data sources

- Offer better write/update performance (vs. directories)
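Added example, not from the original slides: a toy metadirectory in Python that ties together the three component slides above (Metadirectory, Directory, Data Sources), showing data transformation, correlation/person identification and control of information flow before the unified view is fed to a directory. The source names (alumni, payroll, departmental) come from the slides; the field names, records and precedence rules are constructed.

```python
# Constructed records from three data sources (source names from the slides),
# each with its own field names and identifiers.
SOURCES = {
    "payroll": [{"emp_no": "E100", "surname": "Daryanani", "mail": "ajay@example.org"}],
    "alumni": [{"alumni_id": "A7", "last_name": "Daryanani", "email": "ajay@example.org"},
               {"alumni_id": "A9", "last_name": "Garcia", "email": "maria@example.org"}],
    "departmental": [{"uid": "ajay", "sn": "Daryanani", "mail": "ajay@example.org", "dept": "middleware"}],
}
# Data transformation: each source's field names mapped onto directory attribute names.
FIELD_MAP = {
    "payroll": {"surname": "sn", "mail": "mail"},
    "alumni": {"last_name": "sn", "email": "mail"},
    "departmental": {"sn": "sn", "mail": "mail", "dept": "ou"},
}
# Control of information flow: sources in order of authority for each attribute (constructed).
PRECEDENCE = {"sn": ["payroll", "departmental", "alumni"],
              "mail": ["payroll", "departmental", "alumni"],
              "ou": ["departmental"]}

def transform(source, record):
    """Rename a source record's fields to the common directory schema; unmapped fields are dropped."""
    return {FIELD_MAP[source][k]: v for k, v in record.items() if k in FIELD_MAP[source]}

def correlate(sources):
    """Person identification: records sharing the same mail count as one person. The choice
    of correlation key is the weak point of a metadirectory; mail is used only because all
    three constructed sources carry it."""
    people = {}
    for source, records in sources.items():
        for rec in records:
            attrs = transform(source, rec)
            if "mail" not in attrs:
                continue  # unidentifiable record: never merge it blindly
            people.setdefault(attrs["mail"], {})[source] = attrs
    return people

def build_directory(people):
    """Unified view that feeds the directory: one entry per person, each attribute
    taken from the most authoritative source that actually holds it."""
    directory = {}
    for key, per_source in people.items():
        entry = {}
        for attr, ordered in PRECEDENCE.items():
            for source in ordered:
                if attr in per_source.get(source, {}):
                    entry[attr] = per_source[source][attr]
                    break
        directory["mail=" + key] = entry
    return directory
```

Running `build_directory(correlate(SOURCES))` yields one entry per correlated person; the alumni-only record keeps its surname because the precedence list falls back to the only source that holds it.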


Components: Provisioning

• It’s the process of managing an identity

• Includes

- Adding an account

- Modifying

- Suspending

- Resuming

• De-provisioning implies ending the lifecycle of an identity

• Resources can also be provisioned


Components: Trust

• Do not trust anyone…

• … until it proves to be trustworthy!

• Should be maintained between a user and his identity holder

• But also between your identity holder and identity consumers

• Implies:

- Dependence on the trusted party

- Reliability of the trusted party

- Risk!!!


Components: Management Interfaces

• Administrators also have needs!

• Provide means for information homogenization

- Components from different parties are not always meant for cooperating with others

- Administrators may need tailored functionality

- IdM can be overwhelming :-D

• Allow users to manage (partially) their data => self-service


Components: Diagnostics

• What if something fails?

• IdM comprises different data sources and interaction between them

• Useful mechanisms for diagnostics are auditing and logging

• IdMs lack features on diagnostics

- Although some proprietary solutions include diagnostic tools

• Recommendations:

- Log, log, log!!!

- Create custom management interfaces

- Do a good design


Components: Security and usability

• IdMs enhance security

- For identities: ARPs, Data protection rules

- For applications: Trust, Cryptography

• De-provision

• But users are humans (and make mistakes: phishing!)

• IdMs improve user experience and satisfaction


Components: AAIs

• Authentication and Authorization Infrastructures (AAIs)

• All we have seen up to now is now viewed as an IdP (Identity Provider) …

• As an opposition to an SP (Service Provider)

• New actor: Attribute Authorities

• AAIs include communication protocols and profiles to connect these components

- Usually include SSO, federation capabilities…


Components: AAIs

• No user registration and user data maintenance at resource needed

• Single login process for the users

• Enlarged user communities for resources

• Efficient implementation of inter-institutional access


Tools and protocols: Provisioning

• Resource provisioning is the provisioning of identities to systems and services where the identity has access to use

• SPML

- Open standard protocol for the integration and interoperation of service provisioning requests

- It’s an OASIS standard

- http://www.oasis-open.org/

- http://www.openspml.org/


Tools and protocols: Trust

• Public Key Infrastructures (PKIs)

• Certificates are based on public key

• Enables a digital certificate identifying an individual or an organization to be:

- Issued

- Revoked

- Validated

• Composed of:

- Root CA

- Certificate Authority (CA)

- Registration Authority (RA)

- Directory to store user certificates

- Certificate revocation lists (CRLs)


Tools and protocols: Feds and more

• Software for building federations

- Shibboleth: http://shibboleth.internet2.edu/

- PAPI: http://papi.rediris.es

- A-Select: http://a-select.surfnet.nl

- Liberty Alliance protocols: http://www.projectliberty.org/

• Federation interoperability software

- eduGAIN: http://www.terena.nl/activities/eurocamp/april06/slides/day2/eduGAIN.ppt


Edificio Bronce
Plaza Manuel Gómez Moreno s/n
28020 Madrid. España

Tel.: 91 212 76 20 / 25
Fax: 91 212 76 35
www.red.es
