© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Revolutionising Public Sector Administration Through Identity Management
Simon Perry
VP Security Management EMEA
IAM Defined
- Identity and Access Management is the set of processes and the supporting infrastructure for the creation, management and use of digital identities and enforcement of business policies
- It enables you to answer the following:
Who’s there? What can they do?
What do they need?
How do you manage them?
– Authentication management
– Access control
– User management
– Delegated administration
– Workflow
– Account, resource provisioning
– Account, resource de-provisioning
IAM Components (diagram)
- Labels recoverable from the slide: Identity Management; Access Management; Federation and Trust; Enterprise Single Sign-On; Password Management; Provisioning; ID Administration; Identity Virtualization; Directory; Auditing and Reporting; Security Information Management and Compliance
- Protected resources shown: Applications, Web Services, Web Sites, Operating Systems
Identity Management Maturity (diagram)
- Maturity levels: 1 - Active, 2 - Efficient, 3 - Responsive, 4 - Business-Driven
- Capabilities along the maturity curve: Password Management, Consolidated Identity Management, Integrated Role & Entitlements Management, Federated Identity Management
What is Identity Federation?
- A mechanism that establishes a linkage or portability (across security domains) of digital identities to provide seamless application access across the Internet
- Clearly this is largely a security issue
- Standards must play a large role
- Naturally dependent on identity & access management
Case Study – Private Sector: Federation at Large Insurance Company (diagram)
- Hub: www.Insurance.com
- End-points shown: Corporate Customers, Corporate Credit Card Provider, Corporate Travel department
What is Identity Federation?
- Identity federation
- Using standard browsers
- Using XML documents through Web services flows
- “Browser-federation” vs. “Identity-based Web Services”
- Both depend on linking or porting of identities across domains
- Browser-based federation
- End-user visits web sites hosted by business partners
- Web services-based federation
- Business partners communicate through XML documents used to obtain application services that depend on identity
- Focus on browser-based federation in this session
What is Identity Federation? Identity-Based Web Services (diagram)
- Partner A: Web Service Consumers
- Internet: XML/SOAP document
- Partner B: Web Service B, running in a Web Service Container
Why Federate? Browser-Based
- Customer convenience
- Improved user experience & eased application access with cross domain and cross service SSO
- Support online delivery channel for public sector services
- Competitive differentiation
- Federated SSO as a differentiated feature of your service offerings
- Reduced costs
- Leveraging identity management practices of partner
- Identity proofing
- Credential issuance
- Forgotten/lost credentials
- Reduced password related Helpdesk costs
- Increased usage of lower cost Web applications
- Avoidance of federated SSO technology “one-offs”
Why Federate? Browser-Based
- Enhanced security
- Leveraging of “stronger” regularly used & better proofed credentials
- Credential explosion is inherently insecure
- Identity Provider controls user credential & thus access to Service Provider application
- Former users lose access to federated applications as soon as the IdP disables them, since every new login must come through the IdP (a session the SP has already established lasts until it expires, so SP session lifetimes matter)
- Use of enterprise class security building blocks
- SAML, SSL, Web access management, PKI, digital signatures…
Who is Federating?
- Government agencies worldwide for eGovernment
- Ireland, Norway, Austria, New Zealand, USA…
- Eased citizen access to government services
- B->B
- Health management, employee benefits, pension providers, travel services, web conferencing, payroll services, insurance, specific ASPs, & many others…
- B->E (link internal portals around world)
- Internal federation for large, geographically distributed organizations
- B->C (consumer information services)
- Via wireless phones & cable TV to premium content
- Early stage projects
Case Study: Norwegian eGovernment Portal (diagram)
- Labels recoverable from the diagram: USER, HTTPS, the portals Minside.no and Altinn.no, INTEGRATION MODULE (three instances), SECURITY SERVER, ARCHIVE INTERFACE, ARCHIVE, PKI A, PKI B, PKI C, PKI D, WEB SERVICE, SAML exchanges, and numbered steps 1–3
- Expected user population of 1.5 million
- Up to 1400 government services
- Up to 30 million transactions per year
Browser-Based Federation Example (diagram)
- Hub: www.Company.com, running eTrust SiteMinder with Federation
- Partners shown: Corporate Customer #1, Corporate Customer #2, Corporate Customer #3 (Business Customers); ASP Service #1, ASP Service #2, Web Training, Web Travel, Pension Manager, Outsourcing (For Employees)
- Protocols on the links: SAML 1.0, SAML 1.1, SAML 2.0, WS-Fed
Golden Rules of Federation
- Consider Federation opportunities inside your business
- Federation initiatives should be business led
- Federate with your best (or most trusted) partners first
- Remember to address the legal & contractual issues
- Don’t get paralysed by federation standards evolution
- Pick a vendor with a federation pedigree and one with a commitment to support the evolving standards
- Federation should be part of your IAM architecture & strategy
- Connect your Web services security & IAM strategy
Identity Federation Requirements
- Define a technical framework built on industry standards
- Data format, message structure, & protocols
- Independent of specific technologies/implementations
- Enable business partners to exchange user information in a secure way
- Protect the privacy of users within a federation
- Keep user identity information secret
- Allow each company to manage identities of their users without relying on a centralized third-party
- Provide way to establish trust among federation participants
Business Considerations
- New partnering model
- SP or IdP – which role better supports the goals of the business
- Legal & contractual
- Trust - Relying on identity proofing & security practices of partners
- Security audit rights
- What attributes are in SAML assertion? – Privacy implications
- Ensuring quality user experience across domains
- Finding the right (first) federation partners
- State of your current identity management systems/processes
- Coordination of internal resources (IT, Security, Legal, Management, Business, Marketing)
Technical Considerations
- Is the current overall state of security capability a suitable foundation?
- Which standard / version to use?
- How will federation partner be enabled?
- Artifact or Post profile?
- Is this a many-to-1 or 1-1 federation?
- How to disambiguate the user?
- How to activate/provision federated accounts?
- Stronger authentication needed?
- What attributes are in SAML assertion?
- How long will SAML assertion live?
- How to do standards version control with partners?
- How to ensure minimum system-wide performance?
- User volume projections?
- Error & fraud scenarios
Key Standards & Specifications
- Security Assertion Markup Language (SAML)
- Standard managed by OASIS
- CA key contributor
- Provides for the sharing of security information between domains
- Using XML security tickets (assertions) & protocols
- Protocol & ticket together enable federation
- Cross-domain/cross-company SSO
- Liberty Alliance
- Alliance of many sponsor companies, including CA
- ID-FF – Portion of Liberty that enables browser-based federations
- Leverages SAML assertion (ticket)
- Officially merged with SAML with SAML 2.0
- WS-Federation
- Microsoft has plans for ADFS implementing WS-Federation in late 2005
- CA is part of Microsoft ADFS beta program
- ADFS support on roadmap
Glossary of Terms
- Identity Provider (IdP)
- Site that conducts authentication, re-directs user, & produces security ticket for the user session
- Service Provider (SP)
- Site that provides desired application(s), receives browser re-direct, & consumes security ticket to create a user session
- Security Ticket
- XML document that includes information about the identity provider & user
- SAML, Liberty ID-FF, WS-Federation
- Key identity federation specifications/standards
- Account-to-account linking
- Linking of an individual user account at IdP & SP
- Accounts connected using some uniquely shared user identifier
- Contrasts with many-to-1 federations
- Activation/Provisioning
- The process of enabling user account(s) to be federated
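The browser-based exchange this glossary describes (IdP authenticates, redirects, issues a security ticket; SP consumes it to create a session and links the account) together with the checks from the Technical Considerations slide (assertion lifetime, audience, disambiguating the user, provisioning unknown accounts, fraud scenarios), as an added Python example. It is not code from the presentation or from any CA product. It builds a SAML 2.0-shaped assertion with the standard library and has the SP verify issuer, validity window with clock skew, audience, InResponseTo/Recipient and replay before mapping the persistent NameID to a local account or sending the user to provisioning. The XML Signature a real IdP applies is replaced by an HMAC over the serialized assertion so the example runs offline; the shared key, entity IDs, NameIDs and account mapping are all constructed for illustration.

```python
"""Miniature SAML 2.0 browser-POST flow: IdP issues the ticket, SP consumes it.
Added example, not from the presentation. Assumption: an HMAC over the serialized
assertion stands in for XML Signature so this runs with the standard library only;
a real SP verifies the IdP's xmldsig signature against its metadata certificate."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"
SHARED_KEY = b"example-idp-signing-key"  # constructed; stands in for the IdP's signing key


def _tag(name): return f"{{{NS}}}{name}"
def _ts(dt): return dt.strftime(FMT)
def _parse(text): return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


def idp_issue(name_id, issuer, audience, in_response_to, now, lifetime_s=300):
    """IdP side: build and 'sign' a bearer assertion for one user session.
    Returns (base64 body, signature) as they would travel in the POSTed SAMLResponse."""
    a = ET.Element(_tag("Assertion"), ID="_" + secrets.token_hex(16),
                   Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, _tag("Issuer")).text = issuer
    subj = ET.SubElement(a, _tag("Subject"))
    ET.SubElement(subj, _tag("NameID"),  # persistent pseudonym: the shared linking identifier
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent").text = name_id
    conf = ET.SubElement(subj, _tag("SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, _tag("SubjectConfirmationData"),
                  InResponseTo=in_response_to, Recipient=audience)
    cond = ET.SubElement(a, _tag("Conditions"), NotBefore=_ts(now),
                         NotOnOrAfter=_ts(now + timedelta(seconds=lifetime_s)))
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = audience
    body = ET.tostring(a)
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode(), sig


class ServiceProvider:
    """SP side: validates the ticket, then resolves the account-to-account link."""

    def __init__(self, entity_id, trusted_issuers, linked_accounts, skew_s=60):
        self.entity_id = entity_id
        self.trusted_issuers = set(trusted_issuers)
        self.accounts = dict(linked_accounts)  # NameID -> local account
        self.pending = set()                   # AuthnRequest IDs we issued and still await
        self.seen_ids = set()                  # consumed assertion IDs (replay cache)
        self.skew = timedelta(seconds=skew_s)

    def new_request(self):
        rid = "_" + secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, b64_body, sig, now):
        body = base64.b64decode(b64_body)
        # Signature first: nothing inside an unverified assertion may be trusted.
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return ("reject", "bad signature")
        a = ET.fromstring(body)
        if a.findtext(_tag("Issuer")) not in self.trusted_issuers:
            return ("reject", "untrusted issuer")
        cond = a.find(_tag("Conditions"))
        if (now + self.skew < _parse(cond.get("NotBefore"))
                or now - self.skew >= _parse(cond.get("NotOnOrAfter"))):
            return ("reject", "assertion outside validity window")
        if self.entity_id not in [e.text for e in cond.iter(_tag("Audience"))]:
            return ("reject", "audience mismatch")
        if a.get("ID") in self.seen_ids:
            return ("reject", "replayed assertion")
        scd = a.find(f".//{_tag('SubjectConfirmationData')}")
        if scd.get("InResponseTo") not in self.pending or scd.get("Recipient") != self.entity_id:
            return ("reject", "unsolicited or misdirected response")
        self.pending.discard(scd.get("InResponseTo"))
        self.seen_ids.add(a.get("ID"))
        name_id = a.findtext(f".//{_tag('NameID')}")
        if name_id not in self.accounts:
            return ("provision", name_id)  # no link yet: hand off to activation/provisioning
        return ("session", self.accounts[name_id])


def demo():
    """One good login, then a replay, an expired ticket, an unlinked user, a forged ticket."""
    now = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)
    idp, sp_id = "https://idp.example.gov", "https://sp.example.gov/saml"  # constructed entity IDs
    sp = ServiceProvider(sp_id, [idp], {"pseudo-1234": "citizen-42"})
    out = []
    body, sig = idp_issue("pseudo-1234", idp, sp_id, sp.new_request(), now)
    out.append(sp.consume(body, sig, now))
    out.append(sp.consume(body, sig, now))
    body, sig = idp_issue("pseudo-1234", idp, sp_id, sp.new_request(), now)
    out.append(sp.consume(body, sig, now + timedelta(minutes=10)))
    body, sig = idp_issue("pseudo-9999", idp, sp_id, sp.new_request(), now)
    out.append(sp.consume(body, sig, now))
    body, _ = idp_issue("pseudo-1234", idp, sp_id, sp.new_request(), now)
    out.append(sp.consume(body, "0" * 64, now))
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of checks is deliberate: signature before parsing any field, issuer before conditions, and the replay cache keyed on the assertion ID so that a captured POST cannot be submitted twice even inside the validity window. The short NotOnOrAfter plus a bounded clock skew is the concrete answer to "How long will SAML assertion live?"; the `provision` outcome is where the "Activation/Provisioning" step of the glossary begins.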
Questions?