Revolutionising Public Sector Administration Through Identity Management


Post on 22-Jan-2016


DESCRIPTION

Revolutionising Public Sector Administration Through Identity Management. Simon Perry VP Security Management EMEA. IAM Defined. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Revolutionising Public Sector Administration Through Identity Management

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Revolutionising Public Sector Administration Through Identity

Management

Simon Perry

VP Security Management EMEA

Page 2: Revolutionising Public Sector Administration Through Identity Management


IAM Defined

- Identity and Access Management is the set of processes and the supporting infrastructure for the creation, management and use of digital identities and enforcement of business policies

- It enables you to answer the following:

  – Who’s there?
  – What can they do?
  – How do you manage them?
  – What do they need?

– Authentication management

– Access control

– User management

– Delegated administration

– Workflow

– Account, resource provisioning

– Account, resource de-provisioning

Page 3: Revolutionising Public Sector Administration Through Identity Management


IAM Components

(Diagram, labels only) Federation and Trust; Applications, Web Services, Web Sites, Operating Systems; Enterprise Single Sign-On, Password Management, Provisioning, ID Administration, Identity Virtualization, Directory; Auditing and Reporting; Security Information Management and Compliance; Access Management; Identity Management.

Page 4: Revolutionising Public Sector Administration Through Identity Management


Identity Management Maturity

(Diagram) Maturity levels 1 - Active, 2 - Efficient, 3 - Responsive and 4 - Business-Driven, with the capabilities shown in the same order: Password Management, Consolidated Identity Management, Integrated Role & Entitlements Management, Federated Identity Management.

Page 5: Revolutionising Public Sector Administration Through Identity Management


What is Identity Federation?

A mechanism that establishes a linkage or portability (across security domains) of digital identities to provide seamless application access across the Internet

- Clearly this is largely a security issue
- Standards must play a large role
- Naturally dependent on identity & access management

Page 6: Revolutionising Public Sector Administration Through Identity Management


Case Study – Private Sector: Federation at Large Insurance Company

(Diagram, labels only) www.Insurance.com; End-Points: Corporate Customer, Corporate Credit Card Provider, Corporate Travel department.

Page 7: Revolutionising Public Sector Administration Through Identity Management


What is Identity Federation?

- Identity federation
  - Using standard browsers
  - Using XML documents through Web services flows
- “Browser-federation” vs. “Identity-based Web Services”
  - Both depend on linking or porting of identities across domains
- Browser-based federation
  - End-user visits web sites hosted by business partners
- Web services-based federation
  - Business partners communicate through XML documents used to obtain application services that depend on identity
- Focus on browser-based federation in this session

Page 8: Revolutionising Public Sector Administration Through Identity Management


What is Identity Federation? Identity-Based Web Services

(Diagram) Web service consumers at Partner A send an XML/SOAP document across the Internet to Web Service B, hosted in Partner B’s Web service container.

Page 9: Revolutionising Public Sector Administration Through Identity Management


Why Federate? Browser-Based

- Customer convenience
  - Improved user experience & eased application access with cross domain and cross service SSO
  - Support online delivery channel for public sector services
- Competitive differentiation
  - Federated SSO as a differentiated feature of your service offerings
- Reduced costs
  - Leveraging identity management practices of partner
    - Identity proofing
    - Credential issuance
    - Forgotten/lost credentials
  - Reduced password related Helpdesk costs
  - Increased usage of lower cost Web applications
  - Avoidance of federated SSO technology “one-offs”

Page 10: Revolutionising Public Sector Administration Through Identity Management


Why Federate? Browser-Based

- Enhanced security
  - Leveraging of “stronger” regularly used & better proofed credentials
  - Credential explosion is inherently insecure
  - Identity Provider controls user credential & thus access to Service Provider application
    - Former users immediately lose access to federated applications since they must come through the IdP
  - Use of enterprise class security building blocks
    - SAML, SSL, Web access management, PKI, digital signatures…

Page 11: Revolutionising Public Sector Administration Through Identity Management


Who is Federating?

- Government agencies worldwide for eGovernment
  - Ireland, Norway, Austria, New Zealand, USA…
  - Eased citizen access to government services
- B->B
  - Health management, employee benefits, pension providers, travel services, web conferencing, payroll services, insurance, specific ASPs, & many others…
- B->E (link internal portals around world)
  - Internal federation for large, geographically distributed organizations
- B->C (consumer information services)
  - Via wireless phones & cable TV to premium content
  - Early stage projects

Page 12: Revolutionising Public Sector Administration Through Identity Management


User Case Study: Norwegian eGovernment Portal

- Expected user population of 1.5 million
- Up to 1400 government services
- Up to 30 million transactions per year

(Diagram, labels only) User; HTTPS; Minside.no (1); Altinn.no (1); Security Server (2) with PKI A, PKI B, PKI C, PKI D; Archive (3) with Archive Interface; Web Service; Integration Modules; SAML between the components.

Page 13: Revolutionising Public Sector Administration Through Identity Management


Browser-Based Federation Example

(Diagram, labels only) www.Company.com with eTrust SiteMinder with Federation; Corporate Customer #1, #2, #3; Business Customers; Web Training; Web Travel; For Employees; ASP Service #1; ASP Service #2; Pension Manager; Outsourcing; protocol labels SAML 1.1, SAML 1.0, WS-Fed, SAML 2.0.

Page 14: Revolutionising Public Sector Administration Through Identity Management


Golden Rules of Federation

- Consider Federation opportunities inside your business

- Federation initiatives should be business led

- Federate with your best (or most trusted) partners first

- Remember to address the legal & contractual issues

- Don’t get paralysed by federation standards evolution

- Pick a vendor with a federation pedigree and one with a commitment to support the evolving standards

- Federation should be part of your IAM architecture & strategy

- Connect your Web services security & IAM strategy

Page 15: Revolutionising Public Sector Administration Through Identity Management


Identity Federation Requirements

- Define a technical framework built on industry standards
  - Data format, message structure, & protocols
  - Independent of specific technologies/implementations
- Enable business partners to exchange user information in a secure way
- Protect the privacy of users within a federation
  - Keep user identity information secret
- Allow each company to manage identities of their users without relying on a centralized third-party
- Provide a way to establish trust among federation participants

Page 16: Revolutionising Public Sector Administration Through Identity Management


Business Considerations

- New partnering model
  - SP or IdP – which role better supports the goals of the business
- Legal & contractual
  - Trust - Relying on identity proofing & security practices of partners
  - Security audit rights
  - What attributes are in SAML assertion? – Privacy implications
- Ensuring quality user experience across domains
- Finding the right (first) federation partners
- State of your current identity management systems/processes
- Coordination of internal resources (IT, Security, Legal, Management, Business, Marketing)

Page 17: Revolutionising Public Sector Administration Through Identity Management


Technical Considerations

- Is the current overall state of security capability a suitable foundation?
- Which standard / version to use?
- How will federation partner be enabled?
- Artifact or Post profile?
- Is this a many-to-1 or 1-1 federation?
- How to disambiguate the user?
- How to activate/provision federated accounts?
- Stronger authentication needed?
- What attributes are in SAML assertion?
- How long will SAML assertion live?
- How to do standards version control with partners?
- How to ensure minimum system-wide performance?
- User volume projections?
- Error & fraud scenarios

Page 18: Revolutionising Public Sector Administration Through Identity Management


Key Standards & Specifications

- Security Assertion Markup Language (SAML)
  - Standard managed by OASIS
  - CA key contributor
  - Provides for the sharing of security information between domains
    - Using XML security tickets (assertions) & protocols
  - Protocol & ticket together enable federation
    - Cross-domain/cross-company SSO
- Liberty Alliance
  - Alliance of many sponsor companies
    - Including CA
  - ID-FF – Portion of Liberty that enables browser-based federations
    - Leverages SAML assertion (ticket)
    - Officially merged with SAML with SAML 2.0
- WS-Federation
  - Microsoft has plans for ADFS implementing WS-Federation in late 2005
  - CA is part of Microsoft ADFS beta program
  - ADFS support on roadmap

Page 19: Revolutionising Public Sector Administration Through Identity Management


Glossary of Terms

- Identity Provider (IP)
  - Site that conducts authentication, re-directs user, & produces security ticket for the user session
- Service Provider (SP)
  - Site that provides desired application(s), receives browser re-direct, & consumes security ticket to create a user session
- Security Ticket
  - XML document that includes information about the identity provider & user
- SAML, Liberty ID-FF, WS-Federation
  - Key identity federation specifications/standards
- Account-to-account linking
  - Linking of an individual user account at IP & SP
  - Accounts connected using some uniquely shared user identifier
  - Contrasts with many-to-1 federations
- Activation/Provisioning
  - The process of enabling user account(s) to be federated
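The Service Provider side of the flow in the glossary (receive the ticket, consume it, create a session), worked through the lifetime, audience, attribute and user-disambiguation questions from the Technical Considerations slide, as an added Python example that is not part of the original deck. The IdP and SP URLs, the account-linking table and the SAML 2.0 assertion are all constructed; verification of the XML digital signature, which a real SP performs before trusting any of these fields, is omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SP-side trust configuration (hypothetical partner IdP and agency SP).
TRUSTED_ISSUERS = {"https://idp.partner.example"}
SP_AUDIENCE = "https://sp.agency.example"
# Account-to-account linking table: (issuer, NameID) -> local account (constructed).
ACCOUNT_LINKS = {("https://idp.partner.example", "partner-user-4711"): "jdoe"}

def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2005-06-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, now):
    """Validate the security ticket and return the session the SP would create; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    # Lifetime check: the ticket is only good inside [NotBefore, NotOnOrAfter).
    if not_before is None or not_after is None or not (parse_saml_time(not_before) <= now < parse_saml_time(not_after)):
        raise ValueError("assertion has no validity window or is outside it")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_AUDIENCE not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    # Disambiguate the user through the identifier shared with the IdP, not through free-text attributes.
    local_account = ACCOUNT_LINKS.get((issuer, name_id))
    if local_account is None:
        raise ValueError("no linked local account for %r" % name_id)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"account": local_account, "issuer": issuer, "attributes": attrs}

# Constructed sample ticket from the partner IdP (unsigned; see the lead-in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2005-06-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example</saml:Issuer>
  <saml:Subject><saml:NameID>partner-user-4711</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-06-01T12:00:00Z" NotOnOrAfter="2005-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.agency.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>travel</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling `consume_assertion(SAMPLE_ASSERTION, parse_saml_time("2005-06-01T12:01:00Z"))` yields a session for the linked account `jdoe`; the same ticket presented after `NotOnOrAfter`, for another audience, or for an unlinked NameID is rejected with the reason.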

Page 20: Revolutionising Public Sector Administration Through Identity Management

Questions?