From UseCases to Specifications (PowerPoint presentation)

SLIDE 1

From UseCases to Specifications

Fulup Ar Foll Liberty Technical Expert Group

Master Architect, Global Software Practice Sun Microsystems

SLIDE 2

2 Liberty Paris Workshop 23:23:20

Why Identity Related Services ?

  • Identity-enabling: Exposes identity details to other services
  • Identity-enabled: Offers personalization when given access to identity details
  • Basic: Performed without regard to who's doing the asking or using the results

SLIDE 3

What's About Federation

  • Federation of providers (CoT): a group of entities providing services who have signed an agreement in order to make life simpler for their shared customers/users (Principals). They:
      • accept that Principal authentication is done once per session (SSO) and by a shared authority (IDP);
      • accept to provide service knowing only an "avatar" of the principal identity (Opaque Handle / Federation Key). This non-significant pointer to the principal identity allows the service provider (SP) to know that "it is him" without knowing "who he is".
  • Federation: a weak link that allows mapping the principal's avatar identity used by a service provider to the effective principal identity, which is known only to the authentication authority (IDP).
  • Federated Identity: the data/attributes at the service provider attached to a principal identity avatar.
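The opaque handle, the federation link and the SP-side federated identity described above, as an added toy model (not code from the presentation and not the Liberty ID-FF wire protocol). The IDP issues a random per-SP handle, so two SPs that both serve the same person hold unrelated handles and only the IDP can resolve either of them; the class and method names are my own.

```python
import secrets

class IdentityProvider:
    """Toy IDP holding the only link between an SP-facing opaque handle
    (federation key) and the real principal. Constructed for this example."""

    def __init__(self):
        self._by_pair = {}    # (sp_id, principal) -> handle
        self._by_handle = {}  # (sp_id, handle) -> principal

    def federate(self, principal, sp_id):
        """Issue a random, per-SP handle so two SPs cannot correlate the same user."""
        key = (sp_id, principal)
        if key not in self._by_pair:
            handle = secrets.token_hex(16)          # opaque: carries no identity data
            self._by_pair[key] = handle
            self._by_handle[(sp_id, handle)] = principal
        return self._by_pair[key]

    def defederate(self, principal, sp_id):
        """Break the weak link: the SP keeps its data but can no longer be told 'it is him'."""
        handle = self._by_pair.pop((sp_id, principal), None)
        if handle is not None:
            del self._by_handle[(sp_id, handle)]

    def resolve(self, sp_id, handle):
        """Only the IDP can map a handle back; a handle issued to another SP resolves to nothing."""
        return self._by_handle.get((sp_id, handle))


class ServiceProvider:
    """An SP stores its federated identity (attributes) keyed solely on the handle."""

    def __init__(self, sp_id):
        self.sp_id = sp_id
        self._attributes = {}  # handle -> dict of SP-local attributes

    def sso_login(self, idp, principal):
        """The IDP asserts the handle for this SP; the SP never learns the principal."""
        handle = idp.federate(principal, self.sp_id)
        self._attributes.setdefault(handle, {})
        return handle

    def set_attribute(self, handle, name, value):
        self._attributes[handle][name] = value

    def federated_identity(self, handle):
        return dict(self._attributes.get(handle, {}))
```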

SLIDE 4

OASIS SAML v2 Overview: The Road to Convergence

[Timeline figure. Tracks: OASIS SSTC (SAML v.1.0, SAML v.1.1, SAML v.2.0), Liberty Alliance (Phase 1, ID-FF v.1.1, ID-FF v.1.2, OASIS Contribution), Internet2 Shibboleth (Shib v.1.0/1.1, Shib v.1.2, OASIS Contribution). Dates shown range from July 2002 to April 2005, ending in SAML v.2.0 use/testing.]

SLIDE 5

Why Choosing Liberty ?

✗ Fits your requirements: Free & Open standard, Privacy, Security, Interoperability
✗ An industrial reality: Certified products, already proven in production
✗ You're not in a position of choosing: the Customer chooses for you !!!

Kravspesifikasjon for PKI i offentlig sektor (Requirements Specification for PKI in the Public Sector), Version 1.02, January 2005, Requirement 10.5.1 Authentication: An "Identity Provider" shall be offered according to Liberty Alliance specifications. The solution shall be described. It shall be indicated which versions and which high-level functions are supported.

SLIDE 6

OASIS SAML 2.0 Concepts

  • Profiles: Combining protocols, bindings, and assertions to support a defined use case
  • Bindings: Mapping SAML protocols onto standard messaging or communication protocols
  • Metadata: IdP and SP configuration data
  • Authn Context: Detailed data on types and strengths of authentication
  • Protocols: Request/response pairs for obtaining assertions and doing ID management
  • Assertions: Authentication, attribute, and entitlement information

SLIDE 7

Global Liberty Architecture

[Architecture diagram of a Circle Of Trust with three roles and a legend. Elements shown:]

  • Principal: customer, employee, game user, ...
  • Identity Provider: Authentication, Federation, Discovery service, Policies/Authorization
  • Service Provider: web content, games, merchant site, ...
  • Identity Services: Messaging, Ticketing, ...; Geolocation, Personal Profile, ...
  • Legend: Liberty ID-FF/SAML-2.0, Liberty ID-WSF, Not Specified by Liberty
  • Outside the CoT: Legacy/existing Infrastructure (Auth. Pts), Other CoTs (Auth. Pts)
SLIDE 8

Liberty Technical Framework

  • ID-FF (Identity Federation Framework)
      • Federation/Defederation
      • SSO (single & simplified Sign On) / SLO (single logout)
      • Authentication context & Attributes
      • Metadata
  • ID-WSF (Identity Web Service Framework)
      • Authentication Service
      • Discovery Service
      • DST (Data Service Template)
      • Interaction Service
  • ID-SIS (Identity Service Interface)
      • Personal profile, Geoloc, Presence, Contact Book, ...
SLIDE 9

Basic CoT (outsourcing of services)

[Diagram of one CoT. Authentication Authority side: IDP, DS, Identities, Customers. Service Provider(s) side: Outsourced app, PP, Payment. Message flows are labelled A, B, C, D, E, E', F, G.]

SLIDE 10

CoT/CoT (proxy authentication)

[Diagram of two CoTs linked by a Business Agreement. CoT 1 (ex: Wireless operator): Customers, Wireless Identities, Services. CoT 2 (ex: FixNet operator): FixNet/DSL Identities, Services. Flows: Local Service Request with Self-Contained Authentication; Alien Service Request with Proxy Authentication.]

SLIDE 11

Shared CoT (global shared Services)

[Diagram. Operator « XyZ » Germany: German Customers, German CoT, German Identities, German Services. Operator « XyZ » France: French Customers, French CoT, French Identities, French Services. « XyZ » Global Common Services: Global CoT, Global Identities, Common Services. Flows: Proxy Authentication; Global Service Request extended to Global CoTs.]

SLIDE 12

Access Control

The SP is responsible for securing access. For each SP, identify the data needed for access control decisions and where it will come from.

  • For individual consumers, it may come from the user.
  • For the outsourcing scenario, the data needed may be split between SP and IDP.
  • Attributes can be sent in a bulk feed.
  • The SP application can use SAML.
  • A provisioning/sync solution between SP and IDP can be used to better leverage the capabilities of an access-management type of product.
SLIDE 13

Support

How to support someone you don't know ? For each SP and IDP, identify potential user issues, and how support will be provided by SP and IDP.

  • User cannot login, can't access app, data wrong, ...
  • Identify how users will report a problem
  • Identify first responder, escalation paths
  • Identify how each responder will
      • be able to identify the user's account
      • be able to contact the user later to ask more questions
  • Gets tricky if the user has a different ID at SP and IDP
  • User likely to forget the SP ID once accounts are federated
SLIDE 14

Logout

Local and/or Global logout both possible

  • Bigger issue than it initially seems
  • Providing just one may cause issues
      • Users do local logout, leave the global session, walk away from the browser
      • Users might avoid use of global logout thinking they have more work to do
  • Best to support both, educate users on the differences
  • If you must do just one, choose global logout
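The local-versus-global logout problem from this slide, as an added toy session model (my own code, not from the presentation and not the Liberty ID-FF SLO protocol). It replays the "local logout, walk away" sequence: after a local logout the next visit to the SP is silently re-established from the still-open IDP session, and only the global logout actually closes access. Class and function names are assumptions for the example.

```python
class FederatedSessions:
    """Toy model of one browser's sessions at an IDP and several SPs.
    Constructed for this example."""

    def __init__(self):
        self.idp_session = None   # global session, opened once per SSO login
        self.sp_sessions = {}     # sp_id -> principal, one local session per SP

    def login(self, principal):
        """Authenticate once at the IDP: this opens the global session."""
        self.idp_session = principal

    def access(self, sp_id):
        """Return how the SP obtained a session: 'local', 'sso' or 'denied'."""
        if sp_id in self.sp_sessions:
            return "local"
        if self.idp_session is not None:
            # Global session still valid: the SP is handed an assertion
            # without any credential prompt (the SSO promise).
            self.sp_sessions[sp_id] = self.idp_session
            return "sso"
        return "denied"

    def local_logout(self, sp_id):
        """End only this SP's session; the global session survives."""
        self.sp_sessions.pop(sp_id, None)

    def global_logout(self):
        """Single Logout: end the IDP session and every SP session it created."""
        self.idp_session = None
        self.sp_sessions.clear()


def walk_away_scenario():
    """Replay the risky sequence from the slide and return what each step yields."""
    browser = FederatedSessions()
    browser.login("alice")
    steps = [browser.access("shop")]          # 'sso': first visit, no second login
    browser.local_logout("shop")
    steps.append(browser.access("shop"))      # 'sso' again: local logout did not end SSO
    browser.global_logout()
    steps.append(browser.access("shop"))      # 'denied': only global logout closes access
    return steps
```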
SLIDE 15

SSO expectations

Single Sign On & Simplified Sign On

  • Set expectations appropriately
      • Logins to hardware devices
      • Logins to networks (VPNs etc)
      • Logins to applications
      • Different levels of authentication (i.e. single versus dual factor)
  • "Simplified Sign On" may be the better term
SLIDE 16

Monitoring

  • Obvious
      • Monitor HW, OS on all component servers (app, authN service, authZ service, storage)
  • Proactive
      • Monitor CPU, number of connections, response time and set acceptability threshold values for each
  • Possible Glitch
      • Monitor federated login with synthetic transactions. The IDP may be best positioned to do so if access to the IDP is restricted

SLIDE 17

Business Agreements

  • Many other legal documents typically exist
      • Sales contracts, Purchase Orders, Statements of Work, Service Level Agreements, Contract approvals, Consulting Services agreements etc.
  • Liberty-related agreements need to relate to other agreements
      • Add Liberty-specific terms to existing SOW/SLA templates
      • Liberty compliance, adding/removing COT members, joining other COTs, federation, authN levels, session timeouts, adding/removing users, policy enforcement

SLIDE 18

Production Deployment

  • There is a world of difference between doing this in a lab and the real world. Deploy and test as early as possible in the 'real' environment.
  • Hardened environments
      • Firewalls & firewall rules
      • Network & Load balancers
      • Router ACLs
      • Certificates
      • DNS and mappings
SLIDE 19

Liberty Summary

✗ A free standard focusing on:
    ✗ Privacy
    ✗ Security
    ✗ Interoperability
✗ An industrial reality:
    ✗ Products certified to the latest spec available
    ✗ Already proven in production
✗ Return of experience available:
    ✗ Deployment paper
    ✗ Consulting services

SLIDE 20

fulup@sun.com

The End