Liberty Specifications Tutorial
WWW.PROJECTLIBERTY.ORG
Alexandre Stervinou
Technical Consultant, RSA Security
astervinou@rsasecurity.com
Tutorial Outline
Introduction to Liberty Alliance
Overview & Key Concepts
Resources
Architecture and Specification documents
Phase 1 - ID-FF
– Federated identity life-cycle
– Metadata
– SCR & Interoperability Conformance/Validation
– Security Mechanisms
Phase 2 - ID-WSF & ID-SIS
– Personal profile scenario
Privacy & Security Guidelines
Business Guidelines
Identity Crisis
Joe's Fish Market.Com
Tropical, Fresh Water, Shell Fish,
Lobster,Frogs, Whales, Seals, Clams
Open Interaction and Participation
(Figure: the Liberty Alliance at the centre, with its relationships to the groups around it)
– Standards bodies (IETF, W3C, OASIS, OMA): Liberty utilizes and influences their work
– Other technologies (MS Passport, WS-Federation): co-operate
– Members (e.g. Sun, AOL, HP, Nokia) and vendors/providers: develop and deploy
– Open source community (e.g. Apache): develop and deploy
– Government and PR groups, media: lobby and PR
– Users: requirements
Key Concepts and Terminology
Identity
Simplified Sign-On
Single Logout
Network Identity / Federated Identity
Circle of Trust
– Principal
– Identity Provider (IdP)
– Service Provider (SP)
– Liberty Enabled Clients or Proxies (LECP)
Pseudonyms & Anonymity
Authentication Assertion (SAML)
Key Concepts
Network Identity Concepts
ATTRIBUTES
– Definition: traits, profiles, preferences of an identity, device, or business partner
– Examples: personal consumer preferences (e.g., travel, entertainment, dining); identity-specific histories (e.g., purchases, medical records, etc.); device capabilities information (e.g., text-only, video, etc.)
AUTHENTICATION
– Definition: a level of security guaranteeing the validity of an identity representation
– Examples: government issued (driver's license, social security, passport); biometric (fingerprint, retinal scan, DNA); self-selected (PIN, secret password)
AUTHORIZATION
– Definition: the provisioning of services or activities based upon an authenticated identity
– Examples: services based on attributes (e.g., travel, entertainment, dining); transaction consumption; gradient levels of service (e.g., based on employee level)
“Circle of Trust” Model
(Figure: a Network Identity Hub Provider linked to Partners A through H)
Identity Service Provider (e.g. Financial Institution, HR)
•Trusted entity
•Authentication infrastructure
•Maintains core identity attributes
•Offers value-added services (optional)
Affiliated Service Providers
•Offer complementary service
•Don't (necessarily) invest in authentication infrastructure
Circle of Trust
•Business agreements
•SLAs
•Policies/Guidelines/AUP
Key Concepts
Authentication Assertion (SAML)
Authentication Assertion
Assertion ID
Issuer
Issue Instant (timestamp)
Validity time limit
Audience Restriction
Authentication Statement
Authentication Method
Authentication Instant
User account info (IdP pseudonym)
User account info (SP pseudonym)
Digital Signature of assertion
Resources
Liberty Developer Resource Center
www.projectliberty.org/resources/resources.html
SAML
www.oasis-open.org/committees/security
SOAP
www.w3.org/2000/xp/Group/
SSL/TLS
www.ietf.org/html.charters/tls-charter.html
Complete Liberty Architecture
Liberty Identity Federation Framework (ID-FF)
– Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management
Liberty Identity Web Services Framework (ID-WSF)
– Provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles
Liberty Identity Services Interface Specifications (ID-SIS)
– Enables interoperable identity services such as personal identity profile service, alert service, calendar service, wallet service, contacts service, geo-location service, presence service and so on
Liberty specifications build on existing standards
Liberty Specifications
ID-FF
– ID-FF Architectural Overview 1.2
– ID-FF Implementation Guidelines 1.2
– ID-FF Static Conformance Req. 1.2
– ID-FF Protocols and Schemas 1.2
– ID-FF Bindings and Profiles 1.2
– Liberty Authentication Context 1.2
– Liberty Meta Data 1.2
Common documents
– Liberty Glossary
– Liberty Trust Model Guidelines
ID-WSF
– ID-WSF Architecture Overview 1.0
– ID-WSF Security & Privacy Overview 1.0
– ID-WSF Static Conformance Req. 1.0
– ID-WSF Implementation Guidelines 1.0
– Identity Services Templates: ID-WSF Data Services Template 1.0
– Core Identity Services Protocols: ID-WSF Discovery Service 1.0, ID-WSF Interaction Service 1.0
– Web Services Bindings & Profiles: ID-WSF Security Mechanisms 1.0, ID-WSF SOAP Binding 1.0, ID-WSF Client Profiles 1.0, Liberty SASL-based SOAP AuthN 1.0, Liberty Reverse HTTP Binding 1.0
ID-SIS
– ID-Personal Profile Implementation Guidelines 1.0
– ID-Personal Profile 1.0
– ID-Employee Profile Implementation Guidelines 1.0
– ID-Employee Profile 1.0
Legend of the original figure: Normative, Non-Normative, Coming Soon (the status of each document is not recoverable from the text)
Phase 1 - ID-FF
Federated identity life-cycle
Metadata
SCR & Conformance
Security Mechanisms
Authentication Context
Federated Identity Life-Cycle
(Figure only in the original slide)
Metadata
Metadata specification extensible framework for describing
– cryptographic keys
– service endpoints information
– protocol and profile support in real time
Metadata exchange options:
– In-band DNS based discovery
– In-band URI based discovery
– Out-of-band
Classes of metadata:
– Entity provider metadata
– Entity affiliation metadata
– Entity trust metadata
Origin and document verification through use of signatures
Identity Provider Introduction
Optional profile
Common Domain Cookie
– MUST be named _liberty_idp
– MUST be a base-64 encoded list of IdP succinct IDs
– Session or Persistent
Common domain established within the
identity federation network for use with
introduction protocol
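As an added example (mine, not the tutorial's or the Liberty specifications' own code), here is how an IdP's common-domain writer and an SP's reader could handle the _liberty_idp cookie. The succinct ID is the SHA-1 of the providerID. The layering assumed below (each succinct ID base64-encoded, the entries joined by single spaces, the whole list base64-encoded again) is my reading of the ID-FF 1.2 profile and should be checked against the specification text before use; the provider IDs are constructed.

```python
import base64
import hashlib

COOKIE_NAME = "_liberty_idp"  # name mandated by the introduction profile


def succinct_id(provider_id):
    """20-byte succinct ID of a provider: SHA-1 of its providerID URI."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def encode_cookie(succinct_ids):
    """Build the cookie value. Assumed layering: each succinct ID base64-encoded,
    joined by single spaces, then the whole list base64-encoded (verify against ID-FF 1.2)."""
    inner = " ".join(base64.b64encode(s).decode("ascii") for s in succinct_ids)
    return base64.b64encode(inner.encode("ascii")).decode("ascii")


def decode_cookie(value):
    """Inverse of encode_cookie; rejects anything that is not a list of 20-byte IDs."""
    inner = base64.b64decode(value, validate=True).decode("ascii")
    ids = [base64.b64decode(tok, validate=True) for tok in inner.split(" ") if tok]
    for s in ids:
        if len(s) != 20:
            raise ValueError("succinct ID must be 20 bytes")
    return ids


def record_idp(cookie_value, provider_id):
    """IdP side (common-domain writer): after authenticating the user, append this
    IdP's succinct ID as the most recent entry without creating duplicates."""
    ids = decode_cookie(cookie_value) if cookie_value else []
    sid = succinct_id(provider_id)
    ids = [s for s in ids if s != sid] + [sid]
    return encode_cookie(ids)


def choose_idp(cookie_value, trusted_idps):
    """SP side (common-domain reader): pick the most recently used IdP, but only if
    its succinct ID maps to an IdP in the SP's own configured trust list. Any IdP in
    the common domain can write the cookie, so it is a hint, not an authority."""
    by_sid = {succinct_id(p): p for p in trusted_idps}
    for sid in reversed(decode_cookie(cookie_value)):
        if sid in by_sid:
            return by_sid[sid]
    return None
```

The SP never dereferences a succinct ID it cannot map itself: an attacker who can set the cookie gains at most the ability to steer the user to one of the IdPs the SP already trusts.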
Single Sign On and Federation
Sequence (User, IdP, SP):
– User logs in and authenticates at the IdP; the IdP writes the introduction cookie in the common domain
– User logs in at the SP
– SP: "You have a cookie from the IdP, federate accounts?"  User: "Yes, federate my accounts"
– SP redirects the user to the IdP with an AuthnRequest
– IdP authenticates the user and issues an authentication assertion
– IdP redirects the user back to the SP carrying either the SAML assertion itself or an artifact that points at the SOAP endpoint at the IdP
– In the artifact case the SP fetches the assertion from the IdP over SOAP
– SP processes the assertion and starts the service
Federating an Identity
(Screenshots: signed on at Airline, Inc / Fly Right Airline Group (IdP A), the user is asked "Do you want to federate your Car Rental, Inc. account?" with Yes / Cancel; after Yes the federation is performed and the user is taken to CarRental, Inc (SP 1), which shows "Welcome John12. You're signed on.")
Account Federation Details (1)
User connects to IdP and authenticates
– User enters the URL and connects to the IdP (Airline, Inc / Fly Right Airline Group)
– IdP returns an authentication request; the user authenticates, e.g. with ID and password (other authentication methods are possible, e.g. certificate-based, Kerberos, etc.)
– IdP checks the authentication and displays its web page
User goes to the IdP of his choosing and authenticates himself, for example using ID and password.
Account Federation Details (2)
User can choose to federate accounts with the IdP
– Initial authentication at the IdP completed
– IdP web page: "Welcome, John. You can link the following accounts: Car Rental, Inc"  User: Yes
– Federation request: the IdP begins federation with the Service Provider
After authenticating with the IdP, other accounts that can be federated are listed.
Account Federation Details (3)
Federation initiated at the IdP
– IdP redirects the user to the SP for federation
– SP login and federation opt-in: the user authenticates at the SP (Car Rental, Inc: ID, Password, "Federate with Airline, Inc", OK)
– SP checks the authentication and processes the federation
Federation requires connecting to the SP and authenticating once.
Account Linking and Identity
Federation
User handles (name identifiers)
– Eliminates need for global ID
– Prevents collusion between SP1 and SP2
Example: IdP account John123@idp federated with SP1 account John_s@sp1 and with SP2 account John_0811@sp2. Each party stores, per federation, its own alias for the user, the peer's domain and the name the peer uses:
– IdP (IDP_A.com), entry for SP_1.com: Alias mr3tTJ, Name dTvIiR
– SP1 (SP_1.com), entry for IDP_A.com: Alias dTvIiR, Name mr3tTJ
– IdP (IDP_A.com), entry for SP_2.com: Alias xyrVdS, Name pfk9uz
– SP2 (SP_2.com), entry for IDP_A.com: Alias pfk9uz, Name xyrVdS
SP1 and SP2 hold different handles for the same user, so neither can match its records against the other's.
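Added illustration (mine, not the tutorial's code) of the pairwise handles on this slide: the IdP mints a separate opaque handle for every (account, SP) pair and the SP registers its own alias back, so two SPs that compare their federation tables find nothing in common. The account and provider names are taken from the slide; the handles are random (secrets.token_urlsafe) rather than the fixed strings shown, and the RegisterNameIdentifier exchange is modelled as a method call.

```python
import secrets


def new_handle(nbytes=16):
    """Opaque, unguessable name identifier; never derived from the account name."""
    return secrets.token_urlsafe(nbytes)


class IdentityProvider:
    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.handles = {}      # (account, sp_provider_id) -> handle the IdP asserts
        self.sp_handles = {}   # (account, sp_provider_id) -> alias the SP registered

    def handle_for(self, account, sp_provider_id):
        """Same pair, same handle across logins; different SP, different handle."""
        key = (account, sp_provider_id)
        if key not in self.handles:
            self.handles[key] = new_handle()
        return self.handles[key]

    def register_name_identifier(self, sp_provider_id, idp_handle, sp_handle):
        """RegisterNameIdentifier from the SP: store the SP's alias for this pair."""
        for (account, sp), h in self.handles.items():
            if sp == sp_provider_id and h == idp_handle:
                self.sp_handles[(account, sp)] = sp_handle
                return True
        return False

    def account_for(self, sp_provider_id, handle):
        """Only the IdP can map an SP-scoped handle back to the account, and only
        within the scope of the SP it was issued to."""
        for (account, sp), h in self.handles.items():
            if sp == sp_provider_id and handle in (h, self.sp_handles.get((account, sp))):
                return account
        return None


class ServiceProvider:
    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.links = {}   # local account -> (IdP handle, own alias)

    def link(self, local_account, idp_handle):
        alias = new_handle()
        self.links[local_account] = (idp_handle, alias)
        return alias

    def local_account_for(self, idp_handle):
        for acct, (h, _) in self.links.items():
            if h == idp_handle:
                return acct
        return None


def federate(idp, sp, idp_account, sp_account):
    """The federation step from the slide: the IdP asserts a pairwise handle, the SP
    links it to its local account and registers its own alias at the IdP."""
    h = idp.handle_for(idp_account, sp.provider_id)
    alias = sp.link(sp_account, h)
    idp.register_name_identifier(sp.provider_id, h, alias)
    return h, alias


def colluding_join(sp1, sp2):
    """Everything two SPs could match by pooling their tables. Pairwise handles make it empty."""
    s1 = {x for pair in sp1.links.values() for x in pair}
    s2 = {x for pair in sp2.links.values() for x in pair}
    return s1 & s2
```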
Single Sign-on
Instead of the SP directly authenticating the user, the SP queries the IdP and the IdP issues an authentication assertion
– (1) Initial authentication at the Identity Provider
– (2) User authentication request from the Service Provider, via HTTP redirect
– (3) Authentication Assertion issued by the IdP
– (4) Authentication Assertion sent to the Service Provider
Single Sign-On (1)
User connects to IdP and authenticates
– User enters the URL and connects to the IdP (Airline, Inc / Fly Right Airline Group)
– IdP returns an authentication request; the user authenticates, e.g. with ID and password (other authentication methods are possible)
– IdP checks the authentication and displays its web page
User goes to the IdP of his choosing and authenticates himself, for example using ID and password.
Single Sign-On (2)
User chooses an SP
– IdP web page is displayed: "Welcome, John. Federated SPs: Car Rental, Inc; Hotels, Inc"
– User chooses an SP or enters its URL
– User is connected to the SP he chooses; the SP answers with an authentication request
Single Sign-On (3)
User redirected to IdP based on authentication request from SP
– SP answers the user's request with an authentication request, delivered as an HTTP redirect to the IdP
– The SP can specify the authentication level it requires
User authentication request results in redirect to IdP.
Single Sign-On (4)
IdP issues an authentication assertion
– The authentication request (redirect) arrives at the IdP
– If the user is not already authenticated at the IdP, initial authentication is performed (Airline, Inc / Fly Right Airline Group login page: Login, Password)
– The assertion is generated if the user is authenticated and the identity at the SP is federated
Single Sign-On (5)
Authentication assertion sent from IdP to SP
– IdP: authentication assertion issued
– Authentication assertion sent to the SP via HTTP redirect*; a secure communication channel (SSL) is required
* Only in the Browser POST profile
** In the Browser Artifact profile the IdP and SP exchange the authentication assertion between themselves over SOAP (back-channel)
Single Sign-On (6)
SP checks the authentication assertion and allows access to service
– SP checks the authentication assertion
– Service started: Car Rental.inc shows "Welcome, John123 [Authenticated]"
Single Sign-On
Available profiles:
– Browser Artifact
– Browser POST
– LECP
Browser Artifact Single Sign-On Profile
(Figure only in the original slide)
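Added example (mine, not from the Liberty specifications) of the Browser Artifact exchange as an SP should handle it; it also shows the use of the provider metadata described on the earlier Metadata slide. The SP resolves the artifact's SourceID against its own configured IdP metadata and takes the SOAP endpoint from that metadata, never from anything in the request, and the IdP treats each assertion handle as single-use. The artifact layout (2-byte type code 0x0003, 20-byte SourceID = SHA-1 of the IdP providerID, 20-byte random handle) is my reading of ID-FF 1.2 Bindings and Profiles and should be verified against the specification; provider IDs, endpoints and the metadata table are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlparse

TYPE_CODE = b"\x00\x03"   # assumption: Liberty artifact type code (ID-FF 1.2)


def source_id(provider_id):
    """20-byte SourceID of a provider: SHA-1 of its providerID URI."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def make_artifact(idp_provider_id):
    """IdP side: TypeCode || SourceID || AssertionHandle, base64-encoded.
    Returns the artifact and the raw handle the IdP must remember."""
    handle = secrets.token_bytes(20)
    raw = TYPE_CODE + source_id(idp_provider_id) + handle
    return base64.b64encode(raw).decode("ascii"), handle


def parse_artifact(artifact):
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("not a Liberty browser artifact")
    return raw[2:22], raw[22:]


# Constructed provider metadata the SP loaded out-of-band and whose signature
# it has already verified (the Metadata slide: keys, endpoints, signed documents).
TRUSTED_IDP_METADATA = {
    "https://idp-a.example.com": {
        "soap_endpoint": "https://idp-a.example.com/liberty/soap",
    },
}


def resolve_artifact_endpoint(artifact, metadata=TRUSTED_IDP_METADATA):
    """SP side: map SourceID to a configured IdP before dereferencing. An artifact
    whose SourceID matches no trusted IdP is dropped, so an attacker cannot make
    the SP open a SOAP connection to an endpoint of their choosing."""
    sid, handle = parse_artifact(artifact)
    by_sid = {source_id(pid): pid for pid in metadata}
    pid = by_sid.get(sid)
    if pid is None:
        raise PermissionError("artifact SourceID matches no trusted IdP")
    endpoint = metadata[pid]["soap_endpoint"]
    if urlparse(endpoint).scheme != "https":
        raise ValueError("SOAP back-channel must be TLS protected")
    return pid, endpoint, handle


class ArtifactStore:
    """IdP side: the handle is consumed on first dereference; a replayed
    SOAP request for the same handle gets nothing."""

    def __init__(self):
        self._pending = {}

    def issue(self, assertion, idp_provider_id):
        artifact, handle = make_artifact(idp_provider_id)
        self._pending[handle] = assertion
        return artifact

    def dereference(self, handle):
        return self._pending.pop(handle, None)
```

In a deployment the SP also authenticates the IdP's TLS server certificate on the back-channel and the IdP checks that the requesting SP is on its authorized list, as the Security Mechanisms slide requires; both are configuration of the SOAP client and server rather than artifact handling.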
Browser POST Single Sign-On Profile
(Figure only in the original slide)
LECP Single Sign-On Profile
(Figure only in the original slide)
Single Logout (1)
Single logout initiated at the IdP
– Authentication at the IdP completed; the IdP logout web page is displayed: "Do you want to logout? Logout from all Service Providers"  User: Yes
– IdP sends a logout request to each SP*
– SP processes the logout and returns a single logout response; single logout confirmed at the IdP
The IdP can offer to logout the user from all sessions that were authenticated by this IdP.
* Only in the SOAP/HTTP-based single logout profile
** With the HTTP Redirect and HTTP GET profiles the user agent contacts each SP directly
Single Logout
Can be initiated at either the IdP or SP
Available profiles
– HTTP-Based
• For IdP-initiated: HTTP-Redirect or HTTP GET
• For SP-initiated: HTTP-Redirect
– SOAP/HTTP-based
IdP-initiated Single Logout
SOAP/HTTP-based
Federation Termination Notification
Defederation
Can be initiated at either the IdP or SP
Available profiles
– HTTP-Redirect-Based
– SOAP/HTTP-based
IdP-initiated Federation Termination Notification
HTTP-Redirect
IdP-initiated Federation Termination Notification
SOAP/HTTP-based
Static Conformance
Requirements
SCR (ID-FF 1.1) describes four profiles
and the specific features (required or
optional) for each profile
– IDP
– SP Basic
– SP Complete
– LECP
Static Conformance
Requirements
Feature                                                               IDP       SP Basic  SP Complete  LECP
Single Sign-On using Artifact Profile                                 MUST      MUST      MUST         –
Single Sign-On using Browser POST Profile                             MUST      MUST      MUST         –
Single Sign-On using LECP Profile                                     MUST      MUST      MUST         MUST
Register Name Identifier (IdP Initiated) - HTTP Redirect              OPTIONAL  MUST      MUST         –
Register Name Identifier (IdP Initiated) - SOAP/HTTP                  OPTIONAL  OPTIONAL  MUST         –
Register Name Identifier (SP Initiated) - HTTP Redirect               MUST      MUST      MUST         –
Register Name Identifier (SP Initiated) - SOAP/HTTP                   MUST      OPTIONAL  MUST         –
Federation Termination Notification (IdP Initiated) - HTTP Redirect   MUST      MUST      MUST         –
Federation Termination Notification (IdP Initiated) - SOAP/HTTP       MUST      OPTIONAL  MUST         –
Federation Termination Notification (SP Initiated) - HTTP Redirect    MUST      MUST      MUST         –
Federation Termination Notification (SP Initiated) - SOAP/HTTP        MUST      OPTIONAL  MUST         –
Single Logout (IdP Initiated) - HTTP Redirect                         MUST      MUST      MUST         –
Single Logout (IdP Initiated) - HTTP GET                              MUST      MUST      MUST         –
Single Logout (IdP Initiated) - SOAP                                  MUST      OPTIONAL  MUST         –
Single Logout (SP Initiated) - HTTP Redirect                          MUST      MUST      MUST         –
Single Logout (SP Initiated) - SOAP                                   MUST      OPTIONAL  MUST         –
Identity Provider Introduction                                        MUST      OPTIONAL  OPTIONAL     –
(– = no entry in the original table for that profile)
Interoperability Validation
• A vendor becomes eligible to be
licensed to use the “Liberty
Interoperable” Logo by asserting
compliance against one or more Liberty
Alliance SCR conformance profiles and
then participating in a Liberty Alliance
InterOp event to validate the
assertion(s).
Security Mechanisms
Channel Security
– SPs authenticate IdPs using IdP server-side certificates
– Mutual authorization: SPs configured with a list of authorized IdPs and IdPs configured with a list of authorized SPs
– Before the user presents personal authentication data to the IdP, the authenticated identity of the IdP must be presented to the user
Message Security
– Digital signatures should use key pairs distinct from those used for TLS and SSL, also suitable for long-term use
– Requests protected against replay, and responses checked for correct correspondence with issued requests
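The checks an assertion consumer at the SP should apply, combining the fields from the "Authentication Assertion (SAML)" slide with the message-security rules above: a configured list of authorized IdPs, correspondence of the response with a request this SP actually issued, and replay rejection. This is an added example, not the tutorial's or any Liberty implementation's code. XML parsing and XML-DSig verification are assumed to have happened already and are represented by the signature_valid flag; all identifiers and times are constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ValidationError(Exception):
    pass


@dataclass
class AuthnAssertion:
    """The assertion fields listed on the slide, as seen after XML parsing."""
    assertion_id: str
    issuer: str                   # IdP providerID
    issue_instant: datetime
    not_before: datetime          # validity time limit, lower bound
    not_on_or_after: datetime     # validity time limit, upper bound
    audiences: list               # AudienceRestrictionCondition
    in_response_to: str           # ID of the AuthnRequest this answers
    authn_method: str
    authn_instant: datetime
    name_identifier: str          # IdP pseudonym for this user at this SP
    signature_valid: bool         # outcome of XML-DSig verification, done beforehand
    sp_name_identifier: str = ""  # optional SP pseudonym


@dataclass
class AssertionConsumer:
    my_provider_id: str
    trusted_idps: set                                  # configured list of authorized IdPs
    clock_skew: timedelta = timedelta(minutes=2)
    outstanding: dict = field(default_factory=dict)    # request ID -> IdP it was sent to
    seen_ids: set = field(default_factory=set)         # assertion IDs already accepted

    def issue_request(self, idp_provider_id):
        """Mint an unguessable AuthnRequest ID and remember which IdP received it."""
        rid = "req-" + secrets.token_hex(16)
        self.outstanding[rid] = idp_provider_id
        return rid

    def validate(self, a, now=None):
        """Accept the assertion and return the user's handle, or raise ValidationError.
        Nothing is consumed until every check has passed."""
        now = now or datetime.now(timezone.utc)
        skew = self.clock_skew
        if not a.signature_valid:
            raise ValidationError("signature invalid")
        if a.issuer not in self.trusted_idps:
            raise ValidationError("issuer is not an authorized IdP")
        # correspondence with an issued request: rejects unsolicited and replayed responses
        if a.in_response_to not in self.outstanding:
            raise ValidationError("no outstanding request with this ID")
        if self.outstanding[a.in_response_to] != a.issuer:
            raise ValidationError("answered by an IdP other than the one asked")
        if a.assertion_id in self.seen_ids:
            raise ValidationError("assertion replayed")
        if a.issue_instant > now + skew:
            raise ValidationError("issued in the future")
        if now + skew < a.not_before or now - skew >= a.not_on_or_after:
            raise ValidationError("outside validity window")
        if self.my_provider_id not in a.audiences:
            raise ValidationError("assertion not addressed to this SP")
        del self.outstanding[a.in_response_to]   # request ID is single-use
        self.seen_ids.add(a.assertion_id)
        return a.name_identifier
```

The seen_ids set only needs to hold IDs until their not_on_or_after has passed; the validity window bounds its size, which is one practical reason assertions carry a short lifetime.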
Authentication Context
Not all SAML assertions 'are created equally'
– Different Authorities will issue SAML assertions of different
quality
How will a consumer of these assertions
discriminate?
Authentication Context is the information extra to the
SAML assertion itself that describes:
– Identification, e.g. Physical verification
– Physical Protection, e.g. Private Key in hardware
– Operational Protection, e.g. N of M controls
– Authentication Mechanisms e.g. Smartcard with PIN
Gives a consumer of a SAML assertion the
information they need in order to determine how
much assurance to place in the assertion
Authentication Context
Liberty defined an XML Schema by which the
Authority can assert the context of the SAML
assertions it issues
Liberty also defined Authentication Context
'classes', patterns against which an IdP can
claim conformance
Classes are designed to be representative of
today's (and future) authentication
technologies, for instance:
– Password over SSL
– Smartcard
– Pre-paid Mobile Login
– Biometric
Authentication Context
SPs have a means to say:
– I require that the User be authenticated with:
• 'Smart card with private key',
• 'Password or better',
• 'Any mechanism, you decide, I trust your opinion'
– The assertion you previously sent is insufficient for my current transaction, authenticate the user again
IDPs have a means to indicate to the SP the specific details, e.g.:
– Password policy requires 8 characters minimum
– The User was physically present at registration
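Added example (mine, not from the tutorial or the specification) of how an SP and an IdP could act on a requested authentication context. The class URIs use the urn:liberty:ac:classes: prefix from the Liberty Authentication Context specification; the numeric ranking is local policy, which the specification leaves to the deployment, and the comparison keywords (exact, minimum, better, maximum) follow the AuthnContextComparison values of ID-FF 1.2 as I read them.

```python
AC = "urn:liberty:ac:classes:"

# Local policy: how strong this deployment considers each class. Any class not
# listed here is unknown to the SP and therefore never satisfies a request.
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,
    AC + "Smartcard": 4,
    AC + "SmartcardPKI": 5,
}


def _rank(cls):
    if cls not in STRENGTH:
        raise ValueError("unknown authentication context class: " + cls)
    return STRENGTH[cls]


def satisfies(asserted, requested, comparison="exact"):
    """SP side: does the class the IdP asserted meet the RequestAuthnContext?
    requested: the AuthnContextClassRef list the SP sent;
    comparison: the AuthnContextComparison value (exact|minimum|better|maximum)."""
    if asserted not in STRENGTH:
        return False                       # unknown class: no basis for assurance
    ranks = [_rank(r) for r in requested]
    got = STRENGTH[asserted]
    if comparison == "exact":              # 'smart card with private key'
        return asserted in requested
    if comparison == "minimum":            # 'password or better'
        return got >= min(ranks)
    if comparison == "better":             # strictly stronger than anything listed
        return got > max(ranks)
    if comparison == "maximum":            # as strong as possible, but not above the strongest listed
        return got <= max(ranks)
    raise ValueError("unknown comparison: " + comparison)


def idp_decision(session_class, requested, comparison="exact", force_authn=False):
    """IdP side: reuse the existing session or re-authenticate the user?
    session_class is None when the user has no session at the IdP; force_authn
    is the SP saying the earlier assertion is insufficient for this transaction.
    Returns ('reuse', class) or ('authenticate', strongest requested class)."""
    if session_class is not None and not force_authn and satisfies(session_class, requested, comparison):
        return ("reuse", session_class)
    return ("authenticate", max(requested, key=_rank))
```

An 'any mechanism, you decide' request is simply an empty RequestAuthnContext; the SP then reads the class from the assertion and decides locally what to allow, which is why STRENGTH is kept as a policy table rather than hard-coded into the comparison.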
Phase 2 - Basic Flow
Entities: User, SP, IDP, Disco (Discovery Service), AP (Attribute Provider), IS (Interaction Service)
– In many cases the IdP and Disco are co-located, i.e., Disco is part of the IdP
– In this scenario IS is provided with the redirect profile and thus, strictly speaking, IS is not a separate entity, i.e., IS is one of the functions of the AP
Sequence:
– User performs Single Sign-On and accesses the SP site
– SP asks "Shipping address?"; user answers "Use my personal profile"
– SP asks Disco "Where is the attribute provider?"; Disco answers "Use this attribute provider"
– SP asks AP "Give me attributes"; AP checks permission and, finding none, asks the SP to redirect the user agent to the AP URL
– SP redirects the user agent to the AP URL; the user agent does an HTTP GET to the AP URL
– AP (IS) requests permission; the user gives permission; AP saves the permission
– AP redirects the user agent back to the SP; the user agent does an HTTP GET at the SP
– SP asks AP again "Give me attributes"; AP checks permission and provides the attributes
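Added example (mine, not from the ID-WSF specifications) of the permission check at the attribute provider in the flow above: no attribute is released until the principal has recorded a decision for that (principal, requester, attribute) triple, and a missing decision is answered with a redirect to the interaction service rather than with data. Authentication of the requesting SP, which ID-WSF's security mechanisms provide, is assumed to have happened before query() is called; the URLs and profile data are constructed.

```python
from urllib.parse import urlencode


class AttributeProvider:
    """Constructed model of a Phase 2 attribute provider (e.g. an ID-Personal Profile
    service) whose attribute release is gated on the principal's recorded permission."""

    def __init__(self, interaction_url):
        self.interaction_url = interaction_url   # assumed endpoint of the redirect-profile IS
        self.profiles = {}                       # principal -> {attribute: value}
        self.permissions = {}                    # (principal, requester, attribute) -> bool

    def load_profile(self, principal, attributes):
        self.profiles[principal] = dict(attributes)

    def query(self, principal, requester, attributes, return_url):
        """'Give me attributes' from an already authenticated requester (the SP)."""
        undecided = [a for a in attributes if (principal, requester, a) not in self.permissions]
        if undecided:
            # No stored decision: send the user agent to the interaction service.
            # The requester and the attributes in question are shown to the user there.
            params = {"requester": requester, "attrs": ",".join(undecided), "return": return_url}
            return {"status": "interaction_required",
                    "redirect": self.interaction_url + "?" + urlencode(params)}
        profile = self.profiles.get(principal, {})
        granted = {a: profile[a] for a in attributes
                   if self.permissions[(principal, requester, a)] and a in profile}
        denied = [a for a in attributes if not self.permissions[(principal, requester, a)]]
        return {"status": "ok", "attributes": granted, "denied": denied}

    def record_decision(self, principal, requester, decisions):
        """'Give permission' / 'save permission': decisions maps attribute -> bool.
        Refusals are stored too, so the SP is not bounced to the IS on every request,
        and a decision is scoped to one requester; other SPs inherit nothing."""
        for attr, allowed in decisions.items():
            self.permissions[(principal, requester, attr)] = bool(allowed)
```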
Security & Privacy Guidelines
ID-WSF Security & Privacy Overview
– An overview of the security and privacy issues in ID-WSF technology; briefly explains the potential security and privacy ramifications of the technology used in ID-WSF
Privacy and Security Best Practices
– Highlights certain national privacy laws, fair
information practices and implementation
guidance for organizations using the
Liberty Alliance specifications.
Business Guidelines
Federated Identity cannot be successful
based on technology alone
Address business issues that need to be
considered when implementing circles of trust
and enabling federated network identity
– Mutual confidence
– Risk
– Liability
– Compliance
Application: Mobile Deployments Guideline
Liberty-enabled products & services
Communicator (available)
Computer Associates (Q4* 2003)
DataKey (available)
DigiGan (Q3* 2003)
Ericsson (Q4 2003)
Entrust (Q1 2004)
France Telecom (Q4 2003)
Fujitsu Invia (available)
Gemplus (TBD)
HP (available)
July Systems (available)
Netegrity (2004)
NeuStar (available)
Nokia (2004)
Novell (available)
NTT (TBD)
NTT Software (available)
Oblix (2004)
PeopleSoft (available)
Phaos Technology (available)
Ping Identity (available)
PostX (available)
RSA (Q2 2004)
Salesforce.com (TBD)
Sigaba (available)
Sun Microsystems (available)
Trustgenix (available)
Ubisecure (available)
Verisign (Q4*)
Vodafone (2004)
WaveSet (available)
*Delivery dates being confirmed
For more information…
WWW.PROJECTLIBERTY.ORG