Current State of Federated Identity
Gerry Gebel, VP & Service Director – IdPS
ggebel@burtongroup.com
www.burtongroup.com

OASIS Open Standards Forum 2008, Friday, 3 October 2008

All Contents © 2008 Burton Group. All rights reserved.

A Few Points to Ponder
• State of federation is strong – but the game is changing
• Business models are driving up demand for federation technology – and forcing still other changes
• Federation and SSO services – an emerging trend to watch

After this presentation, you will…
• … stop federating
  • Because business people don’t know what you are talking about
• … realize that protocols do not equal a business process
  • You need services and capabilities, in addition to protocols and technologies
• … discover that the Internet doesn’t need an identity layer
  • Rather, it needs a relationship layer!

Business Trends Drive IT Trends
Same as it ever was
• Global economy and cost-effective communications are driving fundamental change to the business environment
• The more global things get, the more pressure to decompose big orgs
• Need to integrate business process across many boundaries
• Must interoperate, connect with security and low friction

Business Trends Drive IT Trends
What a difference a year (and a financial crisis) makes
• Do more with less, or do less with less
• Plate tectonics: business transformation and IT transformation collide
• SaaS gaining favor . . . the times they are a-changing
• Outsource, offshore, buy it as a service

The Expanding Identity Universe
Dynamics are driving requirements where CIOs have no control
[Figure: the identity universe plotted on three axes: Scale (Small to Large to Massive), Control (Distributed to Centralized) and Focus (Individual to Business). Labelled regions: SMB, SaaS, Deperimeterization, Outsourcing; Current Technologies and Methodologies (the CIO and the budget); Compliance, Privacy; Consumers, Social Networks.]

Where does federation fit in here?
[Figure]

Federation and Distributed Control
[Figure]

Examine the Problem
SSO: internal applications
[Figure: employees and contractors reaching internal applications. Labels: AD/Kerberos, WAM/Federation, Employees, Contractors, Applications, Partners, Partner, SaaS.]

Examine the Problem
SSO: hosted applications
[Figure: the same picture with hosted applications; a “?” appears beside WAM/Federation toward both the Partner and the SaaS application. Labels: AD/Kerberos, WAM/Federation, Employees, Contractors, Applications, Partners, Partner, SaaS.]

Examine the Problem
SSO: external users
[Figure: partners and contractors reaching applications; the authentication path is labelled “AD/Kerberos?”. Other labels: WAM/Federation, Employees, Applications, Partner, SaaS.]

Examine the Problem
SSO: external users
[Figure: the same picture with the path for partners and contractors labelled “Federation?”. Other labels: AD/Kerberos, WAM/Federation, Employees, Applications, Partner, SaaS.]

Examine the Problem
SSO: employee off site
[Figure: off-site employees reaching applications; their path is labelled “AD/Kerberos?”. Other labels: AD/Kerberos, WAM/Federation, Employees, Applications, Partners, Contractors, Partner, SaaS.]

Examine the Problem
SSO: employee off site, hosted applications
[Figure: off-site employees reaching hosted applications; their path is labelled “Federation?”. Other labels: AD/Kerberos, WAM/Federation, Employees, Applications, Partners, Contractors, Partner, SaaS.]

Examine the Problem
SSO: new options
[Figure: a Federation service added between the enterprise and the Partner and SaaS applications. Other labels: AD/Kerberos, WAM/Federation, Employees, Contractors, Applications, Partners.]

Examine the Problem
Why don’t we have SSO?
• Architecture limitations don’t accommodate new application types: Software as a Service
• Product and technology selection process failure
  • Used RFP checklist instead of usage scenario analysis
• Vendor implementations limit your options
  • Kerberos exhibits its weakness when external users are involved
  • Microsoft Office products do not handle HTTP redirects
• New products or technologies may be required
  • Hosted SSO/federation service is one possibility
• New approaches may be required
  • Identity intermediaries can limit inherent friction

Examine the Problem
Maybe it is time to look at the business problem, instead of the technology possibilities
[Figure: the enterprise access infrastructure. Labels: SSL VPN, Partner sites, XML gateways, Federation servers, WAM servers, Applications, App servers, Enterprise AD forest, ESSO, LDAP directory services.]

Too Much Science, Not Enough Art
The “science project”: connectivity is rarely straightforward
[Figure: a ten-step cross-organization SSO flow. Labels: Home authentication, SAML-enabled proxy, SAML assertion, Collaborator, Web SSO token, Web SSO server, Federation product (ADFS), Attribute and group memberships, Mapping info and claims, LDAP directory, Enterprise AD forest, WS-Federation, SID, ADFS agent, SharePoint 2003.]

Growth Rates for Federation
Has anyone spotted the elephant in the federation room?
• > 1,000 connections @ 24 connections / year = 42 years!!
• All right, but what if deployment rate increases?
  • Assume enterprises can deploy 500 connections per year
  • One customer has 34,000 point-of-sale operations
  • = 68 years!!
• And that’s just for SSO
  • No authorization
  • Not hub-to-hub

"How long has THAT been there?"

The Aesthetics of Ubiquity
Your technology might be mediocre if:
• Adding a connection requires a project manager
• Adding a connection requires lab time
• Each connection requires a custom contract
• You have to coordinate your deployment with others
• The solution only works for the latest-and-greatest infrastructure
• Upgrading a server has ripple effects from end-to-end
• It seems reasonable to measure “connections per year”

What about that glass ceiling?
[Figure]

Interoperability
[Figure]
What if there was a similar program for XACML? Just asking…

Federation Marketplace
• Products: BMC, CA, Entrust, Evidian, IBM, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs
• Fed Services: Covisint, FuGen Solutions, Symplified, TriCipher, EduServ
• Edge Federation: Cisco, Forum Sys, IBM, Layer 7, Vordel

Open Source Options
[Figure]

Working on that scalability problem…
[Figure]

Expanding Federations
[Figure]

Federating Federations
[Figure]

SaaS Federations
[Figure]

SSO+ as a Service
[Figure]

Identity Aggregators
• Single point of integration for all Nordic e-ID systems
• Expanding into other regions…

Looking Ahead
What is the impact of:
• User centric identity approaches
  • Of course, this is in name only
  • User centric becomes a reality when business models support it
• OpenID
  • First party identity systems are not very interesting from a business perspective…
• Information Cards
  • Unlike OpenID, info cards have a real security model
  • But the market is not responding
• OSIS, Information Card Foundation, Identity Commons, Higgins, Identity Metasystem Interop TC, etc.
  • Can someone please explain this to me?

In Review
• State of federation is strong – but the game is changing
• Business models are driving up demand for federation technology – and forcing still other changes
• Federation and SSO services – an emerging trend to watch

Current State of Federated Identity
References
• Burton Group’s Identity and Privacy Strategies
  • In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID
  • Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity
  • Business and Legal Issues in Federations
  • Information Card Landscape
  • A Relationship Layer for the Web… and Enterprises, Too