Case Study: Bluewin Implements Liberty Alliance Specifications for Single Sign-On


Company

With approximately 2 million customers, Bluewin (www.bluwin.ch) is the largest Internet service provider in Switzerland and a fully owned subsidiary of the telecommunications company SwissCom. Bluewin is among the first Internet service providers to implement a Liberty-enabled solution. The company provides a range of services geared at both consumers and businesses.

Application

B2C

Challenge

Bluewin sought to simplify single sign-on and eliminate the need for users to input multiple pieces of information in order to enter password protected sites. They also wanted to enhance security and improve access to third-party services.

In order to meet these goals, the challenges extended to areas including managing user identity in a distributed environment, insuring user integrity, enabling federation between different legal and organizational entities, as well as making access to online services as user-friendly as possible.

Solution

Bluewin implemented the Liberty Alliance Identity Federation specifications. In this new environment, Bluewin functions as the identity and attribute provider for a Swiss Circle of Trust. This means that once a Bluewin user has been authenticated by a circle of trust identity provider, that individual can easily be recognized by other service providers within the circle.

The first service provider in the circle of trust is the Swisscom Micropayment service. Other service providers, including the famed online chocolate shop Sprungli (www.spruengli.ch), will soon follow suit.

Bluewin has implemented the identity provider functionality in an internal development project based on the Open Source Framework Source ID. Bluewin is also collaborating with different IT integrators to enable a circle of trust with several participating service providers. This way, Bluewin will be able to offer single sign-on for multiple Swiss sites and will store attributes only once.

The Bluewin identity provider supports Liberty's Identity Federation Framework specifications. Attribute sharing will be enabled in the next phase of development.


Case Study: Pay By Touch Leaves Its Fingerprints on SAML 2.0

Introduction

Supermarkets like Piggly Wiggly, Food Lion and Scotts let customers check out using fingerprints and biometric technology. In Midland, Texas, West Texas National Bank uses biometrics to speed up check cashing. Citibank Singapore now offers biometrics options as part of their platinum credit card product suite.

These are just a few of the many organizations that are deploying biometrics solutions developed by Pay By Touch, a technology and payments company headquartered in San Francisco.

But by far, the most exciting Pay By Touch application is around federation and how Pay By Touch is enabling individuals to authenticate themselves online and begin federating with SAML-enabled partners. Pay By Touch's federation product is called TrueMe and it is poised to dramatically improve identity security on the Web.

"50 years ago, credit cards were considered taboo. 30 years ago, nobody thought ATMs would catch on. 15 years ago, only researchers used the Internet. Biometrics' time has arrived."
Bill Townsend, executive vice president, Pay By Touch

How TrueMe Works

Biometrics refers to the automatic identification of a person based on his/her physiological or behavioral characteristics. This method of identification offers several advantages over traditional methods involving ID cards or passwords. A key advantage is the fact that with biometrics, the person to be identified is required to physically present their "biometric" identity (e.g., provide a fingerprint ID) at the point-of-identification.

TrueMe is the first on-demand biometric identity provider service. With TrueMe, a consumer can have all their biometrics information securely encrypted in a hardware device where it is never exposed to the consumer's PC. In this framework, this identity information becomes the authentication mechanism into the identity provider. When the consumer wishes to authenticate his/her identity online, the consumer simply swipes his/her finger image across a TrueMe-certified biometric finger sensor that is either built into the computer or attached to it via a USB cable. Then via SAML 2.0, the identity provider is able to federate TrueMe accounts the consumer might need to access on the Internet.

With TrueMe, the need to remember, maintain and type in passwords is eliminated. And, because a finger-based identifier is truly unique, it is more secure than other authenticators such as signatures, PINs, and even photos.

"The ability to separate out authentication and biometrics from the resources that you access on the Internet is very important to people today," said Thomas Hintz, the chief architect at Pay By Touch. "People may have 20 or 30 different passwords and a lot of times, they use the same password and if one password is breached it could be used to access their other accounts. It's a house of cards and the only way to mitigate this is through standards."

Focusing on SAML from day one was also an important element to the project. "We've looked at open ID. We've looked at Microsoft CardSpace and you know, on our roadmap, we do plan to adopt as many of them as are viable, but we chose SAML as the first one because of the maturity of the products in that space," said Hintz.

The use of standards has been key to facilitating this maturity. Liberty Alliance's standards like SAML 2.0--which are based on well-defined marketplace requirements--have strong marketplace momentum, as evidenced by the broad range of vendors who have committed to implementing the standards and the number of deployer RFPs that mandate them.

"The use of standards is a key step in fostering interoperability, facilitating industry growth and limiting proprietary implementations," said Britta Glade, the chair of the Liberty Alliance identity theft special interest group and Liberty's director of marketing. "Using standards is a way of making your bet 'safe.' PayByTouch is smart to recognize there are multiple specs out there, and to have a long-term plan to support them, but starting with what's proven and mature helps insure deployment speed and adoption."

TrueMe Pilot Takes Off

TrueMe was initially piloted by Pay By Touch's sales team to access their Salesforce.com application via biometrics. Instead of logging in with their user names and passwords, they simply swipe their fingers.

In addition to the Salesforce.com interface, Pay By Touch has a "live" partnership with Oracle and WebEx. At WebEx, Pay By Touch is building an interface to biometrically logon to WebEx and WebEx-based supported applications. "We're also having in-depth discussions with every major PC OEM provider because more and more they are enabling their laptops and desktops to have biometric readers. Obviously, they want to create value for those products which our federated model provides," said Keith Towne, Pay By Touch's vice president of business development. "But where we see the greatest potential for growth is in online access for things such as e-commerce, banking, e-mail, ISP login, and subscription services."

Currently, Pay By Touch is in discussions with four U.S. banks and a major international bank to roll out TrueMe. Beginning with employees and cash management customers, then expanding to customers, the banks hope to counteract what Gartner research uncovered, which is that 57% of consumers who have lowered their online activity, and 43% of Internet banking customers, have done so because of increased security-related concerns (source: Gartner, August 2006).

TrueMe is also part of Oracle's Extended Identity Management Ecosystem and Reference Architecture, a program that makes it easier for organizations to unify siloed security technologies into a comprehensive, standards-based identity management framework. With TrueMe, users can access Oracle database applications and the suite of Oracle products via Pay By Touch. This interface is up and running today and is an available product.

TrueMe ID: How it Works

1. The user navigates to a Web site that accepts TrueMe.
2. The Web site presents an i-frame that sends a signed SAML AuthnRequest to Pay By Touch. (A second version of this sidebar, drawn for the banking pilot, has the bank website redirect the user's browser to Pay By Touch with the signed SAML AuthnRequest.)
3. A secure tunnel is established between the user's biometric sensor and Pay By Touch.
4. The user's template is extracted and encrypted on the biometric device and securely transmitted to Pay By Touch.
5. Pay By Touch verifies the device key and the user's template, providing minimum two-factor identification.
6. The user's acceptance is redirected to the website with a signed SAML AuthnResponse.
7. The Web site verifies the AuthnResponse and logs the user in, never having to reveal the customer's username or password to Pay By Touch or through the browser.
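The seven steps above, and the Bluewin circle-of-trust arrangement described in the Solution section earlier on this page, are both instances of the standard SAML 2.0 web SSO exchange: the service provider issues a signed AuthnRequest, the identity provider authenticates the user and returns a signed response, and the service provider accepts the assertion without ever seeing a username or password. The Python below is an added example written for this page; it is not Pay By Touch's or Bluewin's code and does not produce real SAML XML. HMAC-SHA256 over a pre-shared key stands in for XML-DSig, plain function calls stand in for the browser hops, and the entity IDs, keys and fingerprint template are all constructed. What it demonstrates is what step 7's "verifies the AuthnResponse" has to cover before the site logs anyone in: signature, status, destination and audience, an InResponseTo that matches an outstanding request, the validity window, and one-time use of each assertion.

```python
"""Toy model of the TrueMe ID exchange between a web site (SAML service
provider / relying party) and a biometric identity provider.

Constructed example, not Pay By Touch or Bluewin code. Real SAML 2.0 carries
XML messages with XML-DSig signatures over the HTTP Redirect/POST bindings;
here a JSON body signed with HMAC-SHA256 over a pre-shared key stands in for
the signature. Entity IDs, keys and the fingerprint template are made up.
"""
import hashlib
import hmac
import json
import secrets
import time

# Assumed pre-shared signing keys (constructed; a real deployment exchanges X.509 metadata).
SP_KEY = b"sp-signing-key-demo"
IDP_KEY = b"idp-signing-key-demo"


def sign(key, body):
    """Attach an HMAC over the canonical (sorted-key) JSON encoding of body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(key, msg):
    payload = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"])


class ServiceProvider:
    """The web site that accepts TrueMe (steps 1, 2 and 7 of the flow)."""

    def __init__(self, entity_id, idp_key, now=time.time):
        self.entity_id, self.idp_key, self.now = entity_id, idp_key, now
        self.pending = {}             # outstanding AuthnRequest IDs -> issue time
        self.used_assertions = set()  # assertion IDs already consumed

    def build_authn_request(self, idp_entity_id):
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = self.now()
        return sign(SP_KEY, {"type": "AuthnRequest", "ID": req_id, "Issuer": self.entity_id,
                             "Destination": idp_entity_id, "IssueInstant": self.now()})

    def consume_response(self, resp):
        """Step 7: return the federated subject, or raise ValueError on any failed check."""
        if not verify(self.idp_key, resp):
            raise ValueError("bad signature")
        b = resp["body"]
        if b.get("type") != "Response" or b.get("Status") != "Success":
            raise ValueError("not a successful response")
        if b.get("Destination") != self.entity_id or b.get("Audience") != self.entity_id:
            raise ValueError("response not addressed to this service provider")
        if b.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or replayed response")
        if self.now() >= b.get("NotOnOrAfter", 0):
            raise ValueError("assertion expired")
        if b.get("AssertionID") in self.used_assertions:
            raise ValueError("assertion already used")
        del self.pending[b["InResponseTo"]]
        self.used_assertions.add(b["AssertionID"])
        return b["Subject"]  # an opaque federated identifier; no username or password changes hands


class IdentityProvider:
    """Asserting party modeled on TrueMe (steps 3 to 6). It sees only the device key
    and the template, never the site-side credentials."""

    def __init__(self, entity_id, sp_keys, enrolled, now=time.time):
        self.entity_id, self.sp_keys, self.enrolled, self.now = entity_id, sp_keys, enrolled, now

    def handle(self, req, device_key, template):
        b = req["body"]
        sp_key = self.sp_keys.get(b.get("Issuer"))
        if sp_key is None or not verify(sp_key, req) or b.get("Destination") != self.entity_id:
            raise ValueError("rejected AuthnRequest")
        # Step 5: device key plus template gives two factors; a digest of the template
        # stands in for the enrolled biometric record.
        subject = self.enrolled.get((device_key, hashlib.sha256(template).hexdigest()))
        if subject is None:
            raise ValueError("biometric verification failed")
        return sign(IDP_KEY, {"type": "Response", "Status": "Success", "Issuer": self.entity_id,
                              "InResponseTo": b["ID"], "Destination": b["Issuer"],
                              "Audience": b["Issuer"], "AssertionID": "_" + secrets.token_hex(16),
                              "Subject": subject, "NotOnOrAfter": self.now() + 300})


def demo():
    """Happy path, then three things the site must reject: a replayed response,
    a tampered response, and an unenrolled device. Returns the outcomes."""
    template = b"constructed-fingerprint-template"
    enrolled = {("device-key-001", hashlib.sha256(template).hexdigest()): "fed-user-42"}
    sp = ServiceProvider("https://shop.example", IDP_KEY)
    idp = IdentityProvider("https://idp.example", {"https://shop.example": SP_KEY}, enrolled)

    resp = idp.handle(sp.build_authn_request("https://idp.example"), "device-key-001", template)
    out = {"subject": sp.consume_response(resp)}

    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    out["replay_rejected"] = rejected(lambda: sp.consume_response(resp))
    tampered = idp.handle(sp.build_authn_request("https://idp.example"), "device-key-001", template)
    tampered["body"]["Subject"] = "fed-user-99"
    out["tamper_rejected"] = rejected(lambda: sp.consume_response(tampered))
    out["wrong_device_rejected"] = rejected(
        lambda: idp.handle(sp.build_authn_request("https://idp.example"), "device-key-999", template))
    return out


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four outcomes. The checks in consume_response are what separate a genuine login from a replayed or altered response; a production service provider additionally validates the identity provider's certificate chain and allows for clock skew on the validity window, both of which this toy omits.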

         Benefits to Service Providers
 Case Study: provider benefits are considerable. TrueMe is
      The Service                                                                                                                “66 percent of consumers worldwide
                    dealing with government and private organizations that need                                                 also favored biometrics as the ideal
     to verify age online – for purchase of age Alliance
 Bluewin Implements Liberty restricted items or                                                                                 method to combat fraud and identity

     block criminals and predators from Sign-On
 Specifications for Single joining.
     services. It can help online communities like social networks
                                                                                                                                theft as compared to other methods
                                                                                                                                such as smart cards and tokens”
          On the e-commerce side, payments are faster via a secure                                                                       Unisys Study, April 26, 2006
          “one-swipe” checkout feature. Pay By Touch is currently
   Companyworking to match their biometrically accessed electronic
                                                                                                                                “Technology also can substantially
           approximately can contain checking and
     With wallet, which 2 million customers, Bluewin credit account
     (www.bluwin.ch) is health insurance accounts, and loyalty
          information, the largest Internet service provider                                                                    improve the authentication process
                                                                                                                                by, for example, the use of biometrics
       Biometric SSO: Tools of the Trade
     in Switzerland and a fully more than 2,800of the locations with the
          accounts, used at owned subsidiary retail
          TrueMe service, thereby allowing
     telecommunications company SwissCom. online retailers to process                                                           to authenticate the consumer’s
          payments over the Internet service providers
     Bluewin is among the first lower cost automated clearing house
      • Identity Provider Infrastructure The company                                                                            identity, making it less likely that a
          network as opposed to solution.
     to implement a Liberty-enabledhigh interchange rates charged by
         >the credit card associations.
     provides a range 2.0 services geared at both consumers
           OASIS SAML of                                                                                                        criminal can gain access to another’s
     and> Liberty Phase II
          businesses.                                                                                                           account.”
           JAAS (Java Pay By Touch’s retail experience over the past few
         >Based on Authentication & Authorization Service)
                                                                                                                                     President’s ID Theft Task Force,
           LDAP v3
         >years, fraud and identity theft is virtually non-existent when
   Application                                                                                                                              Interim Recommendations,
           JSR-196 (Authentication Provider for Web Services)
         >biometrics are deployed, because, quite simply, crooks don’t
     B2C
 Biometric SSO: Bio AuthN Provider
      • Biometricgive their fingerprints during the commission of a
          want to Authentication Infrastructure                                                                                                 September 19th, 2006
           JAAS
   Challenge LoginModule
         >crime.

 Strategy> OASIS SAML 2.0
     Bluewin sought to simplify single sign-on and
 UsingBiometric Single Sign-on: Bio AuthN Provider Strategy
       a > OASIS compliant Biometric Authentication Provider
         SAML SPML 2.0 Adapter                                                                                                  “Given the foregoing analysis,
           eliminate the need for users to input multiple pieces of                                   J2EE
                                                                                                      Applications              Endpoint predicts that fingerprint
            • Identity in order to enter password protected sites.
           information Provisioning Infrastructure
           They also wanted2.0 enhance security and improve
                                                                                                                                readers will proliferate widely, and
               > OASIS SPML to
           access to third-party1.1
               > OASIS WS-BPEL services.                                                                                        shipments of embedded readers in
                                                                                       Issue SAML
                                    RequestSAML compliant                                Assertion                              notebooks and desktops, which are
                                    Access*Biometric AuthN
           In order to meet these goals, the challenges                                               Databases
      Biometrics Consortium 2006
                                             Middleware
                                                                                                                           19   expected to hit 15 million in 2006, will
           extended to areas including managing user identity
           in Biometrics
               a distributed environment, insuring user integrity,
                                                  Perform                                                                       reach 228 million in 2011.”
                                                                                                       Directories
                                               Authentication
           enabling federation between different legal and
           Single/Multi-modal                  & Issue SAML                                                                      Roger L. Kay, Endpoint Technologies
                                                 Assertion
           organizational entities, as well as making access to                                                                     Associates, “The Visible Face of PC
           online services as user-friendly as possible.                                             Enterprise                                          Security”-2006
                                                                                                     Applications *

                                                    [SAML Asserting                            [SAML Relying
       Biometric SSO: Identity Provider
     Solution
Biometrics Consortium 2006
                                    Authority]         Authorities]
                                                                                 A study of U.S. online adults found
                                                                                 that biometrics was the most popular
                                                                                                                      21


       Strategy Singlethe Liberty Alliance Identity Strategy has implemented the identity provider based
        Bluewin implemented Sign-on: Identity Provider
          Biometric compliant Identity Provider
       Using a SAML
                                                               Bluewin
                                                                                 strong authentication method, she
                                                                                                      J2EE
                                                               functionality in an internal development project
           Federation specifications. In this new environment,                                         Applications
           Bluewin functions as the identity and attribute provider                                      on Open Source said. When asked which method they
                                                                                                                            Framework Source ID. Bluewin is also
           for a Swiss Circle of Trust. This means that once a Bluewin
                                                                                                                           would prefer if they had to choose
                                                                                                         collaborating with different IT integrators to enable a
           user has been authenticated by a circle of trust identity       Issue SAML                                      something besides service providers.
                                                                                                         circle of trust with several participatinga password,
                                Request
           provider, that individual can easily be Compliant
                                                 SAML
                                                         recognized byAssertion                          This way, Bluewin will be able to offer single sign-on for
                                Access                                        other
                                                                                                      Databases            30.7% of respondents selected
                     SSO including Biometrics
 Multi-factorJava System Access Manager and BiObex
                                          Identity Provider Infrastructure                               multiple Swiss sites and will store attributes only once.
           service providers within the circle.
                                                                                                                                biometrics, while 18.1% chose a
 Case study with Sun
               Biometrics
                                                 Perform
                                              Authentication                                           Directories       keyfob that plugs into a computer’s
                                                                                                          The Bluewin identity provider supports Liberty’s Identity
           The first service provider in the circle of trust is the
           Single/Multi-modal                       [SAML Asserting                          [SAML Relying
                                                                                                       Federation Frameworkport and 18% chose a smartwill
           Swisscom Micropayment service. Other AuthN
                                            Biometric
                                                        service providers                                              USB specifications. Attribute sharing card
                                                       Authority]
                                               Middleware                                      Authority] enabled in the next phase of development.
                                                                                                       be
           including the famed online chocolate shop, Sprungli,                                                                 and reader.
           (www.spruengli.ch) will soonSun Java System Access Manager
                                        follow suit.                                                 Enterprise
                                                                                                     Applications *                    Gartner Survey, August 2006
   Multi-modal Biometrics
                                                     [SAML Asserting
                                                                  Authentication                        Relying
                                                                                               [SAML Desktops*
                                                                                            SAML

                                                            Authority]
                                                Single Sign-on
                                                                   Authorization                   Authorities]
                                                                                            Assertion *

      Biometrics Consortium 2006                                      Policies
                                                                                                     Databases /
                                                                                                                           20
                                              Multi-Domain SSO
                                                                                                     Directories
                                    SSL                          User/Role Pr ofiles
                                                Federated SSO

                                                                    Audit Logs
            Smartcard
         The Perfect Storm for Biometrics
            Study:
       CaseThe time is right for biometrics.      There’s consumer demand for faster and more secure payment and identity.
       Bluewin Implements Liberty Alliance
               Worry over identity theft is at an all time high. Technology like TrueMe exists to make what was once totally
               futuristic now entirely possible. And, what’s more the standards are in place—to enable widespread adoption.
       Specifications for Single Sign-On
About Pay By Touch

San Francisco-based Pay By Touch (www.paybytouch.com) develops biometric authentication, personalized marketing and payment solutions. To date, patented Pay By Touch™ biometric services enable over 4 million shoppers in the U.S., Asia and Europe to quickly and securely use a finger scan to access personalized offers, make purchases, and cash checks at more than 2,600 locations nationwide. The company also provides robust payment processing solutions for ACH (electronic checking), card-present and card-not-present debit and credit transactions. Over 60 issued and 175+ pending patents worldwide cover biometrically authenticated financial, membership or loyalty transactions and/or age verification.
Challenge

Bluewin sought to simplify single sign-on and eliminate the need for users to input multiple pieces of information in order to enter password-protected sites. They also wanted to enhance security and improve access to third-party services.

In order to meet these goals, the challenges extended to areas including managing user identity in a distributed environment, ensuring user integrity, enabling federation between different legal and organizational entities, as well as making access to online services as user-friendly as possible.

About Liberty Alliance

Liberty Alliance is the only global identity organization with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trusted Internet by addressing the technology, business and privacy aspects of digital identity management. The Liberty Alliance Management Board consists of representatives from AOL, Ericsson, Fidelity Investments, France Telecom, HP, Intel, Novell, NTT, Oracle, and Sun Microsystems. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty Federation (SAML 2.0), Liberty Web Services, OpenID and WS-* identity specifications.

Solution

Bluewin implemented the Liberty Alliance Identity Federation specifications. In this new environment, Bluewin functions as the identity and attribute provider for a Swiss Circle of Trust. This means that once a Bluewin user has been authenticated by a circle-of-trust identity provider, that individual can easily be recognized by other service providers within the circle.

Bluewin has implemented the identity provider functionality in an internal development project based on the open source framework SourceID. Bluewin is also collaborating with different IT integrators to enable a circle of trust with several participating service providers. This way, Bluewin will be able to offer single sign-on for multiple Swiss sites and will store attributes only once. The Bluewin identity provider supports Liberty's Identity Federation Framework specifications. Attribute sharing will be enabled in the next phase of development.

The first service provider in the circle of trust is the Swisscom Micropayment service. Other service providers, including the famed online chocolate shop Sprungli (www.spruengli.ch), will soon follow suit.
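In the circle-of-trust model described above, each service provider must accept only assertions that its trusted identity provider issued for it, and only while they are valid. The Python below is an added example, not Bluewin's or SourceID's code: it parses a constructed SAML 2.0 assertion and applies the issuer, audience and time-window checks a relying party performs after verifying the response signature; the issuer and audience URLs are placeholders.

```python
"""Relying-party checks on a SAML 2.0 assertion inside a circle of trust."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer and audience are placeholder URLs,
# not Bluewin's or Swisscom's real endpoints.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example-circle.test/</saml:Issuer>
  <saml:Subject><saml:NameID>user-7</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://micropayment.example-sp.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_IDPS = {"https://idp.example-circle.test/"}      # the circle's IdP(s)
SP_ENTITY_ID = "https://micropayment.example-sp.test/"   # this relying party

def _ts(value: str) -> datetime:
    """Parse the UTC xs:dateTime form SAML uses (trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuers, my_entity_id, now):
    """Return the list of policy violations; an empty list means accept.
    Assumes the enclosing Response's XML signature was already verified
    against the certificate in the IdP's metadata; these checks stop a
    genuine assertion from being replayed at the wrong SP or after expiry.
    """
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        problems.append(f"issuer not in circle of trust: {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions element"]
    if "NotBefore" in cond.attrib and now < _ts(cond.attrib["NotBefore"]):
        problems.append("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.attrib["NotOnOrAfter"]):
        problems.append("assertion expired")
    audiences = [(a.text or "").strip()
                 for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        problems.append("assertion not addressed to this service provider")
    return problems
```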

								
To top