Liberty Alliance Project
Digital Identity Defined

The LIBERTY View of Digital Identity
Jose-Luis Mariz
Liberty Alliance Services Group, Geo-Location team, Chair
Ericsson, Strategic Product Manager, Digital Identity Business Solutions
Liberty and Identity in a Nutshell

The Importance of Identity
• The most basic element in a high-value relationship with customers, employees, citizens or business partners
• Has to be managed with great care to avoid financial losses
  • Secure solutions are essential
  • User consent must be supported
• Common mechanisms to handle Identities are required:
  • Technically, to enable interoperability and seamless user experiences
  • Legally, to enable a business relationship between different entities in a distributed environment
Liberty Value Proposition and Members
• Value Proposition: Businesses and consumers want benefits of being connected anytime, anyplace - without compromising security or control of personal information. The Liberty Alliance provides the technology, knowledge and certifications to build identity into the foundation of mobile and web-based communications and
• Over 150 diverse member companies and organizations
  • Government organizations
  • End-user companies
  • System integrators
  • Software and hardware vendors

• Technical Specifications and Implementation Guidelines
• Interoperability and public conformance testing
• Business guidelines and case studies
• Policy guidelines
• Developer resources and User Groups
• Adoption and evangelism
• Liaison and collaboration with other organizations
Management Board
• Board Sponsor members
• Responsible for overall governance, legal, finances, and operations
• Final voting authority for specifications

Business Marketing Expert Group
• Gathers market requirements and use cases
• Publishes Business templates and guidelines
• Drives Market Adoption through evangelism and

Technology Expert Group
• Defines Technical architecture
• Develops technical specifications
• Drives interoperability

Services Group
• Focuses on the creation of new services
• Collaborates with organizations focused on specific areas of an industry
• Drives the deployment of new services

Public Policy Expert Group
• Advises on privacy, security and global policy issues
• Works with privacy advocacy groups and government agencies
• Publishes privacy and policy guidelines

Conformance Expert Group
• Oversees the conformance testing program
• Organizes conformance testing events
• Manages the Liberty licensing program

All members provide feedback on early drafts
Membership Categories

Sponsors
• Full participation and voting rights in all expert groups.
• Eligible for Management Board
• May attend all Liberty member meetings

Associates
• Access to draft specifications prior to public release
• May attend All Participant Meetings
• May participate in one Services track

Affiliates
• For government agencies, educational institutions, and non-profit organizations only
• Same privileges as Associate members
• May participate in unlimited number of Services tracks
The Liberty Advantage
• Open specifications—allows different systems to
• Federated model—no central point of failure, no intermediation between you and customer
• Built on standards—works with legacy systems
Liberty Alliance Key Concepts
• Federation – The act of establishing a relationship between two entities, an association comprising any number of Service Providers and Identity Providers
• Principal – a person or “user”, a system entity whose identity can be
• IdP, Identity Provider – a service which authenticates and asserts a Principal’s identity
• Single Sign-On (SSO) – the Principal’s ability to authenticate with one system entity (Identity Provider) and have that authentication honored by other system entities, often Service Providers

Identity Services
• Circle of Trust – a group of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements and with whom users can transact business in a secure and apparently seamless environment. Circles of Trust represent the second wave of identity federation, after SSO and federated account linking.
• DS – Discovery Service – a service which provides Identity based Discovery of Web Service Providers
• IS – Identity Service – a service invoked through or with a user’s identity

The ability to control my identity on your network:
• Who I am
• What you know about me
• When you know it
• How you can use it
Liberty Alliance – a Technology
• Liberty Identity Federation Framework (ID-FF)
• Liberty Identity Web Services Framework (ID-WSF)
• Liberty Identity Services Interface Specifications (ID-SIS)
• Conformance

Liberty specifications build on existing standards, such as SAML, SOAP, WSS, XML
Identity Federation Framework
• Identity Federation: Enables Identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management
• Built on: SAML, HTTP, WAP, XML, SSL/TLS

Liberty Federation
• Privacy-oriented identity federation and SSO
• Defines a method of exchanging name identifiers that allows two providers to speak about a “subject” in a common language – the federated name identifier – whilst allowing that identifier to be hidden from third parties (opaque identifier)
• Extends the SAML authentication statement, adding the concepts of session, and authentication context
• Creates an authentication Request/Response protocol
• Additional protocols to provide global single logout, "de-federation", name identifier registration and mapping
• Specifies various profiles for requesting and sending SAML assertions in a web SSO environment, with intermediaries
• Provides a foundation for identity-based services
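The opaque federated name identifier, account linkage at the SP, and defederation described on this slide and under Key Concepts, as an added toy model (not Liberty's or any vendor's code): the IdP hands each (Principal, SP) pair its own random identifier, so an SP can honour the IdP's authentication and map it to a local account, while no two SPs can correlate the same Principal by comparing what they received. The IdP and SP names, the dict-shaped "response" in place of a real SAML/ID-FF message, and the sample Principal "jane" are constructed for the example; the format URI is the ID-FF 1.2 one, not taken from the slides.

```python
import secrets
from dataclasses import dataclass, field

# Liberty ID-FF 1.2 name-identifier format URI (from the spec, not from the slides)
FEDERATED_FORMAT = "urn:liberty:iff:nameid:federated"


@dataclass
class IdentityProvider:
    """Constructed toy IdP: one opaque federated name identifier per (Principal, SP) pair."""
    entity_id: str
    federations: dict = field(default_factory=dict)  # (principal, sp_id) -> opaque identifier

    def federate(self, principal: str, sp_id: str) -> str:
        """Create once, then reuse, the identifier this IdP uses for `principal` towards `sp_id`."""
        key = (principal, sp_id)
        if key not in self.federations:
            # Random and never derived from the real username: it means nothing to a third
            # party, and two SPs cannot correlate one Principal by comparing their identifiers.
            self.federations[key] = secrets.token_urlsafe(16)
        return self.federations[key]

    def defederate(self, principal: str, sp_id: str) -> bool:
        """Liberty defederation: drop the link; a later federation yields a fresh identifier."""
        return self.federations.pop((principal, sp_id), None) is not None

    def authn_response(self, principal: str, sp_id: str, authn_context: str) -> dict:
        """Stand-in for the ID-FF authentication statement carrying the federated identifier."""
        return {
            "Issuer": self.entity_id,
            "Subject": {"NameIdentifier": self.federate(principal, sp_id), "Format": FEDERATED_FORMAT},
            "AuthnContext": authn_context,  # how the Principal authenticated, for the SP to judge
        }


@dataclass
class ServiceProvider:
    """Constructed toy SP: links the opaque identifier to its own local account."""
    entity_id: str
    accounts: dict = field(default_factory=dict)  # (issuer, name_id) -> local account

    def link_account(self, response: dict, local_account: str) -> None:
        self.accounts[(response["Issuer"], response["Subject"]["NameIdentifier"])] = local_account

    def sso_login(self, response: dict):
        """Honour the IdP's authentication: the linked local account, or None if never federated."""
        return self.accounts.get((response["Issuer"], response["Subject"]["NameIdentifier"]))


def sps_can_correlate(idp: IdentityProvider, principal: str, sp_a: str, sp_b: str) -> bool:
    """True only if two SPs would be handed the same identifier for one Principal (they are not)."""
    return idp.federate(principal, sp_a) == idp.federate(principal, sp_b)
```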
Liberty Identity Federation Framework and SAML
• Liberty ID-FF 1.1 extended SAML 1.0
• SAML 1.1 copied some enhancements from ID-FF 1.1
• Liberty ID-FF 1.2 was based on SAML 1.1
• Are you confused yet? The market for SSO/federation technology certainly is!
• The answer: converge Liberty Federation and SAML into SAML 2.0
• SAML 2 contains equivalent technology to ID-FF 1.2, with some enhancements
Identity Web Services Framework
• Identity Federation: Enables Identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management
• Identity Web Services Framework (ID-WSF): Provides the framework for building interoperable identity-based web services. Discovery, Interaction
• Built on: SAML, HTTP, WAP, XML, SSL/TLS, SOAP, WS-Security, WSDL, XML Enc
What is ID-WSF?
• Framework for locating and invoking identity based Web services
• Identity Web services:
  • Associated with a Principal’s Identity
  • Can be Invoked using a Principal’s Identity
• Permissions-based Attribute Sharing
  • Invoking Services under control of user
    • At the DS and at the WSP

ID-WSF – New Concepts
• Web Services Client (WSC): typically, the invoker/consumer of an identity service
• Web Services Provider (WSP): typically, the provider of an identity service
• Data Services Template (DST): provides an extensible framework to produce new Identity Services above the protocol stack, allowing interoperability e.g.: ID-Personal Profile and ID-Employee Profile

Core Components – ID-WSF
• Authentication Service
• Identity based Service Discovery
• Service Invocation (SOAP Binding)
• User Interaction Service
Service Interfaces (ID-SIS)
• Identity Federation: Enables Identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management
• Identity Web Services Framework (ID-WSF): Provides the framework for building interoperable identity-based web services. Discovery, Interaction
• Service Interfaces (ID-SIS): Employee Profile, Business Profile, Personal Profile, Contact Book
  • Interface and data
  • Will be defined in parallel
  • First service tracks:
    • Contact Book
    • Geolocation
    • Presence
    • Gaming
• Built on: SAML, HTTP, WAP, XML, SSL/TLS, SOAP, WS-Security, WSDL, XML Enc
Identity Services Use Case
(Diagram: “Jane using a”, IdP, DS, Jane’s WSPs; “It’s Jane”)
• ID-FF: The SP interacts with the IdP through Jane’s browser to obtain the identity credential for Jane.
• ID-WSF: The SP (acting as a WSC) interacts with the DS and Jane’s WSPs in order to invoke services at the WSPs on Jane’s behalf.
Liberty’s Focus on Privacy
• A fundamental objective of Liberty is to improve privacy through the federated model
• The Alliance addresses privacy within its specification development
  • Public Policy Expert Group exerted influence from day 1 on privacy
  • Liberty invites input from policy makers and privacy advocates
  • Technology decisions are made to enhance privacy and make it easier to implement good privacy practices
• Privacy and Security Best Practices were developed to promote privacy-friendly implementations and deployments
• Security & Privacy Overview provides technical guidance on security and privacy ramifications of ID-WSF implementations

Privacy Handling Components
• Pseudonymous Access
• Anonymous Access
• Usage Directives
• Authentication Context Comparison
• Consumer Consent Header
• XML Signatures
• Interaction Service
Thank You!
You may want to contact me for further
Jose-Luis Mariz

You may want to get more information from: