Liberty Alliance Project
Open Standards for Network Identity

Will open standards increase eCommerce?



Bill Smith
Director, Liberty Alliance Technology
Sun Microsystems
Permissions

The author has graciously given permission to reproduce his presentation at the XML 2002 Conference in Baltimore, Maryland. If copied, changes should not be made and appropriate citation of the author’s work should be given.

Instructional media + magic, inc., December 2002

Identity

Physical
Height, Weight, Gender
Blood Type, Fingerprint, DNA

Experiential
Education, Travel, Dining
Stock Purchases, Mortgage Balance, Drug Use

Preferential
Food, Clothing, Shelter
Religion, Political affiliation, Club Memberships

Identity

Some information needed to determine who I am is widely available – I distribute it

A larger set of information is unavailable – I restrict access to trusted relationships

Most of this information is in digital form

Identity

Control who has access to what information

Choose who to trust, what to give, when to change

Trust relationships take time to establish

Digital Identity

Much of the information about me is in digital form, accessible via the Web

It is kept by “trusted brokers”

High-quality services are provided

I can access and update

What's the problem?...

Digital Islands

I have multiple Digital IDs

Information is duplicated and difficult to synchronize

Better services are possible

Digital Islands

Multiple, disconnected identities scattered across isolated Internet sites:

• User Name: Bill Smith
• Email: bsmith48@freemail.com
• PIN: wcs@foobar.com
• Credit card number
• Social security number
• Drivers license
• Passport
• Entertainment preferences
• Notification preferences
• Employee authorization
• Business calendar
• Dining preferences
• Education history
• Medical history
• Financial assets…

Digital Islands – the problem

Multiple, disconnected identities scattered across isolated Internet sites:

• Inconvenient and frustrating for users
• Distributed identity-services are difficult to develop and deploy
• Continual re-authentication to disparate systems

Network Identity – the solution

A method to link the Digital Islands

Provide a logical single identity

Preserve and enhance existing trust relationships

Provide choice and opportunity for better services

Network Identity – it’s simple

A Network Identity is a user’s overall global set of attributes constituted from their various accounts

Network Identity – not so fast

Digital Islands
  Disparate Systems
  Lack of communication, interoperability
Conflicting Interests
  Technology suppliers, Technology consumers
  Service providers, fixed vs. mobile
Consumer Demands
  Better services, Improved convenience
  Respect Privacy

Network Identity – practical solutions

Broad scope
  Web itself
  Fixed, wireless, desktop, cell phone, PDA, car ...
Complexity
  Technology, Business, Consumer
  Service providers
Reality
  Digital Islands exist
  Trust relationships well-established

A Business Consortium Solving A Business Problem

Over 130 for-profit, not-for-profit and government organizations, representing a billion customers, are currently Alliance members

(Slide shows logos of a sample of Liberty members.)

“Liberty’s commercial investment in network identity and the collaboration of its diverse array of member companies can bring a lot to this space. The group’s combined experience, their collective ability to drive usage and the fact that they’re not trying to promote a product but a solution to a problem will help in their success.”

Dan Blum, Burton Group

Mission of the Liberty Alliance

Establish an open standard for federated network identity through open technical specifications that will:

• Support a broad range of identity-based products and services
• Allow for consumer choice of identity provider(s) and the ability to link accounts through account federation
• Provide the convenience of simplified sign-on when using any network of connected services and devices
• Enable organizations to realize new revenue and cost saving opportunities
• Allow organizations to economically leverage relationships with customers, business partners, and employees
• Improve ease of use for e-commerce

Management Structure

Management Board
• Consists of 16 founding sponsors
• Responsible for overall governance and maintenance
• Final voting authority for specifications and other output

Public Policy Expert Group
• Advise on privacy, security, and other public policy issues
• Liaison to privacy groups and government agencies

Technology Expert Group
• Develops technical architecture and engineering requirements
• Develops technical specifications
• Interoperability

Marketing Expert Group
• Develops marketing requirements and use cases
• Responsible for membership, press relations, and marketing communications
• Adoption

Why is Federated Important?

Centralized Model
• Network identity and user information in single repository
• Centralized control
• Single point of failure
• Links similar systems

Open Federated Model
• Network identity and user information in various locations
• No centralized control
• No single point of failure
• Links similar and disparate systems

(Diagram: a single Central Provider on the left, versus a mesh of peer Providers on the right.)

Solution Analogous to ATM Networks

(Diagram in three stages, each drawn once for ATM cards and once for Web accounts:)

Separate Cards with Each Bank – Individual Accounts with Many Web Sites
  A separate ATM card for Bank A, Bank B and Bank C; a separate account at each .com site

Linked Cards within Bank Networks – Federated Accounts within Trust Domain
  Each bank's card is accepted across its own Bank ATM Network (A, B or C); accounts are federated among the .com sites of one trust domain

Seamless Access Across all Networks – Linkage of Trust Domains
  One card is accepted across Bank ATM Networks A, B and C; the trust domains are linked to each other

Examples of Trust Domains

B2C – Travel Industry: Airline, Car Rental, Hotel, Partner Airlines, Cruise Line, Livery

B2E – Employee Intranet: Company Intranet, 401k, 3rd Party Providers, Employee Purchase Plans, Health Insurance, Dental Insurance

B2B – Financial Services: Commercial Banking, Treasury, Debt, Equity, Clearing House, Credit

B2B – Automotive: Manufacturers, Suppliers, Dealers, Transport Agencies, Fleet, Financing

Specifications: A Phased Approach

Approach Drivers
• Support rapid acceptance and deployment
• Phases build on each other
• Enable incremental adoption

Version 1.0 (Released 15 July 2002)
• Federated network identity
• Opt-in account linking and simplified sign-on within an authentication domain created by business agreements
• Security built across all the features and specifications

Future Versions
• Permissions-based attribute sharing
• Schema/protocols for core identity profile service
• Simplified sign-on across authentication domains created in version 1.0 by business agreements
• Delegation of authority to federate identities/accounts

Version 1.0 Specifications

Builds on top of SAML to provide additional privacy and functionality

Opt-in account linking – Users can link their accounts with different service providers within “circles of trust”

Enhanced single sign-on for linked accounts – Once users’ accounts are federated, they log in and authenticate at one linked account and can navigate to another linked account without having to log in again

Authentication context – Companies linking accounts communicate the type of authentication that should be used when the user logs in

Global log-out – Users can be automatically logged out of all sites with which they have active sessions

Multiple Client Support – browser, mobile device, and proxy

SAML in a Nutshell

An XML-based framework for exchanging security information
1. XML schema and definition for security assertions
2. XML schema and definition for a request/response protocol
3. Rules on using assertions with standard transport and messaging frameworks (SOAP, Web browsers): Bindings and Profiles

An OASIS standard
– Vendors and users are both involved
– Codifies current system outputs rather than inventing new technology

Excellent traction in the marketplace

Liberty Federation / Account Linking

Pre-existing accounts at various sites can be linked

(Diagram: the same user known under a different account name at each site)
Excite.com, Identity Provider: Joe123
Pets.com, Service Provider: JoeSmith
Books.com, Service Provider: Joe

Upon linking those accounts, the sites need to be able to have a frame of reference for the user

Liberty Federation / Account Linking

If account names are exchanged, sites can talk to each other without the user’s approval

(Diagram: each site now holds the other sites' account names for the user)
Excite.com, Identity Provider, Joe123: holds JoeSmith@pets.com and Joe@books.com
Pets.com, Service Provider, JoeSmith: holds Joe123@excite.com
Books.com, Service Provider, Joe: holds Joe123@excite.com

Liberty Federation / Account Linking

Instead, unique opaque handles resolvable only by the issuer should be exchanged

(Diagram: each link is recorded on both sides as a pair of opaque names, in the slide's own notation)

Excite.com, Identity Provider, Joe123, holds:
  <alias="mr3tTJ340ImN2ED" SecurityDomain="Pets.com" Name="dTvIiRcMlpCqV6xX" />
  <alias="xyrVdS+xg0/pzSgx" SecurityDomain="Books.com" Name="pfk9uzUN9JcWmk4RF" />

Pets.com, Service Provider, JoeSmith, holds:
  <alias="dTvIiRcMlpCqV6xX" SecurityDomain="excite.com" Name="mr3tTJ340ImN2ED" />

Books.com, Service Provider, Joe, holds:
  <alias="pfk9uzUN9JcWmk4RF" SecurityDomain="excite.com" Name="xyrVdS+xg0/pzSgx" />

Liberty – Enhanced SSO

Extends an authentication assertion to include the “context”
  • How did the user log in? Password? Smartcard? Etc.
  • When should the user be re-authenticated?
  • How did account registration occur? (in person, via web page)

Extends the authentication request to allow for requesting a strength of authentication

Necessary for real-world scenarios: not all services require the same level of authentication.

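The authentication-context idea above, worked through as an added example (this is not code from the presentation or from the Liberty specifications): a service provider compares the context carried in an assertion against the strength it requires before it trusts a single sign-on. The method ranking, the policy fields, the class names and the sample times are constructed assumptions for illustration.

```python
"""Added example, not from the presentation or the Liberty specifications:
a service provider checking an authentication assertion's context against
the strength it asked for. The method ranking, the policy fields and the
sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed ranking of login methods, weakest first. A real deployment takes this
# from the authentication-context classes agreed within the circle of trust.
STRENGTH = {"password": 1, "password-over-tls": 2, "smartcard": 3}


@dataclass(frozen=True)
class AuthnContext:
    """What the identity provider states about how and when the user logged in."""
    method: str              # "password", "smartcard", ...
    authn_instant: datetime  # when the user actually authenticated
    registration: str        # how the account was registered: "in-person" or "web"


@dataclass(frozen=True)
class ServicePolicy:
    """What a service provider requires before it accepts an assertion."""
    min_method: str
    max_age: timedelta              # older logins must be refreshed at the IdP
    require_in_person: bool = False


def evaluate(ctx, policy, now):
    """Return (accepted, reason). The reason states what the service provider
    must ask for in a new authentication request to the identity provider."""
    if ctx.method not in STRENGTH or policy.min_method not in STRENGTH:
        return False, "unknown authentication method"
    if STRENGTH[ctx.method] < STRENGTH[policy.min_method]:
        return False, f"{ctx.method} is weaker than required {policy.min_method}"
    if now - ctx.authn_instant > policy.max_age:
        return False, "authentication too old, re-authentication required"
    if policy.require_in_person and ctx.registration != "in-person":
        return False, "account was not registered in person"
    return True, "ok"


def demo():
    """Constructed scenario: two logins presented to two services with different needs."""
    now = datetime(2002, 12, 10, 12, 0, tzinfo=timezone.utc)
    password_login = AuthnContext("password", now - timedelta(minutes=30), "web")
    smartcard_login = AuthnContext("smartcard", now - timedelta(minutes=20), "in-person")
    news_site = ServicePolicy("password", timedelta(hours=8))
    brokerage = ServicePolicy("smartcard", timedelta(minutes=15), require_in_person=True)
    return {
        "news": evaluate(password_login, news_site, now),
        "broker_weak": evaluate(password_login, brokerage, now),
        "broker_stale": evaluate(smartcard_login, brokerage, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same password login is enough for the news site but is rejected by the brokerage, and even a smartcard login is rejected once it is older than the brokerage's re-authentication window; in each rejection the reason is what the service provider would put into its next authentication request.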
Liberty – Additional Features

Simple session management
  • Provides “single-logout” functionality

Identity federation management
  • Ability to terminate the federation
  • Ability to modify the opaque handle shared between authentication authority and relying party

Identity network support
  • Specifies a protocol by which a website can “discover” what Identity Provider a user is using

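The opaque-handle account linking from the earlier slides and the federation management and single-logout features on this slide, worked through together as one added example (not code from the presentation or from the Liberty specifications). An identity provider links a local account to each service provider under a separate random handle, resolves a handle only for the provider it was issued to, can rotate or terminate a link, and can name every site that must be told to end its session. The class and method names, the handle format (secrets.token_urlsafe) and the site names are constructed assumptions.

```python
"""Added example, not from the presentation or the Liberty specifications:
an identity provider that links a local account to each service provider under
a separate opaque handle, can rotate or terminate a link, and drives a single
logout across every linked site. Names, the handle format and the site names
are constructed."""
import secrets
from collections import defaultdict


class IdentityProvider:
    def __init__(self, domain):
        self.domain = domain
        self._handles = {}                 # (local_user, sp_domain) -> handle
        self._owner = {}                   # handle -> (local_user, sp_domain)
        self._sessions = defaultdict(set)  # local_user -> SPs with a live session

    def federate(self, local_user, sp_domain):
        """Issue an opaque handle for this (user, SP) pair, reusing an existing one.
        Each SP gets a different random value, so two SPs that compare their
        records cannot tell that they refer to the same person."""
        key = (local_user, sp_domain)
        if key not in self._handles:
            self._issue(key)
        return self._handles[key]

    def _issue(self, key):
        old = self._handles.get(key)
        if old is not None:
            del self._owner[old]       # the previous handle stops resolving
        handle = secrets.token_urlsafe(12)  # constructed handle format
        self._handles[key] = handle
        self._owner[handle] = key
        return handle

    def rotate(self, local_user, sp_domain):
        """Replace the handle shared with one SP; the others are untouched."""
        return self._issue((local_user, sp_domain))

    def terminate(self, local_user, sp_domain):
        """End the federation with one SP and drop any session with it."""
        handle = self._handles.pop((local_user, sp_domain), None)
        if handle is not None:
            del self._owner[handle]
        self._sessions[local_user].discard(sp_domain)

    def resolve(self, handle, sp_domain):
        """Map a handle back to the local user, but only for the SP it was issued to."""
        entry = self._owner.get(handle)
        if entry is None or entry[1] != sp_domain:
            return None
        return entry[0]

    def sign_on(self, local_user, sp_domain):
        """Record a single-sign-on session at an SP and return the handle to assert."""
        key = (local_user, sp_domain)
        if key not in self._handles:
            raise PermissionError("account is not federated with this service provider")
        self._sessions[local_user].add(sp_domain)
        return self._handles[key]

    def single_logout(self, local_user):
        """Close all sessions and return the SPs that must be told to log the user out."""
        return sorted(self._sessions.pop(local_user, set()))


def demo():
    """Constructed walk-through using the slide's three sites."""
    idp = IdentityProvider("excite.com")
    pets = idp.federate("Joe123", "pets.com")
    books = idp.federate("Joe123", "books.com")
    idp.sign_on("Joe123", "pets.com")
    idp.sign_on("Joe123", "books.com")
    logged_out = idp.single_logout("Joe123")
    new_pets = idp.rotate("Joe123", "pets.com")
    idp.terminate("Joe123", "books.com")
    try:
        idp.sign_on("Joe123", "books.com")
        books_sign_on_blocked = False
    except PermissionError:
        books_sign_on_blocked = True
    return {
        "handles_differ": pets != books,
        "pets_resolves_for_pets": idp.resolve(new_pets, "pets.com"),
        "pets_handle_at_books": idp.resolve(new_pets, "books.com"),
        "old_pets_handle": idp.resolve(pets, "pets.com"),
        "books_after_terminate": idp.resolve(books, "books.com"),
        "books_sign_on_blocked": books_sign_on_blocked,
        "logged_out": logged_out,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check in resolve is what makes the handle "resolvable only by the issuer": a handle leaked from Pets.com to Books.com maps to nothing there, and after rotation or termination the old value maps to nothing anywhere, so the two service providers never hold a common identifier for Joe.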
Liberty Enabled-Products

Coming Soon!

Liberty Version 2.0

Permissions-Based Attribute Sharing
  • Enable businesses to share a principal's attributes according to their corporate policies, business agreements and local regulations, all while adhering to the principal's preferences and permissions

Interoperability Specs for Core Identity Profile Service
  • Enables users to obtain secure, personalized services that are interoperable across different service providers

Federation of Authentication Domains
  • Enables users to conveniently navigate and use SSO and share attributes with service providers who may be in different authentication domains.

Version 2.0 specifications expected early 2003

Liberty – the Initiative

Established to address real business and technology issues

Recognized as the focal point for Network Identity discussions and solutions

Produced well-received specification

Proceeding with phased approach to deliver on vision and mission