Identity Management in a Federated Environment
US-NATO TEM 6
1-3 December 2009

Alan Murdock
Dr. Robert Malewicz
Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail:
                    NATO IdM Initiatives
 SC/4-SC/5 NATO IdM Workshop (2008/09)
     output: NATO IdM Strawman Paper
     directory services oriented view
     focused on alliance aspect of NATO IdM
     identifies IdM use cases in NATO

 SC/4 Service Management Infrastructure AHWG
     output: SMI Technical Services Definitions working paper
     Security Management architecture view
     requirements/standards/technology agnostic approach
     identifies interfaces with other security management services
                                                  NATO UNCLASSIFIED               2

 Identity Management is ambiguous!

 Identity Management includes:
    Identity Assurance
    Identity Employment or Utilization
    Identity Services

 What is an “Identity”?
    … a PKI certificate?
    … a set of attributes?
    … the same for every entity in the enterprise?
              Different views on IdM

 NATO has a two-dimensional challenge:
   IdM in the NATO Alliance
      28 NATO nations
      and partners
      constitute a federation

   IdM in the NATO Organization
      NATO HQs
      and NATO agencies
      constitute an enterprise (?)


• The concept of NATO IdM is in a very early stage of
• Requirements for NATO IdM need to be defined
• The two dimensions of NATO IdM have the potential to
  cause conflicts for IdM
• Emerging technologies (Identity 2.0) are not reflected
  either in the NATO IdM Strawman Paper or in the SMI working
  paper
• Policy document for NATO IdM
• Interoperability at all levels

                          Way forward

 What can we accomplish today?

  • Listen
  • Inform
  • Plan for the future

                 NC3A Identity Management
                 Test Campaign
                         IdM Concept Validation
 Purpose:
   • Identify NATO IdM requirements based on IdM use cases
   • Verify architectures and solutions for identified IdM use cases

 Scope
   • Validation focused on federated scenarios within NATO Alliance

 Test Facility
   • Classification: NATO Unclassified
   • NNEC CES Testbed as an investigation platform on the NATO side
   • National Testbeds

 Procedure
   • VPN Joining Instructions
   • IdM Joining Instructions (based on ACP145 and ARH forms)
        agreed test scope (use cases) and schedule

NNEC CES Testbed Layout

                                IdM Use Cases

 IdM use cases defined in NIdM Strawman Paper
  •   Access to C2 Data/Services in NATO SECRET Domain
  •   Single Sign On in Cross-Domain Federation Scenario
  •   Use of certificates bound to the identity
  •   NATO Pass System
  •   Use of national military ID-Card

 Technology/Solution specific IdM use cases for
  •   Cross-domain group management
  •   Security token based authentication for Web Services
  •   Portal access (based on SharePoint Server)
  •   Collaboration tools (based on JChat application)
  •   Access to legacy applications
  •   Others …

                IdM Strawman and Technology/Solution
                  Driven Use Cases Relevance Mapping

 Rows: technology/solution driven use cases. Columns: NATO IdM Strawman Paper use cases.
 (The relevance marks in the cells were not preserved in this extraction.)

 Technology/Solution   | Access to C2 Data | SSO in     | Use of       | NATO Pass | Use of national
                       | and Services      | Federation | certificates | System    | military ID-Card
 ----------------------+-------------------+------------+--------------+-----------+-----------------
 Group Management      |                   |            |              |           |
 Security Token based  |                   |            |              |           |
   authentication      |                   |            |              |           |
 Portal Access         |                   |            |              |           |
 Collaboration Tools   |                   |            |              |           |
 Access to Legacy      |                   |            |              |           |
IdM Use Case Validation Environment

                           Service Components

 Information Exchange Gateway scenario B (IEG B)
   NATO Enterprise Directory Service (NEDS)
   Allied Replication Hub (ARH)
   Border Directory Services
   NATO Public Key Infrastructure (NPKI) Certificate Authority
   Security Token Service (STS)
   Policy Enforcement Point (PEP)
   Policy Decision Point (PDP)
   Web servers/portals and clients
   Web Proxy
   Web Concentrator
   Collaboration tool servers and clients
   Identity Data Sources
                           Use Cases

•   Cross-domain group management
•   Security token based authentication for Web Services
•   Portal access (based on SharePoint Server)
•   Collaboration tools (based on JChat application)
•   Access to legacy applications
                   Group Management Use Case

 Foundation for other use cases
 Foundation for the implementation of a formal access control
  mechanism. Access control models being considered:
    role based access control (RBAC), currently used in many C2 systems
    attribute based access control (ABAC), anticipated to be used more
     in future service-oriented systems
 Potential areas of usage (examples)
    cross-domain group management delegation
    cross-domain group mapping
 Status
    directory components installed
    meta-tools installed, configured, jobs implemented
    initial testing completed

IdM in Group Management

                      NNEC Hints

 “Network of networks” is one of the main concepts of the
  NNEC vision: the environment is made up of many
  separate networks linked together
 Community of Interest (CoI) is a driver for access
  control in NNEC
 Sharing of identity information between these
  different networks is crucial for providing access
 Service Oriented Architecture (SOA) based on Web
  services is a candidate technology to realize the
  NNEC vision, where services can be (dynamically)
  discovered and called by different clients
               Security Token Based Access Use Case
 Simple services can be combined into more complex ones
 Typically users interact with web services through different kinds
  of GUIs (web-based and form-based ones).
 Service provider/consumer interoperability
    standard protocols like SOAP, HTTP
    Web services related standards, including the WS-* stack (e.g.
     WS-Security, WS-Trust, WS-Federation etc.)
 Secure SOA-based data/service exchange scenarios in a
  federated environment are to be demonstrated
 Status:
      all components installed,
      not all configured yet
      not all tested yet
      not integrated with directory yet

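As an added example (not part of the original presentation or of the NC3A testbed software), a minimal Python sketch of the PEP/PDP side of the Group Management and Security Token use cases above: claims carried in a token issued by a hypothetical STS are verified, national directory groups are mapped to NATO roles (RBAC, the cross-domain group mapping case), and a clearance attribute is checked against the resource classification (ABAC). The HMAC, group names, role policy, service names and clearance values are constructed stand-ins for a WS-Security signature and real directory data.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the hypothetical STS and the PEP/PDP;
# a real STS would sign tokens with its NPKI-issued certificate instead.
STS_KEY = b"constructed-demo-key"
# Cross-domain group mapping: a national directory group (as replicated
# through the ARH) maps to a NATO role. All names are constructed.
GROUP_MAP = {"NLD/j6-planners": "c2-planner", "USA/g3-ops": "c2-operator"}
# RBAC policy: which NATO roles may invoke which C2 service (constructed).
ROLE_POLICY = {"c2-read": {"c2-planner", "c2-operator"}, "c2-write": {"c2-planner"}}
# ABAC attribute: ordered classification ladder used for the clearance check.
CLASSIFICATION = ["NATO UNCLASSIFIED", "NATO RESTRICTED", "NATO SECRET"]

def issue_token(claims):
    """Hypothetical STS: serialise the claims and append an HMAC as a
    stand-in for the WS-Security signature a real STS would apply."""
    body = json.dumps(claims, sort_keys=True)
    mac = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac

def verify_token(token):
    """PEP side: return the claims only if the MAC verifies, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)

def decide(token, service, resource_classification):
    """PDP: map national groups to NATO roles (RBAC), then apply the ABAC
    clearance rule. Returns "PERMIT" or a "DENY: <reason>" string."""
    claims = verify_token(token)
    if claims is None:
        return "DENY: token signature invalid"
    roles = {GROUP_MAP[g] for g in claims.get("groups", []) if g in GROUP_MAP}
    if not roles & ROLE_POLICY.get(service, set()):
        return "DENY: no mapped role permits " + service
    clearance = claims.get("clearance", "NATO UNCLASSIFIED")
    if clearance not in CLASSIFICATION or \
            CLASSIFICATION.index(clearance) < CLASSIFICATION.index(resource_classification):
        return "DENY: clearance below resource classification"
    return "PERMIT"

if __name__ == "__main__":
    tok = issue_token({"subject": "cn=alice,o=nld", "groups": ["NLD/j6-planners"],
                       "clearance": "NATO SECRET"})
    print(decide(tok, "c2-write", "NATO SECRET"), "|", decide(tok + "x", "c2-read", "NATO SECRET"))
```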
Secure Token Based Access … Integrated with Directory Services

                            Access to Portal
 Web portal access handling is one of the most common and
  basic information sharing requirements
 Access granularity is a desired feature that needs to be
  implemented in future NATO portals
 Microsoft SharePoint is identified as a future NATO portal
  product. The next version is to be integrated with Microsoft's
  Identity Architecture, and so will be able to act as a relying party
  for XML security tokens.
 Initially, access from a national domain to NATO portals is the
  most expected operational scenario
 Status:
   all components installed
   meta-tools installed, configured, jobs implemented
   initial testing completed
   implemented different authentication mechanisms for
    internal/external users
   hashed passwords for external users populated through ARH
IdM in Access to Portal

                        Collaboration Tools Use Case
 XMPP is an open technology for real-time communication, which
  powers a wide range of applications, e.g.:
      instant messaging,
      presence,
      multi-party chat,
      voice and video calls,
      collaboration,
      lightweight middleware,
      content syndication,
      generalized routing of XML data.

 XMPP is a mandatory collaboration standard for military usage
  in many NATO nations
 The JChat application, a standard NATO collaboration tool, is to be
  used on the NATO side
 Status: not implemented yet
    all components installed
    meta-tools installed, configured, jobs implemented
    hashed passwords for external users populated through ARH
IdM in Collaboration Tools

                  Access to Legacy Applications

 There are still applications in NATO CIS which are not PKI
  and/or Web services enabled
 Authentication/Authorization mechanisms:
    are implemented as an integral part of the applications (usernames
     and passwords stored in a local database), which results in
     application-specific solutions, or
    are not implemented at all
 For completeness of the IdM use case validation picture, legacy
  systems should be included
 Status: not implemented yet

IdM in Legacy Systems


 The concept of IdM in a federated NATO environment
  (NATO plus NATO nations) is in an early stage of

 The list of use cases for IdM is open
 The NC3A CES/NNEC testbed provides an infrastructure
  for complex IdM validation to be performed with
  Alliance partners
Why Identity Management matters …
                    CONTACTING NC3A

NC3A Brussels
Visiting address:
Bâtiment Z
Avenue du Bourget 140
B-1110 Brussels
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770
Postal address:
NATO C3 Agency
Boulevard Leopold III
B-1110 Brussels - Belgium

NC3A The Hague
Visiting address:
Oude Waalsdorperweg 61
2597 AK The Hague
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239
Postal address:
NATO C3 Agency
P.O. Box 174
2501 CD The Hague
The Netherlands