1. The SOA Reference Model for Identity & Access Management of Deutsche Telekom Laboratories / T-Systems Enterprise Services GmbH.
   Deutsche Telekom. Bitkom: SOA & Security, 12.03.2008.
2. Agenda.
   1  Introduction
   2  AAA & IdM Reference Architecture
      2.1  Essentials
      2.2  Digest of Concepts
   3  Characteristic SOA Security Questions
   4  AAA & IdM Reference Architecture based Answers
   5  Conclusions
   Dietmar Krüger / Dr. Bert Klöppel, March 12th, 2008
4. Introduction – SOA and Security. The T-Systems Approach.
   [Figure: project demands and the T-Systems SOA process model (Governance, Analysis, Conception, Transformation, Retire) on one side, security and the AAA & IdM Reference Architecture on the other, combined into a secure SOA solution.]
   A secure SOA solution combines general SOA architecture/governance rules, security and project demands.
   Our approach: a process model for SOA and a process model for security that are generally independent of each other, fused per project.
6. AAA & IdM Reference Architecture – Essentials. Challenges.
   Identity silos with poor interoperability.
   [Figure: Service Provider Domain A and Domain B (mobile applications, web applications, streaming, digital content, contracts, cost control, preferences, 3G access, ISP access) above Network Access Provider Domain A and Domain B (roaming, SIM card authentication, ISP network access); each silo keeps its own roles, identities, privacy settings, access rights and credentials.]
7. AAA & IdM Reference Architecture – Essentials. Challenges from the user perspective.
   Identity fragmentation, plethora of passwords and identity theft.
   [Figure: courtesy of Francis Shanahan, http://www.francisshanahan.com/detail.aspx?cid=641]
8. AAA & IdM Reference Architecture – Essentials. Challenge from the business perspective.
   Mergers & acquisitions, reorganizations and changing business alliances.
   [Figure: domain-centric identity management (no interoperability between corporations) versus federated identity management across corporations (SSO, SLO (single logout), shared corporate attributes, corporate circle of trust).]
9. AAA & IdM Reference Architecture – Essentials. Mission.
   Provide guidance and blueprints for seamless and overarching AAA & IdM functionalities by means of defining an AAA & IdM Reference Architecture.
   [Figure: the AAA & IdM Reference Architecture sits between Service Provider Domains A and B (mobile applications, web applications, digital content) and Network Access Provider Domains A and B (SIM card authentication, ISP network access), providing single sign-on/off, attribute exchange, authorization, identity management, privacy, authentication, federation, accounting and charging.]
10. AAA & IdM Reference Architecture – Essentials. Reference Model & Reference Architecture. Terminology.
    Reference Model: abstract framework with a minimal set of unifying concepts, axioms and relationships; independent of standards, technologies, implementations and details (acc. to OASIS). Provides conceptual guidance.
    Reference Architecture: generalized architecture of several end systems that share one or more commonalities; defines infrastructure, components and interfaces and proposes technologies and standards (acc. to Carnegie Mellon University, Software Engineering Institute). Provides guidance through domain-specific derivations.
    Software Architecture: structure of systems, comprising software elements, the externally visible properties of those elements and the relationships among them (acc. to Carnegie Mellon University, Software Engineering Institute). Realization through technology-specific derivations.
    System Implementation: the concrete systems derived from a software architecture (several per architecture).
11. AAA & IdM Reference Architecture – Essentials. Reference Model: AAA & IdM Ecosystem.
    [Figure: roles of the ecosystem grouped by function]
    Principal
    Authentication: Authentication Authority
    Authorization: Authorization Authority
    Identity Management: Relying Party, Identity Provider, Attribute Provider, Identity Provisioning Provider
    Accounting and Charging: Accounting Provider, Charging Provider
    Identity Auditing: Identity Auditing Provider
13. AAA & IdM Reference Architecture – Concepts. Simplified version.
    [Figure: the User Agent (Principal) authenticates against the Identity Provider (Authentication Enforcement / Authentication Validation); a Relying Party applies Authorization Enforcement based on an Authorization Decision that draws on the Attribute Provider; the AAA & IdM Infrastructure supplies Accounting, Identity Provisioning, Charging and Identity Auditing.]
14. AAA & IdM Reference Architecture – Concepts. Some selected concepts with regard to Service Oriented Architectures.
    [Figure: same diagram as slide 13; the following three slides highlight selected concepts on it.]
15. AAA & IdM Reference Architecture – Concepts. Trust: Security Tokens, Claims & Assertions.
    [Figure: the diagram of slide 13 with a Security Token Service added to the Identity Provider; a Security Token carries information (claims) about someone, is issued by its Issuer, and is validated by the Relying Party on the basis of its trust in that issuer.]
    The security token is the basic building block of an IdM & AAA infrastructure.
    It can be distributed over any fixed or mobile network and interchanged between network and service layer without further requirements on the security of the transport: the issuer's signature lets the relying party verify the token's origin and integrity, and the audience and validity period restrict where and for how long it is accepted. (Bearer tokens still need confidentiality in transit, e.g. TLS, so that they cannot be captured and replayed.)
    Standards: X.509 / PKI, Kerberos, SAML, WS-Trust.
16. AAA & IdM Reference Architecture – Concepts. Delegated authorization based on attributes.
    [Figure: the diagram of slide 13 extended. User attributes (from the user session and authentication context), resource attributes, context attributes and user entitlements feed an AuthZ Policy; the Authorization Decision is taken against that policy and issued as a Security Token (AuthZ Decision); this AuthZ Delegation Token can be distributed to other parties, whose Authorization Enforcement then relies on the Delegated AuthZ Decision.]
    Standards: OASIS XACML & SAML, WS-Trust, other policy languages.
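The following is an added example, not code from the deck or from T-Systems. It shows in Python what the token concept of slide 15 and the delegated authorization of slide 16 come down to at a relying party: a security token service issuing a token over claims; a relying party validating issuer, integrity, audience and lifetime before trusting the claims; a policy decision point evaluating an attribute-based policy over user, resource and context attributes; and a decision token that a second relying party accepts without re-running the policy. The HMAC signature, the `urn:example:` names, the policy and the attribute names are assumptions of this example; a real deployment would use X.509-signed SAML assertions obtained via WS-Trust and XACML policies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust anchor shared by the STS and every relying party. A real
# deployment signs SAML assertions with an X.509 key; HMAC keeps this offline.
STS_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "urn:example:sts"  # hypothetical issuer identifier


def encode_b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_b64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, audience: str, ttl: int = 300, now=None) -> str:
    """STS role: bind the claims, issuer, audience and lifetime under a MAC."""
    now = int(time.time() if now is None else now)
    body = dict(claims, iss=ISSUER, aud=audience, iat=now, exp=now + ttl)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(STS_KEY, payload, hashlib.sha256).digest()
    return encode_b64(payload) + "." + encode_b64(tag)


def validate_token(token: str, audience: str, now=None) -> dict:
    """Relying-party role: accept only a genuine, unexpired token issued by the
    trusted STS and addressed to this audience. Raises ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = decode_b64(payload_b64), decode_b64(tag_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(STS_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")  # tampered in transit over ESB/network
    body = json.loads(payload)
    if body.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if body.get("aud") != audience:
        raise ValueError("token not addressed to this relying party")
    if not body.get("iat", 0) <= now < body.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return body


# Constructed ABAC policy in the spirit of XACML: a rule applies when every
# listed subject, resource and context attribute matches; otherwise Deny.
POLICY = [
    {"id": "finance-read", "effect": "Permit",
     "subject": {"department": "finance"},
     "resource": {"type": "invoice", "action": "read"}},
    {"id": "finance-approve", "effect": "Permit",
     "subject": {"department": "finance", "role": "manager"},
     "resource": {"type": "invoice", "action": "approve"},
     "context": {"network": "intranet"}},
]


def matches(attributes: dict, required: dict) -> bool:
    return all(attributes.get(k) == v for k, v in required.items())


def decide(subject: dict, resource: dict, context: dict) -> str:
    """PDP role: deny by default, first applicable rule wins."""
    for rule in POLICY:
        if (matches(subject, rule.get("subject", {}))
                and matches(resource, rule.get("resource", {}))
                and matches(context, rule.get("context", {}))):
            return rule["effect"]
    return "Deny"


def request_access(identity_token: str, resource: dict, context: dict, now=None) -> str:
    """PEP at the first relying party (e.g. the portal): validate the identity
    token, ask the PDP, and on Permit issue a decision token that a downstream
    relying party can enforce without re-evaluating the policy."""
    subject = validate_token(identity_token, audience="urn:example:portal", now=now)
    if decide(subject, resource, context) != "Permit":
        return ""
    decision = {"sub": subject["sub"], "resource": resource, "decision": "Permit"}
    return issue_token(decision, audience="urn:example:invoice-service", ttl=60, now=now)


def enforce_downstream(decision_token: str, resource: dict, now=None) -> bool:
    """PEP at the second relying party: honours the delegated decision only if
    the token is genuine, for this service, unexpired and about this resource."""
    try:
        body = validate_token(decision_token, audience="urn:example:invoice-service", now=now)
    except ValueError:
        return False
    return body.get("decision") == "Permit" and body.get("resource") == resource
```

With an identity token for a finance manager approving an invoice from the intranet, the portal obtains a Permit and issues a 60-second decision token for the invoice service, which accepts it; the same token presented for a different resource, after expiry, to the wrong audience, or with a modified payload is rejected, and the identity token itself is rejected by the invoice service because it was never addressed to it. That audience check is what keeps a token captured at one relying party from being replayed at another.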
17. AAA & IdM Reference Architecture – Concepts. Access control requires consistent and accurate identity data.
    [Figure: the diagram of slide 13 annotated with the identity data each component depends on. Identity Provider: identities, personas and profiles (reused through federation & SSO), authentication policy and authentication credentials, issuing security tokens that carry identity information. Attribute Provider: identity attributes, entitlements, privacy policies. Authorization Decision: authorization policies. AAA & IdM Infrastructure: identity provisioning and policy provisioning.]
    Reuse of identity information (identities, personas, profiles) across relying parties presupposes accurate and up-to-date provisioning of identity information and policies.
    Standard: OASIS SPML.
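Added example, not from the deck: a reconciliation of one relying party's account store against the authoritative identity source, emitting the add/modify/delete operations an SPML provisioning target would apply. The records are constructed and the entitlement and attribute names are assumptions; the point is the check that slide 17 implies: orphaned and terminated accounts that still hold entitlements are exactly the inaccurate identity data that makes access control unreliable, so they are removed first and reported separately when they hold something sensitive.

```python
# Constructed authoritative identity data for one application (what the
# identity and attribute providers report). Entitlement names are assumed.
AUTHORITATIVE = {
    "alice": {"department": "finance", "status": "active",
              "entitlements": {"invoice:read", "invoice:approve"}},
    "bob": {"department": "sales", "status": "active", "entitlements": set()},
    "carol": {"department": "finance", "status": "terminated",
              "entitlements": set()},
}

# Constructed local account store of one relying party (an invoicing app).
LOCAL_ACCOUNTS = {
    "alice": {"department": "finance", "entitlements": {"invoice:read"}},
    "carol": {"department": "finance",  # left behind after leaving
              "entitlements": {"invoice:read", "invoice:approve"}},
    "mallory": {"department": "it",  # no authoritative record at all
                "entitlements": {"invoice:approve"}},
}

SENSITIVE = {"invoice:approve"}  # assumed high-impact entitlement


def should_exist(record) -> bool:
    """An account is justified only for an active identity that holds at
    least one entitlement for this application (least privilege)."""
    return (record is not None and record["status"] == "active"
            and bool(record["entitlements"]))


def reconcile(authoritative: dict, local: dict) -> list:
    """Compute SPML-style operations that bring `local` in line with the
    authoritative source. Deletes come first so that a stale account never
    outlives the run that detected it."""
    ops = []
    for user in sorted(local):
        record = authoritative.get(user)
        if should_exist(record):
            continue
        if record is None:
            reason = "orphan"
        elif record["status"] != "active":
            reason = record["status"]
        else:
            reason = "no entitlements"
        ops.append({"op": "delete", "user": user, "reason": reason,
                    "held": sorted(local[user]["entitlements"])})
    for user, record in sorted(authoritative.items()):
        if not should_exist(record):
            continue
        if user not in local:
            ops.append({"op": "add", "user": user,
                        "attributes": {"department": record["department"]},
                        "entitlements": sorted(record["entitlements"])})
            continue
        current = local[user]
        grant = sorted(record["entitlements"] - current["entitlements"])
        revoke = sorted(current["entitlements"] - record["entitlements"])
        attributes = {}
        if current["department"] != record["department"]:
            attributes["department"] = record["department"]
        if grant or revoke or attributes:
            ops.append({"op": "modify", "user": user, "attributes": attributes,
                        "grant": grant, "revoke": revoke})
    return ops


def high_risk(ops: list, sensitive=SENSITIVE) -> list:
    """Users whose account is being deleted while still holding a sensitive
    entitlement: the gap worth an identity-auditing entry, not just a log line."""
    return [op["user"] for op in ops
            if op["op"] == "delete" and sensitive & set(op["held"])]
```

On the constructed data the run deletes carol (terminated) and mallory (orphan), both flagged as high risk because they still hold invoice approval, grants alice the approval she is entitled to, and creates nothing for bob, who is active but has no entitlement for this application. Running this reconciliation on a schedule against every relying party is the practical form of the "accurate and up-to-date provisioning" the slide calls for.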
19. A typical SOA Architecture and Security. A collaborative SOA approach, based on a typical large-scale architecture.
    Complex and structured enterprise architecture for a global business partner.
    SOA access from various independent external partners via the internet.
    Possible multi-location service delivery.
    [Figure: one service location with Portal, Reverse Proxy, local ESB, global ESB and WS Gateway.]
20. SOA and Security – Questions (1). Details inside one global service location.
    [Figure: zones of one service location.
    Security Service Zone: Security Rules, Directory Service, Token Service, Authentication Service, Policy Server.
    DMZ: Reverse Proxy, WS Gateway (the Client reaches them over the internet).
    Portal zone: Portal. Database zone: DB, DWH.
    Application zone: App. 1, App. 2, BAM, BPEE.
    Legacy zone: Wrapper, legacy systems.
    ESB zone: ESB (e.g. MQ), Transformation (e.g. XSLT), Repository (security rules, functional descriptions, non-functional descriptions).
    Marked questions: 1. security information within the ESB repository; 2. repository and security directory; 3. security questions within the application zone.]
21. SOA and Security – Questions (1). Details inside one global service location.
    1. Which security information is required within the service repository, and how should this information be structured?
    2. How should security information be shared between the security directory and the service repository? Which system should be the leading one?
    3. Which security is necessary within the service providers? Do we need additional security architecture structures there? (see question #3 and the following scenario)
22. A typical SOA Architecture and Security. A collaborative SOA approach, based on a typical large-scale architecture.
    [Figure: two service locations of the same provider, each with Portal, Reverse Proxy, local ESB, global ESB and WS Gateway.]
23. SOA and Security – Questions (2). Questions about global multi-domain service delivery.
    4. Security between global domains
    5. Security and global service finding
    6. Replication of the security repository
24. SOA and Security – Questions (2). Questions about global multi-domain service delivery.
    4. Which security rules should be applied between different regional locations (domains) of one global service provider?
    5. Which security rules should be applied during global service discovery? How should this task be distributed between the global ESB modules (e.g. repositories, content-based security, service implementation)?
    6. Which distribution policy and rules should be applied for the global security information (within the repositories and the security directories)?
26. SOA and Security – Answers. Based on the AAA & IdM Reference Architecture.
    [Figure: the zone diagram of slide 20 (Security Service Zone, DMZ, portal zone, database zone, application zone, legacy zone, ESB zone), onto which the following slides map the roles of the reference architecture.]
27. SOA and Security – Answers. Usage of security tokens.
    [Figure: the Security Service Zone's Token Service, Identity Provider, Attribute Provider and Authentication Authority together form the Security Token Service (Issuer); the Principal (User Agent) on the client holds the issued Security Token, which carries information about someone, and presents it through the Reverse Proxy / Portal.]
    The security token is the basic building block of an IdM & AAA infrastructure: it can be distributed over any fixed or mobile network and interchanged between network and service layer without further requirements on the security of the transport.
28. SOA and Security – Answers. Authorization based on policies and security tokens.
    [Figure: Relying Parties with Authorization Enforcement at the Reverse Proxy / Portal, in the application zone (App. 1, App. 2) and at the WS Gateway; the Authorization Decision is taken against Authorization Policies held in the ESB zone's repository.]
    Flexible and scalable access control for all kinds of resources (e.g. portal, WS gateway, applications, engines), based on authorization policies and security tokens.
29. SOA and Security – Answers. Provisioning of accurate and consistent security data.
    [Figure: Identity Provisioning supplies the Security Token Service (Identity Provider, Attribute Provider, Authentication Authority) with identities and profiles, identity attributes, authentication credentials and authentication policies, and supplies the ESB zone's repository with authorization policies and entitlements.]
    Accurate and up-to-date provisioning of identity information and security policies enables secure service delivery based on reliable security tokens.
30. SOA and Security – Answers. Put it all together ...
    [Figure: slides 27 to 29 combined: Security Token Service in the Security Service Zone, Principal (User Agent) on the client, Authorization Enforcement at Reverse Proxy / Portal, applications and WS Gateway, Authorization Decision against the repository's authorization policies and entitlements, Identity Provisioning feeding all of them.]
    ... and you are close to an Enterprise Identity Bus supporting IdM and AAA as a Service.
31. SOA and Security – Answers. The good news is, it works in global multi-domain service delivery too.
    [Figure: the multi-location architecture of slide 22, with Security Token (Issuer) carrying information about someone, Relying Party with Authorization Enforcement, and Identity Provisioning present in each location.]
    ... due to the characteristics of the security token.
33. Conclusions.
    A well-designed security architecture within the enterprise's SOA application zone eases the transition into global-scale ESB implementations (e.g. due to reorganizations, changing business alliances, mergers and acquisitions).
    The security architecture must be flexible and scalable because SOA is characterized by fine-grained services with a multiplicity of interfaces.
    SOA requires an "Enterprise Identity Bus" approach supporting identity management, authentication and authorization as services (IdM & AAA as a Service).
    Originally, the AAA & IdM reference architecture was developed independently of SOA in order to be applicable in almost every context (e.g. Telco, Web 2.0). However, SOA and the AAA & IdM reference architecture match perfectly.
34. Contacts.
    Dietmar Krüger, T-Systems Enterprise Services GmbH, dietmar.krueger@t-systems.com, +49 30 3497 3108
    Dr. Bert Klöppel, T-Systems Enterprise Services GmbH, bert.kloeppel@t-systems.com, +49 561 5893 430
    Jörg Heuer, Deutsche Telekom Laboratories, joerg.heuer@telekom.de, +49 30 83535 8422