Identity as a Service

By Prabath Siriwardena, WSO2 Identity as a Service

IDENTITY goes hand in hand with TRUST

What makes my IDENTITY?

My AGE is part of my IDENTITY

My PHONE NUMBER is part of my IDENTITY

My e-MAIL is part of my IDENTITY

My SSN is part of my IDENTITY

Who needs my IDENTITY?

My HR MANAGER

My FINANCE MANAGER

My PROJECT MANAGER

PARTNERS of my company

LAWS of IDENTITY
Extending internet with an Identity Management Layer

LAWS of IDENTITY
User control & consent

LAWS of IDENTITY
User control & consent Technical Identity Systems must only reveal information identifying a user with the user’s consent.

LAWS of IDENTITY
Minimal disclosure for a given use

LAWS of IDENTITY
Minimal disclosure for a given use The solution which discloses the least amount of identifying Information and best limits its use is the most stable long term solution.

LAWS of IDENTITY
Justifiable parties

LAWS of IDENTITY
Justifiable parties Digital identity system must be designed so the disclosure of Identifying information is limited to parties having a necessary And justifiable place in a given identity relationship.

LAWS of IDENTITY
Directed Identity

LAWS of IDENTITY
Directed Identity A universal identity system must support both ‘ Omni-directional’ identifiers for use by public entities and ‘unidirectional’ identifiers for use by private entities, thus facilitating discovery while preventing un-necessary release of correlation handles.

LAWS of IDENTITY
Pluralism of operators & technologies

LAWS of IDENTITY
Pluralism of operators & technologies A universal identity system must channel and enable the Inter-working of ,multiple identity technologies run by Multiple identity providers.

LAWS of IDENTITY
Human Integration

LAWS of IDENTITY
Human Integration The universal Identity Meta-system must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against Identity attacks.

LAWS of IDENTITY
Consistent experience across contexts

LAWS of IDENTITY
Consistent experience across contexts The unifying identity meta-system must guarantee its Users a simple consistent experience while enabling Separation of contexts through multiple operators and technologies.

How do we share data related to IDENTITY ???

DIRECTORY SERVICES : LDAP/AD

IDENTITY attributes maintained in a central repo

IDENTITY attributes shared across multiple applications within the same domain

Enterprise SSO can be established within participating applications

Protocol incompatibilities could lead to silos

Directory awareness at the individual application level

LDAP/Active Directory HR FINANCE ERP BUSINESS LOGIC BUSINESS LOGIC BUSINESS LOGIC EXTERNAL

LDAP/Active Directory HR FINANCE ERP BUSINESS LOGIC BUSINESS LOGIC BUSINESS LOGIC

LDAP/Active Directory HR FINANCE ERP Identity Service

LDAP/Active Directory HR FINANCE ERP Identity Service EXTERNAL

IDENTITY as a SERVICE

Integrates IDENTITY services into application development

Decouples IDENTITY related logic from individual application business logic

User, IDENTITY related data externalized from the applications themselves

Adheres to SOA standards

IDENTITY SERVICES
AUTHENTICATION AUTHORIZATION AUDIT IDENTITY PROVIDER PROVISIONING

IDENTITY PROVIDER
Externalize IDENTITY attributes

IDENTITY PROVIDER
Information Cards

IDENTITY PROVIDER
OpenID

IDENTITY PROVIDER
Identity Governance Framework [IGF]

AUTHENTICATION
User Name/Password

AUTHENTICATION
User centric identity : CardSpace/OpenID

AUTHORIZATION
Manages authorization logic

AUTHORIZATION
XACML

AUTHORIZATION - XACML
A general purpose authorization policy language

Policy Expressions
“ Anyone can use web servers between 12:00 AM and 4:00 AM”
“ Salespeople can create orders, but if the total cost is greater that $1M, a supervisor must approve”
“ Anyone view their own 401K information, but nobody else’s”
“ The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
“ The primary physician can have any of her patients’ medical records sent to a specialist in the same”

XACML Vs SAML Here comes another request…. Let me process the Auth’Z request… SAML XACML

PROVISIONING
Supports administration of IDENTITY & ACCESS Management

PROVISIONING
Provides centralized policy administration and controls

PROVISIONING
SPML

PROVISIONING
http://soa.sys-con.com/node/434383 Service Provisioning via SPML in SOA Simplifying identity and resource management for distributed services By: Manivannan Gopalan

AUDITING
Audit all IDENTITY events

AUDITING -XDAS
Distribute Audit Service

AUDITING -XDAS
The principle of accountability

AUDITING -XDAS
Detection of security policy violations

AUDITING -XDAS
http://www.opengroup.org/pubs/catalog/p441.htm

IDENTITY SERVICES
AUTHENTICATION [InforCards/OpenID] AUTHORIZATION [XACML] AUDIT [XDAS] IDENTITY PROVIDER [OpenID/InforCards] PROVISIONING [SPML]

USER CENTRIC IDENTITY
User in control of identity interactions

Service Provider/User/Identity Provider IDENTITY PROVIDER SERVICE PROVIDER

Information Cards

OpenID
http://www.slideshare.net/prabathsiriwardena/understanding-openid/

BUILDING FEDERATED IDENTITY
WITH OPENID
USER STORE OpenID PROVIDER REALM SERVICE PROVIDER

IDENTITY GOVERNANCE
Establishing policies, controls & enforcement mechanisms

IDENTITY GOVERNANCE
WHY? 1. A fragile and brittle SOA implementation 2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind 3. Lack of trust and confidence in services as enterprise assets, which results in a “build it myself” mentality 4. Security breaches that cannot easily be traced 5. Unpredictable performance

IDENTITY GOVERNANCE
IDENTITY GOVERNANCE FRAMEWORK 1. Identity attribute service - a service that supports access to many different identity sources and enforces administrative policy 2. CARML : declarative syntax using which clients may specify their attribute requirements 3. AAPML : declarative syntax which enables providers of identity-related data to express policy on the usage of information, 4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes

WSO2 IDENTITY SOLUTION

Questions…
Thank you…!

http://wso2.org	273
http://www.nandana.org	108
http://nandana83.blogspot.com	62
http://blog.facilelogin.com	61
http://blog.ruchith.org	31
http://www.slideshare.net	27
http://jisi.dreamblog.jp	25
http://blog.odysen.com	23
http://sylvain-maret.blogspot.com	11
https://www.wso2.org	5
http://www.citadelle-electronique.net	4
https://wso2.org	3
http://74.125.153.132	2
http://192.168.10.100	1
http://webcache.googleusercontent.com	1
http://translate.googleusercontent.com	1

Identity as a Service

by Prabath Siriwardena on Oct 21, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

16 Embeds 638

Statistics

Identity as a Service — Presentation Transcript