By Prabath Siriwardena, WSO2 Identity as a Service
IDENTITY goes hand in hand with TRUST
What makes my IDENTITY?
My AGE is part of my IDENTITY
My PHONE NUMBER is part of my IDENTITY
My e-MAIL is part of my IDENTITY
My SSN is part of my IDENTITY
Who needs my IDENTITY?
My HR MANAGER
My FINANCE MANAGER
My PROJECT MANAGER
PARTNERS of my company
LAWS of IDENTITY
Extending the internet with an identity management layer.
1. User control and consent: technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal disclosure for a given use: the solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
3. Justifiable parties: a digital identity system must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
4. Directed identity: a universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
5. Pluralism of operators and technologies: a universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
6. Human integration: the universal identity metasystem must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
7. Consistent experience across contexts: the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
How do we share data related to IDENTITY ???
DIRECTORY SERVICES : LDAP/AD
IDENTITY attributes maintained in a central repository
IDENTITY attributes shared across multiple applications within the same domain
Enterprise SSO can be established within participating applications
Protocol incompatibilities could lead to silos
Directory awareness at the individual application level
[Diagram, four stages: (1) HR, FINANCE and ERP applications, each with its own BUSINESS LOGIC, talking directly to LDAP/Active Directory, plus an EXTERNAL party; (2) the same applications with business logic and direct directory access, no external party; (3) HR, FINANCE and ERP reaching LDAP/Active Directory through a shared Identity Service; (4) the same Identity Service arrangement with the EXTERNAL party also going through the Identity Service.]
IDENTITY as a SERVICE
Integrates IDENTITY services into application development
Decouples IDENTITY related logic from individual application business logic
User and IDENTITY related data externalized from the applications themselves
“Anyone can use web servers between 12:00 AM and 4:00 AM”
“Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
“Anyone can view their own 401K information, but nobody else’s”
“The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
“The primary physician can have any of her patients’ medical records sent to a specialist in the same”
AUTHORIZATION - XACML
XACML vs SAML
[Cartoon: SAML says “Here comes another request….”; XACML says “Let me process the Auth’Z request…”]
PROVISIONING
Supports administration of IDENTITY & ACCESS Management
Provides centralized policy administration and controls
SPML
Reference: Service Provisioning via SPML in SOA: Simplifying identity and resource management for distributed services, by Manivannan Gopalan, http://soa.sys-con.com/node/434383
WHY?
1. A fragile and brittle SOA implementation
2. Services that cannot easily be reused because they are unknown to developers or because they were not designed with reuse in mind
3. Lack of trust and confidence in services as enterprise assets, which results in a “build it myself” mentality
4. Security breaches that cannot easily be traced
5. Unpredictable performance
IDENTITY GOVERNANCE
IDENTITY GOVERNANCE FRAMEWORK
1. Identity attribute service: a service that supports access to many different identity sources and enforces administrative policy
2. CARML: declarative syntax using which clients may specify their attribute requirements
3. AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information
4. Multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes