Identity federation & user centric identity
As presented at the Identity 2009 event, in The Hague, on 6 October 2009
  • 17.30 Identity federations and how to scale them. Do you trust another party to manage the identities? Opportunities and threats for service providers? Which standards, and how to make them interoperate? What is the role of Identity-as-a-Service here? How problematic is scalability, especially of trust? The SURFfederatie is used here as a case.

Presentation Transcript

  • Identity federation & user centric identity. Maarten Wegdam, Novay (formerly Telematica Instituut). Identity 2009, 6 October 2009
  • What to expect
    • Trends in identity federation & user centric identity
      • bias towards consumer identity on the internet
    • Sectors & issues: business model is key
    • User centric identity & standards: more than a hype
    • Scaling federations: trust models and IaaS
  • Who am I?
    • Maarten Wegdam
      • Senior researcher @ Novay
      • Coordinator of identity, privacy & trust
    • Novay - formerly Telematica Instituut
      • independent ICT research institute
      • multi-disciplinary, ~100 people
      • innovative projects for companies & government
  • Identity federation – the basics
    • Identity = set of attributes
    • For authentication, authorization and personalization
    • Requires trust between all three parties!!!
    [Diagram: the three parties: identity provider (IdP), user, and relying party (also called: service provider)]
  • Why identity federation? (sales pitch for a service provider)
    • Externalize identity not only from your applications, but also from your company
    • Cheaper & less fraud
      • less helpdesk, no token, no identity binding etc
    • Better conversion
      • e.g., new user can register immediately and online
    • The user wants it …
      • easier, quicker, more secure etc
  • Sectors and examples in NL
    [Diagram: sector quadrants B2G, C2B, B2B, C2G; examples placed in them: eHerkenning, Digitaal Paspoort (Sivi), OpenID.nl+, intra organization]
  • 5 reasons why identity federation is difficult
    • Business model
    • Market entry
    • Diversity of standards
    • Privacy concerns
    • Trust issues
  • Business model
    • Goal: a healthy ecosystem!
    • Determine roles, and who-pays-who
    • Decreasing regulation:
      • Government issued (Belgium eID, DigiD)
      • Government regulated (PKIOverheid, eHerkenning)
      • Market scheme (OpenID.nl+ ?)
      • Free market – only a technical standard (OpenID)
    • Models 1 to 3 require some form of monopoly/regulator
  • User centric identity – what is it?
    • Give users insight & control
      • insight on what is shared
      • control over this (consent)
    • Decoupling of IdP and Relying Party
    • No control may be fine for enterprise SSO, but not for consumer identity on the internet
    • Well-known specs: OpenID & InfoCard
    • Not user centric -> IdP centric (SAML spec)
  • User centric identity: OpenID is more than a hype
    • Social network, web 2.0 etc oriented, client-less (web redirects)
    • A lot of IdPs, much slower adoption by Relying Parties
    • Simple: easy to support, but low on features and security
    • With privacy control (user consent before sharing attributes)
    • Part of “Open stack” (OAuth, OpenSocial etc)
    • Opinion: a great way to
      • avoid lists of usernames/passwords for low-security sites
      • avoid providing basic attributes over and over again (email address, name etc)
      • But: current version (v2) is only for low security
  • User centric identity: OpenID & SAML, beyond the marketing
    • OpenID is considered user centric, SAML (WebSSO) IdP centric
    • Both are ‘web redirect’ based, therefore:
    • the same user control features offered by OpenID implementations can be offered by SAML
    • THUS: SAML can be as user centric as OpenID
    • Of course: SAML is much more secure, and has a ‘closed’ trust model
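The slide's point that user control is independent of the redirect protocol can be shown in code. The following is an added example written for this page, not code from the presentation or from any OpenID or SAML library: an IdP-side consent check that decides which requested attributes may be released to a given relying party, with the same decision then wrapped either in a simplified SAML AttributeStatement or in OpenID Attribute Exchange style key/value pairs. Attribute names, the relying-party ids and both wire formats are constructed and simplified (no signing, no full assertion envelope).

```python
"""
Consent-gated attribute release at an identity provider (IdP).

Added example for this page, not code from the presentation or from any
OpenID/SAML library. Attribute names, relying-party ids and the two wire
formats below are constructed and simplified. The point shown is that the
consent decision is protocol-independent: the same release logic can sit
behind a SAML attribute statement or an OpenID attribute-exchange style
response, which is why SAML can be made as user centric as OpenID.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_ASSERTION_NS)


@dataclass
class ConsentStore:
    """(user, rp) -> attributes the user has agreed to release to that RP.
    Consent is per relying party: a grant for one RP says nothing about another."""
    grants: dict = field(default_factory=dict)

    def granted(self, user: str, rp: str) -> set:
        return self.grants.get((user, rp), set())

    def grant(self, user: str, rp: str, attrs) -> None:
        self.grants.setdefault((user, rp), set()).update(attrs)


@dataclass
class ReleaseDecision:
    released: dict          # attribute -> value, may be sent to the RP
    needs_consent: set      # requested and known, but not yet approved for this RP
    unknown: set            # requested, but the IdP holds no such attribute


def decide_release(user_attrs: dict, requested, user: str, rp: str,
                   consent: ConsentStore) -> ReleaseDecision:
    """Release only attributes that are requested by the RP, known for the
    user and covered by the user's consent for this RP. Everything else is
    reported back so the IdP can show a consent prompt instead of leaking."""
    granted = consent.granted(user, rp)
    released, needs_consent, unknown = {}, set(), set()
    for attr in requested:
        if attr not in user_attrs:
            unknown.add(attr)
        elif attr in granted:
            released[attr] = user_attrs[attr]
        else:
            needs_consent.add(attr)
    return ReleaseDecision(released, needs_consent, unknown)


def saml_attribute_statement(decision: ReleaseDecision) -> str:
    """Wrap the released attributes in an (unsigned, simplified) SAML 2.0
    AttributeStatement. Signature and the rest of the assertion are omitted."""
    stmt = ET.Element(f"{{{SAML_ASSERTION_NS}}}AttributeStatement")
    for name, value in sorted(decision.released.items()):
        attr = ET.SubElement(stmt, f"{{{SAML_ASSERTION_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_ASSERTION_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def openid_ax_response(decision: ReleaseDecision) -> dict:
    """The same released set as flat key/value pairs, in the spirit of OpenID
    Attribute Exchange (simplified: one alias per attribute, no type URIs)."""
    return {f"openid.ax.value.{name}": value
            for name, value in decision.released.items()}


if __name__ == "__main__":
    # Constructed sample data: Alice has consented to share email and name
    # with one shop, and nothing with anyone else.
    consent = ConsentStore()
    consent.grant("alice", "https://shop.example", {"email", "name"})
    alice = {"email": "alice@example.org", "name": "Alice", "birthdate": "1980-01-01"}
    d = decide_release(alice, ["email", "name", "birthdate", "phone"],
                       "alice", "https://shop.example", consent)
    print(d)
    print(saml_attribute_statement(d))
    print(openid_ax_response(d))
```

The `needs_consent` set is what drives the consent screen the slides call "control"; the `released` dict, logged per RP, gives the "insight" part. Neither depends on which of the two serializers is used afterwards.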
  • User centric identity: Information Cards
    • Originates from Microsoft, but now OASIS standard
    • Credit card metaphor for the user interface
    • Requires client, and has anti-phishing features!!
    • More decoupling between IdP and RP
    • Opinion:
      • Easy to use, except for creating cards
      • (Too) limited support for mobility
      • Promising standard
      • Slow adoption
  • Comparison of SAML, OpenID and InfoCard [inspired by the Venn of Identity by Eve Maler]
    [Diagram: a Venn diagram of the three standards; the features placed in it are: simplicity and scalability over security; client-less; closed trust model; enables user centric identity; anti-phishing & IdP-RP unlinkability; integrates with web services; client centered; IdP discovery; and the characterizations “old” and much used, “new” and hype, “very new” and promising]
  • Scaling federations & trust
    • Trust is primarily a business and organizational issue, and only secondarily a technical one
    • Trust between IdPs and Relying Parties is a major issue for scalability of identity federations
      • Burton group: “Glass ceiling”
      • Several approaches, no easy solution!
  • Scaling federations & trust: trust models [OASIS]
    • Pairwise
    • Brokered
    • Community
    • Reality: trust is typically mixed
      • Example: SURFfederatie combines all three
    [Diagram: pairwise (IdP – RP), brokered (IdP – TTP – RP), community (IdP – RP within a federation)]
  • Scaling federations & trust: Identity-as-a-Service
    • IaaS: an IdP that deploys its identity service as a cloud service
    • IaaS provider can be a trust broker
      • and for smaller IdPs
      • and facilitate interoperability
    • Example: Covisint, SURFfederatie
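To make the three OASIS trust models and the broker role of an IaaS provider from the two slides above concrete, here is an added example written for this page (not code from the presentation, from OASIS, or from any federation product such as the SURFfederatie or Covisint). It models a relying party's decision whether to accept an assertion from a given IdP under pairwise, brokered or community trust, and shows why a broker scales: one change at the broker cuts off an IdP for every RP that relies on it. All entity ids and federation names are constructed; real deployments carry these relations in signed metadata, here they are plain in-memory sets so the lookup logic stays visible.

```python
"""
Relying-party side trust evaluation for the three OASIS trust models named
on the slides (pairwise, brokered, community), plus an Identity-as-a-Service
provider acting as trust broker.

Added example for this page; not code from the presentation, from OASIS or
from any federation software. All entity ids and federation names are
constructed. Signature verification of the assertion is assumed to have
happened already and is out of scope here.
"""
from dataclasses import dataclass, field


@dataclass
class TrustRegistry:
    # pairwise: rp -> IdPs with a direct bilateral agreement
    pairwise: dict = field(default_factory=dict)
    # brokered: rp -> trusted third parties; ttp -> IdPs the TTP vouches for
    rp_brokers: dict = field(default_factory=dict)
    broker_idps: dict = field(default_factory=dict)
    # community: federation name -> all members (IdPs and RPs alike)
    communities: dict = field(default_factory=dict)

    def trust_path(self, rp: str, idp: str):
        """Return (model, path) explaining why `rp` may accept assertions
        from `idp`, or None. The most specific relation wins: a bilateral
        agreement beats a broker's say-so, which beats community membership."""
        if idp in self.pairwise.get(rp, set()):
            return ("pairwise", [rp, idp])
        for ttp in sorted(self.rp_brokers.get(rp, set())):
            if idp in self.broker_idps.get(ttp, set()):
                return ("brokered", [rp, ttp, idp])
        for name in sorted(self.communities):
            members = self.communities[name]
            if rp in members and idp in members:
                return ("community", [rp, name, idp])
        return None

    def accept(self, rp: str, assertion: dict):
        """An RP accepts an assertion only from an issuer it trusts via some
        model; the reason is returned so it can be logged with the decision."""
        path = self.trust_path(rp, assertion["issuer"])
        if path is None:
            return (False, "issuer not trusted by any model")
        return (True, f"{path[0]} via {' -> '.join(path[1])}")

    def broker_revoke(self, ttp: str, idp: str) -> int:
        """The broker drops an IdP: every RP relying on this broker loses the
        relation in one step (the scaling benefit of a TTP / IaaS provider).
        Returns how many of those RPs are left with no trust path at all."""
        self.broker_idps.get(ttp, set()).discard(idp)
        affected = 0
        for rp, brokers in self.rp_brokers.items():
            if ttp in brokers and self.trust_path(rp, idp) is None:
                affected += 1
        return affected


def mixed_federation() -> TrustRegistry:
    """Constructed federation mixing all three models, as the slides say is
    typical in practice. Every name here is invented."""
    reg = TrustRegistry()
    reg.pairwise["rp-library"] = {"idp-uni-a"}                     # bilateral contract
    reg.broker_idps["iaas-hub"] = {"idp-uni-b", "idp-uni-c"}       # IaaS provider vouches
    reg.rp_brokers["rp-library"] = {"iaas-hub"}
    reg.rp_brokers["rp-journal"] = {"iaas-hub"}
    reg.communities["edu-federation"] = {"rp-library", "rp-wiki", "idp-uni-a", "idp-uni-c"}
    return reg


if __name__ == "__main__":
    reg = mixed_federation()
    for rp, idp in [("rp-library", "idp-uni-a"), ("rp-journal", "idp-uni-b"),
                    ("rp-wiki", "idp-uni-c"), ("rp-wiki", "idp-uni-b")]:
        print(rp, idp, reg.accept(rp, {"issuer": idp, "subject": "user-1"}))
    print("RPs cut off when the broker revokes idp-uni-b:",
          reg.broker_revoke("iaas-hub", "idp-uni-b"))
```

The evaluation order (pairwise, then brokered, then community) is a design choice: the RP records the strongest relation it actually has with that IdP, which matters when the trust is mixed and an audit later asks on what basis an assertion was accepted.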
  • Scaling federations & trust: approaches to scaling trust
    • Standardized privacy statements
    • Providing (standardized) information in general
    • Third party statements (e.g., audits)
    • Confederations: federations of federations
    • User centric identity (reducing needed trust)
    • Identity-as-a-Service
    • Maybe in future: reputation management
  • Key takeaways
    • Identity federation is about the identity of your customers & partners
    • Which business model, and how much regulation, is a hot issue
    • Converged to three standards: SAML, InfoCard & OpenID; support all that make sense
    • User centricity is here to stay, and can be done with all three standards
    • Scaling federations means scaling trust: different approaches
    More information: [email_address], blog: http://maarten.wegdam.name