Iiw2007b Madsen 01

Presented at IIW 2007b as overview of various identity specs/initiatives

Published in: Technology, Business

  1. A Framework for Identity System Confusion (Reduction)
     Paul Madsen, NTT
     IIW 2007b
  2. Credits
     Derived in large part from Eve Maler's (www.xmlgrl.com) XML Summer School 2007 talk
  3. Me
     Apologies to Dick
  4. connectid.blogspot.com
  5. Goals
     ● Identity initiatives abound
       – OpenID, Cardspace, Higgins, SAML, Shibboleth, ID-WSF, XRI/XDI, OAuth, etc.
     ● More so than presenting details for any standard/protocol, this talk is meant to provide a framework for thinking about
       – their value propositions
       – their design centres
       – differences/similarities
       – scenarios for their composition
     ● Personal goal: not to say 'user-centric' once
  6. Bits
     ● An Identity Chat
     ● Overviews
       – SAML
       – OpenID
       – Infocards
       – Liberty ID-WSF
     ● Slicing/Dicing
  7. An identity chat
     1) IR -> Sub: I need some identity
     2) Sub -> IR: Here are candidate IPs
     3) IR <-> Sub: Let's use IPa
     4) IR -> IPa: Can I have identity X for Subject?
     5) IR <-> Sub: Allow/deny?
     6) IPa -> IR: Here is the identity
  8. Required Bits
     1. IRs can indicate their desire for identity data
     2. Candidate IPs that can provide the relevant identity can be discovered
     3. Subject and IR can together select an IP
     4. IR can make an identity request of IP
     5. Subject and IP can together grant/deny the request
     6. If approved, identity data can be delivered to the RP
     7. Security & privacy throughout
     Different ID systems do these bits differently (and with varying emphasis), but they all do them
  9. What is SAML?
     ● According to its designers, it is: "an XML-based framework for marshaling security and identity information and exchanging it across domain boundaries"
     ● Strives to be the "universal solvent" of identity
       – Especially SAML V2.0, based on Liberty ID-FF
       – Has out-of-the-box profiles for interoperability, but can be extended and profiled further
     ● Driven primarily by 'serious' scenarios where trust, liability, value, and privacy are at stake
       – B2B, B2C, G2C...
     ● What sorts of adopters does it have?
       – Governments, telcos, financials, aerospace, Google Search Appliance...
  10. At SAML's core: assertions
     ● An assertion is a declaration of fact...
       – ...according to someone
       – You have to determine if you trust them
     ● SAML assertions contain one or more statements about a subject:
       – Authentication statement: "Joe authenticated with a smartcard PKI certificate at 9:07am today"
       – Attribute statement (which can contain multiple attributes): "Joe is a manager and has a £5000 spending limit"
       – Authorization decision statement (use XACML instead for more than simple needs here)
       – Your own customised statements...
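     The slide's point that an assertion is only a claim "according to someone" is what an SP's acceptance checks encode. The following is an added example (not from the talk or any SAML toolkit) that builds a SAML 2.0 assertion carrying the slide's two statements about Joe, then applies the checks an SP runs before relying on it: trusted issuer, validity window and audience. It assumes the XML signature on the enclosing Response has already been verified, and all hosts are hypothetical.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample mirroring the slide's examples (Joe, smartcard PKI login at 09:07,
# manager with a 5000 GBP limit); issuer and audience hosts are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2007-12-04T09:07:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>joe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-12-04T09:07:00Z" NotOnOrAfter="2007-12-04T09:12:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-12-04T09:07:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="spendingLimitGBP"><saml:AttributeValue>5000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_time(s):  # SAML timestamps are UTC with a trailing 'Z'
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, now, trusted_issuers, audience):
    """Checks an SP runs before relying on an assertion. Returns (statements, None) on
    acceptance or (None, reason) on rejection. Assumes the XML signature on the
    enclosing <Response> has already been verified (not shown here)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:  # "you have to determine if you trust them"
        return None, f"untrusted issuer: {issuer}"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        return None, "missing Conditions or outside validity window"
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None, f"assertion not addressed to {audience}"
    return {
        "issuer": issuer,
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_contexts": [s.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
                           for s in root.findall("saml:AuthnStatement", NS)],
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }, None
```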
  11. SP-initiated/redirect/POST
     [Diagram: SP-initiated SSO using the redirect and POST bindings, between the Service Provider sp.example.com (Resource, Assertion Consumer Service) and the Identity Provider idp.example.org (Single Sign-On Service). Steps shown: access resource; redirect with <AuthnRequest>; GET using <AuthnRequest>; challenge for credentials / user login; signed <Response> in HTML form; POST signed <Response>; access check; supply resource. Browser actions are marked "User or UA action".]
  12. What is OpenID?
     ● According to its designers, it is: "an open, decentralized, free framework for user-centric digital identity"
     ● Deeply rooted in World Wide Web philosophy:
       – You identify yourself with a URL (or XRI): a single universal namespace
       – Authentication consists of proving you "own" the corresponding web resource
     ● Deeply committed to Internet-scale adoption
       – Lots of scripty open source
     ● Driven by "Web 2.0" scenarios:
       – Blog commenting, contributing to wikis, social networking
     ● Accepted at, e.g. ...
  13. How does OpenID work?
     ● An OpenID is simultaneously:
       – A unique publicly known identifier string by which your online activities can be correlated
       – A URL or XRI for some machine-readable information that redirects an "OpenID Consumer" site (RP) to your "OpenID Provider" site (IdP); you can host your own or delegate to a chosen provider
       – Often, a URL or XRI for a human-readable web page about you
     ● The provider does authentication and may also send back a small set of attributes set by you
       – Through the Simple Registration extension
       – Nickname, email, full name, date of birth, gender, postcode, country, language, timezone
     ● You can host an authentication service on your own web server
       – E.g., connectid.blogspot.com (theoretically!)
     ● You can use delegation to "chain" OpenIDs
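     The "machine-readable information" behind an OpenID, and the delegation it allows, is what an RP reads during discovery. The following is an added example (not from the talk or any OpenID library) of HTML-based discovery: it pulls the OP endpoint and the OP-local identifier out of the claimed identifier's page, and then checks that a positive assertion from the OP names exactly what was discovered, which is the step that stops a provider from asserting identifiers it was never delegated. The page content, hosts and the shape of the response fields are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample of the page behind a claimed identifier that delegates to a
# chosen OP (OpenID 2.0 and 1.x link relations); all hosts are hypothetical.
SAMPLE_IDENTITY_PAGE = """<html><head><title>Joe</title>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/id/joe">
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://op.example.net/id/joe">
</head><body>About Joe</body></html>"""

class _HeadLinks(HTMLParser):
    """Collects <link rel=... href=...> elements, but only from <head>."""
    def __init__(self):
        super().__init__()
        self.rels, self.in_head = {}, True
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and self.in_head and a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.rels.setdefault(rel, a["href"])  # first occurrence wins
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """HTML-based discovery: the RP fetches the claimed identifier itself and reads the
    OP endpoint and OP-local identifier from it (2.0 relations take precedence)."""
    p = _HeadLinks(); p.feed(html); r = p.rels
    if "openid2.provider" in r:
        return {"claimed_id": claimed_id, "op_endpoint": r["openid2.provider"],
                "op_local_id": r.get("openid2.local_id", claimed_id)}
    if "openid.server" in r:
        return {"claimed_id": claimed_id, "op_endpoint": r["openid.server"],
                "op_local_id": r.get("openid.delegate", claimed_id)}
    return None

def response_matches_discovery(discovered, response):
    """Accept a positive assertion only if its endpoint and identifiers match what the RP
    discovered on its own; 'response' is the parsed openid.* fields of the assertion."""
    return (discovered is not None
            and response.get("openid.op_endpoint") == discovered["op_endpoint"]
            and response.get("openid.claimed_id") == discovered["claimed_id"]
            and response.get("openid.identity") == discovered["op_local_id"])
```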
  14. SP-initiated simplified sign-on with OpenID
     [Diagram: sign-on between an OpenID Consumer / RP (e.g. projectconcordia.org) and an OpenID Provider / OP (e.g. prooveme.com). Steps shown: user POSTs OpenID; RP discovers OP through OpenID resolution; optionally set up a symmetric session key (can be remembered for future interactions); redirect to OP; challenge for credentials / user login; "Allow access?" prompt; authentication response (and maybe Simple Reg attributes) sent with GET or POST; display site. Browser actions are marked "User or UA action".]
  15. What is Windows CardSpace?
     ● According to its designers, it is: "a Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem"
     ● Uses software "cards" to let users manage identities
       – Card selector can mediate a "trust no one" IdP/RP relationship
       – Serves up or obtains claims (authentication and attribute data) associated with a card
     ● Driven by web authentication security concerns
       – Hardened against tampering and phishing attempts
       – Prepared to tie closely into OS and hardware platform
       – Functions as an identity agent
     ● Accepted at, e.g. ...
  16. How does CardSpace work?
     ● You initially use the identity selector client component to:
       – Install managed cards from IdPs (security token services or STSs) after having authenticated to them
         ● Your card only points to claims made by the IdP; identifiers come from CoT-specific namespaces
       – Create self-asserted cards that store your own claims about yourself
         ● The identity selector functions as an on-board IdP, with "profile management" features
     ● Later, when you access a card-accepting RP:
       – You choose from among your cards that satisfy the RP's and IdP's policy requirements/abilities
  17. RP-initiated simplified sign-on with a CardSpace managed card
     [Diagram: parties are an information card-accepting RP, an STS that is the managed-card identity provider (IP) for a particular card, and the CardSpace identity selector holding Card 1, Card 2, ... Numbered steps: 1 access resource?; 2 send RP policy requirements; 3 match RP policy requirements to available IP policy capabilities; 4 select one card out of those available that match the policy intersection, and select any optional claims asked for (user action); 5 authenticate to and request claims from the appropriate IP based on card selection; 6 send claims; 7 optionally encrypt claims for RP; 8 convey claims to RP; 9 supply resource.]
  18. Not the only game in town
     Other compatible (WS-Trust based) selector implementations emerging
     Shamefully out of date
  19. Liberty ID-WSF
     ● A SOAP-based framework for locating and invoking identity-based Web services
     ● Identity-based Web services:
       – Are associated with a Principal's Identity (e.g. My Calendar Service)
       – Typically invoked using a Principal's Identity
     ● Permissions-based Attribute Sharing
     ● Invoking Services under control of user
       – Service Requestor doing so on behalf (either directly or indirectly) of user
  20. ID-WSF & WS-*
  21. SAML and ID-WSF together
     [Diagram: "SSO World" (IdP, SP/WSC) and "Identity Services World" (DS, WSPs), linked by SAML on one side and ID-WSF on the other.]
     SAML: The SP uses SAML to obtain the identity credential for Jane.
     ID-WSF: The SP (acting as a WSC) uses ID-WSF to invoke services at the WSPs on Jane's behalf.
  22. Slicing/Dicing
     ● Lots of different ways to analyze these identity systems
     ● I'm going to attempt doing so
       – In terms of the identity functions they support
       – In terms of the characteristics they share
       – In terms of their support for different portions of a 'Fear of Big Brother' scale
     ● Inevitably, any scheme will artificially
       – Blur real distinctions
       – Over-emphasize relatively minor differences
  23. In Theory
     In principle, a given federated identity operation consists of the following steps:
     1. Authentication (Subject lays claim to an identity at an IdP)
     2. Single Sign On (fact of #1 is asserted to an RP)
     3. Front-channel attribute exchange (accompanying #2 can be attributes)
     4. Back-channel attribute exchange (other attributes retrieved through a direct channel)
     5. Single Log Out (synchronizing session terminations)
  24. Infocards
  25. Infocards
  26. The Venn of Identity
     Infocards
     "The Venn of Identity", Eve Maler / Drummond Reed
  27. Big Brother
     ● The various identity systems make different assumptions about the necessity/appropriateness of a 3rd party IdP's involvement in transactions
     ● We get a 'Big Brother Paranoia' scale
       1) Why, you look like a nice IdP.
       2) OK, but I'm watching you!
       3) Stop staring at me!
       4) I don't need you!
  28. Fear of Big Brother
     Why, you look like a nice IdP.
       ● User relies on 3rd party IdP to assert identity attributes
       ● Consent for release can be obtained a priori or real-time through out-of-band interactions
       ● IdP does the 'right thing' because of business drivers & legal constructs
       ● Varying assumptions about correlation
     OK, but I'm watching you!
       ● User relies on 3rd party IdP to assert identity attributes
       ● User able to enforce real-time control over identity sharing through active mediation of identity flow
       ● Implies smart client
     Stop staring at me!
       ● User relies on 3rd party IdP to assert identity attributes
       ● User's SP activities/visits obfuscated from IdP
       ● Implies smart client
     I don't need you!
       ● User asserts their own identity attributes
       ● Can be client or network hosted
       ● Ultimate control
       ● Credibility hurdle
     Systems placed along the scale: SAML, OpenID, Infocards, Cardspace, ID-WSF, idemix
  29. Summary
     ● We confront/enjoy a plethora of identity systems today
     ● Notwithstanding their commonalities, the differences in driver use cases, philosophy, and functionality ensure that each has value
     ● Encouraging signs that subsequent development will happen in a cohesive & consistent manner.