Ramesh Nagappan, profile picture
Uploaded byRamesh Nagappan
PDF, PPTX433 views

Interoperable Provisioning in a distributed world

This document discusses interoperable provisioning in a distributed environment. It provides an overview of identity provisioning approaches such as batch provisioning, LDAP replication, and using assertions. The document then discusses the Services Provisioning Markup Language (SPML) standard for interoperable provisioning and describes SPML version 2.0 features and components. It also covers implementing SPML using Java web services toolkits and SPML's relationships with WS-Security and SAML standards.

Embed presentation

Download as PDF, PPTX
Interoperable Provisioning in a Distributed World Mark Diodati, Burton Group Ramesh Nagappan, Sun Microsystems Sampo Kellomaki, SymLabs 02/08/07 – IAM 302
Contacts • Mark Diodati (mdiodati@burtongroup.com) • Ramesh Nagappan (Ramesh.Nagappan@Sun.COM) • Sampo Kellomaki (sampo@symlabs.com)
References • OASIS PSTC SPML 2.0 Specifications — http://docs.oasis-open.org/provision/spml-2.0-cd-01/pstc-spml2-cd-01.pdf • OpenSPML 1.0 Toolkit — www.openspml.org • JAX-WS 2.0 Reference Implementation — https://jax-ws.dev.java.net/ • Identity provisioning with SPML – Patterns and Best practices. — www.coresecuritypatterns.com • Sun Java System Identity Manager (Supports SPML 2.0) — Download at http://www.sun.com/download/products.xml?id=453fe041 • SPML: Gaining Maturity (Burton Group research document) — www.burtongroup.com/spml
Agenda • Presentation – Mark Diodati • Presentation – Ramesh Nagappan • Presentation – Sampo Kellomaki • References
Identity Management - Provisioning Identity Data Services Identities, roles, groups Provisioning Services AccessGateway Policy Enforcement Infrastructure Identity & Policy Admin Delegated admin, self-service Federation Public Identity Services Affiliate Enterprises Subjects (Users, services) Internal Business Units Platform- or application-specific policy enforcement Federation Proxy Virtualization Directory Replication Synchronization Objects (Applications, services, resources) ManagementandAudit Authenticationandreducedsign-on Access proxy Authorization Firewalls Other
Federated Provisioning • The federation standards and products are mature from a technology perspective — Provide good user SSO (authentication) for web applications — Possess some authorization capabilities — Lack user identity provisioning capabilities • Many (most) service provider (SP) applications require a non- ephemeral identity — The identity provider (IdP) and SP must agree upon a provisioning protocol to meet this requirement • How are identities provided to the SP?
Batch Approach • Using an out-of-band process, the IdP sends using provisioning information (adds, changes, deletions) to the SP • Excel spreadsheet, EDI, or other • Benefits — Low technology barrier • Challenges — Slower updates can introduce service and liability issues — IdP may not have a mechanism to verify user identities status — May introduce burdensome manual processes for both the IdP and the SP
LDAP Replication Approach Service Provider Identity Store Local LDAP StoreMaster LDAP Store (1) User information is replicated to onsite store (LDAPS) Darth Sidious Darth Sidious Service Provider Application (4) User with SAML artifact attempts access Darth Sidious (6) Application retrieves user attributes Identity Provider (IdP) (5) Application retrieves SAML assertion
Assertion Approach Identity Provider (IdP) Service Provider Identity Store Darth Sidious Service Provider Application(1) User with SAML artifact attempts access (2) Application retrieves SAML assertion (3) Application creates user identity SAML assertion Name = Darth Sidious SSN = 555-55-5555 Group = Sith Darth Sidious
Services Provisioning Markup Language (SPML) • SPML v1 approved in 2003 — Some “Essential” operations were not included (had to be customized) — Some errors in XML schema • SPML v2 OASIS standard approved in spring of 2006 — “Essential” functions included • Three profiles — DSML (most commonly used and existed in v1) — XSD (new in v2, from WS-Provisioning proposal) — SAML (currently in development) to provide tighter integration of user attributes • Good provisioning vendor support — Widely adopted by the provisioning vendors (Sun, CA, BMC, HP, Oracle, Siemens) • Improving target vendor support — Citrix, SAP, MaxWare
SPML • Benefits — Interoperable provisioning (no custom connectors required) — Reliability — Some auditing and correlation • Challenges — Requires a separate channel for federated provisioning — User schema will likely require pre-agreement — Does not provide protocol security (by intent) • Authentication and confidentiality - use HTTPS and/or WS-Security 2004 • Authorization – may be achieved via certificate trust list or may require more advanced authorization features in the future Provisioning tools can provide authorization capabilities
SPML – Federated Provisioning (2) User added
Agenda • Presentation – Mark Diodati • Presentation – Ramesh Nagappan • Presentation – Sampo Kellomaki • References
The State of SPML 2.0 • SPML 2.0 has been ratified as an OASIS standard. • Builds on the concepts of SPML 1.0 specifications. — Maintains the core protocol, basic roles, operations, data types and elements. — Core protocol enables interoperability among Provisioning service providers. • Defines modal mechanisms for executing provisioning synchronously or asynchronously. • Defines the notion of SPML Profiles. — Profiles define the agreement protocol between requestor and service provider. — SPML v2 XSD Profile and DSML v2 Profile • DSML v2 profile provides the backward compatibility with SPML 1.0 and to support LDAP and X.500 directory services — SPML v2 SAML 2.0 Profile is on its way ! • SPML 2.0 supports extended operations as “Capabilities”.
SPML 2.0 - Logical components • Requesting Authority (RA) — Client initiating the SPML requests to the provisioning system. • Provisioning Service Provider (PSP) — The identity provisioning system that listens, receives, processes SPML requests and returns responses. — Executes provisioning operations. • Provisioning Service Target (PST) — Actual resource where operations are performed. • Provisioning Service Object (PSO) — Represents the data entity on a PST. (ex. User account) Requesting Authority Provisioning Service Provider SPML Response SPML Request PSOPSO PSO Provisioning Service Targets
SPML 2.0: Operations & Capabilities • Core Operations (Mandatory) — SPML 2.0 conformant providers must implement all of them — Basic Operations • addRequest • modifyRequest • deleteRequest • lookupRequest — Discovery Operation • listTargets • Optional Capabilities — Operations that apply to a specific target and supported by a provider. — SPML 2.0 defines a set of standard capabilities • Async capability • Batch capability • Bulk capability • Password capability • Search capability • Suspend capability • Updates capability — Allows PSP define custom capabilities.
Anatomy of a SPML 2.0 Message Request Message Response Message </addRequest> </data> </dsml:attr> <dsml:value>mypasswd</dsml:value> <dsml:attr xmlns:dsml= 'urn:oasis:names:tc:DSML:2:0:core' name=‘password'> </dsml:attr> <dsml:value>JavaGuy</dsml:value> <dsml:attr xmlns:dsml= 'urn:oasis:names:tc:DSML:2:0:core' name='objectclass'> </dsml:attr> <dsml:value>mySPMLTestId</dsml:value> <dsml:attr xmlns:dsml= 'urn:oasis:names:tc:DSML:2:0:core' name='accountId'> <data> <openspml:operationalNameValuePair xmlns:openspml= 'urn:org:openspml:v2:util:xml' name='session' value='AAALPgAAYD0A'/> <addRequest xmlns='urn:oasis:names:tc:SPML:2:0' requestID='rid-spmlv2' executionMode='synchronous‘ targetID=‘xyz1`> </addResponse> </pso> </data> </dsml:attr> <dsml:value>mypasswd</dsml:value> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name=‘password'> </dsml:attr> <dsml:value>JavaGuy</dsml:value> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core‘ name='objectclass'> </dsml:attr> <dsml:value>mySPMLTestId</dsml:value> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core‘ name='accountId'> <data> <psoID ID=‘mySPMLTestId'/> <pso> <openspml:operationalNameValuePair xmlns:openspml='urn:org:openspml:v2:util:xml' name='session' value='AAALPgAAYD0A'/> <addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success' requestID='rid-spmlv2‘ targetID=‘xyz1`>
SPML Based Provisioning via Web Services Requesting Authority Provisioning Service Provider WSDL Provisioning Service Targets SOAP WS-Security SPML UDDI
SPML Relationship with WS-Security and SAML • SPML recommends the use of SSL/TLS protocols and WS-Security for ensuring Transport-layer and Message-layer security. — SPML can take advantage of SOAP/HTTPS transport provisioning requests and responses. — XML Encryption and XML Digital Signature allows to ensure SPML message/element- level confidentiality and integrity. — WS-Security tokens (X.509, SAML Token) to authenticate provisioning service providers. • SPML supports the principles of using SAML 2.0 and Project Liberty Alliance standards. — SPML requests and responses can make use of SAML assertions as a authentication context between the requesting authority and provisioning systems. — SAML assertions from an Identity provider can be used to qualify a subject on a provisioning target.
Role of SPML in Identity Federation (Liberty ID-FF) IdentityIdentity ProviderProvider Service ProvidersService Providers (Out(Out--sourced)sourced) IDID--FF: Circle of TrustFF: Circle of Trust ServiceService ProviderProvider Service providers can issue SPML requests based on a “SAML Authorization Decision” Assertion. • Helps dynamic/on-demand provisioning of roles, privileges, resources etc. ServiceService RequesterRequester InternetInternet SPML Use SAML Assertions
Implementing SPML with Java • OpenSPML 1.0 Toolkit — Comprehensive vendor-independent Java API toolkit for SPML 2.0. — Java classes for constructing/parsing SPML requests and responses support implementing a SPML 2.0 conformant requesting authority. — Supports SPML 2.0 profiles (DSML v2 and XML Schema) and its supporting Java/XML bindings. — Web container pluggable SOAP runtime for sending/receiving SPML messages via SOAP over HTTP. • JAX-WS 2.0 — Java API toolkit for developing WS-I Basic Profile 1.1 compliant XML Web Services. — Helps to build SPML Web Services with WS-Security. • OpenSPML Toolkit can be plugged for creating SPML constructs.
Agenda • Presentation – Mark Diodati • Presentation – Ramesh Nagappan • Presentation – Sampo Kellomaki • References
Liberty Provisioning Initiatives • For avoidance of doubt — Trusted Module provisioning (liberty-idwsf-prov-v1.0-02.pdf) — Very specific target: Advanced Clients and Trusted Modules •Not applicable in this domain — General provisioning •Some marketing requirement floated •No specific approach chosen •SPML, enhanced with ID-WSF, could be an option
ID-DAP Overview MED1
Slide 24 MED1 If this is not a specification or a standard, we cannot discuss in detail, since it breaks interoperability. Mark Diodati, 1/26/2007
Health Care Use Case
Tentative Liberty Provisioning Map
Panel Discussion

More Related Content

PPTX
SOA for PL/SQL Developer (OPP 2010)
byLucas Jellema
 
PPTX
Introducing SOA and Oracle SOA Suite 11g for Database Professionals
byLucas Jellema
 
PPTX
Where and when to use the Oracle Service Bus (OSB)
byGuido Schmutz
 
PDF
oracle-osb
byAbrarMoiz
 
PDF
SOA_BPM_12c_launch_event_SOA_track_deepdive_developerproductivityandperforman...
byGetting value from IoT, Integration and Data Analytics
 
PPTX
SOA Suite 12c - Service Bus new features summary
byLucas Jellema
 
PPTX
Exchange Server 2013 Architecture Deep Dive, Part 1
byMicrosoft TechNet - Belgium and Luxembourg
 
PDF
Plongée en eaux profondes dans l'architecture du nouvel Exchange 2013
byMicrosoft Décideurs IT
 
SOA for PL/SQL Developer (OPP 2010)
byLucas Jellema
 
Introducing SOA and Oracle SOA Suite 11g for Database Professionals
byLucas Jellema
 
Where and when to use the Oracle Service Bus (OSB)
byGuido Schmutz
 
oracle-osb
byAbrarMoiz
 
SOA_BPM_12c_launch_event_SOA_track_deepdive_developerproductivityandperforman...
byGetting value from IoT, Integration and Data Analytics
 
SOA Suite 12c - Service Bus new features summary
byLucas Jellema
 
Exchange Server 2013 Architecture Deep Dive, Part 1
byMicrosoft TechNet - Belgium and Luxembourg
 
Plongée en eaux profondes dans l'architecture du nouvel Exchange 2013
byMicrosoft Décideurs IT
 

What's hot

PDF
Axis2 architecture and implementation
bySreeni I
 
PPTX
Five Cool Use Cases for the Spring Component of the SOA Suite 11g
byGuido Schmutz
 
PPT
Reusing Existing Java EE Applications from SOA Suite 11g
byGuido Schmutz
 
PPT
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
byGuido Schmutz
 
PDF
An Unbiased Look: Oracle SOA Suite 12c
byRevelation Technologies
 
PPTX
(ATS3-PLAT01) Recent developments in Pipeline Pilot
byBIOVIA
 
PDF
Architecture and tools
bysanjay_jha
 
PPTX
Rest API and Client OM for Developer
byInnoTech
 
PPTX
Microsoft Exchange Technology Overview
byMike Pruett
 
PPTX
Where to use OSB
byEdwin Biemond
 
PDF
Annex A Project Summary
byEngr K A Sheikh ITIL, OCS-DB, Exadata
 
PDF
Sakai Technical (Chinese)
byjiali zhang
 
PDF
Oracle Service Bus (OSB) for the Busy IT Professonial
byFrank Munz
 
PPTX
SQL Azure Federation and Scalability
byEduardo Castro
 
PDF
PaaS enabling Java EE applications through service meta-data and policies - J...
byJagadish Prasath
 
PPTX
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
byMichael Noel
 
Axis2 architecture and implementation
bySreeni I
 
Five Cool Use Cases for the Spring Component of the SOA Suite 11g
byGuido Schmutz
 
Reusing Existing Java EE Applications from SOA Suite 11g
byGuido Schmutz
 
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
byGuido Schmutz
 
An Unbiased Look: Oracle SOA Suite 12c
byRevelation Technologies
 
(ATS3-PLAT01) Recent developments in Pipeline Pilot
byBIOVIA
 
Architecture and tools
bysanjay_jha
 
Rest API and Client OM for Developer
byInnoTech
 
Microsoft Exchange Technology Overview
byMike Pruett
 
Where to use OSB
byEdwin Biemond
 
Annex A Project Summary
byEngr K A Sheikh ITIL, OCS-DB, Exadata
 
Sakai Technical (Chinese)
byjiali zhang
 
Oracle Service Bus (OSB) for the Busy IT Professonial
byFrank Munz
 
SQL Azure Federation and Scalability
byEduardo Castro
 
PaaS enabling Java EE applications through service meta-data and policies - J...
byJagadish Prasath
 
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
byMichael Noel
 

Similar to Interoperable Provisioning in a distributed world

PPTX
Introduction to SAML and how to create it by JoeSelian.pptx
byimcheaterid
 
PDF
SAML 101
byEchoworx
 
PDF
Open Standards in Identity Management
byPrabath Siriwardena
 
PDF
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
PDF
SAML
byLéopold Gault
 
PDF
State-of-the-Art in Web Services Federation
byOliver Pfaff
 
PDF
SAML Executive Overview
byPortalGuard
 
PDF
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
byKenneth Peeples
 
PPTX
Understanding SAML 2.0: Enhancing Secure Authentication
byNarendra Kadali
 
PDF
Identity mediation for enterprise identity bus
byPushpalanka Jayawardhana
 
PDF
Attacking SSO (SAML) - Breaking into the front door of Authentication
byAmit Kumar
 
PPT
Web-services
bywebhostingguy
 
PPT
Security and information assurance
bybdemchak
 
PDF
Introduction to SAML 2.0
byMika Koivisto
 
PDF
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
byCloudIDSummit
 
PPTX
WSO2Con USA 2014 - Identity Server Tutorial
byPrabath Siriwardena
 
PPT
Introduction to Shib 2.0 (Chad La Joie)
byJISC.AM
 
PDF
WSO2 Identity Server - Product Overview
byWSO2
 
PDF
Design Pattern for Federated Single Sign-On Access
byMike Reams
 
PPTX
IdP, SAML, OAuth
byDan Brinkmann
 
Introduction to SAML and how to create it by JoeSelian.pptx
byimcheaterid
 
SAML 101
byEchoworx
 
Open Standards in Identity Management
byPrabath Siriwardena
 
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
SAML
byLéopold Gault
 
State-of-the-Art in Web Services Federation
byOliver Pfaff
 
SAML Executive Overview
byPortalGuard
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
byKenneth Peeples
 
Understanding SAML 2.0: Enhancing Secure Authentication
byNarendra Kadali
 
Identity mediation for enterprise identity bus
byPushpalanka Jayawardhana
 
Attacking SSO (SAML) - Breaking into the front door of Authentication
byAmit Kumar
 
Web-services
bywebhostingguy
 
Security and information assurance
bybdemchak
 
Introduction to SAML 2.0
byMika Koivisto
 
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
byCloudIDSummit
 
WSO2Con USA 2014 - Identity Server Tutorial
byPrabath Siriwardena
 
Introduction to Shib 2.0 (Chad La Joie)
byJISC.AM
 
WSO2 Identity Server - Product Overview
byWSO2
 
Design Pattern for Federated Single Sign-On Access
byMike Reams
 
IdP, SAML, OAuth
byDan Brinkmann
 

More from Ramesh Nagappan

PDF
Post Quantum Cryptography: Technical Overview
byRamesh Nagappan
 
PDF
Biometric Authentication for J2EE applications - JavaONE 2005
byRamesh Nagappan
 
PDF
Secure Multitenancy on Oracle SuperCluster
byRamesh Nagappan
 
PDF
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
byRamesh Nagappan
 
PDF
High Performance Security and Virtualization for Oracle Database and Cloud-En...
byRamesh Nagappan
 
PDF
High Performance Security With SPARC T4 Hardware Assisted Cryptography
byRamesh Nagappan
 
PDF
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
byRamesh Nagappan
 
PDF
ICAM - Demo Architecture review
byRamesh Nagappan
 
PDF
Government Citizen ID using Java Card Platform
byRamesh Nagappan
 
PDF
PIV Card based Identity Assurance in Sun Ray and IDM environment
byRamesh Nagappan
 
PDF
Java Platform Security Architecture
byRamesh Nagappan
 
PDF
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
byRamesh Nagappan
 
PDF
Stronger Authentication with Biometric SSO
byRamesh Nagappan
 
PDF
Stronger/Multi-factor Authentication for Enterprise Applications
byRamesh Nagappan
 
PDF
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
byRamesh Nagappan
 
Post Quantum Cryptography: Technical Overview
byRamesh Nagappan
 
Biometric Authentication for J2EE applications - JavaONE 2005
byRamesh Nagappan
 
Secure Multitenancy on Oracle SuperCluster
byRamesh Nagappan
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
byRamesh Nagappan
 
High Performance Security and Virtualization for Oracle Database and Cloud-En...
byRamesh Nagappan
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
byRamesh Nagappan
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
byRamesh Nagappan
 
ICAM - Demo Architecture review
byRamesh Nagappan
 
Government Citizen ID using Java Card Platform
byRamesh Nagappan
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
byRamesh Nagappan
 
Java Platform Security Architecture
byRamesh Nagappan
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
byRamesh Nagappan
 
Stronger Authentication with Biometric SSO
byRamesh Nagappan
 
Stronger/Multi-factor Authentication for Enterprise Applications
byRamesh Nagappan
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
byRamesh Nagappan
 

Recently uploaded

PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
AI Technology important knowledge ......
byutkarshj2007
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 

Interoperable Provisioning in a distributed world

  • 1.
    Interoperable Provisioning ina Distributed World Mark Diodati, Burton Group Ramesh Nagappan, Sun Microsystems Sampo Kellomaki, SymLabs 02/08/07 – IAM 302
  • 2.
    Contacts • Mark Diodati(mdiodati@burtongroup.com) • Ramesh Nagappan (Ramesh.Nagappan@Sun.COM) • Sampo Kellomaki (sampo@symlabs.com)
  • 3.
    References • OASIS PSTCSPML 2.0 Specifications — http://docs.oasis-open.org/provision/spml-2.0-cd-01/pstc-spml2-cd-01.pdf • OpenSPML 1.0 Toolkit — www.openspml.org • JAX-WS 2.0 Reference Implementation — https://jax-ws.dev.java.net/ • Identity provisioning with SPML – Patterns and Best practices. — www.coresecuritypatterns.com • Sun Java System Identity Manager (Supports SPML 2.0) — Download at http://www.sun.com/download/products.xml?id=453fe041 • SPML: Gaining Maturity (Burton Group research document) — www.burtongroup.com/spml
  • 4.
    Agenda • Presentation –Mark Diodati • Presentation – Ramesh Nagappan • Presentation – Sampo Kellomaki • References
  • 5.
    Identity Management -Provisioning Identity Data Services Identities, roles, groups Provisioning Services AccessGateway Policy Enforcement Infrastructure Identity & Policy Admin Delegated admin, self-service Federation Public Identity Services Affiliate Enterprises Subjects (Users, services) Internal Business Units Platform- or application-specific policy enforcement Federation Proxy Virtualization Directory Replication Synchronization Objects (Applications, services, resources) ManagementandAudit Authenticationandreducedsign-on Access proxy Authorization Firewalls Other
  • 6.
    Federated Provisioning • Thefederation standards and products are mature from a technology perspective — Provide good user SSO (authentication) for web applications — Possess some authorization capabilities — Lack user identity provisioning capabilities • Many (most) service provider (SP) applications require a non- ephemeral identity — The identity provider (IdP) and SP must agree upon a provisioning protocol to meet this requirement • How are identities provided to the SP?
  • 7.
    Batch Approach • Usingan out-of-band process, the IdP sends using provisioning information (adds, changes, deletions) to the SP • Excel spreadsheet, EDI, or other • Benefits — Low technology barrier • Challenges — Slower updates can introduce service and liability issues — IdP may not have a mechanism to verify user identities status — May introduce burdensome manual processes for both the IdP and the SP
  • 8.
    LDAP Replication Approach ServiceProvider Identity Store Local LDAP StoreMaster LDAP Store (1) User information is replicated to onsite store (LDAPS) Darth Sidious Darth Sidious Service Provider Application (4) User with SAML artifact attempts access Darth Sidious (6) Application retrieves user attributes Identity Provider (IdP) (5) Application retrieves SAML assertion
  • 9.
    Assertion Approach Identity Provider(IdP) Service Provider Identity Store Darth Sidious Service Provider Application(1) User with SAML artifact attempts access (2) Application retrieves SAML assertion (3) Application creates user identity SAML assertion Name = Darth Sidious SSN = 555-55-5555 Group = Sith Darth Sidious
  • 10.
    Services Provisioning MarkupLanguage (SPML) • SPML v1 approved in 2003 — Some “Essential” operations were not included (had to be customized) — Some errors in XML schema • SPML v2 OASIS standard approved in spring of 2006 — “Essential” functions included • Three profiles — DSML (most commonly used and existed in v1) — XSD (new in v2, from WS-Provisioning proposal) — SAML (currently in development) to provide tighter integration of user attributes • Good provisioning vendor support — Widely adopted by the provisioning vendors (Sun, CA, BMC, HP, Oracle, Siemens) • Improving target vendor support — Citrix, SAP, MaxWare
  • 11.
    SPML • Benefits — Interoperableprovisioning (no custom connectors required) — Reliability — Some auditing and correlation • Challenges — Requires a separate channel for federated provisioning — User schema will likely require pre-agreement — Does not provide protocol security (by intent) • Authentication and confidentiality - use HTTPS and/or WS-Security 2004 • Authorization – may be achieved via certificate trust list or may require more advanced authorization features in the future Provisioning tools can provide authorization capabilities
  • 12.
    SPML – FederatedProvisioning (2) User added
  • 13.
    Agenda • Presentation –Mark Diodati • Presentation – Ramesh Nagappan • Presentation – Sampo Kellomaki • References
  • 14.
    The State ofSPML 2.0 • SPML 2.0 has been ratified as an OASIS standard. • Builds on the concepts of SPML 1.0 specifications. — Maintains the core protocol, basic roles, operations, data types and elements. — Core protocol enables interoperability among Provisioning service providers. • Defines modal mechanisms for executing provisioning synchronously or asynchronously. • Defines the notion of SPML Profiles. — Profiles define the agreement protocol between requestor and service provider. — SPML v2 XSD Profile and DSML v2 Profile • DSML v2 profile provides the backward compatibility with SPML 1.0 and to support LDAP and X.500 directory services — SPML v2 SAML 2.0 Profile is on its way ! • SPML 2.0 supports extended operations as “Capabilities”.
  • 15.
    SPML 2.0 -Logical components • Requesting Authority (RA) — Client initiating the SPML requests to the provisioning system. • Provisioning Service Provider (PSP) — The identity provisioning system that listens, receives, processes SPML requests and returns responses. — Executes provisioning operations. • Provisioning Service Target (PST) — Actual resource where operations are performed. • Provisioning Service Object (PSO) — Represents the data entity on a PST. (ex. User account) Requesting Authority Provisioning Service Provider SPML Response SPML Request PSOPSO PSO Provisioning Service Targets
  • 16.
    SPML 2.0: Operations& Capabilities • Core Operations (Mandatory) — SPML 2.0 conformant providers must implement all of them — Basic Operations • addRequest • modifyRequest • deleteRequest • lookupRequest — Discovery Operation • listTargets • Optional Capabilities — Operations that apply to a specific target and supported by a provider. — SPML 2.0 defines a set of standard capabilities • Async capability • Batch capability • Bulk capability • Password capability • Search capability • Suspend capability • Updates capability — Allows PSP define custom capabilities.
  • 17.
    Anatomy of aSPML 2.0 Message Request Message Response Message </addRequest> </data> </dsml:attr> <dsml:value>mypasswd</dsml:value> <dsml:attr xmlns:dsml= 'urn:oasis:names:tc:DSML:2:0:core' name=‘password'> </dsml:attr> <dsml:value>JavaGuy</dsml:value> <dsml:attr xmlns:dsml= 'urn:oasis:names:tc:DSML:2:0:core' name='objectclass'> </dsml:attr> <dsml:value>mySPMLTestId</dsml:value> <dsml:attr xmlns:dsml= 'urn:oasis:names:tc:DSML:2:0:core' name='accountId'> <data> <openspml:operationalNameValuePair xmlns:openspml= 'urn:org:openspml:v2:util:xml' name='session' value='AAALPgAAYD0A'/> <addRequest xmlns='urn:oasis:names:tc:SPML:2:0' requestID='rid-spmlv2' executionMode='synchronous‘ targetID=‘xyz1`> </addResponse> </pso> </data> </dsml:attr> <dsml:value>mypasswd</dsml:value> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name=‘password'> </dsml:attr> <dsml:value>JavaGuy</dsml:value> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core‘ name='objectclass'> </dsml:attr> <dsml:value>mySPMLTestId</dsml:value> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core‘ name='accountId'> <data> <psoID ID=‘mySPMLTestId'/> <pso> <openspml:operationalNameValuePair xmlns:openspml='urn:org:openspml:v2:util:xml' name='session' value='AAALPgAAYD0A'/> <addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success' requestID='rid-spmlv2‘ targetID=‘xyz1`>
  • 18.
    SPML Based Provisioningvia Web Services Requesting Authority Provisioning Service Provider WSDL Provisioning Service Targets SOAP WS-Security SPML UDDI
  • 19.
    SPML Relationship withWS-Security and SAML • SPML recommends the use of SSL/TLS protocols and WS-Security for ensuring Transport-layer and Message-layer security. — SPML can take advantage of SOAP/HTTPS transport provisioning requests and responses. — XML Encryption and XML Digital Signature allows to ensure SPML message/element- level confidentiality and integrity. — WS-Security tokens (X.509, SAML Token) to authenticate provisioning service providers. • SPML supports the principles of using SAML 2.0 and Project Liberty Alliance standards. — SPML requests and responses can make use of SAML assertions as a authentication context between the requesting authority and provisioning systems. — SAML assertions from an Identity provider can be used to qualify a subject on a provisioning target.
  • 20.
    Role of SPMLin Identity Federation (Liberty ID-FF) IdentityIdentity ProviderProvider Service ProvidersService Providers (Out(Out--sourced)sourced) IDID--FF: Circle of TrustFF: Circle of Trust ServiceService ProviderProvider Service providers can issue SPML requests based on a “SAML Authorization Decision” Assertion. • Helps dynamic/on-demand provisioning of roles, privileges, resources etc. ServiceService RequesterRequester InternetInternet SPML Use SAML Assertions
  • 21.
    Implementing SPML withJava • OpenSPML 1.0 Toolkit — Comprehensive vendor-independent Java API toolkit for SPML 2.0. — Java classes for constructing/parsing SPML requests and responses support implementing a SPML 2.0 conformant requesting authority. — Supports SPML 2.0 profiles (DSML v2 and XML Schema) and its supporting Java/XML bindings. — Web container pluggable SOAP runtime for sending/receiving SPML messages via SOAP over HTTP. • JAX-WS 2.0 — Java API toolkit for developing WS-I Basic Profile 1.1 compliant XML Web Services. — Helps to build SPML Web Services with WS-Security. • OpenSPML Toolkit can be plugged for creating SPML constructs.
  • 22.
    Agenda • Presentation –Mark Diodati • Presentation – Ramesh Nagappan • Presentation – Sampo Kellomaki • References
  • 23.
    Liberty Provisioning Initiatives •For avoidance of doubt — Trusted Module provisioning (liberty-idwsf-prov-v1.0-02.pdf) — Very specific target: Advanced Clients and Trusted Modules •Not applicable in this domain — General provisioning •Some marketing requirement floated •No specific approach chosen •SPML, enhanced with ID-WSF, could be an option
  • 24.
  • 25.
    Slide 24 MED1 Ifthis is not a specification or a standard, we cannot discuss in detail, since it breaks interoperability. Mark Diodati, 1/26/2007
  • 26.
  • 27.
  • 28.