Identity federation & user centric identity

As presented at the Identity 2009 event, The Hague, 6 October 2009

  • Programme note: 17.30 Identity federations and how to scale them. Do you trust another party to manage the identities? Opportunities and threats for service providers? Which standards, and how to make them interoperate? What is the role of Identity-as-a-Service here? How problematic is scalability, in particular of trust? The SURFfederatie is used as the case.

    1. Identity federation & user centric identity. Maarten Wegdam, Novay (formerly Telematica Instituut). Identity 2009, 6 October 2009

    2. What to expect
      • Trends in identity federation & user centric identity
        ◦ bias towards consumer identity on the internet
      • Sectors & issues: business model is key
      • User centric identity & standards: more than a hype
      • Scaling federations: trust models and IaaS

    3. Who am I?
      • Maarten Wegdam
        ◦ Senior researcher @ Novay
        ◦ Coordinator of identity, privacy & trust
      • Novay, formerly Telematica Instituut
        ◦ independent ICT research institute
        ◦ multi-disciplinary, ~100 people
        ◦ innovative projects for companies & government

    4. Identity federation: the basics
      • Identity = set of attributes
      • Used for authentication, authorization and personalization
      • Requires trust between all three parties: the user, the identity provider (IdP) and the relying party (RP, also called service provider)

    5. Why identity federation? Sales pitch for a service provider
      • Externalize identity not only from your applications, but also from your company
      • Cheaper & less fraud
        ◦ less helpdesk, no token, no identity binding etc
      • Better conversion
        ◦ e.g., a new user can register immediately and online
      • The user wants it
        ◦ easier, quicker, more secure etc

    6. Sectors and examples in NL
      • Sectors on the slide: B2G, C2B, B2B, C2G and intra-organization
      • Dutch examples on the slide: eHerkenning, Digitaal Paspoort (Sivi), OpenID.nl+

    7. Five reasons why identity federation is difficult
      • Business model
      • Market entry
      • Diversity of standards
      • Privacy concerns
      • Trust issues

    8. Business model
      • Goal: a healthy ecosystem!
      • Determine the roles, and who pays whom
      • In order of decreasing regulation:
        1. Government issued (Belgium eID, DigiD)
        2. Government regulated (PKIoverheid, eHerkenning)
        3. Market scheme (OpenID.nl+ ?)
        4. Free market, only a technical standard (OpenID)
      • Models 1 to 3 require some form of monopoly/regulator

    9. User centric identity: what is it?
      • Give users insight & control
        ◦ insight into what is shared
        ◦ control over this (consent)
      • Decoupling of IdP and relying party
      • No user control may be fine for enterprise SSO, but not for consumer identity on the internet
      • Well-known specs: OpenID & InfoCard
      • The opposite of user centric is IdP centric (the SAML spec)
    10. User centric identity: OpenID is more than a hype
      • Social network, web 2.0 etc oriented; client-less (web redirects)
      • A lot of IdPs, much slower adoption by relying parties
      • Simple: easy to support, but low on features and security
      • With privacy control (user consent before sharing attributes)
      • Part of the "Open stack" (OAuth, OpenSocial etc)
      • Opinion: a great way to
        ◦ avoid lists of usernames/passwords for low-security sites
        ◦ avoid providing basic attributes over and over again (email address, name etc)
        ◦ But: the current version (v2) is only for low security
    12. User centric identity: OpenID & SAML, beyond the marketing
      • OpenID is considered user centric, SAML (Web SSO) IdP centric
      • Both are 'web redirect' based, therefore:
      • the same user control features offered by OpenID implementations (insight and consent at the IdP before attributes are released) can be offered by SAML
      • THUS: SAML can be as user centric as OpenID
      • Of course: SAML is much more secure, and has a 'closed' trust model

    13. User centric identity: Information Cards
      • Originates from Microsoft, but now an OASIS standard
      • Credit card metaphor for the user interface
      • Requires a client, and has anti-phishing features!!
      • More decoupling between IdP and RP
      • Opinion:
        ◦ Easy to use, except for creating cards
        ◦ (Too) limited support for mobility (yet)
        ◦ Promising standard
        ◦ Slow adoption
    15. Comparison [inspired by the Venn of Identity by Eve Maler]
      • Three circles: SAML ("old" and much used), OpenID ("new" and hype), InfoCard ("very new" and promising)
      • Feature labels on the diagram (their placement in the Venn is not recoverable from the extracted text): simplicity and scalability over security; client-less; closed trust model; enables user centric identity; anti-phishing & IdP-RP unlinkability; integrates with web services; client centered; IdP discovery features

    16. Scaling federations & trust
      • Trust is primarily a business and organizational issue, and only secondarily a technical one
      • Trust between IdPs and relying parties is a major issue for the scalability of identity federations
        ◦ Burton Group: "glass ceiling"
        ◦ Several approaches, no easy solution!
    17. Scaling federations & trust: trust models [OASIS]
      • Pairwise (diagram: IdP to RP): each IdP and RP establish trust directly
      • Brokered (diagram: IdP to TTP to RP): a trusted third party sits between IdP and RP
      • Community (diagram: IdP to RP): trust is established through membership of a common community
      • Reality: trust is typically mixed
        ◦ Example: SURFfederatie combines all three
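The mechanics behind slide 12 (a web-redirect assertion whose attribute release is gated by user consent at the IdP) and slide 17 (pairwise versus brokered trust) are easier to see in code. The block below is an added example written for this page; it is not code from the presentation, from Novay, or from the SURFfederatie. It models the assertion as a JSON body protected by HMAC-SHA256 over a shared secret (a stand-in for a SAML XML signature or an OpenID association); the issuer, relying-party and hub names, the secrets, and the user attributes are all constructed for the demo. The community model is not modelled. What the example shows beyond the slides is the full set of checks a receiving party must make (known issuer, MAC, audience, validity window, nonce replay) and how a broker re-issues an assertion so that each party keeps one relationship with the hub instead of one per counterpart.

```python
# Added example (not from the slides): consent-filtered SSO assertion plus the
# pairwise and brokered trust models. HMAC-SHA256 over a shared secret stands
# in for a SAML signature / OpenID association; all names and data are made up.
import hashlib
import hmac
import json
import secrets
import time


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def mint_assertion(issuer, secret, subject, attributes, consented, audience,
                   ttl=300, now=None, extra=None):
    """IdP side: release only the attributes the user consented to."""
    now = int(time.time()) if now is None else now
    body = {
        "iss": issuer, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl,
        "nonce": secrets.token_hex(8),  # one-time id so the receiver can detect replay
        "attrs": {k: v for k, v in attributes.items() if k in consented},
    }
    body.update(extra or {})
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.decode(), "mac": _sign(secret, payload)}


def verify_assertion(assertion, trusted, audience, seen, now=None):
    """Receiver side. `trusted` maps issuer -> shared secret; `seen` holds used nonces."""
    now = int(time.time()) if now is None else now
    body = json.loads(assertion["payload"])
    secret = trusted.get(body.get("iss"))
    if secret is None:
        raise ValueError("untrusted issuer %r" % body.get("iss"))
    if not hmac.compare_digest(_sign(secret, assertion["payload"].encode()),
                               assertion["mac"]):
        raise ValueError("MAC mismatch")
    if body.get("aud") != audience:
        raise ValueError("assertion not addressed to %s" % audience)
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("assertion outside its validity window")
    if body["nonce"] in seen:
        raise ValueError("replayed assertion")
    seen.add(body["nonce"])
    return body


class RelyingParty:
    """Pairwise model: the RP holds one shared secret per IdP it trusts."""
    def __init__(self, name, trusted_idps):
        self.name, self.trusted, self.seen = name, dict(trusted_idps), set()

    def verify(self, assertion, now=None):
        return verify_assertion(assertion, self.trusted, self.name, self.seen, now)


class Broker:
    """Brokered model: the TTP is the audience of the IdP's assertion and
    re-issues it to the RP under the TTP-RP secret."""
    def __init__(self, name, idp_secrets, rp_secrets):
        self.name, self.seen = name, set()
        self.idp_secrets, self.rp_secrets = dict(idp_secrets), dict(rp_secrets)

    def relay(self, assertion, rp_name, now=None):
        now = int(time.time()) if now is None else now
        body = verify_assertion(assertion, self.idp_secrets, self.name, self.seen, now)
        if rp_name not in self.rp_secrets:
            raise ValueError("unknown relying party %s" % rp_name)
        # Keep the original issuer visible; never extend the IdP's validity window.
        return mint_assertion(self.name, self.rp_secrets[rp_name], body["sub"],
                              body["attrs"], set(body["attrs"]), rp_name,
                              ttl=body["exp"] - now, now=now,
                              extra={"orig_iss": body["iss"]})


# Constructed sample data (hypothetical names and secrets).
IDP_TO_RP = b"pairwise-secret-idp1-rp1"
IDP_TO_HUB = b"secret-idp1-hub"
HUB_TO_RP = b"secret-hub-rp1"
ALICE = {"email": "alice@example.org", "name": "Alice", "dob": "1980-01-01"}


def demo_pairwise(now=1000):
    # Alice consents to releasing only her e-mail; presenting the same
    # assertion twice is refused as a replay.
    rp = RelyingParty("rp1.example", {"idp1.example": IDP_TO_RP})
    a = mint_assertion("idp1.example", IDP_TO_RP, "alice", ALICE, {"email"},
                       "rp1.example", now=now)
    body = rp.verify(a, now=now + 1)
    try:
        rp.verify(a, now=now + 2)
        replayed = False
    except ValueError:
        replayed = True
    return body, replayed


def demo_brokered(now=1000):
    # The RP only knows the hub; the hub vouches for the IdP.
    hub = Broker("hub.example", {"idp1.example": IDP_TO_HUB}, {"rp1.example": HUB_TO_RP})
    rp = RelyingParty("rp1.example", {"hub.example": HUB_TO_RP})
    a = mint_assertion("idp1.example", IDP_TO_HUB, "alice", ALICE, {"email", "name"},
                       "hub.example", now=now)
    return rp.verify(hub.relay(a, "rp1.example", now=now + 1), now=now + 2)
```

Calling `demo_pairwise()` returns a body whose `attrs` contain only the e-mail address (the consent filter dropped `name` and `dob`) together with `True` for the replay detection; `demo_brokered()` returns a body issued by `hub.example` with `orig_iss` set to the IdP, which is the audit trail a hub such as a federation operator should preserve. Note the audience check: an assertion minted for the hub is rejected by an RP even if that RP happened to share the IdP's secret, which is what stops a token issued for one party being redirected to another.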
    18. Scaling federations & trust: Identity-as-a-Service
      • IaaS: an IdP that deploys its identity service as a cloud service
      • An IaaS provider can be a trust broker
        ◦ also for smaller IdPs
        ◦ and can facilitate interoperability
      • Examples: Covisint, SURFfederatie

    19. Scaling federations & trust: approaches to scaling trust
      • Standardized privacy statements
      • Providing (standardized) information in general
      • Third party statements (e.g., audits)
      • Confederations: federations of federations
      • User centric identity (reducing the trust needed)
      • Identity-as-a-Service
      • Maybe in the future: reputation management

    20. Key takeaways
      • Identity federation is about the identity of your customers & partners
      • Which business model and how much regulation is a hot issue
      • Converged to three standards: SAML, InfoCard & OpenID; support all that make sense
      • User centricity is here to stay, and can be done with all three standards
      • Scaling federations means scaling trust: different approaches

    More information: [email_address], blog: http://maarten.wegdam.name