CS 6204, Spring 2005
Federated Identity Concept
Muhammad Abu-Saqer
Some definitions and images are taken from:
1. workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)
2. http://msdn.microsoft.coml
3. http://www.cs.virginia.edu/~acw/security/

Paper Overview
♦ The paper describes the issues around federated identity management and presents a comprehensive solution.

Federation terminology
♦ Federation – A collection of realms/domains that have established trust. The level of trust may vary, but typically includes authentication and may include authorization. Also: the technology and business arrangements necessary to interconnect users, applications, and systems. Federated systems can interoperate across organizational and technical boundaries (i.e., various operating systems or security platforms).
♦ Trust – The characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or make a set of assertions about subjects and/or scopes.
♦ Single Sign On – An optimization of the authentication sequence to remove the burden of repeating actions placed on the end user.

Federated ATM Network
[Figure: Account Number and PIN; Home Bank Network; Visiting Bank Network; Funds Network of Trust]

The Federation Model
♦ The appeal of federations is that they are intended to allow a user to seamlessly traverse different sites within a given federation.
♦ Once trust relationships are established between the federation participants, one participant is able to authenticate a user and then act as an issuing party.
♦ The other federation participants become relying parties.

What is the federated identity management problem?
♦ There is no single entity or company that can centrally manage or control identity information.
♦ In some cases businesses would like to outsource some security functions to parties that manage identity, but they cannot because:
1. There are no third-party identity providers serving the market.
2. There are no business liability models that make it safe to rely on them.
♦ Other businesses want to leverage the identity information they maintain to enable additional business interactions, but
– Establishing the trust mechanisms that allow entities to be federated across businesses is difficult
– They are afraid of the risk of damaging their reputation if any security penetration occurred

Who has the federated identity management problem?
♦ Medium and large organizations that use identity information to provide services to customers, e.g., a university offering online services such as ordering a transcript.
♦ Medium and large organizations that do business with one another and need to exchange information about individuals' identities (e.g., an airline and a rental car agency, or a hospital and a health insurance provider).
♦ Organizations that need to integrate business applications across the enterprise and its chain of suppliers and customers (and need to authorize employees to conduct transactions on behalf of the organization).

The primary goals of a federated identity service are:
♦ Reduce the cost of identity management by reducing duplication of effort.
♦ Leverage the work existing identity managers have already done by giving other parties access to the relevant identity information.
♦ Preserve the autonomy of all parties, such that an identity manager's choice of operating system, network protocols, etc. does not impose the same choice on its partners.
♦ Respect businesses' pre-existing trust structures and contracts.
♦ Protect individuals' privacy by giving the user control over which attributes other parties in the federation may access.
♦ Build an open standard to enable secure, reliable transactions.

Advantages of the federation model
♦ Flexibility – companies can easily build new services to deliver innovative business models or link their value-chain network to partners.
♦ Convenient navigation – allows end-users and partners to navigate easily between websites without constantly authenticating themselves.
♦ Less administration – there is no need to administer a large and rapidly changing base of identities that are not under the control of the company.
♦ Safely satisfies the needs of businesses that are unwilling to hand their customers' information to a business partner.

Three components enable the federation
♦ Identity provider – simply means the entity that provides identity (defined precisely later).
♦ Attribute service – provides a way to federate access to authorized attributes for federated identities
– The attribute owner has full control to decide which of his attributes may be exposed to other parties in the federation.
♦ Pseudonym service – provides a mapping mechanism that can be used to map trusted identities across federations, protecting privacy and identity.

WS-Federation Terms
♦ Authorities
– Security Token Service (STS) – Web service that issues security tokens; makes assertions based on evidence that it trusts, to whoever trusts it
– Identity Provider (IP) – Entity that acts as an authentication service to end requestors (an extension of a basic STS)
♦ Principals
– Requestor
– Resource
– Other Services

Direct Trust Token Exchange
[Figure: Requestor, Resource, and their respective IP/STSs, joined by a trust relationship. Steps: 1. Get identity token; 2. Get access token; 3. (access the Resource).]

Attribute Service
♦ Scenario: Suppose you visit a weather site for the current weather; it provides a personalized response because it knows your zip code
♦ Why it worked:
– Policy indicated an attribute service
– Identity information was used to find the zip code
– The weather service was authorized to access the zip code
♦ The specification defines the concept of an attribute service but not a specific interface

Attribute Service Example
♦ Attributes may have associated authorization rules (scope)
♦ Each attribute may have its own access control and privacy policy

Attribute Scoping
[Figure: Zip: 12309, FN: Fred, ID: 3442 (fabrikam123.com); Nick: Freddo, ID: FJ454 (business456.com); Nick: Fredster, ID: 3-55-34… (example.com)]
Model allows for attributes to be scoped

Pseudonym Service
♦ This service provides a mechanism for associating alternate identities
♦ Pseudonyms represent alternate identities
– Depend on the scope of the request
– Subject to authorization control
– Can be integrated with the IP/STS

Pseudonym Example
[Figure: Requestor “Fred” (“[email protected]”); pseudonym “[email protected]”; Trust; B456.com IP; B456.com Pseudonym Service; Resource; steps 1–3.]
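As an added example (not from the slides or from the WS-Federation specification), the scoped attribute store of the Attribute Service and Attribute Scoping slides together with a pseudonym service of the kind in the figure above: each attribute value is released only to the realms in its scope, and each relying realm sees a different, unlinkable pseudonym that only it may resolve. The Fred data, the realm names' use and the HMAC-derived pseudonyms are constructed for illustration.

```python
# Added example (not from the slides): attribute scoping and a pseudonym service
# modelled on the Fred / fabrikam123.com / business456.com figures. The sample
# data and the HMAC-based pseudonym derivation are constructed for illustration.
import hashlib, hmac

class AttributeService:
    """Each attribute value carries its own scope: the realms allowed to read it."""
    def __init__(self):
        self.store = {}                      # subject -> [(name, value, scope)]
    def set(self, subject, name, value, scope):
        self.store.setdefault(subject, []).append((name, value, frozenset(scope)))
    def get(self, subject, requesting_realm):
        # Release only the attribute values whose scope includes the requesting realm.
        return {n: v for n, v, s in self.store.get(subject, []) if requesting_realm in s}

class PseudonymService:
    """Associates an alternate identity with a trusted identity, per scope (realm)."""
    def __init__(self, secret: bytes, authorized_scopes):
        self.secret, self.authorized, self.table = secret, set(authorized_scopes), {}
    def pseudonym(self, identity: str, scope: str) -> str:
        if scope not in self.authorized:                  # subject to authorization control
            raise PermissionError(f"{scope} is not authorized to obtain pseudonyms")
        tag = hmac.new(self.secret, f"{identity}|{scope}".encode(), hashlib.sha256).hexdigest()[:12]
        alias = f"{tag}@{scope}"                          # differs per scope; unlinkable without the secret
        self.table[alias] = identity                      # remember the mapping for resolution
        return alias
    def resolve(self, alias: str, scope: str) -> str:
        # Only the realm the pseudonym was issued for may map it back to the identity.
        if scope not in self.authorized or not alias.endswith("@" + scope):
            raise PermissionError("not authorized to resolve this pseudonym")
        return self.table[alias]

def build_fred() -> AttributeService:
    """Constructed data following the Attribute Scoping slide (example.com ID omitted: elided on the slide)."""
    svc = AttributeService()
    svc.set("Fred", "Zip", "12309", {"fabrikam123.com"})
    svc.set("Fred", "FN", "Fred", {"fabrikam123.com"})
    svc.set("Fred", "ID", "3442", {"fabrikam123.com"})
    svc.set("Fred", "Nick", "Freddo", {"business456.com"})
    svc.set("Fred", "ID", "FJ454", {"business456.com"})
    svc.set("Fred", "Nick", "Fredster", {"example.com"})
    return svc
```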

References
♦ White paper titled “Federation of identities in a Web Services World”
– http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-federation-strategy.asp
♦ WS-Federation Feedback Workshop
– http://www-106.ibm.com/developerworks/offers/WS-Specworkshops/ws-fed200311.html
♦ Federation of Identities in a Web Services World
– http://msdn.microsoft.com/ws-federation/