Identity Federation 101 Mark Pelzel, Client Solutions Director June 12, 2015 Upstate New York Oracle Users’ Group Educational Workshop
Page 1: Upstate New York Oracle Users’ Group...2015/06/12  · Oracle Identity Federation (OIF) works well with Oracle and Non-Oracle solutions • ADFS is expanding and becoming popular

Identity Federation 101
Mark Pelzel, Client Solutions Director
June 12, 2015

Upstate New York Oracle Users’ Group
Educational Workshop

Page 2

Rolta AdvizeX

Mark Pelzel
Client Solutions Director of Managed Services

• 22+ years of Engineering & software solution delivery

• Responsible for development of solutions for a wide variety of customers

• TUSC – early member; Mark developed skills in developing Oracle solutions

• Specialties:
  – IT Business Solutions Architect & Realization
  – Security & Identity & Access Management
  – Cloud Solutions
  – Oracle Solution Development

Page 3

Agenda

• Brief Rolta AdvizeX Background

• Definitions

• Business and Technical Drivers for Federated Identity

• Technical Approach and Oracle Solutions

• Alternate Common Solutions

• Questions

Page 4

Rolta AdvizeX – Nobody Does IT Better

• Infrastructure – Plan, Build, Integrate

• Data Centers – Cloud and Virtualization

• Mobility and Security

• Applications – Create, Innovate, Manage

• Strategy – Implementation

• Managed Services

Page 5

About Rolta & AdvizeX

• Formerly TUSC, only better – Oracle experts since 1988

• Over 38 years in business

• Doing business in over 40 countries

• Employing over 4,000 globally

• Revenues over $600MM

• Both acquisition and organic growth

• Multiple vendor and industry awards


Page 6

Rolta + AdvizeX

• Applications – EBS and ERP Cloud

• Business Intelligence and Big Data

• Enterprise Performance Management and PBCS

• Infrastructure Applications – Exchange, SharePoint

• Storage and Server Platform

• ExaData, Database and Middleware

• Managed Services and Management Tools

• Network

• Desktop, Mobility, and End User Compute

Synergies = Increased Value and Solutions for Our Customers

Page 7

Our Solutions Spectrum


Page 9

Page 10

Definitions

• Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy

• Identity Federation – the process and relationship of exchanging user or resource identity information between two enterprises or “realms”

• Single Sign-On (SSO) – a mechanism for user authentication to an application, database, resource/device, etc. which requires the user to present their credentials (identifier and password, at least) just one single time
  – Consistent Credentials
  – Reduced Sign-On
  – True Desktop SSO

• Federated identity – a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries

Page 11

More Definitions

• Security Assertion Markup Language (SAML) – an XML schema-based standard language for managing user authentication and authorization and related processes

• Identity Provider (IdP) – the entity from which the user (or process) identification is provided and which initiates the Federated authentication

• Service Provider (SP) – the entity which provides application and other services in a Federated relationship, consumes the identity provided by the IdP, and provides an authenticated user application “session”

• SAML Assertion – delivery of a session request from an IdP to an SP in the form of an HTTP POST including information about the IdP, key and certificate details, and (usually) user information

• Don’t forget about… Single Sign-Off – the process for ending an authenticated user session in one or more established application sessions

Page 12

Additional Concepts

• Most Federated relationships provide web browser-based application access to end users

• Other Federated services support:
  – WebService Security – WS-Federation
  – Liberty Identity Federation
  – Authorization Management

Page 13

Why Use Identity Federation?

• ***Deliver Single Sign-On!!!

• Support dynamic collaboration

• Provide a single, central point of access to all services – internal and distributed – aka CLOUD services

• Consolidate user identities and authentication mechanisms

• Leverage a single security mechanism

Page 14

What Does Identity Federation Do?

• Leverages the identification/authentication of a trusted member of the federation (e.g. SAML IdP)

• May or may not require local accounts at all service providers – “transient federation”

• Requires out-of-band business agreements between members of the federation
  – Legal, Technical, and Operational Agreements

• Really, all that happens is an assertion of a claim as to the identity of a user or request within a given context – “trust me…”

Page 15

In the End, It’s Just Authentication

• Federation defines the semantics of a particular set of profile attributes

• Service provider association and access control is based on the presence of one or more attributes

• Can be used in conjunction with federated identities or without them for dynamic collaboration

• Still requires out-of-band business agreements between members of the federation

• Can be used for more flexible and dynamic collaboration, but attribute negotiation may have privacy implications

Page 16

How Does Federation Work? The Federated Session Process – Step 1

• Following or assuming authentication at the IdP, a user initiates a request for access to an application service provided by the SP. This process is known as an Inter-Site Transfer request

• Usually through a portal – the end user may not know they are leaving the IdP’s environment for the service

• The IdP’s Federation server handles the request

[Diagram: Step 1 between the Portal/Application Entry Point, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]

Page 17

The Federated Session Process – Step 2

• The Federation server responds to the request with an HTML form which includes a target component and a SAML response which is base64 encoded and which is digitally signed by the IdP Federation server

• The end user won’t see this unless they’re watching closely for responses on their browser or are tracing the HTML at the browser

[Diagram: Steps 1–2 between the Portal/Application Entry Point, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]

Page 18

The Federated Session Process – Step 3

• The end user’s browser POSTs the form to the targeted SP’s Federation Server

• The form includes a SAMLResponse which is evaluated for format and content

• The end user doesn’t see any of this (unless something goes wrong)

[Diagram: Steps 1–3 between the Portal/Application Entry Point, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]

Page 19

The Federated Session Process – Step 4

• The SP’s Assertion Consumer Service on their Federation Server evaluates the signature (valid security key and identifiers) and initiates a security context – a session

• The SP then redirects the end user to the targeted resource/application

• The end user just sees that they’re in the application

[Diagram: Steps 1–4 between the Portal/Application Entry Point, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]

Page 20

The Federated Session Process – Steps 5 and 6

• The end user’s browser POSTs a call to the application for access to the resource

• An authenticated user session is achieved with the user accessing the application either with transient application authorization or a mapped/actual user authorization, depending on Federation details and the capabilities and configuration of the application

[Diagram: Steps 1–6 between the Portal/Application Entry Point, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]
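Steps 3 and 4 say the SP “evaluates the SAMLResponse for format and content” and “evaluates the signature” before it starts a session. The following is an added example, not code from the presentation or from Oracle Identity Federation, of what that evaluation looks like on the Assertion Consumer Service side for a SAML 2.0 HTTP POST response. The message, entity IDs and URLs are constructed for the demo; the XML signature check is handed to a caller-supplied function, because a correct XML-DSig verifier needs a dedicated library and the IdP’s certificate from the federation metadata. Everything else an SP must check before trusting the “trust me…” claim is done here: Destination, InResponseTo, Status, exactly one Assertion, Issuer, validity window with clock skew, AudienceRestriction, SubjectConfirmationData, and a replay cache keyed on the assertion ID.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by SAML 2.0 messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    pass


def parse_time(value):
    # SAML timestamps are UTC xsd:dateTime values, e.g. 2015-06-12T14:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(form_field, expected_issuer, sp_entity_id, acs_url,
                           request_id, now, seen_assertion_ids, signature_ok,
                           skew=timedelta(minutes=3)):
    """Assertion Consumer Service checks; returns the NameID or raises with the reason.
    signature_ok(assertion_element) is the caller's XML-DSig verifier for the IdP's certificate."""
    root = ET.fromstring(base64.b64decode(form_field))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination is not this ACS URL")
    if root.get("InResponseTo") != request_id:
        raise SamlValidationError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # never pick one of several; reject the whole message
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlValidationError("Issuer is not the trusted IdP")
    if a.find("ds:Signature", NS) is None or not signature_ok(a):
        raise SamlValidationError("assertion signature missing or invalid")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    if parse_time(cond.get("NotBefore")) - skew > now:
        raise SamlValidationError("assertion not yet valid")
    if parse_time(cond.get("NotOnOrAfter")) + skew <= now:
        raise SamlValidationError("assertion expired")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion was issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("SubjectConfirmationData does not bind to this request")
    # Replay defence: an assertion ID may start a session exactly once.
    assertion_id = a.get("ID")
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion already consumed (replay)")
    seen_assertion_ids.add(assertion_id)
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def make_demo_response(not_on_or_after="2015-06-12T14:05:00Z"):
    """Constructed SAMLResponse form field; the ds:Signature is a placeholder the demo verifier accepts."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2015-06-12T14:00:00Z"
  Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-12T14:00:00Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-06-12T13:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_demo(now_iso, seen=None):
    """Validate the demo message as seen at time now_iso; returns (accepted, nameid_or_reason)."""
    try:
        name_id = validate_saml_response(
            make_demo_response(), expected_issuer="https://idp.example.com/idp",
            sp_entity_id="https://sp.example.com", acs_url="https://sp.example.com/saml/acs",
            request_id="_req42", now=parse_time(now_iso),
            seen_assertion_ids=set() if seen is None else seen,
            signature_ok=lambda assertion: True)  # demo stand-in for real XML-DSig verification
        return True, name_id
    except SamlValidationError as err:
        return False, str(err)
```

The order of the checks matters less than their completeness: the user “just sees that they’re in the application” only when every one passes, and each failure reason is worth logging on the SP, since a burst of “expired” or “replay” rejections is the signal a federation operator wants to see.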

Page 21

The Artifact-Based Federated Session Process – Alternative

• More secure and complex sessions are processed

• The IdP issues an artifact instead of a SAML assertion, which requires communication between the IdP and SP Federation servers

• The SP makes a behind-the-scenes call to the IdP based on additional SAML parameters

• An artifact encodes the following data:
  – 2-byte type code
  – 20-byte SourceID (usually IdP providerId)
  – 20-byte AssertionHandle

• The SAML query is bound to a SAML SOAP Request and includes the artifact

[Diagram: steps 1–8 between the Portal/Application Entry Point, the Authentication Authority, Attribute Authority, Inter-site Transfer Service and Artifact Resolution Service, and the Service Provider (Assertion Consumer Service, Resource)]
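The artifact layout above (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle) and the SOAP-bound resolution request are concrete enough to show in code. What follows is an added example, not the presentation’s or Oracle’s code, of a SAML 1.x type-1 artifact being packed on the IdP side and unpacked on the SP side, where the SourceID is matched against a constructed table of federation partners before any back-channel call is made, and the SAML 1.1 `samlp:Request` carrying the artifact is built for the SOAP binding. Deriving the SourceID as the SHA-1 of the providerId is the usual convention and is an assumption of this example; the entity IDs and endpoint URLs are made up.

```python
import base64
import hashlib
import secrets
import struct

TYPE_CODE = 0x0001  # SAML 1.x artifact type 1: type code + SourceID + AssertionHandle
ARTIFACT_LEN = 2 + 20 + 20


def source_id(provider_id):
    """20-byte SourceID; the SHA-1 of the IdP's providerId is the conventional derivation."""
    return hashlib.sha1(provider_id.encode()).digest()


def build_artifact(provider_id, handle=None):
    """IdP side: pack the 42-byte artifact and base64-encode it for the redirect to the SP."""
    handle = secrets.token_bytes(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be 20 bytes")
    raw = struct.pack(">H", TYPE_CODE) + source_id(provider_id) + handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact):
    """SP side: decode and split the artifact, refusing anything malformed or of another type."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    (type_code,) = struct.unpack(">H", raw[:2])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return raw[2:22], raw[22:]


# Constructed partner table: SourceID -> (providerId, Artifact Resolution Service URL).
# Only IdPs covered by the out-of-band agreement are listed; any other SourceID is rejected.
TRUSTED_IDPS = {
    source_id("https://idp.example.edu/shibboleth"):
        ("https://idp.example.edu/shibboleth", "https://idp.example.edu/saml/ars"),
}


def resolve_partner(artifact):
    """Return (providerId, ARS endpoint, AssertionHandle) if the SourceID names a trusted IdP."""
    sid, handle = parse_artifact(artifact)
    if sid not in TRUSTED_IDPS:
        raise ValueError("artifact SourceID does not belong to a federation partner")
    provider_id, ars_url = TRUSTED_IDPS[sid]
    return provider_id, ars_url, handle


def is_trusted(artifact):
    """True only when the artifact is well formed and its SourceID is a known partner."""
    try:
        resolve_partner(artifact)
        return True
    except ValueError:
        return False


def artifact_resolve_request(artifact, request_id, issue_instant):
    """SAML 1.1 Request carrying the artifact, wrapped in the SOAP envelope for the back-channel call."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
        f'MajorVersion="1" MinorVersion="1" RequestID="{request_id}" IssueInstant="{issue_instant}">'
        f'<samlp:AssertionArtifact>{artifact}</samlp:AssertionArtifact>'
        '</samlp:Request></soap:Body></soap:Envelope>'
    )
```

The SP never dereferences an endpoint taken from the artifact itself: the SourceID is only a lookup key into the partner table, so an artifact from an unknown source produces no outbound call at all, and the handle is a one-time random value the IdP’s Artifact Resolution Service consumes once.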

Page 22

SAML Details and Considerations

• Governed by OASIS development standards
  – www.oasis-open.org
  – saml.xml.org

• Three versions of SAML
  – 1.0 – basic assertion model
  – 1.1 – expanded XML schema and profile management
  – 2.0 – further extension of schema and standards

Page 23

SAML 2.0 – SP Initiated

• Allows SP initiated session

Page 24

What Does the SAML Assertion Look Like?

• In a statement, the SAML Subject is important:

  <saml:Subject>
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="https://idp.org/shibboleth">[email protected]</saml:NameIdentifier>
    …
  </saml:Subject>

• A basic SAML Response element:

  <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
      IssueInstant="2004-12-05T09:22:05Z"
      MajorVersion="1" MinorVersion="1"
      ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
    <samlp:Status>
      <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <!-- insert SAML assertion here -->
  </samlp:Response>

Page 25

Types of Identity Federation

• Transient Federation
  – Emphasis on the Federated relationship
  – Actual end user may not be identified; session may be independent or generic of user

• Account Mapping (most common)
  – User account exists on both IdP and SP as same identity

• Account Linking
  – Similar to Mapping, but user linked on a unique non-identity attribute

• Attribute Federation
  – Account “Type” or Role exists on both IdP and SP

• Combined Federation
  – Multiple attributes combined to identify user from IdP to SP
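The five federation types differ in what the SP does with a validated subject after the assertion checks pass: whether it needs a local account at all, which NameID format it has agreed to accept, and what decides the user’s rights. As an added example that is not from the presentation, the resolvers below implement each type against a constructed in-memory user store, link table and role map; the attribute name `role`, the pseudonym in the link table and the role vocabulary are assumptions of the demo. Each resolver insists on the NameID format agreed for that type, so an assertion in a different format is rejected rather than silently interpreted.

```python
from dataclasses import dataclass

EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass(frozen=True)
class Subject:
    """What the SP extracts from a validated assertion: NameID, its Format, and attributes."""
    name_id: str
    name_id_format: str
    attributes: dict


@dataclass(frozen=True)
class Principal:
    """The local session identity the SP ends up with."""
    login: str
    roles: frozenset
    local_account: bool


# Constructed stand-ins for the SP's directory; a real SP reads these from OID/OUD/AD or similar.
LOCAL_USERS = {
    "alice": {"email": "alice@example.com", "roles": frozenset({"analyst"})},
    "bob": {"email": "bob@example.com", "roles": frozenset({"admin"})},
}
LINKS = {"a1f9d3c0e7b2": "bob"}  # persistent pseudonym agreed with the IdP -> local login
ROLE_MAP = {"staff": "analyst", "it-admin": "admin"}  # partner's role vocabulary -> ours


class FederationError(Exception):
    pass


def _expect_format(subject, fmt):
    # The NameID Format is part of the agreement; another format is misconfiguration or tampering.
    if subject.name_id_format != fmt:
        raise FederationError(f"expected NameID format {fmt}, got {subject.name_id_format}")


def resolve_transient(subject):
    """Transient Federation: no local account; a generic session identity with minimal rights."""
    _expect_format(subject, TRANSIENT)
    return Principal(login=f"guest:{subject.name_id}", roles=frozenset({"guest"}), local_account=False)


def resolve_mapping(subject):
    """Account Mapping: the same identity (here the e-mail address) exists on IdP and SP."""
    _expect_format(subject, EMAIL)
    for login, rec in LOCAL_USERS.items():
        if rec["email"].lower() == subject.name_id.lower():
            return Principal(login, rec["roles"], True)
    raise FederationError("no local account for mapped identity")


def resolve_linking(subject):
    """Account Linking: match on a persistent non-identity pseudonym recorded in a link table."""
    _expect_format(subject, PERSISTENT)
    login = LINKS.get(subject.name_id)
    if login is None:
        raise FederationError("persistent identifier is not linked to a local account")
    return Principal(login, LOCAL_USERS[login]["roles"], True)


def resolve_attribute(subject):
    """Attribute Federation: only the role/type is shared; the role decides access, not the user."""
    roles = frozenset(ROLE_MAP[r] for r in subject.attributes.get("role", []) if r in ROLE_MAP)
    if not roles:
        raise FederationError("no recognised role attribute")
    return Principal(login=f"role:{subject.name_id}", roles=roles, local_account=False)


def resolve_combined(subject):
    """Combined Federation: the mapped account and the asserted role must agree."""
    principal = resolve_mapping(subject)
    asserted = resolve_attribute(subject).roles
    if not principal.roles & asserted:
        raise FederationError("asserted role does not match the local account")
    return principal


RESOLVERS = {
    "transient": resolve_transient, "mapping": resolve_mapping, "linking": resolve_linking,
    "attribute": resolve_attribute, "combined": resolve_combined,
}


def resolve(federation_type, subject):
    """Dispatch on the federation type agreed with this partner."""
    return RESOLVERS[federation_type](subject)


def rejects(federation_type, subject):
    """True when the resolver refuses the subject (used to show the negative cases)."""
    try:
        resolve(federation_type, subject)
        return False
    except FederationError:
        return True
```

Combined Federation is the strictest of the five: an account that exists locally but whose asserted role disagrees with its local role is refused, which is the check that catches a partner-side attribute error before it turns into an authorization mistake on the SP.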

Page 26

Oracle’s Solutions

• Oracle Identity Federation – OIF
  – Supports all common Federation protocols/types: SAML 1.x, 2.0, WS-Federation, Liberty
  – IAM Suite/Governance
  – Directory Services – OID, OUD, OVD

Page 27

OIF Is Easy to Use

• Oracle Identity Federation – OIF
  – Common Oracle Administration
  – Actually easy to adapt WebLogic and Middleware knowledge for administration

Page 28

Alternative Solutions

• Get to know the capabilities of these…
  – OpenSAML / OpenSSO
  – Sun Identity Manager and Java System Federation Manager
  – Shibboleth – expect to see this at the other end; good open solution
  – MS Active Directory Federation Services – ADFS – core to MS environments; good to use for testing; Azure/Cloud

Page 29

Be Wary of the Cloud Trend

• Applications are most definitely moving to public or private cloud services
  – Federated Identity Management is key to making this work

• Overall Identity Management in the cloud is more difficult
  – Security/Risk, separation, data ownership
  – Today’s CISOs won’t risk the headline of their company’s data being compromised

Page 30

Some Considerations

• Oracle Identity Federation (OIF) works well with Oracle and Non-Oracle solutions

• ADFS is expanding and becoming popular with Azure-based deployments

• Get on the same SSO page! Insist on an Executive Sponsor/Owner who has authority

• Provide thorough training of Service Desk and Support staff

• Set a goal for complete adoption in two years

Page 31

Page 32

Credits (thank you to these sources!)

• OASIS – www.oasis-open.org

• SOA Federated Identity Management – Andrew S. Townley, Archistry Limited

• Wikipedia – various SAML, Federation, and SSO references from wikipedia.org

• 101 Things to Know About SingleSignOn – www.authenticationworld.com, Guy Huntington

• Security Assertion Markup Language – www.globus.org, Tom Scavo, NCSA

• Oracle Identity Management – www.oracle.com, onlineappsdba.com

Page 33

Mark Pelzel | [email protected]
