current state of federated identity standards and implementations
![Page 1: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/1.jpg)
All Contents © 2008 Burton Group. All rights reserved.
Current State of Federated Identity
OASIS Open Standards Forum 2008, Friday, 3 October 2008
Gerry Gebel
VP & Service Director – IdPS
www.burtongroup.com
![Page 2: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/2.jpg)
A Few Points to Ponder
State of federation is strong – but the game is changing
Business models are driving up demand for federation technology – and forcing still other changes
Federation and SSO services – an emerging trend to watch
![Page 3: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/3.jpg)
After this presentation, you will…
… stop federating
• Because business people don’t know what you are talking about
… realize that protocols do not equal a business process
• You need services and capabilities, in addition to protocols and technologies
… discover that the Internet doesn’t need an identity layer
• Rather, it needs a relationship layer!
![Page 4: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/4.jpg)
Business Trends Drive IT Trends
Same as it ever was
• Global economy, cost-effective communications driving fundamental change to the business environment
• The more global things get, the more pressure to decompose big orgs
• Need to integrate business process across many boundaries
• Must interoperate, connect with security and low friction
![Page 5: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/5.jpg)
Business Trends Drive IT Trends
What a difference a year (and a financial crisis) makes
• Do more with less, or do less with less
• Plate tectonics: Business transformation, IT transformation collide
• SaaS gaining favor . . . the times they are a-changing
• Outsource, offshore, buy it as a service
![Page 6: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/6.jpg)
Current Technologies and Methodologies
The Expanding Identity Universe
Dynamics are driving requirements where CIOs have no control
[Diagram: three axes, Scale (Small / Large / Massive), Control (Centralized / Distributed) and Focus (Business / Individual); labelled regions: SMB, SaaS; Consumers, Social Networks; Deperimeterization, Outsourcing; Compliance, Privacy; and “The CIO and the budget”]
![Page 7: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/7.jpg)
Where does federation fit in here?
![Page 8: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/8.jpg)
Federation and Distributed Control
![Page 9: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/9.jpg)
Examine the Problem
SSO: internal applications
[Diagram: user populations Employees, Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications]
![Page 10: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/10.jpg)
Examine the Problem
SSO: hosted applications
[Diagram: user populations Employees, Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications. Annotation: WAM/Federation? (shown twice)]
![Page 11: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/11.jpg)
Examine the Problem
SSO: external users
[Diagram: external user populations Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications. Annotation: AD/Kerberos?]
![Page 12: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/12.jpg)
Examine the Problem
SSO: external users
[Diagram: external user populations Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications. Annotation: Federation?]
![Page 13: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/13.jpg)
Examine the Problem
SSO: employee off site
[Diagram: user populations Employees (off site), Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications. Annotation: AD/Kerberos?]
![Page 14: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/14.jpg)
Examine the Problem
SSO: employee off site, hosted applications
[Diagram: user populations Employees (off site), Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications. Annotation: Federation?]
![Page 15: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/15.jpg)
Examine the Problem
SSO: new options
[Diagram: user populations Employees, Contractors and Partners; access via AD/Kerberos and WAM/Federation; targets: internal Applications and SaaS / Partner applications. Annotation: Federation service]
![Page 16: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/16.jpg)
Examine the Problem
Why don’t we have SSO?
• Architecture limitations don’t accommodate new application types: Software as a Service
• Product and technology selection process failure
  • Used RFP checklist instead of usage scenario analysis
• Vendor implementations limit your options
  • Kerberos exhibits its weakness when external users are involved
  • Microsoft Office products do not handle HTTP redirects
• New products or technologies may be required
  • Hosted SSO/federation service is one possibility
• New approaches may be required
  • Identity intermediaries can limit inherent friction
![Page 17: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/17.jpg)
Examine the Problem
Maybe it is time to look at the business problem, instead of the technology possibilities
[Diagram: enterprise identity infrastructure: Enterprise AD forest, LDAP directory services, XML gateways, Federation servers, WAM servers, App servers, Applications, Partner sites, ESSO, SSL VPN, Bulk feed]
![Page 18: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/18.jpg)
Too Much Science, Not Enough Art
The “science project”: connectivity is rarely straightforward
[Diagram: a ten-step (1 to 10) connectivity chain. Components: Enterprise AD forest, LDAP directory, Home authentication, Web SSO server, SAML-enabled proxy, Federation product, ADFS, ADFS agent, SharePoint 2003, Collaborator. Exchanged: SAML assertion, Web SSO token, SID, attribute and group memberships, mapping info and claims, WS-Federation]
![Page 19: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/19.jpg)
Growth Rates for Federation
Has anyone spotted the elephant in the federation room?
“How long has THAT been there?”
Over 1,000 connections @ 24 connections / year = 42 years!!
• All right, but what if deployment rate increases?
• Assume enterprises can deploy 500 connections per year
• One customer has 34,000 point-of-sale operations = 68 years!!
• And that’s just for SSO
  • No authorization
  • Not hub-to-hub
![Page 20: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/20.jpg)
The Aesthetics of Ubiquity
Your technology might be mediocre if:
• Adding a connection requires a project manager
• Adding a connection requires lab time
• Each connection requires a custom contract
• You have to coordinate your deployment with others
• The solution only works for the latest-and-greatest infrastructure
• Upgrading a server has ripple effects from end-to-end
• It seems reasonable to measure “connections per year”
![Page 21: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/21.jpg)
What about that glass ceiling?
![Page 22: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/22.jpg)
Interoperability
What if there was a similar program for XACML? Just asking…
![Page 23: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/23.jpg)
Federation Marketplace
• Products: BMC, CA, Entrust, Evidian, IBM, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs
• Edge Federation: Cisco, Forum Sys, IBM, Layer 7, Vordel
• Fed Services: Covisint, FuGen Solutions, Symplified, TriCipher, EduServ
![Page 24: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/24.jpg)
Open Source Options
![Page 25: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/25.jpg)
Working on that scalability problem…
![Page 26: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/26.jpg)
Expanding Federations
![Page 27: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/27.jpg)
Federating Federations
![Page 28: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/28.jpg)
SaaS Federations
![Page 29: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/29.jpg)
SSO+ as a Service
![Page 30: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/30.jpg)
Identity Aggregators
Single point of integration for all Nordic e-ID systems
Expanding into other regions…
![Page 31: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/31.jpg)
Looking Ahead
What is the impact of:
• User centric identity approaches
  • Of course, this is in name only
  • User centric becomes a reality when business models support it
• OpenID
  • First party identity systems are not very interesting from a business perspective…
• Information Cards
  • Unlike OpenID, info cards have a real security model
  • But the market is not responding
• OSIS, Information Card Foundation, Identity Commons, Higgins, Identity Metasystem Interop TC, etc.
  • Can someone please explain this to me?
![Page 32: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/32.jpg)
In Review
State of federation is strong – but the game is changing
Business models are driving up demand for federation technology – and forcing still other changes
Federation and SSO services – an emerging trend to watch
![Page 33: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/33.jpg)
Current State of Federated Identity
References
• Burton Group’s Identity and Privacy Strategies
• In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID
• Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity
• Business and Legal issues in Federations
• A Relationship Layer for the Web… and Enterprises, Too
![Page 34: Current State of Federated Identity Standards and Implementations](https://reader034.vdocuments.net/reader034/viewer/2022042813/5483225bb4af9f61548b473d/html5/thumbnails/34.jpg)
Current State of Federation Technology
References
• Burton Group’s Identity and Privacy Strategies
• In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID
• Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity
• Business and Legal issues in Federations
• Information Card Landscape
• A Relationship Layer for the Web… And Enterprises, Too