
Page 1: Federating Identity Management: Standards, Technologies and Industry Trends November 20, 2003

All Contents © 2003 Burton Group. All rights reserved.

Federating Identity Management: Standards, Technologies and Industry Trends

November 20, 2003

Daniel Blum, Senior VP, Research Director

dblum@burtongroup.com

www.burtongroup.com

Page 2: Federated Identity Management

Thesis

• What? Parallel efforts from OASIS, Liberty Alliance, Web access management vendors, and platform vendors are gaining momentum and will ultimately converge
  • Perhaps not without some pain
  • “Identity networks” are needed to scale ubiquitous operation

• Why? By meeting business requirements for loosely coupled security between autonomous domains, federated identity extends identity management

• When? Now. Federated identity has many early adopters across multiple industries; products and tools are available; ROI and competitive advantage are in sight

Page 3: Identity Management and Federation

Agenda

• Federated Identity Concepts
• Industry Trends
• Recommendations


Page 5: Federated Identity Concepts

The challenge: Managing many identities

[Figure: identity populations and the systems that serve them. Employees use internal systems and data (tightly-coupled or loosely coupled, integrated or federated interior systems); customers and less-known partners or xSPs arrive through extranets (loosely-coupled, federated exterior systems); unknown users arrive from the Internet.]

Page 6: Federated Identity Concepts

What is federated identity management?

• Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
  • Authentication assertions (federated sign on)
  • Authorization assertions
  • Attribute assertions
  • Identity linking procedures
  • Trust relationships
  • Business, legal agreements

Page 7: Federated Identity Concepts

Federated authentication between domains

[Figure: the User on the Internet; Company A's Identity Provider (IDP) access point, backed by the Company A identity repository; Company B's Service Provider (SP) access point, in front of the Company B resource.]

1) User authenticates at Company A's IDP access point
2) IDP checks the User's id/credential against the Company A identity repository
3) User requests the resource at Company B's SP access point
4) SP checks policy
5) Co. B requests identity assertion for User from Co. A
6) Co. A sends identity assertion
7) User gets access!

Page 8: Federated Identity Concepts

Federation concepts

Federated sign on
• Authentication requests, assertions
• Session management

Federated identity mapping
• Account linking
• Privacy protections
• Link account to role (or persistent policy)

Federated identity information
• Attribute requests, assertions
• Privacy protections

Federated authorization
• Authorization requests, assertions

Management
• Business, legal agreements
• Trust relationships
• Audit services

Page 9: Federated Identity Concepts

Risks

• Federated identity creates new risks
  • Relying on external party for identity assertions
  • Forensics and record retention must span boundaries
  • Slippery slope of transitive trust: trust failures could propagate, cross-over attacks are possible

• …but reduces other risks
  • Pushes IdM and accountability to most responsible party
  • High security domains can be autonomous, but still interoperate
  • Lessens reliance on a large scale, centralized security infrastructure (shifts complexity)
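The seven-step exchange on the federated authentication slide, together with the checks that the risks slide calls for (the SP relies on an external party's assertion, and a cross-over attack replays an assertion meant for one SP at another), as an added example that is not part of the original deck. The assertion format is a simplification: JSON signed with HMAC-SHA256 under a key the SPs trust for this IdP, where deployed SAML signs XML with the IdP's private key (XML-DSig). The company names, users, passwords and policy are all made up.

```python
"""Federated sign-on between Company A (identity provider, IdP) and
Company B (service provider, SP). Added example; not Burton Group code.
Assertions are JSON signed with HMAC-SHA256 under a key shared by the IdP
and its partner SPs (stand-in for XML-DSig). All names are constructed."""
import hashlib, hmac, json, secrets, time


def sign(body, key):
    payload = json.dumps(body, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"assertion": payload, "signature": mac}


class IdentityProvider:
    """Company A: authenticates users against its own repository (steps 1-2)
    and issues assertions for known partner SPs on request (step 6)."""

    def __init__(self, name, key, users, partners):
        self.name, self.key, self.partners = name, key, partners
        self.users = users          # constructed: {username: sha256(password)}
        self.sessions = {}          # session handle -> username

    def authenticate(self, username, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(username, ""), digest):
            return None
        handle = secrets.token_hex(8)
        self.sessions[handle] = username
        return handle

    def issue_assertion(self, session, audience, now=None):
        # Refuse without a live IdP session, or for an SP we have no agreement with.
        if session not in self.sessions or audience not in self.partners:
            return None
        now = time.time() if now is None else now
        return sign({"id": secrets.token_hex(8), "issuer": self.name,
                     "subject": self.sessions[session], "audience": audience,
                     "not_before": now, "not_on_or_after": now + 300}, self.key)


class ServiceProvider:
    """Company B: relies on the IdP's assertion only after verifying it
    (steps 5-6), then applies its own policy to the resource (steps 4, 7)."""

    def __init__(self, name, trusted_idps, policy):
        self.name, self.trusted_idps, self.policy = name, trusted_idps, policy
        self.seen = set()           # assertion ids already consumed

    def validate(self, token, now=None):
        """Return the assertion body, or raise ValueError naming the failure."""
        now = time.time() if now is None else now
        body = json.loads(token["assertion"])
        key = self.trusted_idps.get(body.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        mac = hmac.new(key, token["assertion"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, token["signature"]):
            raise ValueError("bad signature")
        if body["audience"] != self.name:       # stops cross-over to another SP
            raise ValueError("issued for another SP")
        if not body["not_before"] <= now < body["not_on_or_after"]:
            raise ValueError("outside validity window")
        if body["id"] in self.seen:             # stops replay of a captured assertion
            raise ValueError("replayed assertion")
        self.seen.add(body["id"])
        return body

    def access(self, token, resource, now=None):
        body = self.validate(token, now)
        if body["subject"] not in self.policy.get(resource, ()):
            raise PermissionError("policy denies " + body["subject"])
        return body["subject"] + " granted " + resource


def run_scenario():
    """Walk the flow once, then try the failure cases; returns what each SP decided."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("company-a", key,
                           {"alice": hashlib.sha256(b"s3cret").hexdigest(),
                            "bob": hashlib.sha256(b"hunter2").hexdigest()},
                           partners={"company-b", "company-c"})
    sp_b = ServiceProvider("company-b", {"company-a": key}, {"/orders": {"alice"}})
    sp_c = ServiceProvider("company-c", {"company-a": key}, {"/orders": {"alice"}})
    out = {"bad_password": idp.authenticate("alice", "wrong")}           # None
    alice, bob = idp.authenticate("alice", "s3cret"), idp.authenticate("bob", "hunter2")
    token = idp.issue_assertion(alice, "company-b")                      # steps 5-6
    out["granted"] = sp_b.access(token, "/orders")                       # step 7
    for label, sp, tok, now in (
            ("replay", sp_b, token, None),
            ("cross_over", sp_c, token, None),
            ("expired", sp_b, idp.issue_assertion(alice, "company-b"), time.time() + 600),
            ("tampered", sp_b, {"assertion": token["assertion"].replace("alice", "admin"),
                                "signature": token["signature"]}, None),
            ("denied", sp_b, idp.issue_assertion(bob, "company-b"), None)):
        try:
            sp.access(tok, "/orders", now)
            out[label] = "accepted"
        except (ValueError, PermissionError) as e:
            out[label] = str(e)
    out["unknown_sp"] = idp.issue_assertion(alice, "evil-corp")          # None
    return out
```

Every rejection branch in `validate` corresponds to a risk on the slide: the issuer and signature checks bound the trust placed in the external party, the audience check is what stops an assertion for Company B from opening Company C, and the expiry and replay checks limit how long a stolen assertion is useful. Policy is still Company B's own decision, taken after the assertion is trusted, not instead of it.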

Page 10: Identity Management and Federation

Agenda

• Federated Identity Concepts
• Industry Trends
• Recommendations

Page 11: Industry Trends

What infrastructure is needed for federated identity?

[Figure: three layers, top to bottom]
• Identity networks (public identity services, or other communities): Ping Id, .NET Passport, Verified by Visa, Shibboleth, others
• Federated identity standards (used between or within domains): SAML, Liberty, WS-Security, WS-Federation, XACML, others
• Base security capabilities ((mostly) used within products/domains): Kerberos, X.509, LDAP, ID/password, token, others

Page 12: Industry Trends

Security Assertion Markup Language (SAML)

• SAML provides authentication, authorization, and attribute assertions between loosely coupled domains
• Meant to be complemented by XACML and other specs
• SAML 2.0 will converge with donated Liberty Alliance Phase I work, add user to role mapping, better session management, perhaps credentials collection

[Figure: SAML domain model. Domain A: a credentials collector presents the system entity's credentials to an authentication authority, which issues an authentication assertion; an attribute authority issues an attribute assertion; a policy decision point issues an authorization decision assertion. Domain B: the application request is handled by a policy enforcement point that consumes these assertions.]
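The three assertion types in the SAML figure, carried as statements of one SAML 1.1 assertion and consumed at the relying domain, as an added example (not from the deck and not OASIS code). The assertion below is constructed: the issuer, subject, resource and attribute values are made up, and it is unsigned, which a deployed SP would never accept; in practice the XML signature is verified before any statement is read, and untrusted XML should go through a parser with entity expansion disabled (for example defusedxml) rather than plain xml.etree.

```python
"""Parse a SAML 1.1 assertion carrying an AuthenticationStatement, an
AttributeStatement and an AuthorizationDecisionStatement, then enforce
the decision at a policy enforcement point (PEP). Added example; the
assertion text is constructed and unsigned."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: one assertion from Company A about alice, addressed to
# Company B, with all three SAML 1.1 statement types.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_c0ffee01"
  Issuer="idp.company-a.example" IssueInstant="2003-11-20T10:00:00Z">
  <saml:Conditions NotBefore="2003-11-20T09:55:00Z" NotOnOrAfter="2003-11-20T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.company-b.example</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2003-11-20T09:59:30Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice@company-a.example</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@company-a.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>buyer</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Decision="Permit"
      Resource="https://sp.company-b.example/orders">
    <saml:Subject><saml:NameIdentifier>alice@company-a.example</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""


def parse_timestamp(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return the assertion as a dict keyed by the SAML 1.1 statement types."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 1.x assertion")
    cond = root.find("saml:Conditions", NS)
    out = {"id": root.get("AssertionID"), "issuer": root.get("Issuer"),
           "not_before": parse_timestamp(cond.get("NotBefore")),
           "not_on_or_after": parse_timestamp(cond.get("NotOnOrAfter")),
           "audiences": [a.text for a in cond.iterfind(".//saml:Audience", NS)],
           "authn": [], "attributes": {}, "decisions": []}
    for s in root.iterfind("saml:AuthenticationStatement", NS):
        out["authn"].append({"subject": s.findtext("saml:Subject/saml:NameIdentifier", None, NS),
                             "method": s.get("AuthenticationMethod"),
                             "instant": parse_timestamp(s.get("AuthenticationInstant"))})
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        out["attributes"][a.get("AttributeName")] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    for d in root.iterfind("saml:AuthorizationDecisionStatement", NS):
        out["decisions"].append({"resource": d.get("Resource"), "decision": d.get("Decision"),
                                 "actions": [x.text for x in d.iterfind("saml:Action", NS)]})
    return out


def enforce(assertion, my_audience, resource, action, now):
    """PEP: honour the authority's decision only when the assertion is
    addressed to this SP, is current, and actually covers this request."""
    if my_audience not in assertion["audiences"]:
        return "Deny: assertion not addressed to " + my_audience
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        return "Deny: assertion not valid at " + now.isoformat()
    for d in assertion["decisions"]:
        if d["resource"] == resource and action in d["actions"]:
            return d["decision"]
    return "Indeterminate"   # nothing covers it: go back to the PDP, do not guess
```

The PEP falls through to `Indeterminate` rather than `Permit` when no decision statement matches the request, so an assertion that is silent about a resource never grants it; a Permit for `Read` on `/orders` says nothing about `Write`.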

Page 13: Industry Trends

Liberty Alliance

• Consortium of over 160 organizations: enterprises, service providers, and vendors
• In 2002, developed Identity Federation Framework (ID-FF) using opt in account linking on top of SAML
• In 2003, developing Identity Web Services Framework (ID-WSF), permission based attribute sharing and additional capabilities

[Figure: a circle of trust. The User holds a linked account at Domain A (IDP) and a linked account at Domain B (SP); a SAML assertion passes from A to B by browser redirect or Web service.]
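Opt-in account linking in the ID-FF style, covering the "account linking" and "privacy protections" items on the federation concepts slide as well as this one, as an added example rather than Liberty Alliance code. The IdP mints a random, opaque name identifier for each (user, SP) pair and both sides store the mapping to their own local account, so local account names never cross the boundary and two SPs in the same circle of trust cannot correlate the user through the identifier. The company names and accounts are made up.

```python
"""Liberty ID-FF style account linking with opaque, pairwise name
identifiers. Added example; not Liberty Alliance code. Names constructed."""
import secrets


class IdpFederation:
    """Company A side: user -> {sp: handle}, plus the reverse index used
    when an SP later refers to the user by handle only."""

    def __init__(self):
        self.by_user = {}      # user -> {sp_name: handle}
        self.by_handle = {}    # (sp_name, handle) -> user

    def federate(self, user, sp_name, consent):
        # Linking is opt-in: no consent, no handle, and so no assertion for that SP.
        if not consent:
            raise PermissionError(f"{user} declined federation with {sp_name}")
        links = self.by_user.setdefault(user, {})
        if sp_name in links:
            return links[sp_name]          # re-linking is idempotent
        handle = secrets.token_urlsafe(24) # random, carries nothing about the user
        links[sp_name] = handle
        self.by_handle[(sp_name, handle)] = user
        return handle

    def defederate(self, user, sp_name):
        handle = self.by_user.get(user, {}).pop(sp_name, None)
        if handle is not None:
            del self.by_handle[(sp_name, handle)]
        return handle is not None

    def name_identifier_for(self, user, sp_name):
        """What goes into the assertion's NameIdentifier for this SP, or None."""
        return self.by_user.get(user, {}).get(sp_name)


class SpFederation:
    """Company B side: handle -> local account (or a role, when the SP would
    rather attach persistent policy than an account)."""

    def __init__(self, name):
        self.name = name
        self.links = {}        # handle -> local account

    def link(self, handle, local_account):
        self.links[handle] = local_account

    def resolve(self, handle):
        return self.links.get(handle)   # None: unlinked, fall back to local login


def run_linking():
    """Link one user to two SPs and show what each side can and cannot see."""
    idp = IdpFederation()
    sp_b, sp_c = SpFederation("company-b"), SpFederation("company-c")
    hb = idp.federate("alice", sp_b.name, consent=True)   # constructed consent
    hc = idp.federate("alice", sp_c.name, consent=True)
    sp_b.link(hb, "a.smith")                              # alice's existing B account
    sp_c.link(hc, "asmith42")                             # alice's existing C account
    out = {"distinct_handles": hb != hc,                  # B and C cannot correlate
           "handle_is_opaque": "alice" not in hb + hc,
           "sp_b_account": sp_b.resolve(idp.name_identifier_for("alice", "company-b")),
           "sp_c_account": sp_c.resolve(idp.name_identifier_for("alice", "company-c")),
           "stable_on_relink": idp.federate("alice", "company-b", consent=True) == hb,
           "cross_sp_lookup": sp_c.resolve(hb)}          # B's handle means nothing at C
    try:
        idp.federate("bob", "company-b", consent=False)
        out["without_consent"] = "linked"
    except PermissionError:
        out["without_consent"] = "refused"
    idp.defederate("alice", "company-b")
    out["after_defederation"] = idp.name_identifier_for("alice", "company-b")  # None
    return out
```

The handle is the only identifier that travels in the assertion, so the SP's mapping table (and the IdP's reverse index) is what gives it meaning; defederation deletes both entries and the next assertion for that SP carries no name identifier at all.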

Page 14: Industry Trends

Federated identity products and adoption

• SAML early adoption gaining momentum
  • Multiple Web access management and other security products in various stages of release or development
  • Open source solutions and toolkits available
  • Growing customer adoption across multiple industries

• Liberty entering early adoption
  • Head start by encouraging end user membership, adopting SAML, and putting Liberty Phase I into OASIS
  • Products and early implementations underway
  • But some Web access management vendors are not yet implementing Liberty standards

Page 15: Industry Trends

Federated identity: A growing stack of converging standards with common foundations

[Figure: the stack, from the foundation up]
• Foundation Web standards: WSDL, SOAP, XML, HTTP, HTML
• XML Signature, XML Encryption, XML Key Management Services (XKMS)
• WS-Security
• SAML, with SPML, XACML and XrML alongside
• Liberty ID-FF (federated sign on); WS-Federation
• Liberty Alliance Phase 2 (ID-WSF, ID-SIS): permission based attribute sharing
• WS-Policy, WS-Trust, WS-SecureConversation
• WS-Authorization, WS-Privacy

Key: OASIS (published); OASIS (new work); Liberty Alliance Phase 1 (ID-FF); Microsoft, IBM, etc. (published); Microsoft, IBM, etc. (unpublished)

Page 16: Industry Trends

SAML, Liberty Alliance, and WS-*

• Where they agree
  • WS-Security and WS-* carry SAML and Liberty assertions
  • OASIS, Liberty Alliance developing WS-Security bindings
  • Microsoft says it will support SAML in Authorization Manager; IBM supports SAML, says it will support Liberty
  • WAM vendors will support both

• Where they disagree
  • Microsoft, IBM won’t join Liberty Alliance
  • WS-Federation has a different profile for browser based users than SAML and Liberty
  • Microsoft promoting XrML, not SAML and XACML

Page 17: Industry Trends

SAML, Liberty Alliance, and WS-*: What to expect

• A standards race of “The Tortoise and the Hare”
  • SAML and/or Liberty “hare” racing ahead with federated identity specific initiatives, well into early adoption
  • WS-* “tortoise” will need a few years to be fully standardized, built, and broadly deployed
  • But Microsoft, IBM and partners can push a lot of software into the channel
  • SAML and Liberty Alliance likely to converge with WS-* over the next 5 years for a relatively comfortable coexistence

Page 18: Industry Trends

Technology availability and adoption waves

[Figure: successive availability and adoption waves across 2003 to 2007, in order: SAML; Liberty ID-FF; WS-Security; WS-*, new Liberty specs, SAML 2.0.]

Components, timing variable subject to standardization and convergence

Page 19: Industry Trends

Identity networks today

• Centralized
  • .NET Passport and AOL Screen Name Service

• Industry-based, proprietary
  • SecuritiesHub, Verified by Visa, others

• SAML-powered
  • Shibboleth, multiple corporate networks

• Liberty-powered
  • Corporate B2E projects underway
  • PingID and Neustar (eRX Land Records Exchange Network)
  • Financial networks (SecuritiesHub, others)
  • Mobile communications networks

Page 20: Identity Networks

Federation implies a poly-centric environment

• Many islands will emerge
• Industry-specific solutions are likely
• How will they converge?
• Identity networks could emerge to link the islands
• Identity networks may be centralized (like Passport), member-owned (as in the ATM, credit-card worlds), provide common governance and policy frameworks, or other models

[Figure: Identity Network A and Identity Network B, each made up of identity domains, connected by identity peering.]

Page 21: Identity Networks

Federated Identity and Web services network types

[Figure: network types appearing across 2003 to 2007, in order: pair-wise, internal federation; trusted third party enabled federation; communities (hub optional); identity networks.]

Page 22: Identity Management and Federation

Agenda

• Federated Identity Concepts
• Industry Trends
• Recommendations

Page 23: Recommendations

Early adopter lessons learned

• If you build it, they will come
  • Partner interest cascades…
• Return on investment (ROI) is out there
• Federated identity is flexible, it works, and it’s reliable
• But
  • You have to pay to play
  • SAML protocol has some gaps
  • Browsing issues and performance bottlenecks arise
  • The infrastructure must be secure
  • Users will always surprise you

Page 24: Recommendations

Lessons learned from early deployments

• Technical issues not so difficult
  • Web developers prefer standards based SAML or Liberty approach to point integration solutions
  • Some enterprises have written their own XML based federation layer
  • Others purchasing Web access management (WAM) support for IDP operations, WAM or toolkit to accept assertions as SP

• Business issues more complicated than technical ones
  • Build in time to get business application owners on board, and work through arrangements with partners
  • Some enterprises mandating federated IdM for suppliers
  • Create “workbooks” or other collaterals that help early partners understand federated IdM (trading “hubs” can drive adoption)
  • Leverage existing industry associations, identity networks

Page 25: Recommendations

Today: Implement SAML, Liberty, and conventional IdM at appropriate architecture tiers

Future: Integrate federated identity with secure Web services

• Enterprise identity: use a balance of consolidation, integration and federation approaches internally
• B2B identity: use SAML and/or a directory with delegated and self service administration
• Public identity: use identity networks, Liberty Alliance circles of trust, and/or a directory with self service registration

Page 26: Recommendations

Deployment considerations

• Use consolidation, integration to build base camp to federate from (continue cleaning the identity house)

• Consider SAML and/or Liberty for current projects, augmenting conventional IdM

• Monitor WS-* for future opportunity to deploy secure, Web services solutions; seek convergent solutions

• Prepare for breaches on either side of your federations by adding business agreements for cooperative risk management and dispute resolution

• Brief the purchasing department, security department, and legal department to get their buyoff

Page 27: Conclusion

• Federated identity management is a strategic capability that will solve real problems

• SAML and Liberty provide federated identity to the current generation of Web-enabled computing

• Next generation of Web services computing taking shape, will include federated identity

• In the long run, federated identity will converge across both generations of computing

• Identity networks will link partners - internal and external, large and small