Liberty Federation PoC
[Diagram: GM Network and Partner Network, each with a FederatedID Server, connected over the Internet; the User reaches Socrates and the partner App Server, and validation of the user is federated between the two FederatedID Servers.]
Bob Chmara, General Motors Corporation, June 22, 2004
Intro
Contractor with GM for two years working in the area of Identity Management
Previously owned a consulting firm providing network and software services to small businesses
From November 2002 to November 2003, led the GM team in the Liberty Federation Proof of Concept
Liberty Federation Proof of Concept
Business Challenges
Technical Challenges
The Future of Liberty
Agenda
• Intro
• Liberty background
  • Circles of Trust
  • Versions
• Proof of Concept
  • Goals
  • What worked, what didn't
  • Work analysis
• Technical challenges
  • Firewall/Proxy issues
  • Session Mgt
• Business challenges
  • Internal Alignment
  • External Alignment
  • Use Cases
• Ongoing business efforts
• Future of Liberty
• Wrap up
Liberty Alliance
http://www.projectliberty.org/
Consortium of 160+ companies, both technology producers and technology consumers.
"The striking thing about the Liberty Alliance is that it is knee-deep in end user involvement…", Network World, 12/23/02
Liberty produces a set of specifications, not products
Formed in 2001
Comprised of five expert groups:
• Business & Marketing Expert Group - Identifies and drives the market requirements for the Liberty specifications.
• Technology Expert Group - Drives the technical specifications to support the market needs.
• Public Policy Expert Group - Drives dialogue with government and non-government groups concerned with the many issues pertaining to identity.
• Conformance Expert Group - Formed to define and manage the process for validating interoperability between vendors' implementations.
• Services Expert Group - Formed to define and manage the process for creating new service specifications.
Circles of Trust
The Liberty term for a Federation
Based on trust agreements between Identity Providers (IdP) and Service Providers (SP)
Phase 1 Overview
Identity Federation Framework, ID-FF
v1.0 released July 2002; v1.1 released January 2003
Elements:
• Opt-in Account Linking
• Simplified Sign-On
• Fundamental Session Management
• Affiliations
• Anonymity
• Protocol for the Real-time Discovery and Exchange of Meta Data
Overview: There is no sharing of user-supplied identity data among Federation members. Data is transferred via HTTP or form-POST-based redirects (preferred method) or cookies.
Liberty Identity Federation Framework (ID-FF)
Enables identity federation & management through identity/account linkage, simplified sign-on & simple session management
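The Phase 1 elements above (opt-in account linking, simplified sign-on, form-POST redirects, no sharing of user-supplied identity data) and the user-state use cases in the backup slides (pre-federation, "half" federated, blocked account, de-federation) can be walked end to end in a small model. The following is an added example written for this page, not code from the GM PoC, from Sun's products, or from the Liberty specifications: it uses JSON and an HMAC in place of ID-FF's SAML assertions and XML Signature, and the provider IDs, shared key, user "bob" and local account "bchmara" are all constructed for illustration. What it keeps faithful is the SP-side checklist on the POSTed response (signature before parsing, trusted issuer, audience, validity window, replay) and the fact that the only identity crossing the federation is an opaque per-SP pseudonym.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical provider IDs and pre-shared key, constructed for this example. Real
# ID-FF responses are SAML assertions signed with the IdP's certificate (XML
# Signature); the HMAC stands in for that so the SP-side checks can be shown.
IDP_ID = "https://idp.gm.example"
SP_ID = "https://benefits.partner.example"
SHARED_KEY = b"circle-of-trust-key-for-example-only"
ASSERTION_LIFETIME = 300  # seconds an assertion stays acceptable

def _sign(body):
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

class IdentityProvider:
    """Authenticates employees; keeps one opaque pseudonym per (user, SP) pair."""
    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.federations = {}  # (user, sp_id) -> pseudonym
    def federate(self, user, sp_id):
        # Opt-in account linking: a random pseudonym minted for this SP only, so no
        # user-supplied identity data (name, email, employee id) leaves the IdP.
        return self.federations.setdefault((user, sp_id), secrets.token_urlsafe(24))
    def authn_response(self, user, sp_id, now=None):
        """Form-POST payload for an authenticated user; None if not yet federated."""
        name_id = self.federations.get((user, sp_id))
        if name_id is None:
            return None
        now = time.time() if now is None else now
        assertion = {"id": secrets.token_hex(16),  # unique; SP uses it to detect replay
                     "issuer": self.provider_id,
                     "audience": sp_id,            # only this SP may accept it
                     "not_before": now, "not_on_or_after": now + ASSERTION_LIFETIME,
                     "name_id": name_id, "name_id_format": "urn:liberty:iff:nameid:federated"}
        body = json.dumps(assertion, sort_keys=True).encode()
        # Carried by the browser in a hidden form field and POSTed to the SP.
        return base64.b64encode(body).decode() + "." + _sign(body)

class ServiceProvider:
    """Consumes the POSTed assertion and maps the pseudonym to a local account."""
    def __init__(self, provider_id, trusted_idps):
        self.provider_id = provider_id
        self.trusted_idps = set(trusted_idps)  # this SP's side of the circle of trust
        self.links = {}        # pseudonym -> local account (the SP's half of the link)
        self.blocked = set()   # local accounts that may not sign on
        self.seen_ids = set()  # consumed assertion ids (replay cache)
    def link(self, name_id, local_account):
        self.links[name_id] = local_account
    def consume(self, payload, now=None):
        now = time.time() if now is None else now
        try:
            b64, sig = payload.split(".")
            body = base64.b64decode(b64, validate=True)
        except (AttributeError, ValueError):
            return {"status": "malformed"}
        if not hmac.compare_digest(_sign(body), sig):  # verify before trusting any field
            return {"status": "bad_signature"}
        a = json.loads(body)
        if a["issuer"] not in self.trusted_idps:
            return {"status": "untrusted_issuer"}
        if a["audience"] != self.provider_id:
            return {"status": "wrong_audience"}
        if not a["not_before"] <= now < a["not_on_or_after"]:
            return {"status": "expired"}
        if a["id"] in self.seen_ids:
            return {"status": "replay"}
        self.seen_ids.add(a["id"])
        local = self.links.get(a["name_id"])
        if local is None:
            # "Half" federated: IdP holds the link, SP does not. The SP logs the user in
            # locally once, then calls link() to complete the federation.
            return {"status": "needs_local_login", "name_id": a["name_id"]}
        if local in self.blocked:
            return {"status": "blocked", "account": local}
        return {"status": "sso_ok", "account": local}

def run_scenarios():
    """Walk the user states from the use-case slides; returns each outcome."""
    idp, sp, t0, out = IdentityProvider(IDP_ID), ServiceProvider(SP_ID, [IDP_ID]), 1e9, {}
    out["pre_federation"] = idp.authn_response("bob", SP_ID, t0) is None
    name_id = idp.federate("bob", SP_ID)                     # bob opts in at the IdP
    r = sp.consume(idp.authn_response("bob", SP_ID, t0), t0)
    out["half_federated"] = r["status"]
    sp.link(r["name_id"], "bchmara")                         # after one local SP login
    out["sso"] = sp.consume(idp.authn_response("bob", SP_ID, t0), t0)["status"]
    payload = idp.authn_response("bob", SP_ID, t0)
    sp.consume(payload, t0)
    out["replay"] = sp.consume(payload, t0)["status"]
    late = t0 + ASSERTION_LIFETIME
    out["expired"] = sp.consume(idp.authn_response("bob", SP_ID, t0), late)["status"]
    b64, sig = payload.split(".")
    forged = dict(json.loads(base64.b64decode(b64)), audience="https://evil.example")
    forged_b64 = base64.b64encode(json.dumps(forged, sort_keys=True).encode()).decode()
    out["tampered"] = sp.consume(forged_b64 + "." + sig, t0)["status"]
    sp.blocked.add("bchmara")
    out["blocked"] = sp.consume(idp.authn_response("bob", SP_ID, t0), t0)["status"]
    sp.links.pop(name_id)                                    # de-federation, both sides
    idp.federations.pop(("bob", SP_ID))
    out["defederated"] = idp.authn_response("bob", SP_ID, t0) is None
    return out
```

Call `run_scenarios()`; each key names one of the deck's use cases and the value is the SP's decision. The half-federated state is resolved by a local login at the SP, never by the IdP sending profile data, which is the property the Phase 1 slide states. In a real ID-FF deployment the SP checks the XML Signature against the IdP certificate it holds from the circle-of-trust agreement rather than a shared HMAC key, and the same issuer, audience, window and replay checks still apply.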
Phase 2 Overview
Identity Web Services Framework, ID-WSF
Released April 2003, along with ID-FF v1.2
Elements:
• Permission Based Attribute Sharing
• Identity Service Discovery
• Interaction Service
• Security Profiles
• Simple Object Access Protocol (SOAP) Binding
• Extended Client Support
• Identity Services Templates
Overview: Focus will be on core identity data that can be used across vertical markets. XML spec defined for identity data containers. User will have fine-grained control over sharing. User may delegate authority to link accounts. Data will be transferred via Web Services.
Liberty Identity Web Services Framework (ID-WSF)
Framework for building interoperable services, permission-based attribute sharing, identity service description & discovery, & associated security profiles
Phase 3 Overview
Identity Services Interface Specification, ID-SIS
Scheduled for release ???
Elements:
• Personal Profile
• Employee Profile
• Registration
• Contact book
• Calendar
• Geo-location
• Presence
• Alerts
Overview: User will be able to select different service providers for each service. Service providers will be able to accept events from other providers based on user preferences. Intended as the building blocks to be used in the creation of industry-specific services.
Liberty Identity Services Interface Specifications (ID-SIS)
A collection of specs for interoperable services such as registration, contact book, geo-location, calendar, presence, alerts, etc.
Proof of Concept
• Goals
• What worked, what didn't
• Work analysis
• Technical challenges: Firewall/Proxy issues, Session Mgt
• Business challenges
  • Internal Alignment: If it's not broke…
  • External Alignment: GM, Business Partner, WorkScape, Sun; White Paper; Public release of info
• Use Cases
Liberty 1.x Federation between GM Employee Portal, MySocrates, and Business Partner employee benefits application.
PoC Goals
Business Goals
• Increased employee satisfaction
• Removes barriers and impediments
• Expansion of Portal Paradigm
• Enhance relationships with Liberty Partners
Technology Goals
• Implementation guidelines
• Gain experience that can be applied to other systems: GM Affinity Programs, Vendor/Supplier systems, Dealer systems
• Streamline internal processes
• Validate Liberty spec
Goals vs. Implementation
• SSO: Completed
• SLO: 90% complete
• Secondary Authentication: Not tested – Partner unable to incorporate required systems into test environment
• Dynamic federation: Bulk Federation
• Portlet within MySocrates: Not tested due to Partner business rules
• SunONE Identity Server on both sides of environment: SunONE Portal/Identity Server to Liberty-enabled proprietary identity server
• Include "real-world" connectivity: Done
• Comprehensive white paper: Under development
PoC Timeframe
51 weeks, start to finish: started November 2002, completed November 2003
Business related effort – 29 weeks
• Engage with Financial Sponsor – 8 weeks
• Engage with GM Business Unit – 4 weeks
• Engage with Partner – 7 weeks
• Use Case Development – 8 weeks
• Financial Sponsor re-alignment – 2 weeks
Technical related effort – 12 weeks
• Lab Setup – 3 weeks
• Technical Problems – 4 weeks
• Use Case Testing – 5 weeks
Down time/shutdowns – 10 weeks
Milestones
• 20 Nov 2002, 1st meeting with Sun
• 10 March 2003, Initial contact with Business Partner
• 22 April 2003, Project kick-off video conference
• 19 June 2003, Use cases finalized
• 20 August 2003, Project Technical kick-off video conference
• 11 Nov 2003, Core integration & functional testing complete
Technical Challenges
• GM Lab policies and procedures were incomplete and not clear
• Firewall and proxy configurations were unique to the Liberty implementation
• Test data and the associated encryption issues caused a delay
• Cert signing issues
• Hardware failures
• Session management
• Lab Change Request
Arrrggghhhh!
Business Challenges
• Arranging Financing
• GM Business Unit engagement: If it's not broke…
• Business Partner engagement
• Whitepaper definition caused loss of initial funding source
• Agreement on distribution of project scope and results
• Use cases were a long process (~2 months) - different goals
• And we only touched on legal agreements…
Production Plans
Production Implementation of PoC
• GM IT: Ready
• GM Legal: Ready
• GM Security: Ready
• GM Business Unit: tied up in major project with PoC Business Partner, will not assign resources to project
• Business Partner IT: Ready
• Business Partner Business Unit: tied up in major project with GM
Internal Federation difficult to implement
• Identity Management Strategy still being defined – "Wait and see"
• Non-Liberty compliant authentication services
• Multiple existing non-standard Federation efforts already underway
Prognosticating - The Future of Liberty
Circles of Trust are limiting in B2C
• Agreements are still Point-to-Point
• Better suited to B2B or B2E implementations
• Difficult to build in B2C environments
• Competitors may not wish to belong to the same CoT
• My consumption habits don't necessarily map to affinity programs
• Depend upon incentives to create affiliations
• Chained agreements are complex
Trust on demand
• "Personal certs" from trusted providers such as Verisign. Challenge is to make them cost effective and still maintain trustworthiness.
• Validity depends on authentication to the device in which the cert is stored
• SPs may require additional credentials
Liberty enabled devices
• PDA, Cell Phones, Wired phone, Browsers and other Internet apps, Car
Identity Provider
• Identity and Profile storage
• Profile storage is independent of profile consumers
• On local devices or in secured datastore – synchronized to devices
• Could be Federation Standards neutral via abstraction
Backup Slides: Use Cases
Use Cases - Primary
• Single Log-On, Default Target Page: Successful
• Single Log-Off: 90% Complete
• Bulk Federation: Successful (Exclusive of GM HR systems)
• First Access of SP App: Not tested – Partner unable to incorporate PW management system into test/development environment
• De-federation: Successful
Use Cases - Link/URL tests
• Single Log-On, User Specified Target Page: Successful
• Multiple account holder: Successful
• Authentication Context: Not tested – Partner opted not to incorporate second app into PoC
• Access Target Page via URL: Successful
• Access federated URL directly / Access the Redirect Page: Successful (Requires Partner to expose URL via proxy.)
Use Cases - Exceptions Based on User State
• Pre-federation access: Successful
• "Half" federated access: Successful
• Blocked account: Successful
• Bulk federation failure: Successful (Purely Partner test)
Use Cases - Timeouts & Windowing
• SP App (local) logout: Successful
• SP App session time out: Out of Scope
• Session Management – Employee's MySocrates session will not time out due to activity on the SP App: Out of Scope
• Session Management – Employee's MySocrates session times out forcing an SP App time out: Out of Scope