
Page 1: Liberty Federation PoC GM Network

Liberty Federation PoC

Figure: Federated Validation of User. Labels on the slide: GM Network, Federated ID Server (one in each network), User, Partner Network, Socrates, App Server, Internet.

Bob Chmara, General Motors Corporation, June 22, 2004

Page 2: Liberty Federation PoC GM Network

Intro

Contractor with GM for two years working in the area of Identity Management

Previously owned a consulting firm providing network and software services to small businesses

From November 2002 to November 2003, led the GM team in the Liberty Federation Proof of Concept

Topics: Business Challenges, Technical Challenges, The Future of Liberty

Page 3: Liberty Federation PoC GM Network

Agenda

• Intro

• Liberty background: Circles of Trust; Versions

• Proof of Concept: Goals; What worked, what didn't; Work analysis

• Technical challenges: Firewall/Proxy issues; Session Mgt

• Business challenges: Internal Alignment; External Alignment; Use Cases

• Ongoing business efforts

• Future of Liberty

• Wrap up

Page 4: Liberty Federation PoC GM Network

Liberty Alliance

http://www.projectliberty.org/

Consortium of 160+ companies, both technology producers and technology consumers.

"The striking thing about the Liberty Alliance is that it is knee-deep in end user involvement…", Network World, 12/23/02

Liberty produces a set of specifications, not products

Formed in 2001

Comprised of five expert groups:

Business & Marketing Expert Group - Identifies and drives the market requirements for the Liberty specifications.

Technology Expert Group - Drives the technical specifications to support the market needs.

Public Policy Expert Group - Drives dialogue with government and non-government groups concerned with the many issues pertaining to identity.

Conformance Expert Group - Formed to define and manage the process for validating interoperability between vendors’ implementations.

Services Expert Group - Formed to define and manage the process for creating new service specifications.

Page 5: Liberty Federation PoC GM Network

Circles of Trust

The Liberty term for a Federation

Based on trust agreements between Identity Providers (IdP) and Service Providers (SP)

Page 6: Liberty Federation PoC GM Network

Phase 1 Overview

Identity Federation Framework, ID-FF

v1.0 Released July, 2002

v1.1 Released January, 2003

Elements: Opt-in Account Linking; Simplified Sign-On; Fundamental Session Management; Affiliations; Anonymity; Protocol for the Real-time Discovery and Exchange of Meta Data

Overview

There is no sharing of user supplied identity data among Federation members

Data is transferred via http or form-POST-based redirects (preferred method) or cookies

Liberty Identity Federation Framework (ID-FF): Enables identity federation & management through identity/account linkage, simplified sign-on & simple session management

Page 7: Liberty Federation PoC GM Network

Phase 2 Overview

Identity Web Services Framework, ID-WSF

Released April, 2003, along with ID-FF v1.2

Elements: Permission Based Attribute Sharing; Identity Service Discovery; Interaction Service; Security Profiles; Simple Object Access Protocol (SOAP) Binding; Extended Client Support; Identity Services Templates

Overview

Focus will be on core identity data that can be used across vertical markets

XML spec defined for identity data containers

User will have fine grained control over sharing

User may delegate authority to link accounts

Data will be transferred via Web Services

Liberty Identity Federation Framework (ID-FF): Enables identity federation & management through identity/account linkage, simplified sign-on & simple session management

Liberty Identity Web Services Framework (ID-WSF): Framework for building interoperable services, permission-based attribute sharing, identity service description & discovery, & associated security profiles

Page 8: Liberty Federation PoC GM Network

Phase 3 Overview

Identity Services Interface Specification, ID-SIS

Scheduled for release ???

Elements: Personal Profile, Employee Profile, Registration, Contact book, Calendar, Geo-location, Presence, Alerts

Overview

User will be able to select different service providers for each service

Service providers will be able to accept events from other providers based on user preferences

Intended as the building blocks to be used in the creation of industry-specific services

Liberty Identity Federation Framework (ID-FF): Enables identity federation & management through identity/account linkage, simplified sign-on & simple session management

Liberty Identity Web Services Framework (ID-WSF): Framework for building interoperable services, permission-based attribute sharing, identity service description & discovery, & associated security profiles

Liberty Identity Services Interface Specifications (ID-SIS): A collection of specs for interoperable services such as registration, contact book, geo-location, calendar, presence, alerts, etc.

Page 9: Liberty Federation PoC GM Network

Proof of Concept

Goals

What worked, what didn't

Work analysis

Technical challenges: Firewall/Proxy issues; Session Mgt

Business challenges: Internal Alignment (If it's not broke…); External Alignment (GM, Business Partner, WorkScape, Sun; White Paper; Public release of info)

Use Cases

Liberty 1.x Federation between GM Employee Portal, MySocrates, and Business Partner employee benefits application.

Page 10: Liberty Federation PoC GM Network

PoC Goals

Business Goals

Increased employee satisfaction: Removes barriers and impediments

Expansion of Portal Paradigm

Enhance relationships with Liberty Partners

Technology Goals

Implementation guidelines

Gain experience that can be applied to other systems: GM Affinity Programs; Vendor/Supplier systems; Dealer systems; Streamline internal processes

Validate Liberty spec

Goals and their implementation status

SSO - Completed

SLO - 90% complete

Secondary Authentication - Not tested – Partner unable to incorporate required systems into test environment

Dynamic federation - Bulk Federation

Portlet within MySocrates - Not tested due to Partner business rules

SunONE Identity Server on both sides of environment - SunONE Portal/Identity Server to Liberty enabled proprietary identity server

Include "real-world" connectivity - Done

Comprehensive white paper - Under Development

Page 11: Liberty Federation PoC GM Network

PoC Timeframe

51 weeks, start to finish: Started November 2002, Completed November 2003

Business related effort – 29 Weeks: Engage with Financial Sponsor - 8 weeks; Engage with GM Business Unit – 4 weeks; Engage with Partner - 7 weeks; Use Case Development - 8 weeks; Financial Sponsor re-alignment – 2 weeks

Technical related effort – 12 Weeks: Lab Setup – 3 weeks; Technical Problems – 4 weeks; Use Case Testing – 5 weeks

Down time/shutdowns – 10 weeks

Milestones

20 Nov 2002, 1st meeting with Sun

10 March 2003, Initial contact with Business Partner

22 April 2003, Project kick-off video conference

19 June 2003, Use cases finalized

20 August 2003, Project Technical kick-off video conference

11 Nov 2003, Core integration & functional testing complete

Page 12: Liberty Federation PoC GM Network

Technical Challenges

GM Lab policies and procedures were incomplete and not clear

Firewall and proxy configurations were unique to Liberty implementation

Test data and the associated encryption issues caused a delay

Cert Signing issues

Hardware Failures

Session Management

Lab Change Request

Arrrggghhhh!

Page 13: Liberty Federation PoC GM Network

Business Challenges

Arranging Financing

GM Business Unit engagement: If it's not broke…

Business Partner engagement

Whitepaper definition. Caused loss of initial funding source.

Agreement on distribution of project scope and results

Use cases were a long process (~2 months) - different goals.

And we only touched on legal agreements…

Page 14: Liberty Federation PoC GM Network

Production Plans

Production Implementation of PoC

GM IT Ready

GM Legal Ready

GM Security Ready

GM Business Unit tied up in major project with PoC Business Partner, will not assign resources to project

Business Partner IT Ready

Business Partner Business Unit tied up in major project with GM

Internal Federation difficult to implement

Identity Management Strategy still being defined – "Wait and see"

Non-Liberty compliant authentication services

Multiple existing non-standard Federation efforts already underway

Page 15: Liberty Federation PoC GM Network

Prognosticating - The Future of Liberty

Circles of Trust are limiting in B2C

Agreements are still Point-to-Point

Better suited to B2B or B2E implementations

Difficult to build in B2C environments

Competitors may not wish to belong to the same CoT

My consumption habits don't necessarily map to affinity programs

Depend upon incentives to create affiliations

Chained agreements are complex

Trust on demand

"Personal certs" from trusted providers such as Verisign. Challenge is to make them cost effective and still maintain trustworthiness.

Validity depends on authentication to device in which cert is stored

SPs may require additional credentials

Liberty enabled devices: PDA, Cell Phones, Wired phone, Browsers and other Internet apps, Car

Identity Provider

Identity and Profile storage

Profile storage is independent of profile consumers

On local devices or in secured datastore – synchronized to devices

Could be Federation Standards neutral via abstraction

Page 16: Liberty Federation PoC GM Network

Backup Slides: Use Cases

Page 17: Liberty Federation PoC GM Network

Use Cases

Primary

Single Log-On, Default Target Page - Successful

Single Log-Off - 90% Complete

Bulk Federation - Successful (Exclusive of GM HR systems)

First Access of SP App - x: Partner unable to incorporate PW management system into test/development environment

De-federation - Successful

Page 18: Liberty Federation PoC GM Network

Use Cases

Link/URL tests

Single Log-On, User Specified Target Page - Successful

Multiple account holder - Successful

Authentication Context - X: Partner opted not to incorporate second app into PoC.

Access Target Page via URL - Successful

Access federated URL directly / Access the Redirect Page - Successful (Requires Partner to expose URL via proxy.)

Page 19: Liberty Federation PoC GM Network

Use Cases

Exceptions Based on User State

Pre-federation access - Successful

"Half" federated access - Successful

Blocked account - Successful

Bulk federation failure - Successful (Purely Partner test.)

Page 20: Liberty Federation PoC GM Network

Use Cases

Timeouts & Windowing

SP App (local) logout - Successful

SP App session time out - Out of Scope

Session Management: Employee's MySocrates session will not time out due to activity on the SP App - Out of Scope

Session Management: Employee's MySocrates session times out forcing an SP App time out - Out of Scope
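The following example is added here to illustrate the ID-FF elements listed in the Phase 1 Overview (opt-in account linking, simplified sign-on, anonymity, de-federation, single log-off) and the session behaviour behind the Timeouts & Windowing use cases above. It is not code from the deck, from GM, or from any Liberty implementation, and it is deliberately simplified: an HMAC-signed JSON document stands in for the XML-signed SAML assertion that ID-FF actually carries, the browser redirect is modelled as handing a dict from IdP to SP, and the entity ids, shared key and account names are invented. What it does keep faithful is the shape of the trust relationship: the SP links a local account to an opaque per-SP pseudonym rather than to the IdP login name, validates signature, issuer, audience, validity window and freshness on every assertion, and runs its own idle timer that neither extends nor consults the IdP's session.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for ID-FF: a JSON "assertion" signed with a shared HMAC key plays
# the role of the XML-signed SAML assertion. Entity ids and the key are invented.
IDP_ID = "https://idp.example/gm"
SP_ID = "https://sp.example/partner"
SHARED_KEY = b"constructed-circle-of-trust-key"


def _sign(key, raw):
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, idp_id, key, idle_timeout):
        self.idp_id, self.key, self.idle_timeout = idp_id, key, idle_timeout
        self.sessions = {}      # user -> time of last IdP activity
        self.federations = {}   # (user, sp_id) -> opaque per-SP name identifier
        self.sps = {}           # sp_id -> ServiceProvider, notified on single log-off

    def login(self, user, now):
        self.sessions[user] = now

    def _require_session(self, user, now):
        last = self.sessions.get(user)
        if last is None or now - last > self.idle_timeout:
            self.sessions.pop(user, None)
            raise PermissionError("no live IdP session")
        self.sessions[user] = now

    def federate(self, user, sp_id, now):
        # Opt-in account linking: the SP learns only a random pseudonym, never the IdP login name.
        self._require_session(user, now)
        return self.federations.setdefault((user, sp_id), secrets.token_urlsafe(16))

    def defederate(self, user, sp_id):
        return self.federations.pop((user, sp_id), None)

    def issue_assertion(self, user, sp_id, now, ttl=60):
        # Simplified sign-on: the signed payload the browser form-POSTs on to the SP.
        self._require_session(user, now)
        body = {"iss": self.idp_id, "aud": sp_id, "sub": self.federations[(user, sp_id)],
                "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        raw = json.dumps(body, sort_keys=True)
        return {"assertion": raw, "sig": _sign(self.key, raw.encode())}

    def single_logoff(self, user):
        # Single log-off: end the IdP session and tell every federated SP to drop its own.
        self.sessions.pop(user, None)
        for (u, sp_id), nameid in self.federations.items():
            if u == user and sp_id in self.sps:
                self.sps[sp_id].sessions.pop(nameid, None)


class ServiceProvider:
    def __init__(self, sp_id, idp_id, key, idle_timeout):
        self.sp_id, self.idp_id, self.key, self.idle_timeout = sp_id, idp_id, key, idle_timeout
        self.accounts = {}   # name identifier -> local SP account
        self.sessions = {}   # name identifier -> time of last SP activity
        self.seen = set()    # assertion ids already consumed, to refuse replays

    def link(self, nameid, local_account):
        self.accounts[nameid] = local_account

    def consume(self, post, now):
        # Check signature, issuer, audience, validity window and freshness before trusting anything.
        raw = post["assertion"]
        if not hmac.compare_digest(_sign(self.key, raw.encode()), post["sig"]):
            raise PermissionError("bad signature")
        body = json.loads(raw)
        if body["iss"] != self.idp_id or body["aud"] != self.sp_id:
            raise PermissionError("wrong issuer or audience")
        if not body["iat"] <= now < body["exp"]:
            raise PermissionError("assertion outside its validity window")
        if body["jti"] in self.seen:
            raise PermissionError("replayed assertion")
        self.seen.add(body["jti"])
        account = self.accounts.get(body["sub"])
        if account is None:
            raise LookupError("pre-federation access: no linked local account")
        self.sessions[body["sub"]] = now
        return account

    def active(self, nameid, now):
        # The SP's own idle timer; it neither extends nor consults the IdP session.
        last = self.sessions.get(nameid)
        if last is None or now - last > self.idle_timeout:
            self.sessions.pop(nameid, None)
            return False
        self.sessions[nameid] = now
        return True


def outcome(fn, *args):
    # Helper for exercising the flows: the call's result, or the name of the exception raised.
    try:
        return fn(*args)
    except Exception as exc:
        return type(exc).__name__
```

To walk the PoC use cases with it: log a user in at the IdP, call `federate` once (opt-in linking), have the SP `link` the returned pseudonym to a local account, then pass each `issue_assertion` result to `consume`. A second `consume` of the same post is refused as a replay, an assertion presented after `exp` is refused, and an unlinked pseudonym produces the "pre-federation access" exception. Because `active` at the SP and `_require_session` at the IdP keep separate timers, activity at the SP never keeps the IdP session alive and an IdP timeout does not end the SP session, which is exactly the behaviour the Timeouts & Windowing slide declares out of scope; only `single_logoff` crosses that boundary, and it does so by explicit notification rather than by a shared session.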