1 / 36

Permissions

Liberty Alliance Project Open Standards for Network Identity Will open standards increase eCommerce? Bill Smith Director, Liberty Alliance Technology Sun Microsystems. Permissions.

carolec
Download Presentation

Permissions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Liberty Alliance ProjectOpen Standards for Network IdentityWill open standards increase eCommerce? Bill Smith Director, Liberty Alliance Technology Sun Microsystems

  2. Permissions The author has graciously given permission to reproduce his presentation at the XML 2002 Conference in Baltimore, Maryland. If copied, changes should not be made and appropriate citation of the author’s work should be given. Instructional media + magic, inc., December 2002

  3. Physical Height, Weight, Gender Experiential Education, Travel, Dining Preferential Food, Clothing, Shelter 1 Identity

  4. Physical Height, Weight, Gender Blood Type, Fingerprint, DNA Experiential Education, Travel, Dining Stock Purchases, Mortgage Balance, Drug Use Preferential Food, Clothing, Shelter Religion, Political affiliation, Club Memberships 1 Identity

  5. Some information needed to determine who I am is widely available – I distribute it A larger set of information is unavailable – I restrict access to trusted relationships Most of this information is in digital form 1 Identity

  6. Control who has access to what information Choose who to trust, what to give, when to change Trust relationships take time to establish 1 Identity

  7. Much of the information about me is in digital form, accessible via the Web It is kept by “trusted brokers” High-quality services are provided I can access and update 1 Digital Identity

  8. Much of the information about me is in digital form, accessible via the Web It is kept by “trusted brokers” High-quality services are provided I can access and update 1 Digital Identity What's the problem?...

  9. I have multiple Digital IDs Information is duplicated and difficult to synchronize Better services are possible 1 Digital Islands

  10. 1 Digital Islands Multiple, disconnected identities scattered across isolated Internet sites • User Name: Bill Smith • Email: bsmith48@freemail.com • PIN: wcs@foobar.com • Credit card number • Social security number • Drivers license • Passport • Entertainment preferences • Notification preferences • Employee authorization • Business calendar • Dining preferences • Education history • Medical history • Financial assets…

  11. 1 Digital Islands – the problem • Inconvenient and frustrating for users Multiple, disconnected identities scattered across isolated Internet sites • Distributed identity-services are difficult to develop and deploy • Continual re-authentication to disparate systems

  12. A method to link the Digital Islands Provide a logical single identity Preserve and enhance existing trust relationships Provide choice and opportunity for better services 1 Network Identity – the solution

  13. A Network Identity is a user’s overall global set of attributes constituted from their various accounts 1 Network Identity – it’s simple

  14. Digital Islands Disparate Systems Lack of communication, interoperability Conflicting Interests Technology suppliers, Technology consumers Service providers, fixed vs. mobile Consumer Demands Better services, Improved convenience Respect Privacy 1 Network Identity – not so fast

  15. Broad scope Web itself Fixed, wireless, desktop, cell phone, PDA, car ... Complexity Technology, Business, Consumer Service providers Reality Digital Islands exist Trust relationships well-established 1 Network Identity – practical solutions

  16. A Business Consortium Solving A Business Problem Over 130 for-profit, not-for-profit and government organizations, representing a billion customers, are currently Alliance members * Only a sample of Liberty members

  17. Liberty’s commercial investment in network identity and the collaboration of its diverse array of member companies can bring a lot to this space. The group’s combined experience, their collective ability to drive usage and the fact that they’re not trying to promote a product but a solution to a problem will help in their success. Dan Blum Burton Group

  18. Establish an open standard for federated network identity through open technical specifications that will: • Support a broad range of identity-based productsand services • Allow for consumer choice of identity provider(s) and the ability to link accounts through account federation • Provide the convenience of simplified sign-on, when using any network of connected services and devices • Enable organizations to realize new revenue and cost saving opportunities • Allow organizations to economically leverage relationships with customers, business partners, and employees • Improve ease of use for e-commerce 1 Mission of the Liberty Alliance

  19. Management Structure Management Board • Consists of 16 founding sponsors • Responsible for overall governance and maintenance • Final voting authority for specifications and other output Public Policy Expert Group Technology Expert Group Marketing Expert Group • Advise on privacy, security, and other public policy issues • Liaison to privacy groups and government agencies • Develops technical architecture and engineering requirements • Develops technical specifications • Interoperability • Develops marketing requirements and use cases • Responsible for membership, press relations, and marketing communications • Adoption

  20. Provider CentralProvider Provider Provider Provider Provider Provider Why is Federated Important? Centralized Model • Network identity and user information in single repository • Centralized control • Single point of failure • Links similar systems Open Federated Model • Network identity and user information in various locations • No centralized control • No single point of failure • Links similar and disparate systems

  21. Solution Analogousto ATM Networks Bank ATM Network A Bank A ATM Card Bank A ATM Card Bank ATM Network B Bank ATM Network A Bank ATM Network B Bank B ATM Card Bank B ATM Card Bank ATM Network C Bank C ATM Card Bank ATM Network C Bank C ATM Card Separate Cards with Each Bank Linked Cards within Bank Networks Seamless Access Across all Networks

  22. Solution Analogousto ATM Networks Bank ATM Network A Bank A ATM Card Bank A ATM Card Bank ATM Network B Bank ATM Network A Bank ATM Network B Bank B ATM Card Bank B ATM Card Bank ATM Network C Bank C ATM Card Bank ATM Network C Bank C ATM Card Federated Accounts within Trust Domain Linkage of Trust Domains Individual Accounts with Many Web Sites .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com .com Separate Cards with Each Bank Linked Cards within Bank Networks Seamless Access Across all Networks

  23. B2C – Travel Industry B2E – Employee Intranet 401k 3d Party Providers Car Rental Hotel Company Intranet Employee Purchase Plans Airline Partner Airlines Health Insurance Cruise Line Livery Dental Insurance B2B – Financial Services B2B - Automotive Treasury Debt Suppliers Dealers Commercial Banking Equity Manufacturers Transport Agencies Clearing House Credit Fleet Financing Examples of Trust Domains

  24. Future Versions • Permissions-based attribute sharing • Schema/protocols for core identity profile service • Simplified sign-on across authentication domains created in version 1.0 by business agreements • Delegation of authority to federate identities/accounts Specifications: A Phased Approach Approach Drivers • Support rapid acceptance and deployment • Phases build on each other • Enable incremental adoption Version 1.0 (Released 15 July 2002) • Federated network identity • Opt-in account linking and simplified sign-on within an authentication domain created by business agreements • Security built across all the features and specifications

  25. Version 1.0 Specifications Builds on top of SAML to provide additional privacy and functionality • Opt-in account linking – Users can link their accounts with different service providers within “circles of trust” • Enhanced single sign-on for linked accounts – Once users’ accounts are federated, they log-in, authenticate at one linked account and navigate to another linked account, without having to log-in again • Authentication context – Companies linking accounts communicate the type of authentication that should be used when the user logs-in • Global log-out – Users can be automatically logged-out of all sites to which they have active sessions • Multiple Client Support – browser, mobile device, and proxy

  26. SAML in a Nutshell • An XML-based framework for exchanging security information • XML schema and definition for security assertions • XML schema and definition for a request/response protocol • Rules on using assertions with standard transport and messaging frameworks (SOAP, Web Browsers). Bindings and Profiles • An OASIS standard • Vendors and users are both involved • Codifies current system outputs rather than inventing new technology • Excellent traction in the marketplace

  27. Liberty Federation/Account Linking Pre-existing accounts at various sites can be linked Pets.com Service Provider JoeSmith Excite.com Identity Provider Joe123 Books.com Service Provider Joe

  28. Liberty Federation/Account Linking Upon linking those accounts, the sites need to be able to have a frame of reference for the user Pets.com Service Provider JoeSmith Excite.com Identity Provider Joe123 Books.com Service Provider Joe

  29. Liberty Federation/Account Linking If account names are exchanged, sites can talk to each other without the user’s approval Pets.com Service Provider JoeSmith Joe123@excite.com Excite.com Identity Provider Joe123 JoeSmith@pets.com Joe@books.com Books.com Service Provider Joe Joe123@excite.com

  30. Liberty Federation/Account Linking If account names are exchanged, sites can talk to each other without the user’s approval Pets.com Service Provider JoeSmith Joe123@excite.com Excite.com Identity Provider Joe123 JoeSmith@pets.com Joe@books.com Books.com Service Provider Joe Joe123@excite.com

  31. Liberty Federation/Account Linking Instead, unique opaque handles resolvable only by the issuer should be exchanged Pets.com Service Provider JoeSmith Excite.com Identity Provider Joe123 <alias="dTvIiRcMlpCqV6xX" SecurityDomain="excite.com" Name="mr3tTJ340ImN2ED" /> <alias="mr3tTJ340ImN2ED" SecurityDomain=“Pets.com" Name="dTvIiRcMlpCqV6xX" /> <alias=“xyrVdS+xg0/pzSgx" SecurityDomain=“Books.com" Name="pfk9uzUN9JcWmk4RF" /> Books.com Service Provider Joe <alias="pfk9uzUN9JcWmk4RF" SecurityDomain="excite.com" Name="xyrVdS+xg0/pzSgx" />

  32. Liberty – Enhanced SSO • Extends an authentication assertion to include the “context” • How did the user log in? Password? Smartcard? Etc. • When should the user be re-authenticated? • How did account registration occur? (in person, via web page) • Extends the authentication request to allow for requesting a strength of authentication • Necessary for real-world scenarios: not all services require the same level of authentication.

  33. Liberty – Additional Features • Simple session management • Provides “single-logout” functionality • Identity federation management • Ability to terminate the federation • Ability to modify the opaque handle shared between authentication authority and relying party • Identity network support • Specifies a protocol by which a website can “discover” what Identity Provider a user is using

  34. Liberty Enabled-ProductsComing Soon!

  35. Permissions-Based Attribute Sharing • Enable businesses to share a principal's attributes according to their corporate policies, business agreements and local regulations, all while adhering to the principal's preferences and permissions • Interoperability Specs for Core Identity Profile Service • Enables users to obtain secure, personalized services that are interoperable across different service providers • Federation of Authentication Domains • Enables users to conveniently navigate and use SSO and share attributes with service providers who may be in different authentication domains. Version 2.0 specifications expected early 2003 Liberty Version 2.0

  36. Established to address real business and technology issues Recognized as the focal point for Network Identity discussions and solutions Produced well-received specification Proceeding with phased approach to deliver on vision and mission 1 Liberty – the Initiative

More Related