
Current State of Federated Identity OASIS Open Standards Forum 2008 Friday, 3 October 2008



Presentation Transcript


  1. Current State of Federated Identity
     OASIS Open Standards Forum 2008
     Friday, 3 October 2008
     Gerry Gebel, VP & Service Director – IdPS
     ggebel@burtongroup.com
     www.burtongroup.com

  2. A Few Points to Ponder
     • State of federation is strong – but the game is changing
     • Business models are driving up demand for federation technology – and forcing still other changes
     • Federation and SSO services – an emerging trend to watch

  3. After this presentation, you will…
     • … stop federating
       • Because business people don’t know what you are talking about
     • … realize that protocols do not equal a business process
       • You need services and capabilities, in addition to protocols and technologies
     • … discover that the Internet doesn’t need an identity layer
       • Rather, it needs a relationship layer!

  4. Business Trends Drive IT Trends
     • Same as it ever was
     • Global economy, cost-effective communications driving fundamental change to the business environment
     • The more global things get, the more pressure to decompose big orgs
     • Need to integrate business process across many boundaries
     • Must interoperate, connect with security and low friction

  5. Business Trends Drive IT Trends
     • What a difference a year (and a financial crisis) makes
     • Do more with less, or do less with less
     • Plate tectonics: Business transformation, IT transformation collide
     • SaaS gaining favor . . . the times they are a-changing
     • Outsource, offshore, buy it as a service

  6. The Expanding Identity Universe
     • Dynamics are driving requirements where CIOs have no control
     [Diagram labels: Control; Scale; Focus; Small; Large; Massive; Distributed; Centralized; SMB, SaaS; Deperimeterization; Outsourcing; Current Technologies and Methodologies; Compliance; Privacy; Business; Individual; The CIO and the budget; Consumers, Social Networks]

  7. Where does federation fit in here?

  8. Federation and Distributed Control

  9. Examine the Problem
     • SSO: internal applications
     [Diagram labels: AD/Kerberos; WAM/Federation; Contractors; Employees; Applications; Partners; Partner SaaS]

  10. Examine the Problem
     • SSO: hosted applications
     [Diagram labels: AD/Kerberos; WAM/Federation; Contractors; Employees; Applications; Partners; Partner SaaS; two connections marked "?"]

  11. Examine the Problem
     • SSO: external users
     [Diagram labels: AD/Kerberos; WAM/Federation; Employees; Applications; Partners; Contractors; Partner SaaS; connection marked "AD/Kerberos?"]

  12. Examine the Problem
     • SSO: external users
     [Diagram labels: AD/Kerberos; WAM/Federation; Employees; Applications; Partners; Contractors; Partner SaaS; connection marked "Federation?"]

  13. Examine the Problem
     • SSO: employee off site
     [Diagram labels: AD/Kerberos; WAM/Federation; Employees; Applications; Partners; Contractors; Partner SaaS; connection marked "AD/Kerberos?"]

  14. Examine the Problem
     • SSO: employee off site, hosted applications
     [Diagram labels: AD/Kerberos; WAM/Federation; Employees; Applications; Partners; Contractors; Partner SaaS; connection marked "Federation?"]

  15. Examine the Problem
     • SSO: new options
     [Diagram labels: AD/Kerberos; WAM/Federation; Contractors; Employees; Applications; Federation service; Partners; Partner SaaS]

  16. Examine the Problem
     • Why don’t we have SSO?
     • Architecture limitations don’t accommodate new application types: Software as a Service
     • Product and technology selection process failure
       • Used RFP checklist instead of usage scenario analysis
     • Vendor implementations limit your options
       • Kerberos exhibits its weakness when external users are involved
       • Microsoft Office products do not handle HTTP redirects
     • New products or technologies may be required
       • Hosted SSO/federation service is one possibility
     • New approaches may be required
       • Identity intermediaries can limit inherent friction

  17. Examine the Problem
     • Maybe it is time to look at the business problem, instead of the technology possibilities
     [Diagram labels: SSL VPN; Partner sites; XML gateways; Bulk feed; Federation servers; WAM servers; Applications; App servers; ESSO; LDAP directory services; Enterprise AD forest]

  18. Too Much Science, Not Enough Art
     • The “science project”: connectivity is rarely straightforward
     [Diagram with steps numbered 1–10; labels: Home authentication; SharePoint 2003; ADFS agent; SAML assertion; SAML-enabled proxy; Web SSO token; Collaborator; Web SSO server; Federation product; ADFS; WS-Federation; Attribute and group memberships; SID; Mapping info and claims; Enterprise AD forest; LDAP directory]

  19. Growth Rates for Federation
     "How long has THAT been there?"
     • Has anyone spotted the elephant in the federation room?
       • > 1,000 connections @ 24 connections / year = 42 years!!
     • All right, but what if deployment rate increases?
       • Assume enterprises can deploy 500 connections per year
       • One customer has 34,000 point-of-sale operations = 68 years!!
     • And that’s just for SSO
       • No authorization
       • Not hub-to-hub

  20. The Aesthetics of Ubiquity
     • Your technology might be mediocre if:
       • Adding a connection requires a project manager
       • Adding a connection requires lab time
       • Each connection requires a custom contract
       • You have to coordinate your deployment with others
       • The solution only works for the latest-and-greatest infrastructure
       • Upgrading a server has ripple effects from end-to-end
     • It seems reasonable to measure “connections per year”

  21. What about that glass ceiling?

  22. Interoperability
     • What if there was a similar program for XACML? Just asking…

  23. Federation Marketplace
     • Products: BMC, CA, Entrust, Evidian, IBM, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs
     • Fed Services: Covisint, FuGen Solutions, Symplified, TriCipher, EduServ
     • Edge Federation: Cisco, Forum Sys, IBM, Layer 7, Vordel

  24. Open Source Options

  25. Working on that scalability problem…

  26. Expanding Federations

  27. Federating Federations

  28. SaaS Federations

  29. SSO+ as a Service

  30. Identity Aggregators
     • Single point of integration for all Nordic e-ID systems
     • Expanding into other regions…

  31. Looking Ahead
     • What is the impact of:
       • User centric identity approaches
         • Of course, this is in name only
         • User centric becomes a reality when business models support it
       • OpenID
         • First party identity systems are not very interesting from a business perspective…
       • Information Cards
         • Unlike OpenID, info cards have a real security model
         • But the market is not responding
       • OSIS, Information Card Foundation, Identity Commons, Higgins, Identity Metasystem Interop TC, etc.
         • Can someone please explain this to me?

  32. In Review
     • State of federation is strong – but the game is changing
     • Business models are driving up demand for federation technology – and forcing still other changes
     • Federation and SSO services – an emerging trend to watch

  33. Current State of Federated Identity
     • References
       • Burton Group’s Identity and Privacy Strategies
         • In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID
         • Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity
         • Business and Legal Issues in Federations
         • A Relationship Layer for the Web… and Enterprises, Too

  34. Current State of Federation Technology
     • References
       • Burton Group’s Identity and Privacy Strategies
         • In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID
         • Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity
         • Business and Legal Issues in Federations
         • Information Card Landscape
         • A Relationship Layer for the Web… and Enterprises, Too
