
Olli Jussila Adaptive R&D TeliaSonera

FIDELITY project presentation on implementing Liberty Alliance technical specifications for identity management in the telecom sector, focusing on trust relations and user experience.



Presentation Transcript


  1. Olli Jussila, Adaptive R&D, TeliaSonera

  2. Agenda
     • TeliaSonera at a glance
     • Project presentation
     • Technical results
     • Business model and actor benefits
     • End user experience
     • Dissemination activities
     • Conclusion

  3. TeliaSonera at a glance
     [Map of the Nordic and Baltic region: Finland, Norway, Estonia, Sweden, Latvia, Denmark, Lithuania]
     • The Nordic and Baltic leader in telecommunications
     • Net sales 2006: EUR 9790 million
     • Strong positions in mobile in Eurasia, Russia and Turkey through subsidiaries and associated companies
     • Mobile services launched in Spain at the end of 2006
     • 23.5 million customers (number of customers as of December 2006)
     • Number of employees: 28,000

  4. Identity Management Nightmare! Multiple accounts, multiple credentials everywhere

  5. The Liberty solution
     [Diagram: a Circle of Trust containing an Identity Provider (IDP), Service Providers (SP) and an Attribute Provider (WSP); numbered labels 1 Identifiers, 2 Single Sign On to other website, 3 Profiles]
     • ID-FF: sign on to SPs with my IDP account (Single Sign On)
     • ID-WSF: share my personal information (attribute sharing via the WSP)

  6. FIDELITY project assumptions
     • Potential Identity Providers and Circles of Trust are numerous
     • Users will navigate among these Circles of Trust
     • One CoT should be able to establish trust relations with another CoT to allow identity roaming

  7. FIDELITY project in a nutshell
     • Set up 4 heterogeneous Circles of Trust
     • Deploy strong authentication mechanisms
     • Demonstrate the inter-operability of these Circles of Trust regarding:
       • Liberty Alliance technical specifications
       • Business model
       • EU legal constraints
       • User experience
     • Provide standardisation and implementation contributions

  8. FIDELITY project members
     • 4 telcos, setting up the CoTs: France Telecom, Amena, Telenor, TeliaSonera
     • 3 industrial partners, providing ID platforms and software: Ericsson, Gemalto, Italtel
     • 3 SMEs and 1 university, providing specific skills and software: TB-Security, Linus, Moviquity, Oslo University College

  9. FIDELITY final results Technical results

  10. Implementation of principal CoT / InterCoT infrastructure and services
      • The four CoTs in France, Finland, Norway and Spain have been established.
      • Each CoT has
        • an Identity Provider
        • some Service Providers with Web service consumers (WSC)
        • and some Attribute Providers (Web service providers, WSP)
      • In each CoT:
        • ID-FF V1.2 (Identity Federation and SSO) has been fully tested
        • ID-WSF V1.1 (Identity Web Service Framework) has been tested
      • Products from different vendors have been used in order to test the interoperability of Liberty software implementations

  11. Architecture and information flow (simplified view)
      [Diagram: V-CoT with V-IdP, V-DS and a Service Provider with WSC; H-CoT with H-IdP, H-DS and H-WSP; arrows numbered 1 to 11]
      1. A user accesses a service
      2. SP redirects the user to V-IDP
      3. V-IDP redirects/proxies the user to H-IDP
      4. H-IDP maps the authentication context request of V-IDP and authenticates the user
      5-6. An authentication assertion including DS info is returned to V-IDP and V-SP
      7-8. SP (WSC) requests the end point of H-WSP from H-DS
      9-10. SP (WSC) requests the service from H-WSP
      11. According to the privacy settings, H-WSP initiates the user-consent process via the SP and the Interaction service. The WSP is also able to request stronger authentication via WSC/SP

  12. The French CoT
      • IDP: Identity Provider, IDP Technical, DS
      • WSPs: Personal Profile, Geolocation Profile, Wallet Profile
      • SPs: Where Restaurant, Student exchange, Book a Hotel, Attribute registration, Wallet registration
      • Authentication methods: user/password, EAP/SIM + password, software PKI

  13. The Finnish CoT
      • IDP / DS: Identity Provider
      • WSPs: Wallet Profile, Geoloc Profile, Calendar Profile, Student Profile, Personal Profile
      • SPs: Register with a mobile, Privacy Manager, Book A Hotel, Where Restaurant
      • Authentication methods: user/password, OT sms (+ password), WPKI, EAP / SIM (GPRS, HLR)

  14. InterCoT Single Sign On • Authentication Contexts
      [Diagram: User Agent, V-SP, V-IDP and H-IDP with numbered messages]
      1. User accesses service provider
      2. PC EAP/SIM please?
      3. (arrow without caption)
      4. PC EAP/SIM please?
      5. Some other from the same level?
      6. Authentication with the user
      7. Mobile USB-OTP
      8. Authenticated ok, empty context or requested context

  15. InterCoT attribute sharing (ID-WSF)
      • InterCoT Discovery Service
        • Direct Access: the V-WSC directly requests the Discovery Service of the H-CoT (H-DS)
        • DS-proxying: the Discovery Service of the V-CoT (V-DS) acts as a DS-proxy between the V-WSC and the H-DS
        • DS-chaining: the V-WSC first requests the V-DS, which redirects it to the H-DS
      • If direct access is used, then we recommend deploying a trust model based on PKI
      Tested

  16. ID-WSF trust model for attribute sharing – IntraCoT vs. InterCoT
      • IntraCoT: every (H-)SP – (H-)WSP pair has a direct business agreement, implying a direct trust relationship. Technically, the trust between ID-WSF entities is established by exchanging metadata on a bilateral basis.
      • InterCoT: business agreements are established only between IDPs; there is no direct business relationship between V-SP and H-WSP. Technically, exchanging metadata between every V-SP – H-WSP pair would be far too burdensome → provisioning the metadata would require too much effort.
      • The Fidelity PKI trust model enables a business model for InterCoT attribute sharing between V-SP and H-WSP. Technically, this is implemented using hierarchical certificate path validation (RFC 3280).

  17. InterCoT Relationship Establishment – CA certificate exchange
      [Diagram: two CoTs, each with a Root, a CoT CA, an IDP (IDP 1, IDP 2), SPs and WSPs; the IDPs exchange CA certificate chains]
      • IDPs exchange the CA certificate chains and deliver them to their other IntraCoT entities (SPs and WSPs)

  18. InterCoT Relationship Establishment
      [Diagram: certificate hierarchy Root CA cert → CoT CA cert → SP cert, compliant with RFC 3280; the SP cert is associated with the SP / WSC; the WSP trusts the CoT CA; the CoT CRL is shown alongside; Home CoT and Visited CoT; on a service request from the SP / WSC the WSP performs a certificate revocation status check]
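The trust model of slides 16 to 18, as an added example in Go: a Root CA with a CoT CA beneath it per circle, IDPs handing the partner circle's CA chain to their own SPs and WSPs, and a WSP that validates a visiting SP's certificate by RFC 3280 path validation followed by a CRL check on the service request. This is not code from the FIDELITY project or from the presentation; it uses only Go's standard crypto/x509 package (Go 1.19 or later assumed), and the CoT type together with the NewCoT, IssueEntity, CRL and Accept functions are this example's own names. The CRL here is built in memory; a deployment would fetch it from the CoT CA's distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example of the FIDELITY PKI trust model, not the project's code; names are assumptions.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // keeps the demo short; real code would return the error
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a CA or end-entity template; CAs get the keyCertSign and cRLSign usages.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}
// sign issues tmpl under parent (pass tmpl itself for a self-signed root) and parses the result.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// CoT is one Circle of Trust's PKI as drawn on the slides: a Root CA with a CoT CA beneath it.
type CoT struct {
	Root, CA *x509.Certificate
	caKey    *ecdsa.PrivateKey
}
func NewCoT(name string) *CoT {
	rk, ck := newKey(), newKey()
	rootTmpl := template(name+" Root CA", 1, true)
	root := sign(rootTmpl, rootTmpl, rk, &rk.PublicKey)
	ca := sign(template(name+" CoT CA", 2, true), root, rk, &ck.PublicKey)
	return &CoT{Root: root, CA: ca, caKey: ck}
}

// IssueEntity issues an SP/WSC or WSP certificate under the CoT CA (the entity key is not kept).
func (c *CoT) IssueEntity(cn string, serial int64) *x509.Certificate {
	return sign(template(cn, serial, false), c.CA, c.caKey, &newKey().PublicKey)
}

// CRL returns a fresh DER CRL, signed by the CoT CA, listing the given certificates as revoked.
func (c *CoT) CRL(revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, r := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: r.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, c.CA, c.caKey))
}

// Accept is the check a WSP runs on a service request (slide 18). partners are the CoTs whose
// CA chains this entity's IDP delivered to it (slide 17): the peer must chain peer -> CoT CA ->
// Root CA through one of them, and the issuing CoT CA's CRL must be genuine, current and not list it.
func Accept(partners []*CoT, peer *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range partners {
		roots.AddCert(c.Root)
		inters.AddCert(c.CA)
	}
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if len(chains[0]) < 3 {
		return fmt.Errorf("peer must chain through a CoT CA to a root")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL not signed by the peer's CoT CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate of %s is revoked", peer.Subject.CommonName)
		}
	}
	return nil
}
```

With `home` and `visited` built by `NewCoT`, `Accept([]*CoT{home, visited}, vsp, visited.CRL())` succeeds for a V-SP certificate, which is the slide 16 point: the H-WSP needs no metadata from that particular V-SP, only the CA chain its IDP already distributed. A certificate from a third CoT whose chain was never exchanged fails path validation with an unknown-authority error, a CRL signed by any CA other than the peer's issuing CoT CA is rejected, and a serial listed on the genuine CRL is rejected on the revocation check.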

  19. FIDELITY final results Business Scenarios, Actors benefits

  20. Business scenarios
      [Diagram: IDP, SP and identity groupings for each scenario]
      • Closed Scenario: single company as IDP and SP
      • Open Scenario: telecom as IDP for external SPs
      • Inter-CoT Scenario: telecom operator alliances with internal and external SPs
      • Inter-CoT Scenario, multi-domain: multi-domain IDP alliances with internal and external SPs

  21. Actors' benefits – the virtuous circle (more users, more services)
      • Identity Provider
        • Large user base
        • Attract new users
        • Enforce their trust relation with the user
        • Offer (sell) strong and complex authentication methods
      • Service Providers
        • Attract users
        • Simplify local user management
        • Use strong authentication
        • Rely on user identity attributes
      • User
        • Simple and secure authentication
        • Ease of attribute management, control of data dissemination
        • Respect of his privacy

  22. FIDELITY final results End User Experience

  23. Circle of Trust (CoT) and Circle of CoT (CoCoT)
      [Diagram: Master Key = IDP credentials with the CoCoT logo/brand; Key = SP credentials with the CoT logo/brand]
      • Concepts explanation and representation
        • Explain to the user what a CoT is and what a CoCoT is
        • Represent the concepts with pictures
      • CoT Homepage
        • Disclaimer
        • SSO description
        • Attribute sharing description
        • List of the SPs belonging to the CoT
        • Map of the CoT and the CoT's partners (CoCoT)
        • Registration area
        • Personal area for registered users

  24. FIDELITY final results Dissemination activities

  25. Fidelity: Dissemination
      • Advisory Boards in each telco
      • Liberty Meetings (plenary, TEG)
      • 3GSM World Congress 2007
      • IST 2006
      • E challenge
      • ISSE in Roma
      • Internet Global Congress Barcelona
      • Security and identity management event in Barcelona
      • France Telecom R&D result event in Paris
      • Telecom I+D, Madrid
      • Celtic and Eureka events
      • Website: www.celtic-fidelity.org
      • Demo Kit: www.celtic-fidelity.org/fidelity/flash/
      • Public documents: www.celtic-fidelity.org/fidelity/Documentation.jsp
      • Standardization activities (Wallet + calendar ID-WSF Service Interface specification)

  26. Conclusion of the FIDELITY project
      • From a technical, business, legal and ergonomic point of view, Liberty solves the IDM issue and can be extended to InterCoT.
      • But read our public recommendations anyway…
      • The very good cooperation and acceptance between all partners was the basis for the success of the project.
      • The consortium is satisfied with the results obtained and will now begin to exploit them.

  27. Thank you for your attention Any questions?
