Liberty ID Federation Framework / Web Services Framework
Kailash Bhoopalam, Dept. of Computer Science, Old Dominion University
Some Concepts
• What is a federation? A union of organizations (M-W) that co-operate for the sole purpose of maximizing their business.
• E.g., airlines cooperate with hotels and rental-car companies to maximize revenues or distribute risk.
• Issues
  • User information privacy
  • Protocol to exchange user information in the federation
An Example Federation (figure): ID Provider (VeriSign), principal Jimmy
Liberty ID - Goals
• Enable consumers (a.k.a. web users) to protect privacy and manage their network identity
• Enable businesses to provide or advertise more value-based services by leveraging the customer's behavior in a trust community
• Provide a single sign-on standard that includes decentralized authentication and authorization
• Create a controlled network-identity sharing mechanism that is supported by, and supports, current and emerging network access devices (using SSL, XML, X.509)
Premise for the Goals
• The user's identity is fractured across the WWW among a number of service providers (SPs): banks, utilities, entertainment, etc.
• No process, policy or technology standard informs the user about the following:
  • To which SPs the identity is shared
  • What information is being shared
  • The policy practices of identity providers (whoever they are)
• WWW attributes become cumbersome when user attributes change
• When partnerships between service providers exist, it is harder to maximize the utility of services
• Provide anonymity to users when using certain services
Stakeholders' Views of Liberty
• Business (Service Provider) view
  • Framework to form circles of trust based on common interests
  • Allows for the registration of services
  • Support for anonymous services and usage directives
  • Support for gathering consent from the user
• User view
  • Control over privacy information
  • Probably better service from service providers
  • Less fractured identity information
Trust Community! Circle of Trust! Why?
• By logical reasoning and some empirical evidence it has been agreed that GUIDs do not work when used in large numbers.
• GUIDs (a unique certificate for every person)
  • Verification is expensive in large hierarchies.
  • Certificate revocation is difficult to communicate.
• An IBM employee working in the USA gets a discount at Vodafone and Harrods!
  • If the US government were the authority on the principal's ID, would Harrods or the British government always believe it?
  • It makes more sense to have IBM, Vodafone and Harrods form a trust circle by exchanging keys, CPSs, and IDS endpoints.
Liberty ID Specifications
• Federation Framework (FF)
  • Communication of identity information
  • Authentication
  • Single sign-on
  • Global logout
• Web Services Framework (WSF)
  • Service registration
  • Service discovery
  • Gathering user consent
  • Usage directives
Functional Requirements (FF)
• Protocols for identity federation
  • Provide user notice of ID federation and defederation
  • SPs and IDS providers notify each other of ID federation
  • Notification from ID providers to SPs about account termination
  • User awareness of federated IDs
  • Temporary identity / anonymity for services
• Authentication
  • Authentication of IDS providers
  • Mutual authentication of IDS, SP and principal
  • Confidentiality and integrity of information
  • Support for multiple authentication methods
  • Exchange of authentication status, instant, method and pseudonym
  • Re-authentication / multi-level authentication
  • Transitive authentication
• Single sign-on, global logout
Architecture (FF)
• Delegated authentication/authorization using web redirection
  • HTTP-based redirection to ID providers
  • Limits of URL size
  • Content of URL (cleartext vs. encrypted)
• Storing authentication state
  • Use of session cookies if necessary (but not often)
Architecture (FF) contd.
• Single sign-on
  • ID federation and defederation
  • 1 ID and many SPs
  • 1 SP and many IDs
  • Linking of IDSs to enable re-authentication
• Metadata and schema
  • ID as opaque handle (linked UIs)
  • Multiple authentication mechanisms
  • Allow for a priori exchange of X.509 certs, service endpoint information, CPSs, etc.
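The redirect-based SSO and the opaque per-SP handle described on the two architecture slides, as an added simulation that is not part of the slides or of any Liberty implementation. Assumptions: an HMAC shared secret exchanged a priori stands in for the X.509 signatures the spec uses, the assertion is a small JSON document, and the host names and the 2048-byte URL bound are constructed.

```python
import hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Keys exchanged a priori between the IdP and each SP (assumption: HMAC secrets).
SP_KEYS = {"airline.example": b"k-airline", "hotel.example": b"k-hotel"}
URL_LIMIT = 2048  # conservative bound on redirect URL length (assumption)

class IdentityProvider:
    def __init__(self):
        self.handles = {}  # (principal, sp) -> opaque handle for that pair only

    def federate(self, principal, sp):
        """Issue a fresh random handle per (principal, SP); SPs cannot correlate them."""
        return self.handles.setdefault((principal, sp), secrets.token_urlsafe(16))

    def defederate(self, principal, sp):
        self.handles.pop((principal, sp), None)

    def sso_redirect(self, principal, sp, method="password"):
        """Build the URL the browser is redirected back to the SP with."""
        if (principal, sp) not in self.handles:
            raise PermissionError("principal is not federated with this SP")
        assertion = {"handle": self.handles[(principal, sp)], "audience": sp,
                     "method": method, "instant": int(time.time())}
        body = json.dumps(assertion, sort_keys=True)
        sig = hmac.new(SP_KEYS[sp], body.encode(), hashlib.sha256).hexdigest()
        url = f"https://{sp}/liberty/return?" + urlencode({"a": body, "sig": sig})
        if len(url) > URL_LIMIT:  # the URL-size limit the slide mentions
            raise ValueError("assertion too large for a redirect; use POST/artifact")
        return url

class ServiceProvider:
    def __init__(self, name):
        self.name, self.accounts = name, {}  # opaque handle -> local account

    def link(self, handle, local_account):
        self.accounts[handle] = local_account

    def consume(self, url):
        """Verify the redirected assertion and resolve the local account (or None)."""
        qs = parse_qs(urlsplit(url).query)
        body, sig = qs["a"][0], qs["sig"][0]
        expect = hmac.new(SP_KEYS[self.name], body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expect):
            raise PermissionError("signature check failed")
        assertion = json.loads(body)
        if assertion["audience"] != self.name:  # assertion issued for a different SP
            raise PermissionError("audience mismatch")
        return self.accounts.get(assertion["handle"])
```

Because the handle differs per SP, the hotel cannot reuse or correlate the airline's assertion even though both were issued for the same principal.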
Functional Requirements (WSF)
• Service discovery
  • Mechanism for SPs to query discovery services for relevant providers of services, or attribute classes within a service, for a particular principal
  • User prompt by the discovery service during registration
• Registration of services
  • Allows service providers to register (or deregister) with the discovery service a list of services and service attributes
Functional Requirements (WSF) contd.
• Support for gathering consent
  • Mechanisms for SPs to utilize the LECP (Liberty-enabled client or proxy) communications channel for querying and obtaining principal consent and response
  • Mechanism to share (after user consent) a subset of the principal's attributes with other providers
  • Mechanism to partially fulfill requests for attributes if consent is not given for all requested attributes
Functional Requirements (WSF) contd.
• Support for anonymous services
  • Ability for an SP to make anonymous attribute requests and receive anonymous attribute responses
  • Ability to share attributes without disclosing identity
  • Mechanism to prevent pseudonyms from being linked with principal IDs
• Usage directives
  • Communicate intended usage of attributes
  • Communicate agreed-upon usage of attributes
  • Mechanism that allows a requesting (RP) SP to list the usage directives to an authorizing SP if required
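The consent, partial-fulfilment, anonymous-response and usage-directive requirements on the last three WSF slides, as an added example that is not from the slides or from any Liberty implementation. Assumptions: the principal is addressed by an opaque federation handle, consent is recorded per (handle, requester, attribute) together with the agreed usage directives, and all handles, attribute names and usage strings are constructed.

```python
from dataclasses import dataclass

@dataclass
class AttributeRequest:
    requester: str           # SP asking for attributes
    handle: str              # opaque federation handle, never a real identity
    attributes: list         # attribute names requested
    usage: str               # intended usage directive, e.g. "one-time" (constructed)
    anonymous: bool = False  # anonymous request: the response carries no subject

class AttributeProvider:
    """Constructed attribute provider; assumption, not a Liberty reference design."""
    def __init__(self):
        self.store = {}    # handle -> {attribute: value}
        self.consent = {}  # (handle, requester) -> {attribute: set(agreed usages)}

    def record_consent(self, handle, requester, attribute, usages):
        """The principal agreed that `requester` may get `attribute` under these usages."""
        self.consent.setdefault((handle, requester), {})[attribute] = set(usages)

    def query(self, req):
        """Return only the consented subset; withheld attributes are listed, not errors."""
        agreed = self.consent.get((req.handle, req.requester), {})
        values = self.store.get(req.handle, {})
        granted, withheld = {}, []
        for name in req.attributes:
            # The intended usage must be among the agreed usage directives.
            if req.usage in agreed.get(name, set()) and name in values:
                granted[name] = values[name]
            else:
                withheld.append(name)
        return {"subject": None if req.anonymous else req.handle,
                "attributes": granted, "withheld": withheld, "usage": req.usage}
```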
References
• Liberty Alliance: http://www.projectliberty.org/specs/index.html
• Advanced Web Services Framework
  • WS-Security: http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
  • WS-Federation: http://www-106.ibm.com/developerworks/webservices/library/ws-fed/
  • WS-Policy: http://www-106.ibm.com/developerworks/library/ws-polfram/
  • WS-Trust: http://www-106.ibm.com/developerworks/library/ws-trust/