Liberty Federation PoC
Bob Chmara, General Motors Corporation, June 22, 2004
Title diagram labels: User; Federated ID Server; Internet; Federated Validation of User; Federated ID Server; App Server; Socrates; GM Network; Partner Network
Intro
• Contractor with GM for two years working in the area of Identity Management
• Previously owned a consulting firm providing network and software services to small businesses
• From November 2002 to November 2003, led the GM team in the Liberty Federation Proof of Concept
• Business Challenges
• Technical Challenges
• The Future of Liberty
Agenda
• Intro
• Liberty background
  • Circles of Trust
  • Versions
• Proof of Concept
  • Goals
  • What worked, what didn't
  • Work analysis
• Technical challenges
  • Firewall/Proxy issues
  • Session Mgt
• Business challenges
  • Internal Alignment
  • External Alignment
  • Use Cases
  • Ongoing business efforts
• Future of Liberty
• Wrap up
Liberty Alliance
• http://www.projectliberty.org/
• Consortium of 160+ companies, both technology producers and technology consumers.
• "The striking thing about the Liberty Alliance is that it is knee-deep in end user involvement…", Network World, 12/23/02
• Liberty produces a set of specifications, not products
• Formed in 2001
• Made up of five expert groups
  • Business & Marketing Expert Group - Identifies and drives the market requirements for the Liberty specifications.
  • Technology Expert Group - Drives the technical specifications to support the market needs.
  • Public Policy Expert Group - Drives dialogue with government and non-government groups concerned with the many issues pertaining to identity.
  • Conformance Expert Group - Formed to define and manage the process for validating interoperability between vendors' implementations.
  • Services Expert Group - Formed to define and manage the process for creating new service specifications.
Circles of Trust
• The Liberty term for a Federation
• Based on trust agreements between Identity Providers (IdP) and Service Providers (SP)
Phase 1 Overview
• Identity Federation Framework, ID-FF
  • v1.0 Released July, 2002
  • v1.1 Released January, 2003
• Elements
  • Opt-in Account Linking
  • Simplified Sign-On
  • Fundamental Session Management
  • Affiliations
  • Anonymity
  • Protocol for the Real-time Discovery and Exchange of Meta Data
• Overview
  • There is no sharing of user supplied identity data among Federation members
  • Data is transferred via http or form-POST-based redirects (preferred method) or cookies
Diagram: Liberty Identity Federation Framework (ID-FF) - Enables identity federation & management through identity/account linkage, simplified sign-on & simple session management
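An added example, not from the presentation or from any Liberty implementation, of two of the properties listed above: opt-in account linking and no sharing of user-supplied identity data among federation members. The IdP mints an opaque, per-SP federated identifier, signs the assertion under a key standing in for the IdP/SP trust agreement (HMAC here, where ID-FF uses XML signatures), and the SP checks signature, issuer, audience, expiry and replay before linking the handle to a local account. All names, keys and field names are constructed.

```python
import hmac, hashlib, json, secrets, time
# Constructed trust agreement: one shared secret per IdP/SP pair, standing in
# for the signing certificates exchanged when joining a Circle of Trust.
TRUST_KEY = b"constructed-idp-sp-shared-key"

def _sign(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TRUST_KEY, raw, hashlib.sha256).hexdigest()

class IdentityProvider:
    """Issues assertions carrying an opaque, per-SP federated identifier."""
    def __init__(self, name):
        self.name = name
        self.links = {}          # (local_user, sp) -> opaque identifier

    def federate(self, local_user, sp, consented):
        # Opt-in: no identifier is minted until the user agrees to link.
        if not consented:
            raise PermissionError("user declined account linking")
        # Random per-SP handle: two SPs cannot correlate the same user, and
        # no user-supplied identity data (name, email) leaves the IdP.
        return self.links.setdefault((local_user, sp), secrets.token_urlsafe(16))

    def issue(self, local_user, sp, consented, ttl=300):
        now = int(time.time())
        body = {"issuer": self.name, "audience": sp, "id": secrets.token_hex(8),
                "name_id": self.federate(local_user, sp, consented),
                "iat": now, "exp": now + ttl}
        return {"body": body, "sig": _sign(body)}

class ServiceProvider:
    """Validates assertions and links the federated handle to a local account."""
    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.seen = set()        # assertion ids already consumed (replay check)
        self.accounts = {}       # name_id -> local SP account

    def consume(self, assertion, local_account=None):
        body = assertion["body"]
        if not hmac.compare_digest(_sign(body), assertion["sig"]):
            raise ValueError("bad signature: not from a trusted IdP")
        if body["issuer"] != self.idp or body["audience"] != self.name:
            raise ValueError("assertion not issued by our IdP for this SP")
        if body["exp"] < time.time():
            raise ValueError("assertion expired")
        if body["id"] in self.seen:
            raise ValueError("assertion replayed")
        self.seen.add(body["id"])
        # First use links the handle to the local account; later uses sign in.
        return self.accounts.setdefault(body["name_id"], local_account)
```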
Phase 2 Overview
• Identity Web Services Framework, ID-WSF
  • Released April, 2003, along with ID-FF v1.2
• Elements
  • Permission Based Attribute Sharing
  • Identity Service Discovery
  • Interaction Service
  • Security Profiles
  • Simple Object Access Protocol (SOAP) Binding
  • Extended Client Support
  • Identity Services Templates
• Overview
  • Focus will be on core identity data that can be used across vertical markets
  • XML spec defined for identity data containers
  • User will have fine grained control over sharing
  • User may delegate authority to link accounts
  • Data will be transferred via Web Services
Diagram: Liberty Identity Web Services Framework (ID-WSF) - Framework for building interoperable services, permission-based attribute sharing, identity service description & discovery, & associated security profiles
Phase 3 Overview
• Identity Services Interface Specification, ID-SIS
  • Scheduled for release ???
• Elements
  • Personal Profile, Employee Profile
  • Registration, Contact book, Calendar, Geo-location, Presence, Alerts
• Overview
  • User will be able to select different service providers for each service
  • Service providers will be able to accept events from other providers based on user preferences
  • Intended as the building blocks to be used in the creation of industry-specific services
Diagram: Liberty Identity Services Interface Specifications (ID-SIS) - A collection of specs for interoperable services such as registration, contact book, geo-location, calendar, presence, alerts, etc.
Proof of Concept
Liberty 1.x Federation between GM Employee Portal, MySocrates, and Business Partner employee benefits application.
• Goals
• What worked, what didn't
• Work analysis
• Technical challenges
  • Firewall/Proxy issues
  • Session Mgt
• Business challenges
  • Internal Alignment
    • If it's not broke…
  • External Alignment
    • GM, Business Partner, WorkScape, Sun
  • White Paper
    • Public release of info
  • Use Cases
PoC Timeframe
Milestones:
• 20 Nov 2002, 1st meeting with Sun
• 10 March 2003, Initial contact with Business Partner
• 22 April 2003, Project kick-off video conference
• 19 June 2003, Use cases finalized
• 20 August 2003, Project Technical kick-off video conference
• 11 Nov 2003, Core integration & functional testing complete
Effort breakdown:
• 51 weeks, start to finish
  • Started November 2002
  • Completed November 2003
• Business related effort – 29 Weeks
  • Engage with Financial Sponsor - 8 weeks
  • Engage with GM Business Unit – 4 weeks
  • Engage with Partner - 7 weeks
  • Use Case Development - 8 weeks
  • Financial Sponsor re-alignment – 2 weeks
• Technical related effort – 12 Weeks
  • Lab Setup – 3 weeks
  • Technical Problems – 4 weeks
  • Use Case Testing – 5 weeks
• Down time/shutdowns – 10 weeks
Technical Challenges
• GM Lab policies and procedures were incomplete and not clear
• Firewall and proxy configurations were unique to Liberty implementation
• Test data and the associated encryption issues caused a delay
• Cert Signing issues
• Hardware Failures
• Session Management
Callouts: Lab Change Request; Arrrggghhhh!
Business Challenges
• Arranging Financing
• GM Business Unit engagement
  • If it's not broke…
• Business Partner engagement
• Whitepaper definition. Caused loss of initial funding source.
• Agreement on distribution of project scope and results
• Use cases were a long process (~2 months) - different goals.
• And we only touched on legal agreements…
Production Plans
• Production Implementation of PoC
  • GM IT Ready
  • GM Legal Ready
  • GM Security Ready
  • GM Business Unit tied up in major project with PoC Business Partner, will not assign resources to project
  • Business Partner IT Ready
  • Business Partner Business Unit tied up in major project with GM
• Internal Federation difficult to implement
  • Identity Management Strategy still being defined – "Wait and see"
  • Non-Liberty compliant authentication services
  • Multiple existing non-standard Federation efforts already underway
Prognosticating - The Future of Liberty
• Circles of Trust are limiting in B2C
  • Agreements are still Point-to-Point
  • Better suited to B2B or B2E implementations
  • Difficult to build in B2C environments
    • Competitors may not wish to belong to the same CoT
    • My consumption habits don't necessarily map to affinity programs
    • Depend upon incentives to create affiliations
    • Chained agreements are complex
• Trust on demand
  • "Personal certs" from trusted providers such as Verisign.
  • Challenge is to make them cost effective and still maintain trustworthiness.
  • Validity depends on authentication to the device in which the cert is stored
  • SPs may require additional credentials
• Liberty enabled devices
  • PDA, Cell Phones, Wired phone, Browsers and other Internet apps, Car Identity Provider
• Identity and Profile storage
  • Profile storage is independent of profile consumers
  • On local devices or in secured datastore – synchronized to devices
  • Could be Federation Standards neutral via abstraction
Use Cases
• Primary
• Link/URL tests
• Exceptions Based on User State
• Timeouts & Windowing