ISDF04 HouserFedIdent

Views:
 
Category: Entertainment
     
 

Presentation Description

No description available.

Comments

Presentation Transcript

Slide1: 

Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Houserd1@nationwide.com Web Single Sign-On: Federated Identity

Nationwide: 

Nationwide Fortune 500 company A leading US financial company & insurer Life Insurance Automobile Insurance Property & Casualty Insurance Liability Insurance Annuities Retirement Products Investment Services Mortgages

Objectives: 

Objectives How a Fortune 500 company implemented SAML for cross-company authentication (CCA) Under the covers: how artifact and signed SAML authentication works between business partners Building an extensible, enterprise architecture implementation with alpha and beta tools Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties Identity, cryptography, and assertions, oh my! Web services authentication and authorization challenges

Web services: 

Web services Phenomenal Business acceleration since 1990 Transformation of business: From business at the club to EDI brokering From book binding to e-books to books on demand Supply chain management Rapid changes in business and trust models Outsourcing, resourcing, insourcing Hosting, co-location, managed services, ASPs Intense, cyclical Acquisition & Divestiture activity Global markets & economies

Web services (2): 

Web services (2) Generations of the Internet 1st Gen: Isolation Research 2nd Gen: Information Storefront 3rd Gen: Transaction eCommerce 4th Gen: Integration Web Services

Quick Web services primer: 

Quick Web services primer Web Services Uses open, lightweight protocols: Provides a direct connection to business logic and core objects through Internet protocols Instead of COM, DCOM and RPC, now invoke a Web service over HTTP

Federated identity: 

Federated identity What is federated identity? The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§ Cross-company authentication (CCA) Authentication & authorization between organizations and companies. Essentially, same thing under the covers § Source: RSA Security, http://www.rsasecurity.com/go/google/fed_id/redirect.html

Federated identity Use case 1: Travel model: 

A Federated identity Use case 1: Travel model A conducts business with B on behalf of end user Traditional back-office functions, but in real time Reference model: Travelocity® Internet / intranet End user B2B, B2C, B2E Web Page Internet / intranet B 3rd-party Web Services Provider Business Logic HTTP XML SOAP HTTP

Federated identity Use case 2: Portal model: 

Federated identity Use case 2: Portal model B provides service or collaborative content for A Transparent to the end user. Reference model: MapQuest® in Yahoo!® portal Business Logic HTTP HTTP XML SOAP End user B2B, B2C, B2E Internet / intranet A Web Page B 3rd-party Web Services Provider B Internet / intranet

Federated identity Use case 3: Single sign-on model: 

Federated identity Use case 3: Single sign-on model A redirects user to B B trusts A’s authentication “Single sign-on” (a.k.a. Cross-company authentication, federated identity.) Reference model: Private label banking HTTP XML SOAP SAML HTTP XML SOAP SAML HTTP XML SOAP SAML

Web services implications: 

Web services implications Extensible access portals for legacy business logic and processes Ability to react to the market very quickly Changes to core business applications are immediately available to trading partners, vendors, customers and regulators Business velocity without roadblocks of building extensive GUI presentation layers

Web services introduces Cross-company authentication: 

Web services introduces Cross-company authentication For selected interfaces: Other business partners trust your authentications, and… Your organization trusts the authentications provided by others.

SAML provides framework for cross-company authentication: 

SAML provides framework for cross-company authentication SAML: Security Assertions Markup Language Lightweight protocol to exchange security assertions & artifacts Can be signed for self-validating assertion Permits partners to exchange assertions about authentication and authorization of users

SAML: 

SAML SAML has 4 major components: Assertions Authentication assertions Attribute assertions Authorization decision assertions Request / response protocol – SOAP over HTTP Bindings – how SAML requests maps to transport protocols (such as SOAP) Profiles – how SAML assertions are embedded or transported between parties

SAML (2): 

SAML (2) POST /SamlService HTTP/1.1 Host: www.example.com Content-Type: text/xml Content-Length: nnn SOAPAction: http://www.oasis-open.org/committees/security <SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”> <SOAP-ENV:Body> <samlp:Request xmlns:samlp:=”…” xmlns:saml=”…” xmlns:ds=”…”> <ds:Signature> … </ds:Signature> <samlp:AuthenticationQuery> … </samlp:AuthenticationQuery> </samlp:Request> </SOAP-ENV:Body> </SOAP-ENV:Envelope> Source: OASIS - http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-00.doc

SAML provides transaction trust: 

SAML provides transaction trust Messages / Transactions Session Business function Line of business Enterprise Session No existing protocol Protocols providing trust SSL / TLS / IPsec / Kerberos SAML / WS-Security XML-DSig / Passport

Nationwide & CCA timeline: 

Nationwide & CCA timeline 2000-2001 Implemented several federated identity solutions Used proprietary artifacts & communication session solutions Worked well, but…. Unique “one-off” solutions Lacked standards for standard implementation, extensive re-work

Nationwide & CCA timeline (2): 

Nationwide & CCA timeline (2) 2002 Resolved to adopt a standards-based federated identity solution Investigated several federated identity standards SAML selected as best SSO authentication solution at the time Joined Liberty Alliance as Associate Member

Nationwide & CCA Timeline (3): 

Nationwide & CCA Timeline (3) 2002 Determined three viable directions: Web Access Mgmt (WAM) middleware Adding SAML parsing to existing application(s) Building own assertion generator & parser Investigated the market for vendor best suited to deliver SAML-based solution Established contract with WAM vendor Built first SAML implementation for SSO

Nationwide: First SAML cross-company SSO: 

Nationwide Nationwide: First SAML cross-company SSO 2 3 Launched January, 2003 First commercial use of SAML for SSO Three business partners Nationwide provides portal, authentication & authorization for both other partners redirect redirect Financial Services Company Link

Nationwide: First SAML cross-company SSO: 

Nationwide: First SAML cross-company SSO End user B2B, B2C, B2E Internet / intranet Nationwide Financial Aggregator Financial Services Company Launched January, 2003 First commercial use of SAML for SSO Three business partners Nationwide provides portal, authentication & authorization for both other partners.

Challenges: 

Challenges Complexity Business issues Federation Weakest link Business trust models

Complexity: 

Complexity Corporate 3-tier Web architectures are already complex Federated SSO adds significant complexity in coupling: Existing infrastructure Web Access Mgmt (WAM) middleware Web services interfaces New infrastructure Cross-company functionality

Complexity (2): 

Complexity (2) Complexity requires technical sophistication on both sides of the relationship Developers need to understand: SAML Web services WAM Encryption Architects need to understand: Identity Management Authentication/authorization models

Complexity (3): 

Complexity (3) Complexity extends to privacy and identity issues Privacy policy aggregation, demarcation Need to involve CPO, General Counsel Identity management issues Legal contract & business agreement: Roles & responsibilities Vendor management Procedures for validating trust

Business issues: 

The technology is moderately complex. Trust & policies are harder. Closer to a wedding than a business relationship Nationwide’s solution: Certification & accreditation process Reference Architecture Strong 3-tier infrastructure architecture Forward-looking standards for trust governance Business issues

Federation: 

Federation Interoperability of identity frameworks Tough to do between existing corporate legacy applications Even tougher between disparate organizations Deep dive on assumptions, standards, vetting Must scale and scope to business context

Weakest link: 

Weakest link Security posture differences must be determined & governed. Alignment of reference architecture Policy & standards matrix comparison Establishment of CCA standards SLA & performance weakest link If your SLA is 7x24, and your partner’s SLA is 5x10, how will you provide 7x24?

SAML provides transaction trust: 

SAML provides transaction trust Messages / Transactions Session Business function Line of business Enterprise Session No existing protocol Protocols providing trust SSL / TLS / IPsec / Kerberos SAML / WS-Security XML-DSig / Passport

Web services introduces cross-company authentication: 

Web services introduces cross-company authentication For selected interfaces: Other business partners trust your authentications, and… Your organization trusts the authentications provided by others.

What now?: 

What now? The Interconnectedness of all things…

Business trust models: 

Business trust models Recognized needs: Ongoing contractual compliance Continual determination of trustworthiness Legal implications of trust model Result: CCA standards Development of XotaSM protocol XotaSM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

XotaSM: 

XotaSM Combination of protocol & methodology Permits determination of trustworthiness in real time between business partners Trust governance at the transaction level Continuous assessment of contractual and regulatory compliance Nationwide is establishing a consortium XotaSM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

Surprises: 

Surprises Troubleshooting with ½ the data Missing standards & solutions Interoperability Human factors

Troubleshooting: 

Troubleshooting SAML consists of HALF transactions: Asserting party  Relying party Troubleshooting with only half the data! Complexity and cross-disciplinary issues Coordinated helpdesk an issue Log sharing, aggregation Time synchronization an issue

Missing standards & solutions: 

Missing standards & solutions SAML has some gaps No SAML session management No support for timeout, logoff “rollup” Had to develop own session management and session timeout protocol Middleware gaps No signed SAML support in middleware Lack of 3-tier architecture support

Session management issues: 

Session management issues End user B2B, B2C, B2E Internet / intranet Nationwide Financial Aggregator Financial Services Company Cookie forces session timeout – user must re-authenticate User is redirected back to Nationwide gets SAML assertion Goes through SAML authentication process again

Interoperability: 

Interoperability Authentication & authorization required for both the business partners and users SAML provides user authentication No protocol support for partner connection authentication, authorization Each partner connection model unique Bleeding-edge implementation preceded Web services protocol standards

Human factors: 

Human factors Communications Issues Users unaware of SSO implementation: Sensitive to performance lag Multiple resubmits Question lack of sign-on – “Is security broken?” Deep bookmarking Users will bookmark relying party sites Persistent cookie that identifies user as CCA user?

Lessons learned: 

Lessons learned Have a good partner relationship with WAM vendor(s) Business issues as significant as technology issues Lightweight implementation toolkit required for smaller partners Trust modeling important consideration

Benefits achieved: 

Benefits achieved Federated identity provides flexible, adaptable solutions for SSO Ability to use infrastructure for affiliates, other contexts If you build it, they will come Federated identity works reliably Use of standards, such as SAML, pays off in 2nd, 3rd implementations

Q&A: 

Q&A Questions?

Further information: 

Further information Contact information: Dan Houser, MBA, CISSP, CCP Security Architect Nationwide (614) 249-6639 houserd1@nationwide.com Best resources: OASIS http://xml.coverpages.org/saml.html Liberty Alliance http://projectliberty.org

Thank you. Questions, comments?: 

Thank you. Questions, comments? Mr. Houser will not be available to answer questions at the Ask-the-Experts booth in the Exhibit Hall. Please send question to jglossner@techtarget.com.

authorStream Live Help