Iiw2007b Madsen 01

A Framework for Identity System Confusion (Reduction) Paul Madsen, NTT IIW 2007 b

description

Presented at IIW 2007b as overview of various identity specs/initiatives

Transcript of Iiw2007b Madsen 01

Page 1: Iiw2007b Madsen 01

A Framework for Identity System Confusion (Reduction)

Paul Madsen, NTT. IIW 2007b

Page 2: Iiw2007b Madsen 01

Credits

● Derived in large part from Eve Maler's (www.xmlgrl.com) XML Summer School 2007 talk

Page 3: Iiw2007b Madsen 01

Me

Apologies to Dick

Page 4: Iiw2007b Madsen 01
Page 5: Iiw2007b Madsen 01
Page 6: Iiw2007b Madsen 01
Page 7: Iiw2007b Madsen 01
Page 8: Iiw2007b Madsen 01
Page 9: Iiw2007b Madsen 01
Page 10: Iiw2007b Madsen 01

connectid.blogspot.com

Page 11: Iiw2007b Madsen 01
Page 12: Iiw2007b Madsen 01
Page 13: Iiw2007b Madsen 01

Goals

● Identity initiatives abound
– OpenID, Cardspace, Higgins, SAML, Shibboleth, ID-WSF, XRI/XDI, OAuth, etc.

● More so than presenting details for any standard/protocol, this talk is meant to provide a framework for thinking about
– their value propositions
– their design centres
– differences/similarities
– scenarios for their composition

● Personal goal: not to say 'user-centric' once

Page 14: Iiw2007b Madsen 01

Bits

● An Identity Chat
● Overviews
– SAML
– OpenID
– Infocards
– Liberty ID-WSF
● Slicing/Dicing

Page 15: Iiw2007b Madsen 01

An identity chat

1) IR->Sub: I need some identity
2) Sub->IR: Here are candidate IPs
3) IR<->Sub: Let's use IPa
4) IR->IPa: Can I have identity X for Subject?
5) IR<->Sub: Allow/deny?
6) IPa->IR: Here is the identity

Page 16: Iiw2007b Madsen 01

Required Bits

1. IRs can indicate their desire for identity data
2. Candidate IPs that can provide the relevant identity can be discovered
3. Subject and IR can together select an IP.
4. IR can make an identity request of IP.
5. Subject and IP can together grant/deny the request.
6. If approved, identity data can be delivered to RP.
7. Security & privacy throughout.

Different ID systems do these bits differently (and with varying emphasis), but they all do them.

Page 17: Iiw2007b Madsen 01

What is SAML?

● According to its designers, it is: “an XML-based framework for marshaling security and identity information and exchanging it across domain boundaries”

● Strives to be the “universal solvent” of identity
– Especially SAML V2.0 – based on Liberty ID-FF
– Has out-of-the-box profiles for interoperability, but can be extended and profiled further

● Driven primarily by 'serious' scenarios where trust, liability, value, and privacy are at stake
– B2B, B2C, G2C...

● What sorts of adopters does it have?
– Governments, telcos, financials, aerospace, Google Search Appliance...

Page 18: Iiw2007b Madsen 01

At SAML's core: assertions

● An assertion is a declaration of fact...
– ...according to someone
– You have to determine if you trust them

● SAML assertions contain one or more statements about a subject:
– Authentication statement: “Joe authenticated with a smartcard PKI certificate at 9:07am today”
– Attribute statement (which can contain multiple attributes): “Joe is a manager and has a £5000 spending limit”
– Authorization decision statement (use XACML instead for more than simple needs here)
– Your own customised statements...

Page 19: Iiw2007b Madsen 01

SP-initiated/redirect/POST

Diagram participants: Browser; Service Provider (sp.example.com) with its Resource, Access check and Assertion Consumer Service; Identity Provider (idp.example.org) with its Single Sign-On Service.

1. User or UA action: access resource? The SP runs its access check.
2. SP redirects the browser with <AuthnRequest>.
3. Browser GETs the IdP Single Sign-On Service using the <AuthnRequest>.
4. IdP challenges for credentials; user login.
5. IdP returns a signed <Response> in an HTML form.
6. User or UA action: POST the signed <Response> to the SP Assertion Consumer Service.
7. SP supplies the resource.
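The checks an Assertion Consumer Service should run on the signed <Response> of step 6 before it trusts the assertion, as an added example that is not part of the slides: who issued it ("according to someone"), whether it answers a request this SP sent, whether it was minted for this SP, and whether it is inside its validity window. It assumes the XML signature has already been verified by a SAML library, uses the slide's example hostnames, and the Response document is constructed for the example.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample <Response>, as idp.example.org would POST it to sp.example.com.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>joe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2007-12-03T09:00:00Z" NotOnOrAfter="2007-12-03T09:10:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2007-12-03T09:07:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def validate_response(xml_text, trusted_issuers, my_entity_id, pending_request_ids, now):
    """Return (subject, attributes) if the assertion is acceptable; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    # The Response must answer an <AuthnRequest> this SP sent (steps 2-3); otherwise it is unsolicited or replayed.
    if root.get("InResponseTo") not in pending_request_ids:
        raise ValueError("unsolicited or replayed response")
    assertion = root.find("saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no assertion with conditions")
    # "According to someone": only issuers this SP has decided to trust count.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # The assertion must be meant for this SP and be inside its validity window.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs
```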

Page 20: Iiw2007b Madsen 01

What is OpenID?

● According to its designers, it is: “an open, decentralized, free framework for user-centric digital identity”

● Deeply rooted in World Wide Web philosophy:
– You identify yourself with a URL (or XRI) – a single universal namespace
– Authentication consists of proving you “own” the corresponding web resource

● Deeply committed to Internet-scale adoption
– Lots of scripty open source

● Driven by “Web 2.0” scenarios:
– Blog commenting, contributing to wikis, social networking

● Accepted at, e.g. ...

Page 21: Iiw2007b Madsen 01

How does OpenID work?

● An OpenID is simultaneously:
– A unique publicly known identifier string by which your online activities can be correlated
– A URL or XRI for some machine-readable information that redirects an “OpenID Consumer” site (RP) to your “OpenID Provider” site (IdP) – you can host your own or delegate to a chosen provider
– Often, a URL or XRI for a human-readable web page about you

● The provider does authentication and may also send back a small set of attributes set by you
– Through the Simple Registration extension
– Nickname, email, full name, date of birth, gender, postcode, country, language, timezone

● You can host an authentication service on your own web server
– E.g., connectid.blogspot.com (theoretically!)

● You can use delegation to “chain” OpenIDs

Page 22: Iiw2007b Madsen 01

SP-initiated simplified sign-on with OpenID

Diagram participants: Browser; OpenID Consumer RP (e.g. projectconcordia.org); OpenID Provider (OP) (e.g. prooveme.com).

1. User or UA action: access site?
2. RP displays the OpenID prompt page.
3. Browser POSTs the OpenID.
4. RP discovers the OP through OpenID resolution.
5. RP optionally sets up a symmetric session key with the OP (can be remembered for future interactions).
6. User or UA action: redirect to OP.
7. OP challenges for credentials; user login.
8. Allow access? (user or UA action at the OP)
9. Authentication response (and maybe Simple Reg attributes) sent to the RP with GET or POST.
10. RP allows access.
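How an OpenID Consumer (RP) can check the step-9 authentication response with the symmetric association key from step 5 instead of a second round trip to the OP, as an added example that is not from the slides: it rebuilds the key-value form the OP signed, compares the HMAC, and then checks return_to and the response nonce. It assumes an HMAC-SHA256 association; the MAC key, association handle, nonce and response values are constructed, reusing the slide's example sites.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires to be covered by the signature (claimed_id/identity when present).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def kv_form(params):
    """Key-value form the OP signs: every field named in openid.signed, in that order,
    as 'name:value\\n' with the 'openid.' prefix stripped."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))

def sign(params, mac_key):
    """Signature for an HMAC-SHA256 association: base64(HMAC-SHA256(mac_key, kv_form))."""
    return base64.b64encode(hmac.new(mac_key, kv_form(params).encode(), hashlib.sha256).digest()).decode()

def verify_response(params, associations, expected_return_to, seen_nonces):
    """RP-side check of a step-9 response. Returns (True, claimed_id) or (False, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed) or any("openid." + f not in params for f in signed):
        return False, "required field unsigned or missing"
    mac_key = associations.get(params["openid.assoc_handle"])   # remembered from step 5
    if mac_key is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        return False, "bad signature"
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to does not belong to this RP request"
    if params["openid.response_nonce"] in seen_nonces:
        return False, "replayed response"
    seen_nonces.add(params["openid.response_nonce"])
    return True, params["openid.claimed_id"]

# Constructed sample association and response, using the slide's example sites.
MAC_KEY = b"constructed-demo-mac-key-not-a-real-secret"
ASSOCIATIONS = {"assoc-demo-1": MAC_KEY}            # assoc_handle -> MAC key from step 5
RETURN_TO = "https://projectconcordia.org/openid/return"
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": "https://prooveme.com/server",
    "openid.claimed_id": "https://connectid.blogspot.com/", "openid.identity": "https://connectid.blogspot.com/",
    "openid.return_to": RETURN_TO, "openid.response_nonce": "2007-12-03T09:07:00ZabcDEF",
    "openid.assoc_handle": "assoc-demo-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
SAMPLE["openid.sig"] = sign(SAMPLE, MAC_KEY)         # what the OP attaches before redirecting
```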

Page 23: Iiw2007b Madsen 01

What is Windows CardSpace?

● According to its designers, it is: “a Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem”

● Uses software “cards” to let users manage identities
– Card selector can mediate a “trust no one” IdP/RP relationship
– Serves up or obtains claims – authentication and attribute data – associated with a card

● Driven by web authentication security concerns
– Hardened against tampering and phishing attempts
– Prepared to tie closely into OS and hardware platform
– Functions as an identity agent

● Accepted at, e.g. ...

Page 24: Iiw2007b Madsen 01

How does CardSpace work?

● You initially use the identity selector client component to:
– Install managed cards from IdPs (security token services or STSs) after having authenticated to them
● Your card only points to claims made by the IdP; identifiers come from CoT-specific namespaces
– Create self-asserted cards that store your own claims about yourself

● The identity selector functions as an on-board IdP, with “profile management” features

● Later, when you access a card-accepting RP:
– You choose from among your cards that satisfy the RP's and IdP's policy requirements/abilities

Page 25: Iiw2007b Madsen 01

RP-initiated simplified sign-on with a CardSpace managed card

Diagram participants: CardSpace identity selector (Card 1, Card 2, ...); Information card-accepting RP; STS that is a managed-card identity provider (IP) for a particular card.

1. Access resource?
2. RP sends its policy requirements.
3. Selector matches RP policy requirements to available IP policy capabilities.
4. User action: select one card out of those available that match the policy intersection, and select any optional claims asked for.
5. Selector authenticates to and requests claims from the appropriate IP based on the card selection.
6. IP sends claims.
7. Optionally encrypt claims for the RP.
8. Selector conveys claims to the RP.
9. RP supplies the resource.

Page 26: Iiw2007b Madsen 01


Not the only game in town

● Other compatible (WS-Trust based) selector implementations emerging

(Shamefully out of date)

Page 27: Iiw2007b Madsen 01


Liberty ID-WSF

● A SOAP-based framework for locating and invoking identity-based Web services
● Identity-based Web services:
– Are associated with a Principal's Identity (e.g. My Calendar Service)
– Typically invoked using a Principal's Identity
● Permissions-based Attribute Sharing
– Invoking Services under control of user
– Service Requestor doing so on behalf (either directly or indirectly) of user.

Page 28: Iiw2007b Madsen 01


ID-WSF & WS-*

Page 29: Iiw2007b Madsen 01


SAML and ID-WSF together

SAML: The SP uses SAML to obtain the identity credential for Jane.

ID-WSF: The SP (acting as a WSC) uses ID-WSF to invoke services at the WSPs on Jane's behalf.

Diagram: SSO World (IdP, SP/WSC) | Identity Services World (DS, WSP, WSP)

Page 30: Iiw2007b Madsen 01

Slicing/Dicing

● Lots of different ways to analyze these identity systems
● I'm going to attempt doing so
– In terms of the identity functions they support
– In terms of the characteristics they share
– In terms of their support for different portions of a 'Fear of Big Brother' scale
● Inevitably, any scheme will artificially
– Blur real distinctions
– Over-emphasize relatively minor differences

Page 31: Iiw2007b Madsen 01

In Theory

In principle, a given federated identity operation consists of the following steps:

1. Authentication (Subject lays claim to an identity at an IdP)
2. Single Sign On (fact of #1 is asserted to an RP)
3. Front-channel attribute exchange (accompanying #2 can be attributes)
4. Back-channel attribute exchange (other attributes retrieved through direct channel)
5. Single Log Out (synchronizing session terminations)

Page 32: Iiw2007b Madsen 01

Infocards

Page 33: Iiw2007b Madsen 01

Infocards

Page 34: Iiw2007b Madsen 01

The Venn of Identity

“The Venn of Identity”, Eve Maler/Drummond Reed

Infocards

Page 35: Iiw2007b Madsen 01

Big Brother

● The various identity systems make different assumptions about the necessity/appropriateness of a 3rd party IdP's involvement in transactions

● We get a 'Big Brother Paranoia' scale
1) Why you look like a nice IdP.
2) OK, but I'm watching you!
3) Stop staring at me!
4) I don't need you!

Page 36: Iiw2007b Madsen 01

Fear of Big Brother

Why you look like a nice IdP.
● User relies on 3rd party IdP to assert identity attributes
● Consent for release can be obtained a priori or real-time through out-of-band interactions
● IdP does the 'right thing' because of business drivers & legal constructs
● Varying assumptions about correlation

OK, but I'm watching you!
● User relies on 3rd party IdP to assert identity attributes
● User able to enforce real-time control over identity sharing through active mediation of identity flow.
● Implies smart client

Stop staring at me!
● User relies on 3rd party IdP to assert identity attributes
● User's SP activities/visits obfuscated from IdP
● Implies smart client

I don't need you!
● User asserts their own identity attributes
● Can be client or network hosted
● Ultimate control
● Credibility hurdle

Systems placed along the scale: SAML, OpenID, idemix, Cardspace, ID-WSF, Infocards

Page 37: Iiw2007b Madsen 01

Summary

● We confront/enjoy a plethora of identity systems today
● Notwithstanding their commonalities, the differences in driver use cases, philosophy, and functionality ensure that each has value
● Encouraging signs that subsequent development will happen in a cohesive & consistent manner.