Open Standard Security

Simplify Don’t Sacrifice Open Standard Security

description

An overview of OpenID, OAuth and Higgins R-Cards as a framework for Open Standard Security

Transcript of Open Standard Security

Page 1: Open Standard Security

Simplify Don’t Sacrifice Open Standard Security

Page 2: Open Standard Security
Page 3: Open Standard Security

We absolutely need to solve our Single Sign On challenge

Page 4: Open Standard Security

But doing so doesn’t improve the user experience

Page 5: Open Standard Security

It is like making this shot...

Page 6: Open Standard Security

If you think it is confusing here, we are not making it any easier for our users

Page 7: Open Standard Security

370,000,000

Page 8: Open Standard Security

But there is hope... There is a common thread for these major players

Page 9: Open Standard Security

370,000,000

Page 10: Open Standard Security

R-Card

Page 11: Open Standard Security

Portable user id and password

Offers additional layers of authentication

Page 12: Open Standard Security

works with SecurID

Page 13: Open Standard Security

can be extended

Vidoop Imageshield meets two factor authentication needs

Page 14: Open Standard Security

works with LDAP

http://www.openid-ldap.org/releases.php

works with SAML

Page 15: Open Standard Security

- The Terminology

OpenID Identity

OpenID Consumer OpenID Provider

“I am my URL”

A web site eg. AOL, Yahoo etc.

OpenID is not providing Trust. OpenID lets a site know that you are the identity that registered an account.

Page 16: Open Standard Security

A How to

Users use a URL to identify themselves

eg. http://ekive.blogspot.com

That URL needs two lines of HTML code to support OpenID

<link href='https://api.screenname.aol.com/auth/openidServer' rel='openid.server'/>
<link href='http://openid.aol.com/My_ScreenName' rel='openid.delegate'/>

Page 18: Open Standard Security

Be a Provider

JavaEE & OpenDS

Page 19: Open Standard Security
Page 20: Open Standard Security

OAuth addresses a different need

OAuth is like handing over a valet parking key rather than the master key

Page 21: Open Standard Security

- The Terminology

Consumer

Consumer Application Service Provider

OAuth allows consumers to connect services and share information WITHOUT giving away their userid and password

eg. Photo printer eg. Flickr photo service

Page 22: Open Standard Security

is a standard for website API authentication

is consistent for developers

is open source

Page 23: Open Standard Security

Implementing

Register a consumer application with a Service Provider

Provide information about the application

Name, creator, url etc.

Service Provider assigns a key and secret to consumers

Service Provider documents authorization URLs and methods

Page 24: Open Standard Security

Authorization Process

Page 25: Open Standard Security

Parameters

oauth_consumer_key

oauth_token

oauth_signature

oauth_signature_method

oauth_timestamp

oauth_nonce

Page 26: Open Standard Security

Why it is good for security

Tokens are passed instead of the username and password

Time stamp and nonce verify unique requests

Encrypted parameters provide unique signature to recognize consumer applications

User or Provider have the ability to revoke access to a consumer application

Multiple signature methods are supported

HMAC-SHA1, RSA-SHA1, PLAINTEXT over a secure channel (eg. SSL)
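As an added example (not part of the slides), here is the OAuth 1.0 HMAC-SHA1 signing flow built from exactly the parameters listed on Page 25, together with the provider-side checks that make the timestamp and nonce useful against replay. The consumer key/secret, token/secret, URL and 300-second freshness window are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials, as a Service Provider would assign at registration.
CONSUMER_KEY, CONSUMER_SECRET = "photo-printer-app", "consumer-secret-sample"
ACCESS_TOKEN, TOKEN_SECRET = "user-token-42", "token-secret-sample"

def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay literal.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Normalize: encode keys and values, sort by key then value, join with & and =.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # Key is consumer secret & token secret; neither secret ever travels on the wire.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_request(method, url, query, timestamp, nonce):
    # Consumer side: the six oauth_* parameters from the slide, signature last.
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_token=ACCESS_TOKEN,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(timestamp),
                  oauth_nonce=nonce)
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params

class Provider:
    """Service Provider side: signature, timestamp window, then nonce uniqueness."""
    def __init__(self, now, window=300):
        self.now, self.window, self.seen = now, window, set()

    def verify(self, method, url, params):
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported method"
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, CONSUMER_SECRET, TOKEN_SECRET)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad signature"          # any tampered parameter lands here
        if abs(self.now - int(params["oauth_timestamp"])) > self.window:
            return "stale timestamp"
        replay_key = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
        if replay_key in self.seen:
            return "replayed nonce"         # same signed request presented twice
        self.seen.add(replay_key)
        return "ok"
```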

Page 28: Open Standard Security

Just like a wallet

containing Identity cards

Q: What is Higgins?

A: Higgins is an open source Internet identity framework designed to integrate identity, profile, and social relationship information across multiple sites, applications, and devices. Higgins is not a protocol, it is software infrastructure to support a consistent user experience that works with all popular digital identity protocols, including WS-Trust, OpenID, SAML, XDI, LDAP, and so on.

Page 29: Open Standard Security

Relationship Cards aka R-Cards

Managed Relationships

Page 30: Open Standard Security

R-Cards can define groups

Managing Broker

Broker

Member

Employer

Managing Provider

Provider

Page 31: Open Standard Security

Managed R-Cards for Groups

Provides an open, extensible mechanism for defining and administering group memberships across business partners

Loosely coupled, standards based security integration

An Information hub could act as the Identity Manager issuing the relevant R-Cards

A user may have more than one R-Card

Page 32: Open Standard Security

Open Standard Security

Is rapidly being established as a reliable, open mechanism for managing security between sites

Is an extension of, and not a competitor to, existing security mechanisms

Provides additional low cost integration options that will strengthen the role of an industry information hub

Provides a viable route to improved security and an enhanced Internet experience for our users
