Posted 19-Dec-2015, category: Documents. Transcript of the slide deck follows.

SiG

„Identity Management Technology” Version 1.0

2004-10-20 Lefkosia / Cyprus

Dr. Horst Walther, SiG Software Integration GmbH

Technology

Evolution – how did we get here?

Directory services, Metadirectory services, Virtual directory services, Provisioning systems, Web Access Tools, Standards

Independent sources …

Evolution of Identity Management

Historically 3 independent streams ...

The idea of a public key infrastructure (PKI) for certificate-based strong authentication can be traced back to 1976.

The CCITT[1], today ITU-T[2], published its 1st specification of an X.500 directory service in 1988. Today's common directory services are influenced by this development.

5 years later the NIST[3] started its work on role-based access control (RBAC)[4]. Later mechanisms for role-based access are based on this work.

[1] Comité Consultatif International de Télégraphie et Téléphonie
[2] International Telecommunications Union – Telecommunication
[3] National Institute of Standards & Technology
[4] RBAC: Role Based Access Control

Components show a considerable functional overlap and can't easily be combined to form a full-function Identity Management Infrastructure.

Timeline in the slide graphic: 1996 PKI, 1988 X.500, 1993 RBAC, 2001 IDM

An Identity Management Architecture

The need for integration

The typical Fortune 500 company reports that it maintains over 180 directories, like address repositories, phonebooks ... (Source: Forrester Research).

Many applications and systems maintain their own identity stores ...
Operating systems: Windows NT, 2003, XP, ...
Database management systems: ORACLE, DB2, ...
Mail systems: Outlook, Lotus NOTES, ...
Service systems: RACF, firewalls, ...
E-business systems: Internet portals, e-banking systems, ...
Home-grown business applications.

Specialisations of database systems

OLTP database systems: transaction processing; frequent updates, short records.

OLAP database systems: analysis of pre-consolidated, redundant bulk data.

Directory services: frequent read accesses; a special DBMS optimised for (short) single-record look-up.

Despite all confusion on what directory services really are – they are just specialised database systems.

Integration via directory services

A directory service offers a unified view on identity information …

Slide graphic: the directory service at the centre, used by Telephone, Video Conference, Application Sharing, Electronic Mail, Multimedia / WWW, Groupware, Network Administration, Workflow, Calendar, Security and Certification Authority.

The directory ...
Is used by many applications.
Enables the maintenance of information at a single point.
Offers a universal, easily usable interface for access.
Is the backbone of intranet applications.

Many systems maintain their own directory …
SAP: HR, user management, accounts payable, accounts receivable, etc.
RACF: administration of privileges, identities and roles.
Windows: Active Directory / MS Exchange
Lotus Notes: Notes name and address book, ACLs per Notes DB.

Evolution of directory services

Triggers for further development ...

In early times the implementation was too demanding for the existing hardware. Result: a lightweight variant of DAP (the X.500 access protocol): LDAP.

Later, hardware became less of a bottleneck. A large amount of the identity information was already stored in non-LDAP repositories. Chance for virtual directory services ... Deliberately skipping the read optimisation: the directory access is only simulated; the original data sources are accessed instead.

Increasing bandwidth of public networks led to a decreasing relevance of X.500 protocols like DSP or DISP.

Today XML dialects may turn out to be competitors to LDAP.

Most directory services originate from the X.500 standards.

X.500 and LDAP – How did it happen?

LDAP offers 90% of the DAP functionality at 10% of the 'costs'.

LDAP advantages over X.500 DAP are:
Runs directly over TCP, eliminating the overhead of the OSI session and presentation layers required by DAP.
Simplifies the X.500 functional model.
Uses string encoding rather than the ASN.1 notation.
Frees clients from the burden of chasing referrals.

LDAP hence offers unified access to, and unified communication with, directory services.

Slide graphic: functionality versus costs for LDAP and DAP.

Demand for standardisation – still.

X.500 vs. LDAP

X.500 ...
The first standard, published in 1993.
Is an ISO (International Standards Organisation) and ITU (International Telecommunications Union) standard.
Defines how global directories should be structured.
Follows a hierarchical organisation, e.g.: country, city, organisational unit, ...
Supports X.400 systems.
Is the result of long-winded work in the standardisation boards of the national telecoms (top-down approach).

LDAP ...
The pragmatic approach of the Internet community towards X.500.
Stands for Lightweight Directory Access Protocol.
Replaces X.500 / DAP. Was developed to enable access to X.500 for „lean“ clients (PCs).
Skips X.500's communication basis, the (mighty) OSI protocol; uses the widely used TCP/IP.
Is taken care of by the Internet Engineering Task Force (IETF). They communicate via RFCs (bottom-up approach).

The all-encompassing standard -- vs. -- the easy access
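As an added illustration (not part of the original slides), the following Python code handles the two string encodings that distinguish LDAP from X.500's ASN.1 and that the deck's RFC list names: distinguished names (RFC 2253) and search filters (RFC 2254). It parses a DN into its hierarchy of RDNs, tests whether an entry lies under a base DN, and escapes a value before placing it in a search filter so that a user-supplied string is matched literally rather than read as filter syntax. All DNs and values are constructed for the example, and the helper names are the example's own.

```python
"""Added example, not from the SiG slides: LDAP's string encodings, which
the deck contrasts with X.500's ASN.1, handled so that user input cannot
change a query -- distinguished names (RFC 2253) and search filters
(RFC 2254). Standard library only; no directory server is needed."""
from __future__ import annotations

HEX = "0123456789abcdefABCDEF"


def _text(buf: list[tuple[str, bool]]) -> str:
    """Join (char, escaped) pairs, dropping unescaped spaces at both ends;
    escaped spaces ('\\ ') are significant per RFC 2253 and are kept."""
    while buf and buf[0] == (" ", False):
        buf.pop(0)
    while buf and buf[-1] == (" ", False):
        buf.pop()
    return "".join(ch for ch, _ in buf)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253 DN into [(type, value), ...], leaf RDN first.
    Handles '\\,'-style escapes and '\\2C' hex pairs; multi-valued RDNs
    ('+') are rejected to keep the example short."""
    if not dn.strip():
        return []
    rdns: list[tuple[str, str]] = []
    attr_type = None
    buf: list[tuple[str, bool]] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":                         # escape sequence
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEX for h in pair):
                buf.append((chr(int(pair, 16)), True))
                i += 3
            elif i + 1 < len(dn):
                buf.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if c == "=" and attr_type is None:    # end of the attribute type
            attr_type = _text(buf).lower()    # types are case-insensitive
            buf = []
        elif c == ",":                        # end of this RDN
            if attr_type is None:
                raise ValueError("RDN without '='")
            rdns.append((attr_type, _text(buf)))
            attr_type, buf = None, []
        elif c == "+":
            raise ValueError("multi-valued RDNs not supported here")
        else:
            buf.append((c, False))
        i += 1
    if attr_type is None:
        raise ValueError("RDN without '='")
    rdns.append((attr_type, _text(buf)))
    return rdns


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn equals base_dn or lies below it in the tree.
    Assumption for the example: values compare case-insensitively, as
    most directory-string attributes do (case-exact syntaxes differ)."""
    entry = [(t, v.lower()) for t, v in parse_dn(entry_dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def escape_filter(value: str) -> str:
    """RFC 2254 escaping for a value placed in a search filter: '*', '(',
    ')', '\\' and NUL become \\XX so the directory matches them literally."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def person_filter(uid: str) -> str:
    """Build a user lookup filter without letting uid alter its shape."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter(uid)


if __name__ == "__main__":
    # Constructed sample DN following the hierarchy the deck describes.
    dn = "cn=Alice Example,ou=People,o=Example Corp,c=DE"
    print(parse_dn(dn))
    print(is_under(dn, "ou=People,o=Example Corp,c=DE"))
    print(person_filter("Smith (Consulting) *"))
```

The parser keeps a per-character "escaped" flag so that an escaped comma or equals sign stays inside the value while unescaped ones separate RDNs and types; `is_under` uses the resulting list to answer the base-DN question the X.500 hierarchy makes natural, and `person_filter` shows the one place where escaping decides whether input is data or syntax.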

X.500 - The Standards Series

X.500  11/93  Overview over Concepts, Models and Services
X.501  11/93  Models
X.509  11/93  Authentication Framework
X.511  11/93  Abstract Service Definition
X.518  11/93  Services for distributed processing
X.519  11/93  Protocol Specification
X.520  11/93  Selected Attribute Types
X.521  11/93  Selected Object Classes
X.525  11/93  Replication
X.581  11/95  Directory Access Protocol
X.582  11/95  Directory System Protocol

Source: http://www.itu.ch/itudoc/itu-t/rec/x/x500up.html

Callout on the slide: In use outside the X.500 world too.

Evolution of the Standards

Slide graphic: timeline from 1993 to 2000.

X.500 series: X.500 Concepts, Models and Services; X.501 Models; X.509 Authentication Framework; X.511 Services Definition; X.518 Distributed Processing; X.519 Protocol Specification; X.520 Attribute Types; X.521 Object Classes; X.525 Replication; X.581 Access Protocol (DAP); X.582 System Protocol (DSP); X.530 Access Protocol

Working groups: LDAPext, LDUP

RFC 1487  X.500 LDAP v1
RFC 1488  String Representation
RFC 1777  LDAP v2
RFC 1788  String Representation for Attributes
RFC 1779  String Representation for DN
RFC 1823  LDAP API
RFC 1959  LDAP URL
RFC 1960  String Representation for Search Filters
RFC 2164  X.500/LDAP MIXER address mapping
RFC 2247  Domains in X.500/LDAP DN
RFC 2251  LDAPv3
RFC 2252  Attribute Syntax Definition
RFC 2253  UTF-8 String Representation of DN
RFC 2254  String Representation for Search Filters
RFC 2255  URL Format
RFC 2256  X.500 User Schema for use with LDAPv3
RFC 2307  LDAP as Network Information Service
RFC 2559  X.509 - LDAPv2
DRAFT     LDIF, inetOrgPerson

Data and Directory Integration

The Data and Directory Integration solution also serves as the foundation for security applications, such as:
Single Sign-On
Password Management
PKI
Digital Certificate Services
User Provisioning

“The consolidation of user data stores could result in increases in consistency by 44%, accuracy by 36% and actual security by 33%.” — META Group

Synchronisation of directory services (1)

Slide graphic: IBM RACF, Sec.Way SAP R/3, Lotus Notes, MS ADS, e.g. SunOne, C/S Unix host; horizontal coordination by network/system management (Tivoli, TME10).

Non-coordinated schemas.
No automated synchronisation among directories (effort rises exponentially).

Synchronisation of directory services (2)

Slide graphic: the same systems (IBM RACF, Sec.Way SAP R/3, Lotus Notes, MS ADS, e.g. SunOne, C/S Unix host) with horizontal coordination by network/system management (Tivoli, TME10).

Common schema, plus system-specific extensions.
Mutual synchronisation among directories (effort rises quadratically).

Synchronisation of directory services (3)

Slide graphic: the same systems (IBM RACF, Sec.Way SAP R/3, Lotus Notes, MS ADS, e.g. SunOne, C/S Unix host) with horizontal coordination by network/system management (Tivoli, TME10).

Common schema, plus system-specific extensions.
Synchronisation via meta-directory.

Architecture of an Identity Management System

Slide graphic: a directory service as the central store for identities, groups, roles and policies; around it the provisioning workflow, the application workflow, audit & reconciliation, role administration and ID administration; actors Human Resource, Superior, Employee and applicants; target systems fed by provisioning.
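To make the three synchronisation topologies and the audit & reconciliation box of the architecture slide concrete, here is an added Python example (not the slides' or any product's own code). It counts the synchronisation links needed for pairwise versus hub-based synchronisation, joins four constructed source directories with their own schemas into a common schema plus per-system extension attributes, and then reconciles the accounts found in the target systems against the roles held in the central store. System names, attribute names, the role policy and all records are constructed for the example.

```python
"""Added example, not from the SiG slides: a toy meta-directory that joins
system-specific directories into a common schema plus per-system extension
attributes, and an audit & reconciliation pass that compares the target
systems with the central store. All systems, attributes, records and the
role policy are constructed for the example."""
from __future__ import annotations

from collections import defaultdict

# Constructed source directories, each with its own schema.
SOURCES = {
    "HR": [{"EMPNO": "1001", "FULLNAME": "Alice Example", "JOB": "consultant"},
           {"EMPNO": "1002", "FULLNAME": "Bob Example", "JOB": "mainframe-ops"}],
    "RACF": [{"USERID": "ALICEX", "NAME": "ALICE EXAMPLE", "EMP": "1001"},
             {"USERID": "CAROLX", "NAME": "CAROL EXAMPLE", "EMP": "1003"}],  # no HR record
    "AD": [{"sAMAccountName": "aexample", "displayName": "Alice Example",
            "mail": "alice@example.test", "employeeNumber": "1001"}],
    "Notes": [{"ShortName": "bexample", "FullName": "Bob Example/Example", "EmpNo": "1002"}],
}

# Per-system mapping: source attribute -> common-schema attribute ('cn', 'mail',
# 'role', 'empno' as join key) or a 'system:attr' extension kept verbatim.
MAPPINGS = {
    "HR": {"EMPNO": "empno", "FULLNAME": "cn", "JOB": "role"},
    "RACF": {"EMP": "empno", "USERID": "racf:userid", "NAME": "racf:name"},
    "AD": {"employeeNumber": "empno", "sAMAccountName": "ad:samaccountname",
           "displayName": "cn", "mail": "mail"},
    "Notes": {"EmpNo": "empno", "ShortName": "notes:shortname", "FullName": "notes:fullname"},
}

AUTHORITATIVE_ORDER = ["HR", "AD", "Notes", "RACF"]  # first source wins for common attributes
ROLE_POLICY = {"consultant": {"AD", "Notes"}, "mainframe-ops": {"RACF", "AD"}}  # role -> required accounts
ACCOUNT_ATTR = {"RACF": "racf:userid", "AD": "ad:samaccountname", "Notes": "notes:shortname"}


def sync_links(n_systems: int) -> dict[str, int]:
    """Synchronisation relationships to build and maintain: every directory
    with every other one (pairwise, n(n-1)/2) versus one connector per
    directory to a meta-directory hub (n)."""
    return {"pairwise": n_systems * (n_systems - 1) // 2, "hub": n_systems}


def build_metadirectory(sources, mappings, order) -> dict[str, dict[str, str]]:
    """Join all sources on the common 'empno' attribute into one store.
    Common attributes come from the first system in `order` that provides
    them; extension attributes are per system and never collide."""
    central: dict[str, dict[str, str]] = defaultdict(dict)
    for system in order:
        mapping = mappings[system]
        for record in sources.get(system, []):
            common = {mapping[k]: v for k, v in record.items() if k in mapping}
            empno = common.pop("empno", None)
            if empno is None:
                continue  # unjoinable record; a real audit would report it
            entry = central[empno]
            for attr, value in common.items():
                if ":" in attr or attr not in entry:
                    entry[attr] = value
    return dict(central)


def reconcile(central, role_policy, account_attr) -> dict[str, list]:
    """Audit target-system accounts against the central store. Returns:
    orphans - accounts whose owner has no HR identity (no 'role'): candidates
              for de-provisioning;
    missing - identities whose role requires an account they do not hold;
    excess  - accounts an identity holds that its role does not call for."""
    orphans, missing, excess = [], [], []
    for empno, entry in sorted(central.items()):
        held = {s for s, attr in account_attr.items() if attr in entry}
        role = entry.get("role")
        if role is None:
            orphans.extend((s, entry[account_attr[s]]) for s in sorted(held))
            continue
        required = role_policy.get(role, set())
        missing.extend((empno, s) for s in sorted(required - held))
        excess.extend((empno, s) for s in sorted(held - required))
    return {"orphans": orphans, "missing": missing, "excess": excess}


def run_audit() -> dict[str, list]:
    """Build the central store from the constructed sources and audit it."""
    return reconcile(build_metadirectory(SOURCES, MAPPINGS, AUTHORITATIVE_ORDER),
                     ROLE_POLICY, ACCOUNT_ATTR)


if __name__ == "__main__":
    print(sync_links(len(SOURCES)))
    for finding, items in run_audit().items():
        print(finding, items)
```

With the six systems of the synchronisation slides, pairwise synchronisation needs 15 links against 6 connectors for the meta-directory, which is the quadratic-versus-linear effort the slides contrast. The audit reports the RACF account with no HR owner as an orphan, the accounts each role still lacks, and the accounts held beyond what the role calls for; those three lists are what the "Audit & Reconciliation" box feeds back into provisioning.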

Integration via Federation

Central model: network identity and user information in a single store; centralised control; single point of failure; connects uniform systems.

Federated model: network identity and user information in different stores; no central control; no single point of failure; connects uniform and non-uniform systems.

Federated Identity

Managing and brokering trust relationships across multiple organizations with support for federated identities.

Federated scenarios:
Consumer convenience
Related industry groupings
Self-contained, highly distributed organizations
Strategic B-to-B relationships

Via opt-in to heterogeneous single sign-on – federation provides the link.
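As an added example (not from the slides), the following Python code sketches the federated model: each organisation keeps its own identity store and, by opting in, registers a trust relationship with a partner; the home organisation then asserts a user's identity to the partner, which verifies the assertion's origin, integrity, audience and lifetime before granting single sign-on. A shared HMAC key per partner stands in for the signed metadata and certificates a real federation protocol would exchange; organisation names, users and keys are all constructed.

```python
"""Added example, not from the SiG slides: the federated model in miniature.
Every organisation keeps its own identity store; an opt-in trust
relationship (a shared HMAC key per partner, standing in for the signed
metadata and certificates a SAML-style federation exchanges) lets a relying
organisation accept an identity assertion from the user's home organisation
without any central store. Names, users and keys are all constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


class Organisation:
    """One federation participant: identity provider for its own users,
    relying party for assertions issued by trusted partners."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.users: dict[str, dict] = {}     # local identity store
        self.trusted: dict[str, bytes] = {}  # partner name -> shared key

    def federate_with(self, partner: "Organisation") -> None:
        """Opt-in on both sides: register a fresh shared key for each other."""
        key = secrets.token_bytes(32)
        self.trusted[partner.name] = key
        partner.trusted[self.name] = key

    def issue_assertion(self, username: str, audience: str,
                        now: float | None = None, ttl: int = 300) -> str:
        """Home organisation: assert `username` to the trusted `audience`."""
        if username not in self.users:
            raise KeyError(f"{username!r} is not in {self.name}'s store")
        if audience not in self.trusted:
            raise PermissionError(f"{audience!r} is not federated with {self.name}")
        now = time.time() if now is None else now
        claims = {"iss": self.name, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "attrs": self.users[username]}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.trusted[audience], body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(tag)

    def accept_assertion(self, token: str, now: float | None = None) -> dict | None:
        """Relying organisation: return the claims if the issuer is trusted,
        the tag verifies, we are the audience and the lifetime holds; else None."""
        now = time.time() if now is None else now
        try:
            b64body, b64tag = token.split(".")
            body, tag = _unb64(b64body), _unb64(b64tag)
            claims = json.loads(body)
        except ValueError:                      # malformed token or JSON
            return None
        if not isinstance(claims, dict):
            return None
        key = self.trusted.get(claims.get("iss"))
        if key is None:                         # issuer never federated with us
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                         # integrity check failed
        if claims.get("aud") != self.name:
            return None                         # meant for another organisation
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None                         # outside its lifetime
        return claims


def scenario(now: float = 1_000_000.0) -> dict:
    """Constructed walk-through: a valid login, an expired token, a token
    shown to an organisation that never federated, and a tampered token."""
    home = Organisation("home.example")
    partner = Organisation("partner.example")
    outsider = Organisation("outsider.example")
    home.users["alice"] = {"cn": "Alice Example", "role": "consultant"}
    home.federate_with(partner)                 # opt-in trust relationship
    token = home.issue_assertion("alice", partner.name, now=now)
    accepted = partner.accept_assertion(token, now=now + 60)
    b64body, b64tag = token.split(".")
    forged = _b64(_unb64(b64body).replace(b'"alice"', b'"bob"')) + "." + b64tag
    return {
        "accepted_sub": accepted["sub"] if accepted else None,
        "expired": partner.accept_assertion(token, now=now + 600) is None,
        "untrusted_relying_party": outsider.accept_assertion(token, now=now) is None,
        "tampered": partner.accept_assertion(forged, now=now) is None,
    }


if __name__ == "__main__":
    print(scenario())
```

Nothing here is shared beyond the per-partner key: the user's record stays in the home store, the partner learns only the asserted attributes, and an organisation that never opted in holds no key and rejects the token outright, which is the "no central control, no single point of failure" property the slide attributes to the federated model.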

Questions, Suggestions, Hints?

Thank You !!

Stop,

Appendix

From here on the back-up slides follow ...