SiG „ Identity Management Technology ” Version 1.0 2004-10-20 Lefkosia / Cyprus Dr. Horst...
SiG „Identity Management Technology” Version 1.0
2004-10-20 Lefkosia / Cyprus
Dr. Horst Walther, SiG Software Integration GmbH
Technology
Evolution – how did we get here?
Directory services
Metadirectory services
Virtual directory services
Provisioning systems
Web Access Tools
Standards
Evolution of Identity Management
Independent sources … historically three independent streams:
The idea of a public key infrastructure (PKI) for certificate-based strong authentication can be traced back to 1976.
The CCITT[1], today ITU-T[2], published its first specification of an X.500 directory service in 1988. Today's common directory services are influenced by this development.
Five years later the NIST[3] started its work on role based access control (RBAC)[4]. Later mechanisms for role based access are based on these works.
[1] Comité Consultatif International Télégraphique et Téléphonique
[2] International Telecommunication Union - Telecommunication
[3] National Institute of Standards & Technology
[4] RBAC: Role Based Access Control
These components show a considerable functional overlap and cannot easily be combined to form a full-function Identity Management Infrastructure.
(Timeline: 1988 X.500, 1993 RBAC, 1996 PKI, 2001 IDM)
The need for integration
The typical Fortune 500 company reports that it maintains over 180 directories, like address repositories, phonebooks ... (Source: Forrester Research).
Many applications and systems maintain their own identity stores:
Operating systems: Windows NT, 2003, XP, ...
Database management systems: ORACLE, DB2, ...
Mail systems: Outlook, Lotus NOTES, ...
Service systems: RACF, Firewalls, ...
E-business systems: Internet portals, e-banking systems, ...
Home-grown business applications.
Specialisations of database systems
OLTP database systems: transaction processing, frequent updates, short records.
OLAP database systems: analysis of pre-consolidated, redundant bulk data.
Directory services: frequent read accesses; special DBMS optimised for (short) single-record look-up.
Despite all confusion on what directory services really are – they are just specialised database systems.
Integration via directory services
A directory service offers a unified view on identity information …
(Figure: applications using the directory service – Telephone, Video Conference, Application Sharing, Electronic Mail, Multimedia/WWW, Groupware, Network Administration, Workflow, Calendar, Security / Certification Authority)
The directory ...
Is used by many applications.
Enables the maintenance of information at a single point.
Offers a universal, easily usable interface for access.
Is the backbone of Intranet applications.
Many systems maintain their own directory …
SAP: HR, user management, accounts payable, accounts receivable, etc.
RACF: administration of privileges, identities and roles.
Windows: Active Directory / MS Exchange.
Lotus Notes: Notes name and address book, ACLs per Notes DB.
Evolution of directory services
Triggers for further development ...
In early times the implementation was too demanding for the existing hardware. Result: Lightweight DAP (X.500 access protocol), LDAP.
Later hardware became less of a bottleneck. A large amount of the identity information was stored in non-LDAP repositories already. Chance for virtual directory services: deliberately skipping the read optimisation; the directory access is simulated only, the original data sources are accessed instead.
Increasing bandwidth of public networks led to a decreasing relevance of X.500 protocols like DSP or DISP.
Today XML dialects may turn out to be competitors to LDAP.
Most directory services originate from the X.500 standards.
X.500 and LDAP – how did it happen?
LDAP offers 90% of the DAP functionality at 10% of the ‘costs’.
LDAP advantages over X.500 DAP are:
Runs directly over TCP, eliminating the overhead of the OSI session and presentation layers required by DAP.
Simplifies the X.500 functional model.
Uses string encoding rather than the ASN.1 notation.
Frees clients from the burden of chasing referrals.
LDAP hence offers a unified access and a unified communication with directory services.
(Figure: functionality vs. costs of LDAP and DAP)
Demand for standardisation – still.
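The string encodings this slide refers to (RFC 2254 search filters, RFC 2253 distinguished names) as an added example that is not part of the presentation: the escaping an application must apply to caller-supplied values before they enter a filter or DN, and a parser that reads a DN back into its components. The attribute names and sample values are assumed for illustration.

```python
# Added example, not from the presentation: the string encodings LDAP uses in
# place of ASN.1 (RFC 2254 search filters, RFC 2253 distinguished names) and
# the escaping an application must apply to caller-supplied values.
_HEX = '0123456789abcdefABCDEF'


def escape_filter_value(value):
    """RFC 2254: '*', '(', ')', '\\' and NUL become backslash + two hex digits,
    so a caller-supplied value can no longer act as filter syntax."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c
                   for c in value)


def user_lookup_filter(uid):
    """Filter an application would use to look up one person by uid."""
    return '(&(objectClass=inetOrgPerson)(uid=%s))' % escape_filter_value(uid)


def escape_dn_value(value):
    """RFC 2253: escape specials, a leading '#' or space, a trailing space."""
    last = len(value) - 1
    return ''.join('\\' + c if c in ',+"\\<>;' or (i == 0 and c in '# ')
                   or (i == last and c == ' ') else c
                   for i, c in enumerate(value))


def parse_dn(dn):
    """Split an RFC 2253 DN into (type, value) pairs, honouring '\\x' and
    '\\XX' escapes (multi-valued RDNs and quoted values are left out)."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == '=' and attr is None:
            attr, buf = ''.join(buf).strip(), []
        elif c == ',':
            rdns.append((attr, ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    rdns.append((attr, ''.join(buf)))
    return rdns
```

A value such as `*)(uid=*` that would otherwise change the filter's meaning is reduced to literal characters by `escape_filter_value`, which is the check a directory-backed login or lookup should apply before every search.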
X.500 vs. LDAP
X.500 ...
The first standard, published in 1993.
Is an ISO (International Standards Organisation) and ITU (International Telecommunications Union) standard.
Defines how global directories should be structured.
Follows a hierarchical organisation, e.g.: country, city, organisational unit, ...
Supports X.400 systems.
Is the result of long-winded work in the standardisation boards of the national telecoms (top-down approach).
LDAP ...
The pragmatic approach of the Internet community towards X.500.
Stands for Lightweight Directory Access Protocol.
Replaces X.500 / DAP.
Was developed to give „lean“ clients (PCs) access to X.500.
Skips X.500’s communication basis, the (mighty) OSI protocol; uses the widely used TCP/IP.
Is taken care of by the Internet Engineering Task Force (IETF). They communicate via RFCs (bottom-up approach).
The all-encompassing standard -- vs. -- the easy access
X.500 - The Standards Series
Recommendation | Date  | Title
X.500          | 11/93 | Overview of Concepts, Models and Services
X.501          | 11/93 | Models
X.509          | 11/93 | Authentication Framework
X.511          | 11/93 | Abstract Service Definition
X.518          | 11/93 | Services for distributed processing
X.519          | 11/93 | Protocol Specification
X.520          | 11/93 | Selected Attribute Types
X.521          | 11/93 | Selected Object Classes
X.525          | 11/93 | Replication
X.581          | 11/95 | Directory Access Protocol
X.582          | 11/95 | Directory System Protocol
Source: http://www.itu.ch/itudoc/itu-t/rec/x/x500up.html
In use outside the X.500 world too.
Evolution of the Standards
(Figure: timeline 1993 to 2000)
X.500 Concepts, Models and Services; X.501 Models; X.509 Authentication Framework; X.511 Services Definition; X.518 Distributed Processing; X.519 Protocol Specification; X.520 Attribute Types; X.521 Object Classes; X.525 Replication
X.581 Access Protocol (DAP)
X.582 System Protocol (DSP)
X.530 Access Protocol
IETF Working Groups: LDAPext, LDUP
RFC 1487 X.500 LDAP v1; RFC 1488 String Representation
RFC 1777 LDAP v2; RFC 1788 String Representation for Attributes; RFC 1779 String Representation for DN
RFC 1823 LDAP API
RFC 1959 LDAP URL; RFC 1960 String Representation for Search Filters
RFC 2164 X.500/LDAP MIXER address mapping; RFC 2247 Domains in X.500/LDAP DN
RFC 2251 LDAPv3; RFC 2252 Attribute Syntax Definition; RFC 2253 UTF-8 String Representation of DN; RFC 2254 String Representation for Search Filters; RFC 2255 URL Format; RFC 2256 X.500 User Schema for use with LDAPv3
RFC 2307 LDAP as Network Information Service
RFC 2559 X.509 – LDAPv2
Drafts: LDIF, inetOrgPerson
Data and Directory Integration
The Data and Directory Integration solution also serves as the foundation for security applications, such as:
Single Sign-On
Password Management
PKI Digital Certificate Services
User Provisioning
“The consolidation of user data stores could result in increases in consistency by 44%, accuracy by 36% and actual security by 33%.” – META Group
Synchronisation of directory services (1)
(Figure: connected systems – IBM RACF, Sec.Way SAP R/3, Lotus Notes, MS ADS, e.g. SunOne, C/S Unix host; horizontal coordination via network/system management, e.g. Tivoli TME10)
Non-coordinated schemas.
No automated synchronisation among directories (effort rises exponentially).
Synchronisation of directory services (2)
(Figure: the same connected systems – IBM RACF, Sec.Way SAP R/3, Lotus Notes, MS ADS, e.g. SunOne, C/S Unix host; horizontal coordination via network/system management, e.g. Tivoli TME10)
Common schema plus system-specific extensions.
Mutual synchronisation among directories (effort rises quadratically).
Synchronisation of directory services (3)
(Figure: the same systems – IBM RACF, Sec.Way SAP R/3, Lotus Notes, MS ADS, e.g. SunOne, C/S Unix host – each connected to a meta-directory; horizontal coordination via network/system management, e.g. Tivoli TME10)
Common schema plus system-specific extensions.
Synchronisation via meta-directory.
Architecture of an Identity Management System
(Figure) Components:
Directory service: central store for identities, groups, roles and policies.
Provisioning workflow.
Application workflow.
Audit & Reconciliation.
Role Administration.
ID Administration.
Actors: Human Resource, Superior, Employee, applicants.
Target Systems.
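An added example that is not part of the presentation, covering the meta-directory synchronisation of the preceding slides and the audit and reconciliation component of this architecture: target-system records are mapped onto a common schema (unmapped attributes kept as system-specific extensions) and then compared with the central store for orphaned accounts, drifted attributes and missing accounts. The system names, attribute names and records are constructed for illustration.

```python
# Added example, not from the presentation: a minimal meta-directory join onto
# a common schema (unmapped attributes kept as system-specific extensions) and
# the audit and reconciliation pass comparing the central identity store with
# its target systems. System names, attribute names and data are constructed.
CONNECTORS = {  # per-connector mapping: target attribute -> common attribute
    'ad': {'sAMAccountName': 'uid', 'mail': 'mail', 'employeeID': 'empno'},
    'notes': {'ShortName': 'uid', 'InternetAddress': 'mail', 'EmployeeID': 'empno'},
}

def to_common(system, record):
    """Map one target record onto the common schema; unmapped attributes
    survive as '<system>.<attr>' extensions instead of being dropped."""
    mapping = CONNECTORS[system]
    return {mapping.get(a, '%s.%s' % (system, a)): v for a, v in record.items()}

def reconcile(central, exports):
    """central: {empno: {'uid', 'mail', 'status'}}; exports: {system: [records]}.
    Reports orphans (accounts without an active identity), drift (attribute
    differs from the central store) and missing (active identity, no account)."""
    report = {'orphans': [], 'drift': [], 'missing': []}
    seen = {system: set() for system in exports}
    for system, records in exports.items():
        for rec in (to_common(system, r) for r in records):
            identity = central.get(rec.get('empno'))
            if identity is None or identity['status'] != 'active':
                report['orphans'].append((system, rec['uid']))
                continue
            seen[system].add(rec['empno'])
            for attr in ('uid', 'mail'):
                if rec.get(attr) != identity[attr]:
                    report['drift'].append((system, rec['empno'], attr))
    for empno, identity in central.items():
        for system in exports:
            if identity['status'] == 'active' and empno not in seen[system]:
                report['missing'].append((system, empno))
    return report

# Constructed sample: a leaver still holding an AD account, a mail value that
# drifted in Notes, and an active identity with no Notes account at all.
CENTRAL = {
    '1001': {'uid': 'hwalther', 'mail': 'hw@example.test', 'status': 'active'},
    '1002': {'uid': 'jdoe', 'mail': 'jd@example.test', 'status': 'left'},
    '1003': {'uid': 'asmith', 'mail': 'as@example.test', 'status': 'active'},
}
EXPORTS = {
    'ad': [{'sAMAccountName': 'hwalther', 'mail': 'hw@example.test', 'employeeID': '1001'},
           {'sAMAccountName': 'jdoe', 'mail': 'jd@example.test', 'employeeID': '1002'},
           {'sAMAccountName': 'asmith', 'mail': 'as@example.test', 'employeeID': '1003'}],
    'notes': [{'ShortName': 'hwalther', 'InternetAddress': 'horst@example.test',
               'EmployeeID': '1001', 'MailServer': 'NOTES01'}],
}
```

Running `reconcile(CENTRAL, EXPORTS)` on the constructed data flags the leaver's AD account as an orphan, the Notes mail address as drift and the missing Notes account for the third identity, which is the output a provisioning workflow would act on.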
Integration via Federation
Central model: network identity and user information in a single store; centralised control; single point of failure; connects uniform systems.
Federated model: network identity and user information in different stores; no central control; no single point of failure; connects uniform and non-uniform systems.
Federated Identity
Managing and brokering trust relationships across multiple organizations with support for federated identities.
Federated scenarios:
Consumer convenience
Related industry groupings
Self-contained, highly distributed organizations
Strategic B-to-B relationships
Via opt-in to heterogeneous single sign-on – federation provides the link.