Federated Identity in Practice
Mike Beach, The Boeing Company
TRANSCRIPT
Michael Beach, The Boeing Company - 2 -
Federated Identity
Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation.
This applies both within the corporation and across the Internet.
The Boeing Environment
Three user communities
150,000 employees, contractors
80,000 partners, suppliers, customers
1,000,000+ ex-employees, beneficiaries
Three enterprise directories
Comprehensive Sun ONE directory (all people of interest)
Microsoft Active Directory (most employees)
RACF (most employees – but not same employees as MS AD)
Many Boeing web servers
Apache, IPlanet, IIS, ColdFusion, Shadow, Oracle
Over 350 web server platform/version variations
Multiple versions of both Netscape and IE browsers
WSSO Objectives
Simple, consistent user experience
Improved security through centralized access management
Reduction in user accounts and passwords, thus reductions in account administration costs
Applications isolated from authentication mechanisms and authentication technology insertions
Applications agnostic to origin of user’s access (internal or external)
Single sign on across Boeing business domain, including partners, suppliers, customers…
WSSO Key Solution Differentiators
Web Single Sign-on (WSSO) across Boeing and external web sites
Common infrastructure supporting internal and external access, for internal and external users
No control over desktop configuration and no ability to deploy components to the desktop
Leverage existing Boeing infrastructure
The Deployment
Oblix Netpoint infrastructure with 12 Access Servers deployed across 3 geographic regions (plus sand box, development, test, and integration environments – about 50 machines total)
Primarily authentication today, limited authorization
No Identity Management or delegated administration
Custom integration with 5 authentication mechanisms
MS Active Directory
RACF
X.509 personal certificates
Proximity badge
Customer/supplier reverse web proxy user ID and password
Major WSSO Components (architecture diagram; component labels recovered from the figure)
Identity and Policy Stores: Corporate Sun ONE Directory (All People, Groups, Oblix Policy), AD, RACF, X.509
Access Server with Boeing plug-ins; Customer Authenticator Service
WebGate in front of Boeing web server content and in front of 3rd-party web server content
Login Hub (internal): Logon W2K, RACF, Certificate
Login Hub (DMZ, customers and suppliers): Logon PIN, PIN Authentication
Perimeter services: Boeing Reverse Proxy, WSSO Proxy Services, SAML Services, Remote Access Service
Web browsers inside Boeing and outside (customers, suppliers) reaching in through the DMZ
WSSO Authentication Sources (same architecture diagram, with the authentication sources highlighted)
W2K (Active Directory)
RACF
X.509 Personal Certificates
External PIN (DMZ PIN Authentication for customers and suppliers)
Remaining labels as in the Major WSSO Components diagram: identity and policy stores (Corporate Sun ONE Directory with All People, Groups and Oblix Policy; AD; RACF; X.509), Access Server with Boeing plug-ins, Customer Authenticator Service, WebGates, Login Hubs, Boeing Reverse Proxy, WSSO Proxy Services, SAML Services, Remote Access Service
WSSO Authorization Sources (same architecture diagram, with the authorization sources highlighted)
LDAP Group Authorization (Groups in the Corporate Sun ONE Directory)
LDAP People Branch (All People in the Corporate Sun ONE Directory)
Customer/Supplier Authorization (customers and suppliers entering through the DMZ)
Remaining labels as in the Major WSSO Components diagram: Oblix Policy, AD, RACF, X.509, Access Server with Boeing plug-ins, Customer Authenticator Service, WebGates, Login Hubs (Logon W2K / RACF / Certificate; Logon PIN / PIN Authentication), Boeing Reverse Proxy, WSSO Proxy Services, SAML Services, Remote Access Service
WSSO Perimeter Access Components (same architecture diagram, with the DMZ components highlighted)
Boeing Reverse Proxy
WSSO Proxy Services
SAML Services
Remote Access Service
DMZ Login Hub: Logon PIN, PIN Authentication
User populations entering through the perimeter: typical customers and suppliers; employees (VPN, dial); federated customers and suppliers; external employees and retirees
Remaining labels as in the Major WSSO Components diagram: identity and policy stores (Corporate Sun ONE Directory with All People, Groups and Oblix Policy; AD; RACF; X.509), Access Server with Boeing plug-ins, Customer Authenticator Service, WebGates, internal Login Hub (Logon W2K / RACF / Certificate)
WSSO-protected Components (same architecture diagram, with the protected content highlighted)
Internal Boeing: WebGate-protected Boeing web server content
External third-party suppliers: WebGate-protected 3rd-party web server content
Login Hubs in this view: Logon W2K / MyInfo Certificate (internal); Logon PIN / PIN Authentication (DMZ)
Remaining labels as in the Major WSSO Components diagram: identity and policy stores (Corporate Sun ONE Directory with All People, Groups and Oblix Policy; AD; RACF; X.509), Access Server with Boeing plug-ins, Customer Authenticator Service, Boeing Reverse Proxy, WSSO Proxy Services, SAML Services, Remote Access Service, web browsers for customers and suppliers
WSSO Users (same architecture diagram, with the user populations highlighted)
Internal employees: web browsers inside Boeing, authenticating through the internal Login Hub (Logon W2K / MyInfo Certificate)
External employees, retirees, customers and suppliers: web browsers outside Boeing, entering through the DMZ (Logon PIN / PIN Authentication, Boeing Reverse Proxy, WSSO Proxy Services, SAML Services, Remote Access Service)
Remaining labels as in the Major WSSO Components diagram: identity and policy stores (Corporate Sun ONE Directory with All People, Groups and Oblix Policy; AD; RACF; X.509), Access Server with Boeing plug-ins, Customer Authenticator Service, WebGates in front of Boeing and 3rd-party web server content
Milestones
Started RFP 3/2001
Vendor selection 8/2001
Production 12/2001
100,000 logins per day 2/2003
100+ applications in production 4/2003
3rd party web site integration 5/2003
External user integration 5/2003
SAML production 6/2003
Role-based access control Q3/2003
Complete deployment (1000+ applications) End 2004-2005
("We Are Here" marker on the timeline)
SAML Participants
The Boeing Company
A leading manufacturer of commercial airplanes, space technology, defense aircraft and systems, and communication systems.
Southwest Airlines
A major domestic airline that provides primarily short-haul, high-frequency, point-to-point, low-fare service. Southwest operates over 350 Boeing 737 aircraft in 58 cities.
Oblix Inc.
A leading developer of identity-based security solutions for e-Business networks. The company's flagship product, Oblix NetPoint, is an enterprise identity management and Web access solution that provides an identity infrastructure for dynamic e-Business environments.
SAML Deployment Objectives
Significantly increase the user base of MyBoeingFleet, the secure web portal that provides Boeing customers access to all of the information required to operate and maintain their fleets
Embed MyBoeingFleet more deeply in the airline’s business process. Facilitate the deployment of MyBoeingFleet content directly to the customer maintenance hangar
User will authenticate to their local intranet, click on a link to MyBoeingFleet, and seamlessly access the data and services without a secondary Boeing authentication request
Role-based access control targeted for next year
The SAML Flow
(Sequence diagram; component labels recovered from the figure)
DOMAIN A: swacorp.com: SWA User, SWA Portal
DOMAIN B: Boeing.com: SAML Services and SAML Server / Reverse Proxy in the DMZ; Access Server and target resource MyBoeingFleet.com on the internal side
Numbered steps 1, 2.0 through 2.5, 3 and 4 connect these components in the figure; their order is not recoverable from the transcript.
Web Access Management: General Challenges
Managing
Executive expectation
User experience
Hundreds of applications with even more policies
Complexity and reliability
Browsers, web servers, networks, directories, libraries, versions, custom code
Session management
Existing applications typically have embedded session management
Anomalies arise from inconsistent session state
Global “logout” is problematic (hurray for SAML 2.0!)
Security
Vulnerability assessment, with risk mitigation where possible, is appropriate
SAML Deployment Considerations
Assertions may need to be constrained to a domain
Boeing defined the authentication mechanism to include both user identity and SAML issuer ID
Support for direct bookmarks
For each web session, prior to a SAML transfer, bookmarks and URL references may not work
Oblix-provided solution creates a persistent “SAML Provider” cookie and implements redirection through SAML services for unauthenticated users
Not part of the SAML standard.
SAML only provides the “introduction”
Boeing content resides inside the Boeing security perimeter.
Had to integrate ObssoCookie handling into the perimeter before users could actually reach content.
Security considerations of interactions across the Internet AFTER the SAML exchange were significant
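The issuer-plus-identity rule from the slide above, as an added example that is not part of the original deck and not Boeing's or Oblix's code: a service-provider-side consumer that accepts an assertion only from a registered partner, only inside its validity window, only when it is addressed to this SP, and then keys the local principal on the pair (issuer ID, NameID) so one partner's name space can never reach another partner's entitlements. XML signature verification of the raw document is assumed to have already succeeded; only the post-signature policy checks are shown. The partner registry, audience URI, entitlement table, reference time and assertion text are constructed for the example, and SAML 2.0 element names are used where the 2003 deployment would have used SAML 1.x (the checks are the same).

```python
"""Service-provider checks on an inbound SAML assertion (added example).

Signature verification of the raw XML is assumed to have succeeded already;
only the post-signature policy checks are shown.  TRUSTED_ISSUERS,
MY_AUDIENCE, ENTITLEMENTS, T0 and the assertion text are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

TRUSTED_ISSUERS = {"https://sso.swacorp.com/saml": "Southwest Airlines"}  # constructed
MY_AUDIENCE = "https://myboeingfleet.example/sp"                         # constructed
SKEW = timedelta(seconds=60)            # tolerated IdP/SP clock difference
T0 = datetime(2003, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass(frozen=True)
class Principal:
    """Local identity: the issuer is part of the key, not just the name."""
    issuer: str
    name_id: str


class AssertionRejected(Exception):
    pass


def _ts(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def consume_assertion(xml_text: str, now: datetime) -> Principal:
    """Check issuer, validity window and audience; return (issuer, NameID)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("root element is not a SAML Assertion")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise AssertionRejected("missing validity window")
    if not (_ts(cond.get("NotBefore")) - SKEW <= now < _ts(cond.get("NotOnOrAfter")) + SKEW):
        raise AssertionRejected("assertion outside its validity window")
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if MY_AUDIENCE not in audiences:
        raise AssertionRejected("assertion not addressed to this SP")
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise AssertionRejected("missing subject NameID")
    # Fold the issuer into the identity: one partner's NameID space can
    # never reach another partner's entitlements.
    return Principal(issuer=issuer, name_id=name_id)


# Constructed entitlement table, keyed on the full principal.
ENTITLEMENTS = {Principal("https://sso.swacorp.com/saml", "jsmith"): {"fleet:737:maintenance"}}


def is_authorized(principal: Principal, resource: str) -> bool:
    return resource in ENTITLEMENTS.get(principal, set())


def make_assertion(issuer: str, name_id: str, not_before: datetime, lifetime: timedelta) -> str:
    """Constructed, unsigned assertion for exercising the consumer."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0"
    IssueInstant="{not_before.strftime(TIME_FMT)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}"
      NotOnOrAfter="{(not_before + lifetime).strftime(TIME_FMT)}">
    <saml:AudienceRestriction><saml:Audience>{MY_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def demo() -> dict:
    """Run the consumer over constructed cases; returns the outcome of each."""
    five = timedelta(minutes=5)
    good = make_assertion("https://sso.swacorp.com/saml", "jsmith", T0, five)
    who = consume_assertion(good, T0 + timedelta(minutes=1))
    out = {"principal": (who.issuer, who.name_id),
           "authorized": is_authorized(who, "fleet:737:maintenance")}
    cases = [
        ("other_issuer", make_assertion("https://idp.other.example", "jsmith", T0, five), T0),
        ("expired", good, T0 + timedelta(minutes=10)),
        ("wrong_audience", good.replace(MY_AUDIENCE, "https://elsewhere.example"), T0),
    ]
    for label, xml, now in cases:
        try:
            consume_assertion(xml, now)
            out[label] = "accepted"
        except AssertionRejected as exc:
            out[label] = str(exc)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Run directly, `demo()` shows the Southwest user being accepted and authorized, and the same NameID "jsmith" from an unregistered issuer being rejected outright rather than silently mapped onto the Southwest user's entitlements; the expired and wrong-audience cases are the domain constraint from the slide.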
Recommendations
Focus on communication and marketing
Manage expectations
Educate users
Thoroughly understand and plan user experience (within product capabilities)
Consider limiting scope
Integration of legacy technologies can be costly
Each component integrated adds to complexity and impacts overall reliability
Consider adjusting infrastructure to support IAM
Integration to existing infrastructure required significant custom code
Use of a virtual directory could simplify deployment, but probably with an impact to performance
Standards Wish List
Support for direct bookmarks
Bookmarks and URL references (“deep links”) should work, even prior to the initial SAML transfer.
Global logout
Provide the user with an intuitive logout facility that would ensure complete termination of all application sessions and authentication credentials.
Domains of federated security
Users have need for multiple, disconnected federated security domains. For example, separation of business and personal. (Selective logout?)
Security strength of public Internet technologies
Industry needs to deliver technology that prevents cookie vulnerabilities (hijack and replay).
Support for individual application session timeout settings
Several of our application environments consider a session timeout setting (idle time) mandatory.
Authentication State Visibility
It is important for the user to always be aware of their authentication state. Are they authenticated, and to what?
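The direct-bookmark workaround described under SAML Deployment Considerations (a persistent "SAML provider" cookie plus redirection through SAML services for unauthenticated users) and the per-application idle timeout from the wish list above, as one added example that is not from the original deck and not Boeing's or Oblix's code. It models the SP perimeter with plain functions rather than a web framework, and adds the check a practitioner would want: the deep-link target carried across the federated login is only honoured if it points back at this SP. The SP origin, cookie names, partner registry, application paths and timeouts are constructed assumptions; TARGET is the parameter name from the SAML 1.x browser profiles (RelayState in SAML 2.0).

```python
"""SP perimeter handling of a bookmarked link before an SP session exists
(added example).  SP_ORIGIN, cookie names, PROVIDERS and APP_IDLE_TIMEOUT
are constructed; TARGET is the SAML 1.x browser-profile parameter name."""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit

SP_ORIGIN = "https://myboeingfleet.example"   # constructed SP origin
PROVIDER_COOKIE = "saml_provider"              # persistent hint: partner id only, no identity
SESSION_COOKIE = "sp_session"                  # SP session handle
PROVIDERS = {"swacorp": "https://sso.swacorp.com/saml/sso"}   # constructed partner registry
APP_IDLE_TIMEOUT = {"/fleet/": 900, "/training/": 3600}       # seconds, by URL prefix
DEFAULT_IDLE = 1800


@dataclass
class Session:
    principal: str
    last_seen: int          # seconds; the caller supplies the clock


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""
    set_cookies: dict = field(default_factory=dict)


SESSIONS: dict = {}         # session id -> Session (in-memory for the example)


def idle_limit(path: str) -> int:
    """Idle limit for the application that owns this path."""
    for prefix, secs in APP_IDLE_TIMEOUT.items():
        if path.startswith(prefix):
            return secs
    return DEFAULT_IDLE


def safe_target(target: str) -> str:
    """Honour the carried deep-link target only if it points back at this SP."""
    parts = urlsplit(target)
    if f"{parts.scheme}://{parts.netloc}" != SP_ORIGIN or not parts.path.startswith("/"):
        return SP_ORIGIN + "/"
    return target


def handle(path: str, cookies: dict, now: int) -> Response:
    """A browser asks for a (possibly bookmarked) URL."""
    sid = cookies.get(SESSION_COOKIE)
    sess = SESSIONS.get(sid) if sid else None
    if sess is not None:
        if now - sess.last_seen <= idle_limit(path):
            sess.last_seen = now
            return Response(200, body=f"{path} for {sess.principal}")
        del SESSIONS[sid]   # idle too long for this application: re-authenticate
    provider = cookies.get(PROVIDER_COOKIE)
    if provider in PROVIDERS:
        # Known partner: route through SAML services with the target preserved,
        # so the bookmark survives the federated login.
        query = urlencode({"TARGET": SP_ORIGIN + path})
        return Response(302, location=f"{PROVIDERS[provider]}?{query}")
    # No hint at all: ask rather than guess.
    return Response(200, body="choose your login provider")


def complete_sso(provider: str, principal: str, target: str, session_id: str, now: int) -> Response:
    """After the assertion has been consumed: open the SP session, remember the
    provider for next time, and finish the original deep link."""
    SESSIONS[session_id] = Session(principal=principal, last_seen=now)
    return Response(302, location=safe_target(target),
                    set_cookies={SESSION_COOKIE: session_id, PROVIDER_COOKIE: provider})


if __name__ == "__main__":
    link = "/fleet/manual/737"
    print(handle(link, {}, 1000))                                # chooser
    print(handle(link, {PROVIDER_COOKIE: "swacorp"}, 1000))      # off to the partner IdP
    print(complete_sso("swacorp", "swacorp:jsmith", SP_ORIGIN + link, "s1", 1000))
    print(handle(link, {SESSION_COOKIE: "s1"}, 1500))            # served
```

The provider cookie deliberately carries no identity: it is a routing hint that survives the SP session, so a returning browser with an expired session is sent back to its own partner rather than to a Boeing login page, which is exactly the case the slide says the vendor-specific redirect had to cover.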