Uploaded by leon-quinn, posted 18-Dec-2015

Federated Identity in Practice

Mike Beach, The Boeing Company

Michael Beach, The Boeing Company - 2 -

Federated Identity

Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation.

This applies both within the corporation and across the Internet.

The Boeing Environment

Three user communities

150,000 employees, contractors

80,000 partners, suppliers, customers

1,000,000+ ex-employees, beneficiaries

Three enterprise directories

Comprehensive Sun ONE directory (all people of interest)

Microsoft Active Directory (most employees)

RACF (most employees – but not same employees as MS AD)

Many Boeing web servers

Apache, iPlanet, IIS, ColdFusion, Shadow, Oracle

Over 350 web server platform/version variations

Multiple versions of both Netscape and IE browsers

WSSO Objectives

Simple, consistent user experience

Improved security through centralized access management

Reduction in user accounts and passwords, thus reductions in account administration costs

Applications isolated from authentication mechanisms and authentication technology insertions

Applications agnostic to origin of user’s access (internal or external)

Single sign on across Boeing business domain, including partners, suppliers, customers…

WSSO Key Solution Differentiators

Web Single Sign-on (WSSO) across Boeing and external web sites

Common infrastructure supporting internal and external access, for internal and external users

No control over desktop configuration and no ability to deploy components to the desktop

Leverage existing Boeing infrastructure

The Deployment

Oblix Netpoint infrastructure with 12 Access Servers deployed across 3 geographic regions (plus sand box, development, test, and integration environments – about 50 machines total)

Primarily authentication today, limited authorization

No Identity Management or delegated administration

Custom integration with 5 authentication mechanisms

MS Active Directory

RACF

X.509 personal certificates

Proximity badge

Customer/supplier reverse web proxy user ID and password

Major WSSO Components

[Architecture diagram; the labels below are what survives of it]

Identity and Policy Stores: Corporate Sun ONE Directory (AllPeople, Groups, Oblix Policy), AD, RACF, X.509, Customers/Suppliers

Access Server; Customer Authenticator Service

WebGate in front of Boeing Web Server Content and in front of 3rd Party Web Server Content

Login Hub with Boeing Plugin (Logon via W2K, RACF, Certificate); Login Hub with Boeing Plugin (Logon via PIN); PIN Authentication

Perimeter components (DMZ label on the diagram): Boeing Reverse Proxy, Remote Access Service, SAML Services, WSSO Proxy Services

Web Browser

WSSO Authentication Sources

[Same architecture diagram as "Major WSSO Components", with the authentication sources highlighted]

W2K logon (AD); RACF; X.509 Personal Certificates; External PIN in the DMZ (PIN Authentication); Customers/Suppliers (Customer Authenticator Service)

WSSO Authorization Sources

[Same architecture diagram, with the authorization sources highlighted]

LDAP Group Authorization (Groups); LDAP People Branch (AllPeople); Customer/Supplier Authorization (Customers/Suppliers)

WSSO Perimeter Access Components

[Same architecture diagram, with the DMZ perimeter components and the user populations they serve highlighted]

Components: Boeing Reverse Proxy, Remote Access Service, SAML Services, WSSO Proxy Services

User populations: Typical customers, suppliers; Employees (VPN, Dial); Federated customers, suppliers; External employees, retirees

WSSO-protected Components

[Same architecture diagram, with the WebGate-protected web servers highlighted; on this version the Login Hub labels read Logon W2K / MyInfo Certificate]

Internal Boeing (Web Server Content behind WebGate); External third party suppliers (3rd Party Web Server Content behind WebGate)

WSSO Users

[Same architecture diagram, with the user populations highlighted]

External employees, retirees, customers, suppliers (entering through the DMZ); Internal employees

Milestones

Started RFP 3/2001

Vendor selection 8/2001

Production 12/2001

100,000 logins per day 2/2003

100+ applications in production 4/2003

3rd party web site integration 5/2003

External user integration 5/2003

SAML production 6/2003

Role-based access control Q3/2003

Complete deployment (1000+ applications) End 2004-2005

(The slide marks the current position on this timeline with a "We Are Here" pointer.)

SAML Participants

The Boeing Company

A leading manufacturer of commercial airplanes, space technology, defense aircraft and systems, and communication systems.

Southwest Airlines

A major domestic airline that provides primarily short-haul, high-frequency, point-to-point, low-fare service. Southwest operates over 350 Boeing 737 aircraft in 58 cities.

Oblix Inc.

A leading developer of identity-based security solutions for e-Business networks. The company's flagship product, Oblix NetPoint, is an enterprise identity management and Web access solution that provides an identity infrastructure for dynamic e-Business environments.

SAML Deployment Objectives

Significantly increase the user base of MyBoeingFleet, the secure web portal that provides Boeing customers access to all of the information required to operate and maintain their fleets

Embed MyBoeingFleet more deeply in the airline’s business process. Facilitate the deployment of MyBoeingFleet content directly to the customer maintenance hangar

User will authenticate to their local intranet, click on a link to MyBoeingFleet, and seamlessly access the data and services without a secondary Boeing authentication request

Role-based access control targeted for next year

The SAML Flow

[Sequence diagram; the labels below are what survives of it]

DOMAIN A: swacorp.com: SWA User, SWA Portal, SAML Services

DOMAIN B: Boeing.com: SAML Server / Reverse Proxy (DMZ), Access Server (internal), Target Resource: MyBoeingFleet.com (internal)

Numbered steps on the diagram: 1, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 3, 4 (the step descriptions do not survive in the transcript)

Web Access Management: General Challenges

Managing

Executive expectation

User experience

Hundreds of applications with even more policies

Complexity and reliability

Browsers, web servers, networks, directories, libraries, versions, custom code

Session management

Existing applications typically have embedded session management

Anomalies arise from inconsistent session state

Global “logout” is problematic (hurray for SAML 2.0!)

Security

Vulnerability assessment, with risk mitigation wherever possible, is appropriate

SAML Deployment Considerations

Assertions may need to be constrained to a domain

Boeing defined the authentication mechanism to include both user identity and SAML issuer ID

Support for direct bookmarks

For each web session, prior to a SAML transfer, bookmarks and URL references may not work

Oblix-provided solution creates a persistent “SAML Provider” cookie and implements redirection through SAML services for unauthenticated users

Not part of the SAML standard.

SAML only provides the “introduction”

Boeing content resides inside the Boeing security perimeter.

Had to integrate ObSSOCookie intelligence into the perimeter before users could actually get to content.

Security considerations of interactions across the Internet AFTER the SAML exchange were significant
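What the domain-constraint consideration above amounts to in code, as an added example (it is not Boeing's or Oblix's code): the Boeing-side SAML server accepting a SAML 1.1 authentication assertion from a partner. It assumes the SAML toolkit has already verified the XML signature; the issuer IDs, audience URI, user names, cookie-free design and the fixed clock values are all made up for the demo. The point the slide makes is the last line of consume_assertion: the authenticated principal is the pair (issuer, user), so a partner's IdP can never vouch for a user outside its own namespace.

```python
"""Accept a SAML 1.1 authentication assertion at the relying party.

Added example, not Boeing's or Oblix's code. Assumes the SAML toolkit has
already verified the XML signature; this layer applies the policy the slides
describe: known issuer, validity window, audience, no replay, and a principal
that is (issuer, user) rather than the bare user name.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical trust table: issuer ID -> the only user domain it may assert.
TRUSTED_ISSUERS = {"https://saml.swacorp.com": "swacorp.com"}
EXPECTED_AUDIENCE = "https://myboeingfleet.com"   # hypothetical audience URI
CLOCK_SKEW = timedelta(seconds=120)

# Fixed clock values for the demo (SAML went to production in 6/2003 per the slides).
DEMO_ISSUED = datetime(2003, 6, 1, 12, 0, tzinfo=timezone.utc)
DEMO_NOW = DEMO_ISSUED + timedelta(minutes=1)
DEMO_LATER = DEMO_ISSUED + timedelta(hours=1)


class ReplayCache:
    """Remembers AssertionIDs until they could not be valid any more anyway."""
    def __init__(self):
        self._seen = {}

    def first_use(self, assertion_id, expires, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def _parse_time(value):
    if value is None:
        raise ValueError("missing time attribute")
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, cache, now):
    """Return the federated principal 'issuer|user', or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    issuer = root.get("Issuer")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {issuer!r}")

    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this audience")

    name_id = root.find(
        f"{{{SAML_NS}}}AuthenticationStatement/{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing NameIdentifier")
    user = name_id.text.strip()

    # Domain constraint: a partner IdP may only speak for its own user namespace,
    # so a trusted issuer cannot assert someone@boeing.com or another partner's user.
    if "@" not in user or user.rsplit("@", 1)[1].lower() != TRUSTED_ISSUERS[issuer]:
        raise ValueError(f"issuer {issuer} may not assert {user!r}")

    # One-time use: the same assertion must not log a browser in twice.
    if not cache.first_use(root.get("AssertionID"), not_on_or_after + CLOCK_SKEW, now):
        raise ValueError("assertion replayed")

    # The authenticated identity is the pair, not the bare user name.
    return f"{issuer}|{user}"


def make_assertion(user, issuer="https://saml.swacorp.com", assertion_id="_a1",
                   issued=DEMO_ISSUED, audience=EXPECTED_AUDIENCE):
    """Constructed, unsigned sample assertion for the demo (not a real capture)."""
    nb, noa = issued.strftime(TIME_FMT), (issued + timedelta(minutes=5)).strftime(TIME_FMT)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1" '
        f'AssertionID="{assertion_id}" Issuer="{issuer}" IssueInstant="{nb}">'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
        f'<saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestrictionCondition></saml:Conditions>'
        f'<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
        f'AuthenticationInstant="{nb}"><saml:Subject>'
        f'<saml:NameIdentifier>{user}</saml:NameIdentifier></saml:Subject>'
        f'</saml:AuthenticationStatement></saml:Assertion>'
    )


if __name__ == "__main__":
    cache = ReplayCache()
    print(consume_assertion(make_assertion("jdoe@swacorp.com"), cache, DEMO_NOW))
    try:  # same assertion a second time is a replay
        consume_assertion(make_assertion("jdoe@swacorp.com"), cache, DEMO_NOW)
    except ValueError as err:
        print("rejected:", err)
```

Keying sessions and audit records on the issuer|user pair is what lets two partners both have a "jdoe" without colliding, and it is also the check that makes a compromised partner IdP's blast radius stop at that partner's own users.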

Recommendations

Focus on communication and marketing

Manage expectations

Educate users

Thoroughly understand and plan user experience (within product capabilities)

Consider limiting scope

Integration of legacy technologies can be costly

Each component integrated adds to complexity and impacts overall reliability

Consider adjusting infrastructure to support IAM

Integration to existing infrastructure required significant custom code

Use of a virtual directory could simplify deployment, but probably with an impact to performance

Standards Wish List

Support for direct bookmarks

Bookmarks and URL references (“deep links”) should work, even prior to the initial SAML transfer.

Global logout

Provide the user with an intuitive logout facility that would ensure complete termination of all application sessions and authentication credentials.

Domains of federated security

Users have need for multiple, disconnected federated security domains. For example, separation of business and personal. (Selective logout?)

Security strength of public Internet technologies

Industry needs to deliver technology that prevents cookie vulnerabilities (hijack and replay).

Support for individual application session timeout settings

Several of our application environments consider a session timeout setting (idle time) mandatory.

Authentication State Visibility

It is important for the user to always be aware of their authentication state. Are they authenticated, and to what?
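The direct-bookmark problem raised under SAML Deployment Considerations and again at the top of this wish list, as an added example (not the Oblix solution, whose internals the slides do not show): an unauthenticated request for a deep link is redirected through the partner IdP named in a persistent "SAML Provider" cookie, carrying the bookmarked URL as the TARGET, and the return leg is validated so that TARGET cannot become an open redirect. The cookie and parameter names, the IdP table, the host names and the session-cookie check are assumptions.

```python
"""Deep-link (bookmark) handling in front of a SAML-protected resource.

Added example, not the Oblix or Boeing implementation. A persistent
"SAML Provider" cookie records which partner IdP a browser came from, so an
unauthenticated request for a bookmarked URL is bounced through that IdP
instead of failing. Names, hosts and the provider table are assumptions.
"""
from urllib.parse import urlencode, urlsplit

OWN_HOST = "myboeingfleet.com"
# Hypothetical IdP table: provider id -> inter-site transfer URL at the partner.
SAML_PROVIDERS = {"swacorp": "https://portal.swacorp.com/saml/transfer"}
LOGIN_HUB = "https://login.boeing.example/login"    # hypothetical local login
PROVIDER_COOKIE = "SAMLProvider"                     # assumed cookie name
SESSION_COOKIE = "ObSSOCookie"


def safe_target(target, own_host=OWN_HOST):
    """Canonicalise a TARGET value to an https URL on our own host, or to the
    site root if it points anywhere else. TARGET round-trips through the
    partner and the browser, so an unchecked value is an open redirect."""
    parts = urlsplit(target)
    if parts.netloc and (parts.scheme != "https" or parts.netloc.lower() != own_host):
        return f"https://{own_host}/"
    if not parts.netloc and (not parts.path.startswith("/") or parts.path.startswith("//")):
        return f"https://{own_host}/"          # rejects javascript:, data:, //host
    path = parts.path or "/"
    return f"https://{own_host}{path}" + (f"?{parts.query}" if parts.query else "")


def route_request(path, cookies, valid_sessions):
    """Decide one inbound request: ('serve', path) or ('redirect', location).
    valid_sessions stands in for the Access Server's session check."""
    if cookies.get(SESSION_COOKIE) in valid_sessions:
        return ("serve", path)
    target = safe_target(path)
    provider = cookies.get(PROVIDER_COOKIE)
    if provider in SAML_PROVIDERS:
        # Known federated browser: send it to its own IdP with the deep link as TARGET,
        # so the user never sees a Boeing login page for a bookmarked URL.
        return ("redirect", SAML_PROVIDERS[provider] + "?" + urlencode({"TARGET": target}))
    # No (or unknown) provider cookie: fall back to the local login hub.
    return ("redirect", LOGIN_HUB + "?" + urlencode({"TARGET": target}))


def complete_transfer(provider, target):
    """Return leg, after the SAML server has accepted an assertion from `provider`:
    where to send the browser and which cookie to (re)set. Session issuance
    belongs to the Access Server and is out of scope here."""
    if provider not in SAML_PROVIDERS:
        raise ValueError(f"unknown provider {provider!r}")
    return {
        "location": safe_target(target),
        "set_cookie": [f"{PROVIDER_COOKIE}={provider}; Max-Age=31536000; Path=/; Secure; HttpOnly"],
    }


if __name__ == "__main__":
    print(route_request("/fleet/docs?id=7", {PROVIDER_COOKIE: "swacorp"}, set()))
    print(route_request("/fleet/docs?id=7", {}, set()))
    print(complete_transfer("swacorp", "//evil.example/phish")["location"])
```

The provider cookie is a hint, not a credential: it only chooses which IdP gets asked, and the assertion that comes back still has to pass the issuer and domain checks. The cookie does, however, reveal which partner a browser belongs to, so it should be scoped to the SAML endpoint path in production rather than to the whole site.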