1
Ajay Daryanani, Middleware Engineer, RedIRIS / Red.es
Kopaonik, 13th March 2007
Introduction to Identity Management Systems
2
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
3
Peter Steiner. The New Yorker, 5th July 1993
5
Reasons for IdM: User’s view
• Users WANT to:
- Check their reports
- Use email
- Register for a course
- Borrow a book from the library
- Use the university's Internet connection
- Read the documentation of a course
- …
6
Reasons for IdM: User’s view
• … and they WANT all this:
- Easily
- Safely
- Quickly
- In a flexible way
- Remotely
- Personalized
- Any more?
7
Reasons for IdM: Admin’s view
• System administrators HAVE to provide advanced services to their customers:
- Safely
- Quickly
- Within the budget
- In a flexible way
- Improving the corporate image
- … and according to national laws!
8
Reasons for IdM: Admin’s view
• …and for this, they HAVE to:
- Manage hundreds/thousands of entries
- Manage several services
- Map users to services (1..N, 1..M)
- Use standards
- Include all possible use cases
- Understand and apply the law
- … without losing their private lives :-D
10
IdM Roadmap: First steps
• The simplest case
- Few users
- One application
- Solutions:
- DB
- Whitelist
- BasicAuth
11
IdM Roadmap: Childhood
• Growing up a bit
- Several users
- One/more applications
- May require different access roles (admin, student, professor)
- Solution: directories
12
IdM Roadmap: Maturity
• And more…
- Several users
- Several applications
- Same login for all services: Unified Login
- Avoiding re-authentication: Single Sign-On
13
IdM Roadmap: Going beyond
• And more… (out of scope of this workshop)
- Several users / apps
- Several domains
- Example: different universities, same country
- Solution: federations
14
IdM Roadmap: The last border (?)
• And even more… (far beyond this workshop)
- Several users / apps / domains
- Several federations
- Example: different countries
- Solution: “con-federations”
16
Definitions: (Digital) Identity
• Represents the digital personality of a subject
• Subject represents a user (human/machine)
• Personality is defined by means of attributes
• MUST be unique for a given domain
• MUST preserve user privacy!
• It's your key for accessing the digital world
17
Definitions: (Digital) Credentials
• Identity is proved through credentials
• Examples:
- Real life: birth certificate, fingerprint
- Digital life: password, X.509 certificate
18
Definitions: Attribute
• Models a characteristic of the subject’s personality
• It is often viewed as a name/value(s) pair
• Valid attribute names (and values) are defined in a schema
• Used for access control, personal information, privacy, …
• Example:
- Namespace: urn:mace:terena:org:schac
- Attribute name: schacsn1
- Attribute value: Daryanani
19
Definitions: Authentication
• Process of proving that a subject is who he claims to be
• It verifies user identity
• Conveyed by means of credentials…
• … and results in obtaining authentication token(s)
• Examples of tokens:
- Real life: ID card, passport
- Digital life: cookie, Kerberos ticket
20
Definitions: Authorization
• Process of deciding if a user A is entitled to access service B
• 3 main profiles:
- Authentication = authorization
- Identity + attributes
- Negotiation on attributes to be exchanged
• Authorization can be simple… (Profile 1: if (group = X) then accept)
• Or as complex as you want
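The authorization profiles above, worked through as an added example (not code from the slides): a deny-by-default policy evaluator in the style of "if (group = X) then accept", with the identity provider releasing only the attributes a service's policy needs. Attribute names other than schacsn1, the service names and the policies are constructed for illustration.

```python
# Added example (not from the slides): attribute-based authorization plus the
# attribute release that the "identity + attributes" and "negotiation on
# attributes" profiles need. Names other than schacsn1 are constructed.


class Subject:
    """An authenticated subject: domain-unique identifier plus attributes.
    Attributes are name -> set of values, as in the name/value(s) model."""

    def __init__(self, identifier: str, attributes: dict):
        self.identifier = identifier
        self.attributes = {k: set(v) for k, v in attributes.items()}


# A policy is a list of alternatives; each alternative is a list of
# (attribute, required value) pairs that must all hold (OR of ANDs).
POLICIES = {
    "library": [[("group", "staff")], [("group", "student")]],      # Profile 1
    "grades-admin": [[("group", "staff"), ("role", "professor")]],  # 2 attributes
}


def required_attributes(service: str) -> set:
    """Attributes a service needs to decide: the basis of its release policy."""
    return {name for alt in POLICIES.get(service, []) for name, _ in alt}


def release(subject: Subject, service: str) -> dict:
    """Identity provider side: release only what the service's policy needs,
    so e.g. schacsn1 never reaches a service whose policy ignores it."""
    needed = required_attributes(service)
    return {k: v for k, v in subject.attributes.items() if k in needed}


def authorize(released: dict, service: str) -> bool:
    """Service side: deny by default; accept if any alternative fully holds."""
    for alt in POLICIES.get(service, []):
        if all(value in released.get(name, set()) for name, value in alt):
            return True
    return False
```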
21
Definitions: Unified Login
• System that allows using the same identity for several services
• Does not imply unified authentication
• Example: using the same username/password for webmail and Intranet
• Improves usability
• Eases identity management
• Targeted mainly at intra-domain services
22
Definitions: SSO
• Single Sign-On (SSO) is the process of authenticating once for all the accessible services
• Can also be interpreted as the mechanism for not re-authenticating:
- Between sessions on the same application
- Between different applications
• Authentication status is usually maintained through cookies (in web environment)
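An added example, not from the slides, of how web SSO keeps the authentication status in a cookie: the identity provider issues a signed token once, and webmail, the Intranet or any other application accepts it without re-authenticating until it expires or fails the signature check. The shared secret and the lifetime are constructed for illustration.

```python
# Added example (not from the slides): an SSO cookie shared by several web
# applications. The secret and lifetime are constructed for illustration.
import base64
import hashlib
import hmac
import json
import time

SSO_SECRET = b"constructed-secret-shared-by-idp-and-applications"
TOKEN_LIFETIME = 3600  # seconds the authentication status stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SSO_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user: str, now: float = None) -> str:
    """Identity provider side, run once after a successful login.
    Cookie value: base64url(claims) + "." + HMAC-SHA256(claims)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(cookie: str, now: float = None):
    """Application side (webmail, Intranet, ...): return the user name, or
    None when the cookie is missing, malformed, tampered with or expired.
    The signature is checked before anything in the payload is trusted."""
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        if not hmac.compare_digest(_sign(payload), sig):
            return None  # tampered payload or signature
        claims = json.loads(payload)
    except (ValueError, TypeError, AttributeError):
        return None  # missing or malformed cookie
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # session expired: the user must authenticate again
    return claims.get("sub")
```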
24
Components: Simple picture
Borrowed from: JISC (UK)
25
Components: Complex picture
Borrowed from: JISC (UK)
26
Components: Identity Management Architecture
Borrowed from: Enterprise directory implementation Roadmap, NMI (US)
27
Components: Metadirectory
• Used to synchronize information from different data sources
• Provides unified view of records maintained at data sources
• Feeds the directory/directories
• Other features:
- Control of the information flow
- Data transformation
- Data correlation
- Person identification
28
Components: Directory
• Centralized information repository
- Deep hierarchy
- Optimized for read access
- Can provide different views of the same information
• Directories need:
- Schema
- Attribute values
- Identifiers
29
Components: Data Sources
• Repositories where data is actually written
• An institution may have several sources:
- Alumni
- Payroll
- Departmental DBs
• Relational databases are an example of data sources
- Offer better write/update performance (vs. directories)
30
Components: Provisioning
• It's the process of managing an identity
• Includes:
- Adding an account
- Modifying
- Suspending
- Resuming
• De-provisioning implies ending the lifecycle of an identity
• Resources can also be provisioned
31
Components: Trust
• Do not trust anyone…
• … until it proves to be trustworthy!
• Should be maintained between a user and his identity holder
• But also between your identity holder and identity consumers
• Implies:
- Dependence on the trusted party
- Reliability of the trusted party
- Risk!!!
32
Components: Management Interfaces
• Administrators also have needs!
• Provide means for information homogenization:
- Components from different parties are not always meant to cooperate with others
- Administrators may need tailored functionality
- IdM can be overwhelming :-D
• Allow users to manage (partially) their own data => self-service
33
Components: Diagnostics
• What if something fails?
• IdM comprises different data sources and the interactions between them
• Useful mechanisms for diagnostics are auditing and logging
• IdMs lack features on diagnostics
- Although some proprietary solutions include diagnostic tools
• Recommendations:
- Log, log, log!!!
- Create custom management interfaces
- Do a good design
34
Components: Security and usability
• IdMs enhance security
- For identities: ARPs (attribute release policies), data protection rules
- For applications: trust, cryptography
• De-provision
• But users are humans (and make mistakes: phishing!)
• IdMs improve user experience and satisfaction
35
Components: AAIs
• Authentication and Authorization Infrastructures (AAIs)
• All we have seen up to now is now viewed as an IdP (Identity Provider)…
• … as opposed to an SP (Service Provider)
• New actor: Attribute Authorities
• AAIs include communication protocols and profiles to connect these components
- Usually include SSO, federation capabilities…
36
Components: AAIs
• No user registration and user data maintenance at resource needed
• Single login process for the users
• Enlarged user communities for resources
• Efficient implementation of inter-institutional access
38
Tools and protocols: Provisioning
• Resource provisioning is the provisioning of identities to the systems and services that the identity is entitled to use
• SPML
- Open standard protocol for the integration and interoperation of service provisioning requests
- It's an OASIS standard
- http://www.oasis-open.org/
- http://www.openspml.org/
39
Tools and protocols: Trust
• Public Key Infrastructures (PKIs)
• Certificates are based on public keys
• Enable a digital certificate identifying an individual or an organization to be:
- Issued
- Revoked
- Validated
• Composed of:
- Root CA
- Certificate Authority (CA)
- Registration Authority (RA)
- Directory to store user certificates
- Certificate revocation lists (CRLs)
40
Tools and protocols: Feds and more
• Software for building federations
- Shibboleth: http://shibboleth.internet2.edu/
- PAPI: http://papi.rediris.es
- A-Select: http://a-select.surfnet.nl
- Liberty Alliance protocols: http://www.projectliberty.org/
• Federation interoperability software
- eduGAIN: http://www.terena.nl/activities/eurocamp/april06/slides/day2/eduGAIN.ppt
41
Tools and protocols: IdM suites
• Sun Microsystems: http://www.sun.com/software/products/identity/offerings.jsp
• Oracle: http://www.oracle.com/products/middleware/identity-management/identity-management.html
• IBM: http://www-306.ibm.com/software/sw-bycategory/
• Novell: http://www.novell.com/solutions/securityandidentity/
42
IdM References
• The Open Group: Identity Management http://www.opengroup.org/projects/idm/uploads/40/9784/idm_wp.pdf
• Identifiers, Authentication, and Directories: Best Practices for Higher Education http://middleware.internet2.edu/internet2-mi-best-practices-00.html
• Wikipedia http://en.wikipedia.org/wiki/Identity_management
• … and Google, of course
43
Edificio Bronce, Plaza Manuel Gómez Moreno s/n, 28020 Madrid, España
Tel.: 91 212 76 20 / 25, Fax: 91 212 76 35, www.red.es