Post on 19-Dec-2015
Orange's ID Selector: A New Tool in the Authentication Scheme
The European e-Identity Management Conference, London June 10th 2010
Philippe Clément Head of Identity Marketing, Orange-FT Group Strategic Marketing [email protected]
EEMA 2010 June 10th - page 2
Agenda
1. General Overview
2. The Business and Identity Evolutions
3. Orange ID Selector
• A necessary Evolution in Authentication Tools
• What is it ?
• Benefits
• The foundations
• How it works
• RP integration
• Where to get it ?
Orange / FT Group Worldwide
• Worldwide:
– 182M customers on 5 continents
– 122M mobile customers
– 53.5 b€ consolidated sales
– World leader in telco services for Enterprises
• In Europe:
– 3rd mobile operator
– 1st Internet Services provider
– 12,7M broadband customers
– 6.5M VoIP customers
• In France:
– 25M mobile customers
– 21.8M fixed-lines customers
– 8.8M internet customers
– 6.5M livebox sold (internet, voice-over-IP, ADSL TV and domestic Liveservices)
– 4.1M VoIP customers
– 23,7 million unique visitors (UV) on www.orange.fr
– FTTH pre-deployment
Business Evolution
From the original landline … to multi-screen services
[Figure: Fixed-lines, Mobiles, Internet - VoIP, TV]
Building the Identity Management
• Phase 1: The Internet Identity (1996)
– Identities are created for contract holders and other identities for the household
• Phase 2: The Mobile Identity (2002)
– Identities are created for mobile users
• Phase 3: The convergence of Internet and Mobile Identities (Q2 07)
– Convergent offers are provided for mobile and internet users
– Ability for an Internet+Mobile user to merge his 2 identities
• Phase 4: The externalization of the Orange Identity (Q3 07)
– Orange users can authenticate on 3rd party services
• Phase 5: Opening Orange Services to external Identities (Q3 2008)
– Users can authenticate on Orange Portals with their usual Identities (Google, Yahoo, MSN, OpenID
• Phase 6: Orange allows any user to authenticate on any site with any Identity (Q2 2010)
Identity figures
• Orange Identity today:
– 100M+ reliable Identities worldwide
– 45M identities in France
• 185+ services federated to Identity Platform covering:
– Web portal services, Widgets, desktop applications, VoIP, IPTV
– WAP and Mobile applications
– Other device-based applications around the Livebox® home gateway
• Due to network-based authentication mechanisms, Orange delivers enhanced user experiences
– On mobile: SIM cards fully transparent authentication
– On web: DSL-based implicit authentication + multi-level “last known users” management
– 90% of Orange users do not need to enter a user name/password to access their accounts because of these advanced identification mechanisms based on device recognition
– When introduced in France, this feature doubled service usage of the Orange communication services
– SSO and APIs for internal and external use (based on Liberty Alliance principles)
– 7 countries (and growing) use Orange Group Identity: France, UK, Belgium, Spain, Switzerland, Slovakia, Romania
Announcement
Orange presented its ID Selector in Trial mode
At the Kuppinger Cole EIC, Munich May 6th 2010
Orange ID Selector: A Necessary Evolution in Authentication Tools
• Historical Approach in Normalization Bodies
The COT (Circle Of Trust) defines the relationship between the User, the RP (Relying Party) and the IdP (Identity Provider)
[Diagram: User, Relying Party, Identity Provider]
A strong relationship exists between one RP and one IdP
The RP addresses one IdP
The user authenticates through one IdP at the RP
Orange ID Selector: A Necessary Evolution in Authentication Tools
• Trends and Needs
In real life, a user visits many RPs and has different identities
[Diagram: User, Relying Party, Identity Providers]
The user wants to keep a simple way to authenticate with their preferred IdP, whatever the RP
The RP wants to leverage the diversity of IdPs to grow and maintain its audience…
And has to manage the diversity of different protocols…
One IdP can be in relation with many RPs…
The selection of the IdP for a user becomes crucial
Orange ID Selector: What is it ?
• What is Orange ID Selector ?
A graphical tool aimed at facilitating the authentication phase
[Diagram: User, Relying Party and Identity Provider, linked through the ISA*]
* ISA: Identity Provider Selection Agent
The RP easily addresses the majority of main IdPs to increase its audience
IdPs extend their footprint on many RPs
The user easily uses the same tool to access IdPs whatever the RP
Orange ID Selector reconciles the expectations of the 3 actors
Orange ID Selector: Benefits
• The Benefits for the User
– Standard and friendly User Interface
– Reuse of existing and usual identity, no need to create yet another login and password on third party websites
– Eases the registration process on the RP
• The Benefits for the RP
– Quick and easy integration (< 1 day)
– No need to manage/integrate many IdPs with different protocols => Significant reduction of IdPs integration costs
– Improve users registration rate (~ x2)
– GUI control
• The Benefits for the IdP
– Extend their footprint to many RPs
– Reliable tool with ad hoc protocols management
– Due to the architecture, the IDP keeps a direct business relationship with the RP
Orange ID Selector: The Foundations
• Orange ID Selector stems from the work of Identity Normalization Bodies
Previous work in Liberty Alliance BMEG (Business and Marketing Expert Group) and Kantara Initiative (IdP Selection WorkGroup) resulted in the introduction of this new actor : the ISA*, without preconceived ideas on the nature of such actor (software installed on the user's device or entity in the network accessed through vanilla browsers or …).
This work has led to the production of a Marketing Requirement Document that describes particular Use Cases for organizing exchanges between the different actors and generic requirements that are derived from these use-cases.
Concrete work has already been initiated in Liberty Alliance and now in Kantara Initiative based on this MRD in order to deliver :
– GUI and UX guidelines for ISAs*,
– Technical specifications to standardize the exchanges between all involved actors (beginning with a Gap Analysis that identified required evolutions in existing specifications taking into account SAML, OpenID and Infocard specs),
– Implementation guidelines.
Orange ID Selector will comply with these specifications and benefit from this standardization effort.
* ISA: Identity Provider Selection Agent
Orange ID Selector: The User Journey
[Figure: user journey screens, with steps marked "(Optional for registration)" and "(Optional if memorized)"]
Orange ID Selector: Flows
[Diagram: Partner website, Orange ID Selector and Identity Provider, with arrows numbered 1 to 6]
1. The end user clicks on the partner site on a personalized zone that needs authentication.
2. The partner site redirects him to the Orange ID Selector GUI.
3. Orange ID Selector redirects the end user to the appropriate IDP.
4. The end user authenticates on his favorite IDP.
5. The IDP redirects the end user to Orange ID Selector with the result of the authentication.
6. Orange ID Selector redirects the end user to the partner web site.
The partner can fetch more info about the user (authentication result, profile, social network, OAuth token, PAPI token, etc.) with a server to server call.
The partner can authenticate or register the user if he is a new user.
Orange ID Selector: Flows
[Sequence diagram between: Relying party, ID Selector, IDP, User agent]
1. Request RP page
2. Get RP page, containing a URL to the selector
3. Request the selector
4. Get the selector code and resources
5. Ask to authenticate with an IDP
6. Redirect to the IDP
7. Redirect to ID Selector
8. Redirect to the RP
9. Ask authentication result
10. Send authentication result
11. Serve an authenticated page
Phases labelled on the diagram: Load the selector from the RP page; Trigger IDP request; IDP Response
Parameters annotated on the diagram:
+ Application ID
+ Application ID + Return URL + Chosen IDP with options
+ Authentication result (OK/KO) + Response ID
+ Application ID + Partner Password + Response ID
If needed: User authentication / privacy management
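The relying-party side of steps 8 to 10 above, as an added example that is not Orange's code or API: the result that arrives through the browser redirect is ignored, and only the server-to-server answer for the Response ID decides whether the user is logged in. The parameter names (`state`, `response_id`, `result`), the per-login `state` value and the `fetchResult` stub are assumptions made for illustration, as is the mapping of the diagram's parameters to steps 8 and 9.

```javascript
// Added example: constructed identifiers and hypothetical interfaces, not Orange's API.
const crypto = require('node:crypto');

const APP_ID = 'demo-app';               // constructed Application ID
const PARTNER_PASSWORD = 'demo-secret';  // constructed; lives only on the RP server

// Stand-in for the ID Selector back end reached in steps 9-10. `issued` maps
// each Response ID to what the IDP really answered.
function makeSelectorStub(issued) {
  return function fetchResult(appId, password, responseId) {
    if (appId !== APP_ID || password !== PARTNER_PASSWORD) return null;
    return issued.get(responseId) || null;
  };
}

function makeRelyingParty(fetchResult) {
  const pending = new Map();   // state -> session that started the login
  const consumed = new Set();  // Response IDs already redeemed
  return {
    // Step 5: bind the login attempt to the browser session. The state value
    // is an assumption: the RP appends it to its own return URL.
    startLogin(sessionId) {
      const state = crypto.randomBytes(16).toString('hex');
      pending.set(state, sessionId);
      return state;
    },
    // Steps 8-10: the browser comes back with query parameters.
    handleReturn(sessionId, query) {
      if (!query.state || pending.get(query.state) !== sessionId) return { ok: false, reason: 'state-mismatch' };
      pending.delete(query.state);                 // one return per login attempt
      if (consumed.has(query.response_id)) return { ok: false, reason: 'replayed-response' };
      consumed.add(query.response_id);
      // query.result travelled through the browser, so it is not trusted.
      // Only the server-to-server answer decides.
      const verified = fetchResult(APP_ID, PARTNER_PASSWORD, query.response_id);
      if (!verified || verified.result !== 'OK') return { ok: false, reason: 'not-verified' };
      return { ok: true, user: verified.user };
    },
  };
}

// Constructed demo data: one successful and one failed authentication.
const demoIssued = new Map([['r-1', { result: 'OK', user: 'alice' }], ['r-2', { result: 'KO' }]]);
const demoRp = makeRelyingParty(makeSelectorStub(demoIssued));
const demoState = demoRp.startLogin('sess-A');
console.log(demoRp.handleReturn('sess-A', { state: demoState, response_id: 'r-2', result: 'OK' }));
```

The demo call shows a browser-supplied `result=OK` being rejected because the selector's own record for that Response ID says KO.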
Orange ID Selector: RP integration
• User Guide
– We provide two user guides for the RP.
– A "quick start guide" to integrate and test Orange ID Selector in less than half a day.
– A "Reference integration guide" which contains all integration details.
– These documents will be available online on the web site.
• Process
– You apply for using Orange ID Selector and get your credentials by sending a message to: [email protected]
– You register on our ID selector website.
– You create and configure your own Orange ID Selector instance. It's ready to use with a minimal set of IdPs.
– You add and configure additional IdPs as needed.
– We provide a pre-production / production configuration system to fit your integration / production platform.
Orange ID Selector: RP integration
• Some Code Example
– To load the JavaScript API, just add these lines at the bottom of your site (just before the </body> tag):
<script src="http://[application-identifier].connect.orange.fr/loadwidget" type="text/javascript"></script>
<script type="text/javascript">
// Optional parameters …
</script>
– Add a link in the HTML code of your website to trigger the popup when the user clicks on the link. For example:
<a class="OrangeConnect" href="http://[application-identifier].connect.orange.fr/showwidget/popup?return_url=[partner-return-url]">Sign In</a>
• Where to find it running ?
– Find all needed information on our website: http://idselector.orange.com/
Thank you
Please send us an email at [email protected] to request implementation of Orange's ID Selector
Please visit http://www.quizagain.com and http://idselector.orange.com/ to see how it works
And www.orangepartner.com for more details on Orange's APIs