
Orange's ID Selector: A New Tool in the Authentication Scheme

The European e-Identity Management Conference, London, June 10th 2010

Philippe Clément, Head of Identity Marketing, Orange-FT Group Strategic Marketing, [email protected]

EEMA 2010 June 10th - page 2

Agenda

1. General Overview

2. The Business and Identity Evolutions

3. Orange ID Selector
  • A necessary evolution in authentication tools
  • What is it?
  • Benefits
  • The foundations
  • How it works
  • RP integration
  • Where to get it?


Orange / FT Group Worldwide

• Worldwide:
  – 182M customers on 5 continents
  – 122M mobile customers
  – 53.5 b€ consolidated sales
  – World leader in telco services for enterprises

• In Europe:
  – 3rd mobile operator
  – 1st Internet services provider
  – 12.7M broadband customers
  – 6.5M VoIP customers

• In France:
  – 25M mobile customers
  – 21.8M fixed-line customers
  – 8.8M Internet customers
  – 6.5M Livebox sold (Internet, voice-over-IP, ADSL TV and domestic Liveservices)
  – 4.1M VoIP customers
  – 23.7 million unique visitors (uv) on www.orange.fr
  – FTTH pre-deployment


Business Evolution

From the original landline … to multi-screen services (fixed lines, mobiles, Internet/VoIP, TV)

Building the Identity Management

• Phase 1: The Internet Identity (1996)
  – Identities are created for contract holders, and other identities for the household

• Phase 2: The Mobile Identity (2002)
  – Identities are created for mobile users

• Phase 3: The convergence of Internet and Mobile Identities (Q2 07)
  – Convergent offers are provided for mobile and Internet users
  – Ability for an Internet+Mobile user to merge his 2 identities

• Phase 4: The externalization of the Orange Identity (Q3 07)
  – Orange users can authenticate on 3rd party services

• Phase 5: Opening Orange Services to external Identities (Q3 2008)
  – Users can authenticate on Orange portals with their usual identities (Google, Yahoo, MSN, OpenID)

• Phase 6: Orange allows any user to authenticate on any site with any identity (Q2 2010)

Identity figures

• Orange Identity today:
  – 100M+ reliable identities worldwide
  – 45M identities in France

• 185+ services federated to the Identity Platform, covering:
  – Web portal services, widgets, desktop applications, VoIP, IPTV
  – WAP and mobile applications
  – Other device-based applications around the Livebox® home gateway

• Due to network-based authentication mechanisms, Orange delivers enhanced user experiences:
  – On mobile: fully transparent SIM-card authentication
  – On web: DSL-based implicit authentication + multi-level "last known users" management
  – 90% of Orange users do not need to enter a user name/password to access their accounts, because of these advanced identification mechanisms based on device recognition
  – When introduced in France, this feature doubled service usage of the Orange communication services

• SSO and APIs for internal and external use (based on Liberty Alliance principles)

• 7 countries (and growing) use Orange Group Identity: France, UK, Belgium, Spain, Switzerland, Slovakia, Romania


Announcement

Orange presented its ID Selector in trial mode at the Kuppinger Cole EIC, Munich, May 6th 2010

Orange ID Selector: A Necessary Evolution in Authentication Tools

• Historical approach in normalization bodies

The COT (Circle Of Trust) defines the relationship between the User, the RP (Relying Party) and the IdP (Identity Provider). [Diagram: Relying Party, Identity Provider, User]

A strong relationship exists between one RP and one IdP: the RP addresses one IdP, and the user authenticates through one IdP at the RP.

Orange ID Selector: A Necessary Evolution in Authentication Tools

• Trends and needs

In real life, a user visits many RPs and has different identities. [Diagram: Relying Party, Identity Providers, User]

The user wants to keep a simple way to authenticate with their preferred IdP, whatever the RP.

The RP wants to leverage the diversity of IdPs to grow and maintain its audience… and has to manage the diversity of different protocols…

One IdP can be in relation with many RPs…

The selection of the IdP for a user becomes crucial.

Orange ID Selector: What is it?

• What is Orange ID Selector?

A graphical tool aimed at facilitating the authentication phase. [Diagram: Relying Party, ISA*, Identity Provider, User]

* ISA: Identity Provider Selection Agent

The RP easily addresses the majority of the main IdPs to increase its audience.

IdPs extend their footprint to many RPs.

The user easily uses the same tool to access IdPs, whatever the RP.

Orange ID Selector reconciles the expectations of the 3 actors.

Orange ID Selector: Benefits

• The benefits for the User
  – Standard and friendly user interface
  – Reuse of an existing and usual identity, no need to create yet another login and password on third-party websites
  – Eases the registration process on the RP

• The benefits for the RP
  – Quick and easy integration (< 1 day)
  – No need to manage/integrate many IdPs with different protocols => significant reduction of IdP integration costs
  – Improved user registration rate (~ x2)
  – GUI control

• The benefits for the IdP
  – Extend their footprint to many RPs
  – Reliable tool with ad hoc protocol management
  – Due to the architecture, the IdP keeps a direct business relationship with the RP

Orange ID Selector: The Foundations

• Orange ID Selector originates from identity normalization bodies

Previous work in the Liberty Alliance BMEG (Business and Marketing Expert Group) and the Kantara Initiative (IdP Selection Work Group) resulted in the introduction of this new actor, the ISA*, without preconceived ideas on the nature of such an actor (software installed on the user's device, an entity in the network accessed through vanilla browsers, or …).

This work has led to the production of a Marketing Requirement Document (MRD) that describes particular use cases for organizing exchanges between the different actors, and generic requirements derived from these use cases.

Concrete work has already been initiated in Liberty Alliance, and now in Kantara Initiative, based on this MRD in order to deliver:

– GUI and UX guidelines for ISAs*,

– Technical specifications to standardize the exchanges between all involved actors (beginning with a gap analysis that identified required evolutions in existing specifications, taking into account the SAML, OpenID and Infocard specs),

– Implementation guidelines.

Orange ID Selector will comply with these specifications and benefit from this standardization effort.

* ISA: Identity Provider Selection Agent

Orange ID Selector: How it works

• GUI
  – User GUI
  – RP Admin GUI

Orange ID Selector: The User Journey

[Screenshots of the user journey; the only surviving annotations are "(Optional for registration)" and "(Optional if memorized)".]

Orange ID Selector: Flows

[Diagram: Orange ID Selector, partner website and identity provider, with numbered arrows 1 to 6]

1. The end user clicks, on the partner site, on a personalized zone that needs authentication.

2. The partner site redirects him to the Orange ID Selector GUI.

3. Orange ID Selector redirects the end user to the appropriate IDP.

4. The end user authenticates on his favorite IDP.

5. The IDP redirects the end user to Orange ID Selector with the result of the authentication.

6. Orange ID Selector redirects the end user to the partner web site.

The partner can fetch more info about the user (authentication result, profile, social network, OAuth token, PAPI token, etc.) with a server-to-server call.

The partner can authenticate the user, or register him if he is a new user.

Orange ID Selector: Flows

[Sequence diagram with four participants: User agent, Relying party, ID Selector, IDP]

1. Request RP page.

2. Get RP page, containing a URL to the selector.

3. Request the selector.

4. Get the selector code and resources.

5. Ask to authenticate with an IDP.

6. Redirect to the IDP.

7. Redirect to ID Selector.

8. Redirect to the RP.

9. Ask authentication result.

10. Send authentication result.

11. Serve an authenticated page.

Data annotated on the diagram:

– Load the selector from the RP page: + Application ID

– Trigger IDP request: + Application ID + Return URL + Chosen IDP with options

– IDP response: + Authentication result (OK/KO) + Response ID

– Ask authentication result: + Application ID + Partner Password + Response ID

– At the IDP, if needed: user authentication / privacy management
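The relying-party side of steps 8 to 11, as an added example that is not part of the original deck or of Orange's integration kit: it treats the front-channel OK/KO as a hint only, confirms the result through the server-to-server call with the Application ID, Partner Password and Response ID, and refuses replayed or unsolicited responses. It assumes the Response ID reaches the RP on the step 8 redirect; the query parameter names `result` and `response_id`, the credentials and the stubbed selector endpoint are assumptions, not documented on the page.

```javascript
// Added example, not Orange's code: a relying-party handler for steps 8 to 11 of
// the sequence above. The ID Selector back channel is simulated by a stub; the
// application ID, partner password, parameter names and response IDs are constructed.
const APPLICATION_ID = "app-example";        // placeholder, assumed
const PARTNER_PASSWORD = "partner-secret";   // placeholder, assumed

// Stub of the ID Selector's server-to-server endpoint (steps 9 and 10): it
// answers only with the correct application credentials, and each Response ID
// can be consumed once.
function makeSelectorStub(results) {
  const store = new Map(Object.entries(results));
  return {
    askAuthenticationResult(appId, partnerPassword, responseId) {
      if (appId !== APPLICATION_ID || partnerPassword !== PARTNER_PASSWORD) return null;
      const r = store.get(responseId) ?? null;
      store.delete(responseId);                 // single use: no replay
      return r;
    },
  };
}

// RP side. `session` is the browser session that, in step 5, triggered the IDP
// request; `query` holds the parameters carried by the step 8 redirect
// (names `result` and `response_id` are assumed, not documented on the page).
function handleSelectorReturn(session, query, selector) {
  if (!session.selectorPending) {
    return { ok: false, reason: "unsolicited response" };  // no step 5 from this session
  }
  session.selectorPending = false;             // one redirect per triggered request
  // The front-channel OK/KO is user-controlled; it only short-cuts the
  // back-channel call on KO and is never grounds for logging the user in.
  if (query.result !== "OK") return { ok: false, reason: "front-channel KO" };
  const verified = selector.askAuthenticationResult(APPLICATION_ID, PARTNER_PASSWORD, query.response_id);
  if (!verified || verified.status !== "OK") {
    return { ok: false, reason: "back-channel result missing or KO" };
  }
  session.user = verified.user;                // authenticate or register (step 11)
  return { ok: true, user: verified.user };
}

// Constructed scenario: the selector knows one result, for Response ID "resp-1".
function runScenario() {
  const selector = makeSelectorStub({ "resp-1": { status: "OK", user: "alice@idp.example" } });
  const good = handleSelectorReturn({ selectorPending: true }, { result: "OK", response_id: "resp-1" }, selector);
  const replay = handleSelectorReturn({ selectorPending: true }, { result: "OK", response_id: "resp-1" }, selector);
  const forged = handleSelectorReturn({ selectorPending: true }, { result: "OK", response_id: "resp-9" }, selector);
  const unsolicited = handleSelectorReturn({ selectorPending: false }, { result: "OK", response_id: "resp-1" }, selector);
  return { good, replay, forged, unsolicited };
}
```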

Orange ID Selector: RP integration

• User guide
  – We provide two user guides for the RP.
  – A "quick start guide" to integrate and test Orange ID Selector in less than half a day.
  – A "reference integration guide" which contains all integration details.
  – These documents will be available online on the web site.

• Process
  – You apply for using Orange ID Selector and get your credentials by sending a message to: [email protected]
  – You register on our ID Selector website.
  – You create and configure your own Orange ID Selector instance. It's ready to use with a minimal set of IdPs.
  – You add and configure additional IdPs as needed.
  – We provide a pre-production / production configuration system to fit your integration / production platform.

Orange ID Selector: RP integration

• Some code example

– To load the JavaScript API, just add these lines at the bottom of your site (just before the </body> tag):

    <script src="http://[application-identifier].connect.orange.fr/loadwidget" type="text/javascript"></script>
    <script type="text/javascript">
      // Optional parameters …
    </script>

– Add a link in the HTML code of your website to trigger the popup when the user clicks on the link. For example:

    <a class="OrangeConnect" href="http://[application-identifier].connect.orange.fr/showwidget/popup?return_url=[partner-return-url]">Sign In</a>

• Where to find it running?
  – Find all needed information on our website: http://idselector.orange.com/

Thank you

Please send us an email at [email protected] to request implementing Orange's ID Selector.

Please visit http://www.quizagain.com and http://idselector.orange.com/ to see how it works, and www.orangepartner.com for more details on Orange's APIs.

[email protected]