Federated Identity Management


Ajoy Kumar 12/20/2004



Introduction

What is Identity?
Iden•ti•ty [noun]: The set of behavioral or personal characteristics by which an individual is recognizable as a member of a group [1].

From the moment a child is born, he has an identity. Identity starts with a name on a birth certificate and an SSN and evolves over time. Labels, interactions and relationships grow as a person interacts with a larger group of individuals and organizations. While the family and friends of a person understand him deeply, to organizations he is just a number. In the current world, pieces of identity are spread around endless entities: banks, schools, insurance companies, credit card providers, medical service providers, employers, pension funds, etc. In more recent times the Internet has caused an explosion of these entities: multiple email accounts, multiple member web sites, multiple ISPs, content-providing web sites, bulletin boards, instant messengers, e-commerce, and multiple computer systems and networks. This all happens with almost no coordination, causing huge frustration to the people involved, as there is repetition (and the resulting lack of discipline causes serious problems such as identity theft) and difficulty in the overall management of roles and identities [1,3,5,6]. More frustration is added as personal relationships, business relationships and identities continuously change. An individual is at the core of all identities.

All users create personalized identities to use the Internet. The enterprises and web sites they interact with create their own digital identities to provide individuals with secure access to services and online resources. Identities are required for access to specific resources and personalized services. The list of such resources includes merchandise web sites, banks, brokerage houses, tax services, payroll services, email services, results of a doctor's tests (new, but available now); the list is really long. Multiple identities are the norm, and the proliferation of identities creates a major challenge. In practice, whenever a company or a user takes short cuts, the result is increased management cost and increased security risk.

Challenges of Identities:
Identity not only proves an individual's claim to be who he says he is (authentication); it extends to what a person can do (authorization) or what resources he can access. Identities pose a challenge in all walks of life; they span individuals, organizations and government. Identity is at the core of any information-sharing transaction: government to citizen, government to business, or government to government [2]. The challenges of identity may be categorized as:

Individual:
An individual's identity is vital and is driven mostly by birth certificate, SSN, driver's license, employment records, tax records, pension records, and marriage and death records. Any compromise results in major concerns in one's life. Most of these documents are held securely by the government.

Government:
Government faces an enormous, multi-fold challenge in providing services to individuals, states, corporations and other countries. Government probably faces this challenge in every field; some recent initiatives in identity protection are worth noting: Homeland Security Directive 12, US-VISIT and the Registered Traveler Program. E-government initiatives are highly dependent on identity management.

Enterprise:
Enterprises also have multi-fold challenges, but they can be broadly classified as internal and external challenges. External challenges are primarily in the areas of e-commerce, business-to-business transactions and regulatory compliance (HIPAA, SOX, etc.). Internally, an individual may rely on multiple identities: an employee may need to authenticate to a database, an application or a service using completely different mechanisms. Once outside the organization, the problem is compounded. Multiple organizations will hold multiple instances of identity and attribute information. The problem of effectively managing all these identities is enormously complex, resulting in ineffective identity management [3].


Purpose of this paper:

In this paper I discuss industry initiatives on Federated Identity Management (FIM). I also cover the multiple purposes served by FIM.

An identity consists of traits, attributes, and preferences upon which one may receive personalized services. Such services could exist online, on mobile devices, at work, or in many other places [2].


Federated Identity Management:

“Federated Identity”: The standards for federation established by OASIS and the Liberty Alliance Project define mechanisms for companies to share identity information between domains. As a result of federation, companies are now able to create identity-based applications (such as federated single sign-on) that enable increased access to cross-boundary information [17].

Federated Identity Management makes it possible for an authenticated identity to be recognized and take part in personalized services across multiple domains. It avoids the pitfalls of centralized storage of personal information, while allowing users to link identity information between different accounts. Users control the linking of accounts (to an extent) and the personalization of services. Federated identity requires two key components: trust and standards [2]. The trust model of Federated Identity Management is based on the Circle of Trust.

Circle of Trust

Picture Adapted from White Paper Federated Identity Management [18]

In the example above, person Mr. X has one identity (for simplicity) and two profiles, a Work Profile (WP) and a Home Profile (HP). In his work profile he is known to Identity Server (ID1), and based on his Circle of Trust he has access to Supplier Services (SS), which enable him to interact with Supplier 1 and Supplier 2 (these can be the suppliers' web sites). He also has access to other Office Services (OS), which enable him to use email, calendar and other services based on his circle of trust. In his home profile he is identified by Identity Server (ID2) and has access to Family Services (FS), which in turn may provide other Name Services (NS). He also has access to Integrated Services (SI), which may enable him to interact with banks, credit card companies, etc. [4].

This demonstrates the partial identities of an individual. Partial identity enables controlled disclosure. A circle of trust is a concept that identifies that this user is well known in this community for certain services. The circle of trust has its origin in the days of Lloyd's club of London.


Example of Travel Federation

In the example below [18], consumers are able to move between companies by using a shared sign-on. This pushes companies to do adequate authentication, trusting, provisioning and identity management. Federated Identity Management (FIM), or the management of identities across corporate boundaries, has recently emerged in response to the desire to simplify the way in which individuals (consumers) are able to move between companies [18].

FIM allows the management of identities within an enterprise and between organizations.

Travel Federation

Picture Adapted from White Paper Federated Identity Management [18]

FIM between multiple enterprises is becoming the norm. Furthermore, the hard boundaries of today's corporate firewalls are at least becoming semi-transparent. This raises the need for transparent movement of identities (individuals) between controlled perimeters.

IBM has integrated FIM to provide a standardized mechanism for simplifying identity management and identity transformation across the boundaries of an enterprise. IBM's solution leverages a federation of services. These services serve as the building blocks of an enterprise.

FIM functionality is logically represented by services in the picture below. IBM Tivoli FIM functionality is built around the trust infrastructure implemented by the FIM Trust Service. The individual services may exist as distinct services or as logical services within the overall trust service. Here the Authorization Services, SSO Services, Trust Services, Provisioning Services and Identity Services become part of the circle of trust and offer a model of trust federation. A user, once authenticated and based on his/her provisioning, has the ability to traverse all services in an enterprise with a single sign-on operation [19].

FIM Functionality

Picture from IBM’s Redbook on Federated Identity Management [19]


Industry Initiatives:
There are a number of initiatives in this direction to simplify the challenges of identity management and facilitate Single Sign-On. Here are three major initiatives [1, 2, 3, 6, 8, 9, 10, 13 and 14]:
  1. OASIS and SAML
    The Security Assertion Markup Language (SAML) is an XML-based specification developed by the Organization for the Advancement of Structured Information Standards (OASIS). SAML [10] provides a common language for three kinds of assertions:
    1. Authentication assertions: declarations about a user's identity.
    2. Attribute assertions: particular details about a user.
    3. Authorization decision assertions: what the user is allowed to do at a particular site.
    Assertions are issued by SAML authorities (server-based applications). When an individual or a machine successfully requests access to a resource under protection (of access control), a SAML authority issues a digitally signed token that the individual or machine can use for further requests without re-authenticating on any domain that trusts the SAML authority (the issuer of the token).

  2. Microsoft, IBM, and the WS- Roadmap
    Microsoft and IBM jointly published a white paper outlining a roadmap for the development of a set of Web service security specifications. WS-Security, the first jointly developed specification, offers methods for attaching security tokens to messages. These tokens include tokens for identity.

  3. Liberty Alliance
    The Liberty Alliance is an initiative from a majority of the industry for the development of Federated Identity Management. It broadly covers three specifications [4]:
    1. Liberty Identity Federation Framework (ID-FF): provides SSO, account linking, anonymity, affiliations and options for metadata exchange.
    2. Liberty Identity Web Services Framework (ID-WSF): provides Permission Based Attribute Sharing, Identity Service Discovery, Interaction Service Security Profiles and Identity Service Templates.
    3. Liberty Identity Services Interface Specifications (ID-SIS): allows interoperable services to be built over ID-WSF. These services range from simple ones such as a contact book or calendar to more sophisticated ones such as geo-location. Interoperability is offered through the use of context-dependent agreed schemas.

These specifications can be used independently as well as in combination. IBM has lately (late October 2004) joined the Liberty Alliance [13], and there is a possibility of synergy between SAML and Liberty in developing an accepted converged standard.
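The SAML flow described in initiative 1 above, as an added example that is not part of the original paper: a hypothetical SAML authority builds one assertion carrying all three statement kinds and signs it, and a relying party accepts it only if the issuer is on its trust list, the signature verifies, the assertion has not expired, and it carries a Permit decision for the requested resource. The issuer URL, resource URL, subject and shared secret are constructed, and an HMAC stands in for the XML-DSig signature that real SAML uses.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Hypothetical SAML authority and the relying party's trust list. The key is a
# constructed shared secret; real SAML signs with XML-DSig and the issuer's
# public key, but the relying party's decision logic is the same.
ISSUER = "https://idp.example.org"
TRUSTED_ISSUERS = {ISSUER: b"constructed-shared-secret"}
ISSUED_AT = datetime(2004, 12, 20, 12, 0, tzinfo=timezone.utc)
ORDERS = "https://supplier1.example.net/orders"   # hypothetical protected resource


def build_assertion(subject, issued_at, key, lifetime=timedelta(minutes=5)):
    """Issuer side: one assertion carrying all three statement kinds, then signed."""
    root = ET.Element("Assertion", Issuer=ISSUER,
                      IssueInstant=issued_at.isoformat(),
                      NotOnOrAfter=(issued_at + lifetime).isoformat())
    ET.SubElement(root, "Subject").text = subject
    # 1. authentication statement: how the subject was authenticated
    ET.SubElement(root, "AuthenticationStatement", AuthenticationMethod="password")
    # 2. attribute statement: details about the subject
    attrs = ET.SubElement(root, "AttributeStatement")
    ET.SubElement(attrs, "Attribute", Name="role").text = "purchaser"
    # 3. authorization decision statement: what the subject may do at a site
    ET.SubElement(root, "AuthorizationDecisionStatement",
                  Resource=ORDERS, Decision="Permit")
    body = ET.tostring(root)
    signature = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, signature


def verify_assertion(body, signature, now, resource):
    """Relying-party side: accept only a signed, unexpired assertion from a trusted
    issuer that permits the requested resource. Returns (accepted, subject_or_reason)."""
    root = ET.fromstring(body)
    key = TRUSTED_ISSUERS.get(root.get("Issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if now >= datetime.fromisoformat(root.get("NotOnOrAfter")):
        return False, "expired"
    for stmt in root.findall("AuthorizationDecisionStatement"):
        if stmt.get("Resource") == resource and stmt.get("Decision") == "Permit":
            return True, root.findtext("Subject")
    return False, "no permit decision for resource"


def run_demo():
    """Exercise the happy path and each check that must reject the token."""
    key = TRUSTED_ISSUERS[ISSUER]
    body, sig = build_assertion("mr.x@work.example", ISSUED_AT, key)
    soon = ISSUED_AT + timedelta(minutes=1)
    late = ISSUED_AT + timedelta(minutes=10)
    return {
        "valid": verify_assertion(body, sig, soon, ORDERS),
        "tampered": verify_assertion(body.replace(b"purchaser", b"admin"), sig, soon, ORDERS),
        "rogue_issuer": verify_assertion(
            body.replace(ISSUER.encode(), b"https://rogue.example"), sig, soon, ORDERS),
        "expired": verify_assertion(body, sig, late, ORDERS),
        "other_resource": verify_assertion(body, sig, soon, "https://supplier2.example.net/"),
    }
```

Calling run_demo() returns one (accepted, detail) pair per case; only "valid" is accepted, and each rejected case names the check that failed.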


FIM Solves:

FIM solves the very complex industry problem of managing identities. It offers the benefit of simplified sign-on to users by granting quick access to the resources they are authorized to use. It does not require user attributes to be centrally stored. It increases security and delivers better identity control. It allows businesses to interact with other businesses on the basis of trust relationships.

  1. It offers improved alliances, both within governments and between governments. It offers secure communication of vital information with other nations while enabling them to retain control of that information. It enhances collaboration while preserving confidentiality and privacy. It offers fine-grained security, support for multi-factor authentication and support for non-repudiation. It offers faster response times for critical communications.
  2. It offers regulatory support.
  3. It offers convenience and productivity to businesses by establishing circles of trust.
  4. It facilitates SSO (federated SSO).
  5. It offers users and business partners an enhanced user experience and increased satisfaction.
  6. FIM offers distributed management of user profiles. The different pieces of information forming an identity can be distributed among several parties. Partial identities support distributed information disclosure and secrecy.
  7. FIM allows cross-domain identity communication.
  8. A digital identity protects users against forgery and related attacks. Mobility support is also available.
  9. A single enterprise solution helps reduce the cost of deploying and managing disparate user management systems.
  10. Management of identities is simpler; they can be brought online and offline based on need.

Federating identity data allows enterprises to operate independently and yet cooperate for business purposes. The time and cost of connecting different applications is reduced significantly. It enhances user experience and meets compliance requirements. Web users do not have to enter multiple identities on partner web sites. It increases security and removes the need for administrators to replicate multiple identity databases. Due to such huge overall benefits, the use of FIM is increasing.

Conclusion:

FIM is an elegant protocol with roots in the circle of trust. It is a necessity for today's enterprise. Companies are reaping multi-fold benefits from the FIM architecture. FIM has given companies the option of secure and less complex collaboration services. Businesses are able to implement consistent, reliable and policy-based requirements. For example, because passwords can be shared, they are not considered auditable for compliance purposes, making it difficult to establish accountability; with FIM, provisioning services make possible the use of a separate identity for each user, hence increasing compliance. The use of FIM in enterprises is on a steady rise. The use of FIM in wide-scale federations is increasing.

FIM Roadmap

Roadmap of Federated Identity Management (Reference [18])

FIM benefits are enormous, and it is becoming the de facto industry standard.

FIM affects individual users on a daily basis. For example, Yahoo's implementation of identity management and SSO has greatly enhanced user experience. Microsoft's implementation of the Passport .NET service brings in the benefits of a single identity between MSN and participating services (web sites). In this model users get the great benefit of personalizing their services. Provisioning is done by mutual agreement between vendors and users.

According to The National Electronic Commerce Coordinating Council's white paper on identity management, “The drive toward e-government has become one of the drivers for better identity management and authentication of customers. Tying the various usernames and numbers of customers from different agency systems together becomes one of the keys to achieving integration.” Government has been involved in this effort, as having one core identity per individual is a fundamental requirement of e-government [15].

There are costs associated with new technology. Current applications and services have to adapt to this model, which pushes up the cost of existing products. There are still many standards for federated identities; interoperability between these standards is not achieved. Interoperability between different models of identity management is not achieved. Standards for identity management solutions should consider important items such as privacy, emergency response, law enforcement and anonymity. Profile data inconsistency is also possible [16].

Peering to the Nth degree of paired relationships puts a challenge on existing and perceived models. Collaboration between 15-20 partners is practical. Partnering with N partners could raise legal issues, as N legal contracts would make the cost of partnering impractical. New social and legal models will have to evolve on that front.

Liability identification may not be trivial due to the complex nature of relationship management across entities. Dispute resolution could prove to be a lengthy and costly procedure. How would fraudulent identities be blocked from propagating in the network? Who will be responsible for validating that a particular identity belongs to an individual? If a user is making a stock transaction through the MSN web portal (for example) using SSO, the transaction is time sensitive, and for some reason there is a delay in the execution of the trade causing financial loss to the individual, pinning down the party responsible for this loss is not a trivial task.

Privacy compliance for identity authentication could be another challenge: as identities are shared within a federation, companies have to abide by privacy legislation and must not disclose or use an individual's preferences to their own benefit. Identity federation would require all members to abide by the same privacy policies, which could be impractical. Individuals using such federations through SSO may not themselves be aware of such issues. Recent legislation such as Gramm-Leach-Bliley (GLB) and HIPAA requires stricter models for authentication and identification.

Finally, even though organizations are moving rapidly in this direction and setting up a large number of collaborations, the lack of standards and interoperability may cause a patchwork approach to take over the process, which will inhibit real growth. There is a need for an organized effort on standards that represent the needs of individuals and the business community together. There is a need for regulations and standard business processes for ensuring the security and reliability of identities.


References:

  1. Definition of "identity", www.dictionary.com
  2. Whitepaper: Benefits of Federated Identity to Government, March 2004, http://www.projectliberty.org/resources/whitepapers/liberty_government_business_benefits.pdf
  3. Introduction to the Liberty Alliance Identity Architecture, Revision 1.0, March 2003, www.projectliberty.com
  4. Liberty ID-FF Architecture Overview, Version 1.2-errata-v1.0, www.projectliberty.com
  5. An Overview of Federated Identity Architecture, www.oblix.com
  6. Federated Identity Management for University of California, David Walker
  7. White Paper on Federated Identity Management, Eric Norlin and Andre Durand, PingID Network, Inc., 2002
  8. http://www.microsoft.com/technet/security/topics/identity/idmanage/default.mspx
  9. http://www.insideid.com/id_management/article.php/3350541
  10. http://www.opensaml.org/faq.html
  11. http://www.sourceid.org/content.do?page=Basics
  12. http://www.insideid.com/id_management/archives.php
  13. IBM joins Liberty, http://www.insideid.com/id_management/article.php/3424461
  14. http://www.rsa.com
  15. Identity Management, white paper by The National Electronic Commerce Coordinating Council, www.ec3.org, Dec 4-6, 2002
  16. Identity Management & Liberty Project, Sang Shin, www.javapassion.com/webservices/IdentityAndLiberty4.pdf
  17. Overview of Federated Identities, http://www.pingidentity.com/downloads/Overview_of_Federation.pdf
  18. White Paper: Federated Identity Management, http://www.pingid.net/misc/Whitepaper_Identity_Federation.pdf
  19. Federated Identity Management with IBM Tivoli Security Solutions, http://www.redbooks.ibm.com


FEDERATED IDENTITY MANAGEMENT
BY: AJOY KUMAR
CLASS: CS 573
PROF. ED AMOROSO

