Archive for May, 2007

SAML (Security Assertion Markup Language)

May 28, 2007

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee.

The single most important problem that SAML is trying to solve is the Web Browser Single Sign-On (SSO) problem. Single sign-on solutions are abundant at the intranet level (using cookies, for example), but extending these solutions beyond the intranet has been problematic and has led to the proliferation of non-interoperable proprietary technologies. SAML has become the definitive standard underlying many web Single Sign-On solutions in the enterprise identity management problem space.

SAML assumes the principal (often a user) has enrolled with at least one identity provider. This identity provider is expected to provide local authentication services to the principal. However, SAML does not specify the implementation of these local services; indeed, SAML does not care how local authentication services are implemented (although individual service providers most certainly will).

Thus a service provider relies on the identity provider to identify the principal. At the principal’s request, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider makes an access control decision.
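The service-provider side of that last step, as an added example that is not part of the original post: before it makes an access control decision, the consumer checks who issued the assertion, whom it was issued for, and whether it is still valid. The assertion text, the issuer and audience URLs and the timestamps are constructed for this example, and the XML signature is assumed to have been verified already by a dedicated library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned) issued by the IdP for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2007-05-28T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-05-28T10:00:00Z" NotOnOrAfter="2007-05-28T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_saml_time(text):
    """SAML dateTime values here are UTC ('Z'); return an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, trusted_issuer, my_audience, now):
    """Service-provider checks; returns ('accept', details) or ('reject', reason).
    Assumes the XML signature over the assertion has already been verified."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:                      # only the enrolled IdP may vouch
        return "reject", f"untrusted issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return "reject", "missing Conditions element"
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_after is None:
        return "reject", "validity window not stated"
    if now < parse_saml_time(not_before) or now >= parse_saml_time(not_after):
        return "reject", "assertion outside its validity window"   # stale or replayed
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:                  # assertion meant for another SP
        return "reject", f"audience {audiences} does not include this SP"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return "accept", {"subject": subject, "attributes": attrs}
```

The returned subject and attributes are what the service provider feeds into its own authorization decision; the assertion itself never grants access.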


Challenges in Identity and Access Management

May 24, 2007

Single Sign-On

A typical enterprise user has to log in multiple times in order to gain access to the various business applications that they use in their jobs. From the user’s point of view, multiple logins and the need to remember multiple passwords are among the leading causes of bad application experiences. From the management point of view, forgotten password incidents definitely increase management costs and, when combined with bad user password management habits (such as writing passwords down on yellow sticky notes), can often lead to increased opportunities for security breaches. Because of the seemingly intractable problems that multiple identities present, the concept of single sign-on (SSO), the ability to log in once and gain access to multiple systems, has become the ‘Holy Grail’ of identity management projects.

Single Sign-On Solutions

Broadly speaking, there are five classes of SSO solutions. No one type of solution is right for every application scenario. The best solution is very much dependent on factors such as where the applications requiring SSO are hosted, limitations placed by the infrastructure (e.g. firewall restrictions), and the ability to modify the applications. These are the five categories of SSO solutions:

  1. Web SSO
  2. Operating System Integrated Sign-On
  3. Federated Sign-On
  4. Identity and Credential Mapping
  5. Password Synchronization

Web SSO solutions are designed to address web application sign-on requirements. In these solutions, unauthenticated browser users are redirected to a login website to enter their user identifier and credentials. Upon successful authentication, HTTP cookies are issued and used by the web applications to validate authenticated user sessions. Microsoft Passport is an example of a Web SSO solution.

Operating system integrated sign-on refers to authentication modules and interfaces built into the operating system. The Windows security subsystem provides such capability through system modules such as the Local Security Authority (LSA) and Security Specific Providers (SSP); SSPI refers to the programming interfaces into these SSPs. Desktop applications that use the SSPI APIs for user authentication can then ‘piggyback’ on the Windows desktop login to help achieve application SSO. GSSAPI on various UNIX implementations provides the same application SSO functionality.

Federated sign-on requires the application authentication infrastructures to understand trust relationships and to interoperate through standard protocols. Kerberos and the future Active Directory Federation Service are examples of federation technologies. Federated sign-on means that the authentication responsibility is delegated to a trusted party. Application users need not be prompted to sign on again as long as the user has been authenticated by a federated (i.e. trusted) authentication infrastructure component.

Identity and credential mapping solutions typically use credential caches to keep track of the identities and credentials to use for accessing a corresponding list of application sites. The cache may be updated manually or automatically when a credential (for example a password) changes. Existing applications may or may not need to be modified to use identity-mapping solutions. When the application cannot be modified, a software agent may be installed to monitor application login events. When the agent detects such an event, it finds the user credential in the cache and automatically enters the credential into the application login prompt.

The password synchronization technique is used to synchronize passwords across the application credential databases so that users and applications do not have to manage multiple password changes. Password synchronization as a siloed technology does not really provide single sign-on, but it results in some conveniences that applications can take advantage of. For example, with password synchronization, a middle-tier application can assume that the password of an application user is the same at the various systems it needs access to, so the application does not have to look up different passwords to use when accessing resources on those systems.

Identity and Access Management Framework

May 24, 2007

As implied in the previous sections, identity and access management is a very broad topic that covers both technology and non-technology areas. We will focus the rest of this paper around the technology aspects of identity and access management.

To contain the technical scope of a topic that is still very broad, it is useful to give our discussion some structure. We will use the framework shown in Figure 3, which illustrates several key logical components of I&AM, to lead the discussion on this subject.

This framework highlights three key “buckets” of technology components:

  • Identity life cycle management
  • Access management
  • Directory services

The components in these technology buckets are used to meet a set of recurring requirements in identity management solutions. We will describe the roles that these components play in the next few sections.

Directory Services

As mentioned previously, a digital identity consists of a few logical types of data—the identifier, credentials and attributes. This data needs to be securely stored and organized. Directory services provide the infrastructure for meeting such needs. Entitlements and security policies often control the access and use of business applications and computing infrastructure within an organization. Entitlements are the rights and privileges associated with individuals or groups. Security policies refer to the standards and constraints under which IT computing resources operate.

A password complexity policy is an example of a security policy. Another example is the trust configuration of a business application which may describe the trusted third party that the application relies upon to help authenticate and identify application users. Like digital identities, entitlements and security policies need to be stored, properly managed and discovered. In many cases, directory services provide a good foundation for satisfying these requirements.

Access Management

Access management refers to the process of controlling and granting access to satisfy resource requests. This process is usually completed through a sequence of authentication, authorization, and auditing actions. Authentication is the process by which identity claims are proven. Authorization is the determination of whether an identity is allowed to perform an action or access a resource. Auditing is the accounting process for recording security events that have taken place. Together, authentication, authorization, and auditing are also commonly known as the gold standards of security. (The reasoning behind this stems from the chemical symbol for gold, ‘Au’, which is the prefix of all three words.)

There are several technical issues that solutions architects may encounter when designing and integrating authentication, authorization, and auditing mechanisms into the application architecture:

  • Single Sign-On
  • Trust and Federation
  • User Entitlements
  • Auditing

What is Identity and Access Management

May 24, 2007

Identity and Access Management (IAM) has recently emerged as a critical foundation for realizing business benefits in terms of cost savings, management control, operational efficiency and, most importantly, business growth for eCommerce. Enterprises need to manage access to information and applications scattered across internal and external application systems. Moreover, they must provide this access for a growing number of identities, both inside and outside the organization, without compromising security or exposing sensitive information.

IAM comprises the people, processes and products used to manage identities and access to the resources of an enterprise. Additionally, the enterprise has to ensure the correctness of its data in order for the IAM framework to function properly. IAM components can be classified into four major categories: authentication, authorization, user management and a central user repository (enterprise directory). The ultimate goal of an IAM framework is to provide the right people with the right access at the right time (see the diagram below).

Authentication

This area comprises authentication management and session management. Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system or a particular resource. Once a user is authenticated, a session is created and referred to during the interaction between the user and the application system until the user logs off or the session is terminated by other means (e.g. a timeout). The authentication module usually comes with a password service module when the user ID / password authentication method is used. By centrally maintaining a user’s session, the authentication module provides a Single Sign-On service so that the user need not log on again when accessing another application or system governed by the same IAM framework.
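The session token that both the Web SSO description earlier (a login site issues a cookie that the applications then validate) and the session management described here rely on, as an added example that is not part of the original post: the login site signs a small claims payload with a key the applications share, and each application checks the signature and the expiry before trusting the session. The key, the cookie layout and the idle timeout are assumptions for this example.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: shared only by the SSO site and its apps
SESSION_TTL = 900                                    # seconds a session stays valid; assumed for the example

def b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session_cookie(user, issued_at, key=SERVER_KEY):
    """Build 'payload.mac': the payload names the user and expiry, the MAC binds it to the key."""
    claims = {"sub": user, "exp": issued_at + SESSION_TTL}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(mac)

def validate_session_cookie(cookie, now, key=SERVER_KEY):
    """Return the user name if the cookie is genuine and not timed out, else None."""
    try:
        p64, m64 = cookie.split(".", 1)
        payload, mac = unb64(p64), unb64(m64)
    except ValueError:                               # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time check: tampered or forged
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:                         # session terminated by timeout
        return None
    return claims["sub"]
```

Any application holding the same key can validate the cookie without contacting the login site, which is what lets the user skip a second logon.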

Authorization

Authorization is the module that determines whether a user is permitted to access a particular resource. Authorization is performed by checking the resource access request, typically in the form of a URL in a web-based application, against authorization policies stored in an IAM policy store. Authorization is the core module that implements role-based access control. Moreover, the authorization model can provide more complex access controls based on data, information or policies including user attributes, user roles / groups, actions taken, access channels, time, resources requested, external data and business rules.
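A policy evaluator of the kind this Authorization module describes, as an added example that is not part of the original post: a requested URL and action are matched against a policy store whose entries also constrain the user's roles, the access channel and the time of day, with deny as the default. The policy format and the sample policies are constructed for this example.

```python
from fnmatch import fnmatchcase

# Constructed policy store: each entry permits an action on matching resources
# when every listed condition holds. Nothing is permitted unless a policy says so.
POLICY_STORE = [
    {"resource": "/hr/payroll/*", "actions": {"GET", "POST"},
     "roles": {"payroll-admin"}, "channels": {"intranet"}, "hours": (8, 18)},
    {"resource": "/hr/payroll/*", "actions": {"GET"},
     "roles": {"hr-staff"}, "channels": {"intranet", "vpn"}, "hours": (0, 24)},
    {"resource": "/portal/*", "actions": {"GET"},
     "roles": {"employee"}, "channels": {"intranet", "vpn", "internet"}, "hours": (0, 24)},
]

def authorize(user_roles, url, action, channel, hour, policies=POLICY_STORE):
    """Return (allowed, reason). Only the path of the URL takes part in matching."""
    path = url.split("?", 1)[0]             # the query string never influences the decision
    roles = set(user_roles)
    for index, policy in enumerate(policies):
        if not fnmatchcase(path, policy["resource"]):
            continue
        if action not in policy["actions"]:
            continue
        start, end = policy["hours"]        # time-of-day window, [start, end)
        if not (start <= hour < end):
            continue
        if channel not in policy["channels"]:
            continue
        if roles & policy["roles"]:         # role-based check last
            return True, f"policy {index} permits {action} on {policy['resource']}"
    return False, "no matching policy (default deny)"
```

Because every policy is a permit and the fall-through is a deny, adding a new application only requires adding policies, never editing the evaluator.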

User Management

This area comprises user management, password management, role/group management and user/group provisioning. The user management module defines the set of administrative functions such as identity creation, propagation and maintenance of user identities and privileges. One of its components is user life cycle management, which enables an enterprise to manage the lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning.

Some of the user management functions should be centralized while others should be delegated to end users. Delegated administration allows an enterprise to distribute workload directly to departmental units. Delegation can also improve the accuracy of system data by assigning the responsibility for updates to the persons closest to the situation and the information.

Self-service is another key concept within user management. Through a self-profile management service an enterprise benefits from timely updates and accurate maintenance of identity data. Another popular self-service function is self-service password reset, which significantly reduces the help desk workload for handling password reset requests.

User management requires an integrated workflow capability to approve some user actions such as user account provisioning and de-provisioning.

Central User Repository

The Central User Repository stores and delivers identity information to other services, and provides a service to verify credentials submitted by clients. The Central User Repository presents an aggregate or logical view of the identities of an enterprise. Directory services adopting the LDAPv3 standard have become the dominant technology for the Central User Repository. Both meta-directories and virtual directories can be used to manage disparate identity data from the different user repositories of applications and systems. A meta-directory typically provides an aggregate set of identity data by merging data from different identity sources into a meta-set. It usually comes with a two-way data synchronization service to keep the data in sync with the other identity sources. A virtual directory delivers a unified LDAP view of consolidated identity information; behind the scenes, multiple databases containing different sets of users are combined in real time.