Liberty ID Federation Framework Web Services Framework

Provided by: kbho
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

1
Liberty ID Federation Framework / Web Services Framework
  • Kailash Bhoopalam
  • Dept. of Computer Science
  • Old Dominion University

2
Some Concepts
  • What is a federation?
    • A union of organizations (M-W) that co-operate
      for the sole purpose of maximizing their
      business.
    • E.g., airlines cooperate with hotels and rental
      cars to maximize revenues or distribute risk.
  • Issues
    • User information privacy
    • Protocol to exchange user information in the
      federation

3
An Example Federation.
  [diagram; labels: ID Provider (VeriSign), Jimmy]
4
Liberty ID - Goals
  • Enable consumers (a.k.a. web users) to protect
    privacy and manage their network identity
  • Enable businesses to provide or advertise more
    value-based services by leveraging the customer's
    behavior in a trust community
  • Provide a single sign-on standard that includes
    decentralized authentication and authorization
  • Create a controlled network-identity sharing
    mechanism that would be supported by, and would
    support, current and emerging network access
    devices (use SSL, XML, X.509)

5
Premise for the Goals
  • The ID of the user is fractured across the WWW among a
    number of service providers (SPs) (banks, utilities,
    entertainment, etc.)
  • No process, policy or technology standard
    informs the user about the following:
    • To which SPs the identity is shared
    • What information is being shared
    • Policy practices of identity providers (whoever
      they are)
  • WWW attributes become cumbersome when user
    attributes change
  • When partnerships between service providers
    exist, it is harder to maximize the utility of
    services
  • Provide anonymity to users when using certain
    services

6
Stakeholders' Views of Liberty
  • Business (Service Provider) View
    • Framework to form circles of trust based on
      common interests
    • Allows for the registration of services
    • Support for anonymous services, usage directives
    • Support for gathering consent from the user.
  • User View
    • Control over privacy information
    • Probably better service from service providers
    • Less fractured identity information

7
Trust Community! Circle of trust! why? why? why?
  • By logical reasoning and some empirical evidence
    it has been agreed that GUIDs do not work
    when used in large numbers!
    • GUIDs (a unique certificate for every person)
    • Verification is expensive in large hierarchies.
    • Certificate revocation is difficult to
      communicate.
  • An IBM employee working in the USA gets a discount at
    Vodafone and Harrods!
    • If the US govt were the authority on the
      principal's ID, would Harrods or the British
      govt always believe in it?
    • It makes more sense to have IBM, Vodafone and
      Harrods form a trust circle by exchanging keys,
      CPS, and IDS endpoints.

8
Liberty ID Specifications
  • Federation Framework (FF)
    • Communication of identity information
    • Authentication
    • Single Sign On
    • Global logout
  • Web Services Framework (WSF)
    • Service registration
    • Service Discovery
    • Gathering user consent
    • Usage Directives

9
Functional Requirements (FF)
  • Protocols for Identity Federation
    • Provide user notice of ID federation and
      defederation
    • SPs and IDS providers notify each other of
      ID federation
    • Notification of ID providers to SPs about account
      termination
    • User awareness of federated IDs
    • Temporary identity / anonymity for services
  • Authentication
    • Authentication of IDS providers
    • Mutual authentication of IDS, SP and Principal.
    • Confidentiality and integrity of information
    • Support for multiple authentication methods.
    • Exchange of authentication status, instant,
      method, pseudonym.
    • Re-authentication / multi-level authentication
    • Transitive authentication
  • Single Sign On, Global Logout

10
Architecture (FF)
  • Delegated Authentication/Authorization using Web
    Redirection
    • HTTP based redirection to ID providers
      • Limits of URL size
      • Content of URL (cleartext vs. encrypted)
    • Storing authentication information state
      • Usage of session cookies if necessary (but not
        often)

11
Architecture (FF) contd.
  • Single Sign-On
  • ID federation and defederation
    • 1 ID and many SPs
    • 1 SP and many IDs
    • Linking of IDSs to enable re-authentication.
  • Metadata and Schema
    • ID as opaque handle (linked IDs)
    • Multiple authentication mechanisms
    • Allow for a priori exchange of X.509 certs, service
      endpoint information, CPSs etc.
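The redirect-based flow of slides 10 and 11 (HTTP redirection to the ID provider, URL size limits, server-side authentication state, and the ID as an opaque handle) can be seen end to end in the following simulation. This is an added illustration, not code from the presentation or from the Liberty Alliance specifications. It assumes that SP and IdP keys were exchanged a priori inside the circle of trust, uses an HMAC where the real protocol uses an XML signature, and takes 2048 bytes as the URL size limit; all names, keys and the principal "jimmy" are constructed.

```python
"""Added illustration (not from the presentation): redirect-based single sign-on
with an opaque per-(principal, SP) handle. Assumptions: keys exchanged a priori
in the circle of trust, HMAC in place of an XML signature, 2048-byte URL limit.
All hostnames, keys and the principal name are constructed sample data."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

MAX_URL_LEN = 2048  # assumed GET limit; larger responses need a POST binding


class IdentityProvider:
    def __init__(self, name, sp_keys):
        self.name = name
        self.sp_keys = sp_keys  # SP name -> shared key (a priori exchange)
        self.handles = {}       # (principal, SP) -> opaque handle = the federation record

    def federate(self, principal, sp):
        # One random handle per (principal, SP): two SPs cannot correlate a user by it
        return self.handles.setdefault((principal, sp), secrets.token_urlsafe(16))

    def sso(self, request_url, principal):
        """Answer an SP request for an already-authenticated principal with the
        redirect URL that carries a signed assertion back to that SP."""
        q = parse_qs(urlparse(request_url).query)
        sp, return_to, relay = q["issuer"][0], q["return_to"][0], q["relay"][0]
        if sp not in self.sp_keys:
            raise PermissionError("requester is not in the circle of trust")
        now = int(time.time())
        assertion = {"issuer": self.name, "audience": sp, "name_id": self.federate(principal, sp),
                     "authn_instant": now, "authn_method": "password", "not_on_or_after": now + 300}
        body = base64.urlsafe_b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
        sig = hmac.new(self.sp_keys[sp], body.encode(), hashlib.sha256).hexdigest()
        url = return_to + "?" + urlencode({"assertion": body, "sig": sig, "relay": relay})
        if len(url) > MAX_URL_LEN:
            raise ValueError("response exceeds the URL size limit; use a POST binding")
        return url


class ServiceProvider:
    def __init__(self, name, base_url, idp_name, idp_key):
        self.name, self.base_url = name, base_url
        self.idp_name, self.idp_key = idp_name, idp_key
        self.pending = {}   # relay state -> requested page, kept server-side rather than in the URL
        self.sessions = {}  # session cookie -> handle; the only identity the SP ever learns

    def authn_request(self, idp_sso_url, target):
        relay = secrets.token_urlsafe(8)
        self.pending[relay] = target
        return idp_sso_url + "?" + urlencode(
            {"issuer": self.name, "return_to": self.base_url + "/acs", "relay": relay})

    def consume(self, response_url):
        """Verify the IdP response; return (session_cookie, target) or None on any failure."""
        q = parse_qs(urlparse(response_url).query)
        body, sig, relay = q["assertion"][0], q["sig"][0], q["relay"][0]
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged, tampered, or signed with another SP's key
        a = json.loads(base64.urlsafe_b64decode(body))
        if a["issuer"] != self.idp_name or a["audience"] != self.name:
            return None  # assertion meant for a different SP or IdP
        if a["not_on_or_after"] <= time.time():
            return None  # stale assertion
        target = self.pending.pop(relay, None)
        if target is None:
            return None  # no outstanding request matches this relay state
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = a["name_id"]
        return cookie, target


def run_sso(principal="jimmy"):
    """One circle of trust with constructed keys: an IdP, an airline SP and a hotel SP."""
    k_air, k_hotel = secrets.token_bytes(32), secrets.token_bytes(32)
    idp = IdentityProvider("idp.example", {"airline.example": k_air, "hotel.example": k_hotel})
    air = ServiceProvider("airline.example", "https://airline.example", "idp.example", k_air)
    hotel = ServiceProvider("hotel.example", "https://hotel.example", "idp.example", k_hotel)
    resp = idp.sso(air.authn_request("https://idp.example/sso", "/bookings"), principal)
    cookie, target = air.consume(resp)
    replayed = hotel.consume(resp)                                     # wrong audience and key
    tampered = air.consume(resp.replace("assertion=", "assertion=A"))  # signature no longer matches
    hotel_cookie, _ = hotel.consume(idp.sso(hotel.authn_request("https://idp.example/sso", "/rooms"), principal))
    big = "https://idp.example/sso?" + urlencode({"issuer": "airline.example", "relay": "r",
                                                  "return_to": "https://airline.example/" + "x" * MAX_URL_LEN})
    try:  # a response that would not fit in a GET URL is refused rather than truncated
        idp.sso(big, principal)
        oversize_refused = False
    except ValueError:
        oversize_refused = True
    return {"target": target, "handle_air": air.sessions[cookie], "handle_hotel": hotel.sessions[hotel_cookie],
            "replay_rejected": replayed is None, "tamper_rejected": tampered is None,
            "handle_stable": idp.federate(principal, "airline.example") == air.sessions[cookie],
            "oversize_refused": oversize_refused}
```

Running `run_sso()` shows the points the slides list: the airline and the hotel receive different handles for the same principal, the airline's handle is stable across logins (that is the federation), a response replayed to another SP or altered in transit is rejected, and an oversized response is refused instead of being silently cut off by URL limits.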

12
Functional Requirements (WSF)
  • Service Discovery
    • Mechanism for SPs to query discovery services for
      relevant providers of services or attribute
      classes within a service for a particular
      principal
    • User prompt by the discovery service during
      registration
  • Registration of Service
    • Allows service providers to register (or deregister)
      with a discovery service a list of services and
      service attributes

13
Functional Requirements (WSF) contd.
  • Support for Gathering Consent
    • Mechanisms for SPs to utilize the LECP communications
      channel for querying and obtaining principal
      consent and response.
    • Mechanism to share (after user consent) a subset
      of the principal's attributes with other providers
    • Mechanism to partially fulfill requests for
      attributes if consent is not given for all requested
      attributes.

14
Functional Requirements (WSF) contd.
  • Support for Anonymous Services
    • Ability for an SP to make anonymous attribute
      requests and receive anonymous attribute
      responses
    • Ability to share attributes without disclosing
      identity.
    • Mechanism to prevent pseudonyms from being linked to
      Principal IDs
  • Usage Directives
    • Communicate intended usage of attributes
    • Communicate agreed-upon usage of attributes
    • Mechanism that allows an RP SP to list the usage
      directives to an authorizing SP if required
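The consent, partial-fulfilment, anonymity and usage-directive requirements of slides 13 and 14 fit together in one small attribute provider. The following is an added illustration, not code from the presentation or from the Liberty specifications: consent is recorded per requesting SP, attribute and usage; a query is answered only with the attributes the principal consented to for the requester's stated usage directive, the rest being withheld; and the requester only ever sees the federation handle, never the provider's own account name. The handle, account identifier, attribute values and consent records are all constructed sample data.

```python
"""Added illustration (not from the presentation): a consent-aware attribute
provider. Every identifier and value here is constructed sample data."""

# Federation handle -> internal account. Stays inside the provider; never returned.
SAMPLE_HANDLE = "h-7Qm2"  # constructed opaque handle known to hotel.example
HANDLE_TO_ACCOUNT = {SAMPLE_HANDLE: "acct-0042"}

# Internal account -> attributes held by this provider (constructed)
ATTRIBUTES = {"acct-0042": {"loyalty_tier": "gold", "home_city": "Norfolk",
                            "email": "j.b@example.test"}}

# Consent gathered from the principal: account -> requester -> attribute -> allowed usages
CONSENT = {"acct-0042": {"hotel.example": {"loyalty_tier": {"service-delivery"},
                                           "home_city": {"service-delivery", "marketing"}}}}


def record_consent(account, requester, attribute, usages):
    """Store the principal's answer to a consent prompt (gathering consent)."""
    CONSENT.setdefault(account, {}).setdefault(requester, {}) \
           .setdefault(attribute, set()).update(usages)


def query_attributes(handle, requester, requested, intended_usage):
    """Answer an attribute query from `requester`, which states its intended usage.
    The response names the subject only by handle, carries the agreed usage for
    each released attribute, and lists what was withheld (partial fulfilment)."""
    account = HANDLE_TO_ACCOUNT.get(handle)
    held = ATTRIBUTES.get(account, {})
    consent = CONSENT.get(account, {}).get(requester, {})
    granted, withheld = {}, []
    for attr in requested:
        if attr in held and intended_usage in consent.get(attr, set()):
            granted[attr] = {"value": held[attr], "agreed_usage": intended_usage}
        else:
            # Unknown subject, attribute not held, or no consent for this usage:
            # the requester gets the same answer in all three cases.
            withheld.append(attr)
    status = "ok" if not withheld else ("partial" if granted else "denied")
    return {"subject": handle, "granted": granted, "withheld": withheld, "status": status}


if __name__ == "__main__":
    print(query_attributes(SAMPLE_HANDLE, "hotel.example",
                           ["loyalty_tier", "home_city", "email"], "service-delivery"))
    print(query_attributes(SAMPLE_HANDLE, "hotel.example", ["loyalty_tier"], "marketing"))
```

A request by hotel.example for loyalty tier, home city and e-mail under a "service-delivery" directive is partially fulfilled (e-mail was never consented to), the same request under "marketing" releases only the home city, and a requester with no consent record is denied everything; in no case does the response carry the internal account identifier.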

15
References
  • Liberty Alliance
    • http://www.projectliberty.org/specs/index.html
  • Advanced Web Services Framework
    • http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ (WS-Security)
    • http://www-106.ibm.com/developerworks/webservices/library/ws-fed/ (WS-Federation)
    • http://www-106.ibm.com/developerworks/library/ws-polfram/ (WS-Policy)
    • http://www-106.ibm.com/developerworks/library/ws-trust/ (WS-Trust)