Liberty Specifications Tutorial - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Liberty Specifications Tutorial
  • WWW.PROJECTLIBERTY.ORG

Alexandre Stervinou, Technical Consultant, RSA
Security (astervinou@rsasecurity.com)
2
Tutorial Outline
  • Introduction to Liberty Alliance
  • Overview and Key Concepts
  • Resources
  • Architecture and Specification documents
  • Phase 1 - ID-FF
    • Federated identity life-cycle
    • Metadata
    • SCR, Interoperability Conformance/Validation
    • Security Mechanisms
  • Phase 2 - ID-WSF and ID-SIS
    • Personal profile scenario
  • Privacy and Security Guidelines
  • Business Guidelines

3
Identity Crisis
4
Open Interaction and Participation
(Diagram of the actors around the Liberty Alliance
and its Members: Standards Bodies (IETF, W3C,
OASIS, OMA); Other technologies (MS Passport,
WS-Federation); Government; Lobby Groups; Media;
Users; Open Source Community (Apache);
Vendors/Providers (Sun, AOL, HP, Nokia).
Relationship labels on the arrows: Utilize /
Influence, Co-operate, PR, Requirements,
Develop / Deploy.)
5
Key Concepts and Terminology
  • Identity
  • Simplified Sign-On
  • Single Logout
  • Network Identity / Federated Identity
  • Circle of Trust
  • Principal
  • Identity Provider (IdP)
  • Service Provider (SP)
  • Liberty Enabled Clients or Proxies (LECP)
  • Pseudonyms and Anonymity
  • Authentication Assertion (SAML)

6
Key Concepts: Network Identity Concepts
7
Circle of Trust Model
  • Identity Service Provider (e.g. Financial
    Institution, HR), the Network Identity Hub
    Provider
    • Trusted entity
    • Authentication infrastructure
    • Maintains core identity attributes
    • Offers value-added services (optional)
  • Affiliated Service Providers
    • Offer complementary services
    • Don't (necessarily) invest in authentication
      infrastructure
  • Circle of Trust
    • Business agreements
    • SLAs
    • Policies/Guidelines/AUP

8
Key Concepts: Authentication Assertion (SAML)
Authentication Assertion
  • Assertion ID
  • Issuer
  • Issue Instant (timestamp)
  • Validity time limit
  • Audience Restriction
  • Authentication Statement
    • Authentication Method
    • Authentication Instant
    • User account info (IdP pseudonym)
    • User account info (SP pseudonym)
  • Digital Signature of assertion
9
Resources
  • Liberty Developer Resource Center:
    www.projectliberty.org/resources/resources.html
  • SAML: www.oasis-open.org/committees/security
  • SOAP: www.w3.org/2000/xp/Group/
  • SSL/TLS:
    www.ietf.org/html.charters/tls-charter.html

10
Complete Liberty Architecture
  • Liberty Identity Services Interface
    Specifications (ID-SIS): enables interoperable
    identity services such as personal identity
    profile service, alert service, calendar
    service, wallet service, contacts service,
    geo-location service, presence service and so
    on.
  • Liberty Identity Federation Framework (ID-FF):
    enables identity federation and management
    through features such as identity/account
    linkage, simplified sign on, and simple session
    management.
  • Liberty Identity Web Services Framework
    (ID-WSF): provides the framework for building
    interoperable identity services, permission
    based attribute sharing, identity service
    description and discovery, and the associated
    security profiles.
Liberty specifications build on existing
standards.
11
Liberty Specifications
(The slide lists the documents in three columns,
ID-FF, ID-WSF and ID-SIS, colour-coded as
Normative, Non-Normative or Coming Soon; the
colour coding is not preserved in this
transcript.)
ID-FF
  • ID-FF Architectural Overview 1.2
  • ID-FF Implementation Guidelines 1.2
  • ID-FF Static Conformance Req. 1.2
  • ID-FF Protocols and Schemas 1.2
  • ID-FF Bindings and Profiles 1.2
  • Liberty Authentication Context 1.2
  • Liberty Meta Data 1.2
ID-WSF
  • ID-WSF Security and Privacy Overview 1.0
  • ID-WSF Architecture Overview 1.0
  • ID-WSF Implementation Guidelines 1.0
  • ID-WSF Static Conformance Req. 1.0
  • Identity Services Templates:
    ID-WSF Data Services Template 1.0
  • Core Identity Services Protocols:
    ID-WSF Discovery Service 1.0,
    ID-WSF Interaction Service 1.0
  • Web Services Bindings and Profiles:
    ID-WSF Security Mechanisms 1.0,
    ID-WSF SOAP Binding 1.0,
    ID-WSF Client Profiles 1.0,
    Liberty Reverse HTTP Binding 1.0,
    Liberty SASL-based SOAP AuthN 1.0
ID-SIS
  • ID-Personal Profile 1.0
  • ID-Employee Profile 1.0
  • ID-Personal Profile Implementation Guidelines 1.0
  • ID-Employee Profile Implementation Guidelines 1.0
Common documents
  • Liberty Glossary
  • Liberty Trust Model Guidelines
12
Phase 1 - ID-FF
  • Federated identity life-cycle
  • Metadata
  • SCR Conformance
  • Security Mechanisms
  • Authentication Context

13
Federated Identity Life-Cycle
14
Metadata
  • Metadata specification: an extensible framework
    for describing
    • cryptographic keys
    • service endpoint information
    • protocol and profile support, in real time
  • Metadata exchange options
    • In-band, DNS based discovery
    • In-band, URI based discovery
    • Out-of-band
  • Classes of metadata
    • Entity provider metadata
    • Entity affiliation metadata
    • Entity trust metadata
  • Origin and document verification through use of
    signatures

15
Identity Provider Introduction
  • Optional profile
  • Common Domain Cookie
    • MUST be named _liberty_idp
    • MUST be a base-64 encoded list of IdP succinct
      IDs
    • Session or Persistent
  • A common domain is established within the
    identity federation network for use with the
    introduction protocol

16
Single Sign On and Federation
(Sequence diagram between User, IDP and SP:)
  • User logs in and authenticates at the IDP; the
    IDP sets the introduction cookie
  • User logs in and authenticates at the SP
  • SP: "You have a cookie from IDP, federate
    accounts?"
  • User: "Yes, federate my accounts"
  • SP redirects the user to the IDP with an
    Authentication Request (AuthnRequest)
  • IDP: Authentication Assertion issued, redirect
    to SP
  • User to SP: "Here is my SAML Assertion" or the
    SOAP endpoint @ IDP
  • SP and IDP exchange the assertion over SOAP
    (back-channel) if only a reference was passed
  • SP: process assertion, start service
17
Federating an Identity
(Diagram: IdP A, Airline, Inc, shows the page "Fly
Right Airline Group: Do you want to federate your
Car Rental, Inc. account?" with Yes and Cancel
buttons. On Yes, Airline, Inc performs the
federation with SP 1, CarRental, Inc. Access after
federation: CarRental, Inc shows "Fly Right
Airline Group: Welcome John12, you're signed on.")
18
Account Federation Details (1)
  • User connects to IdP and authenticates
(Diagram: User, IDP, SP. The user enters the URL
and connects to the IdP; the IdP (Airline, Inc,
Fly Right Airline Group) displays a login page
asking for Login and Password (the authentication
request); the user enters John / xxx (user
authentication, e.g. ID and password); the IdP
performs the authentication check and the web
page is displayed.)
Notes: other authentication methods are possible
(e.g. certificate-based, Kerberos, etc.). The
user goes to the IdP of his choosing and
authenticates himself, for example using ID and
password.
19
Account Federation Details (2)
  • User can choose to federate accounts with the IdP
(Diagram: User, IDP, SP. After the initial
authentication is completed, the IdP (Airline,
Inc, Fly Right Airline Group) displays "Welcome,
John. You can link the following accounts: Car
Rental, Inc". The user answers Yes, which sends a
federation request and begins the federation with
the Service Provider.)
Note: after authenticating with the IdP, the
other accounts that can be federated are listed.
20
Account Federation Details (3)
  • Federation initiated at the IdP
(Diagram: User, IDP, SP. The IdP redirects the
user to the SP for federation; the SP (Car
Rental, Inc, Fly Right Airline Group) shows its
login page with ID, Password and a "Federate with
Airline, Inc" option (SP login and federation
opt-in); the user authenticates; the SP performs
the authentication check and the federation
processing and answers OK.)
Note: federation requires connecting to the SP
and authenticating once.
21
Account Linking and Identity Federation
  • User handles (name identifiers)
  • Eliminates need for global ID
  • Prevents collusion between SP1 and SP2
(Diagram: each party stores, per federated
account, its own alias, the peer's domain and the
name the peer uses for the link.)

| Party       | Account          | Alias  | Domain    | Name   |
|-------------|------------------|--------|-----------|--------|
| SP1 account | John_s@sp1       | dTvIiR | IDP_A.com | mr3tTJ |
| IDP account | John123@idp      | mr3tTJ | SP_1.com  | dTvIiR |
| IDP account | John123@idp      | xyrVdS | SP_2.com  | pfk9uz |
| SP2 account | John_0811@sp2    | pfk9uz | IDP_A.com | xyrVdS |
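The per-SP handles in the table above, as an added example (not from the tutorial) of the IdP-side federation table: the same local account gets an unrelated random name identifier at each SP, an alias only resolves at the SP it was issued to, and defederation drops both directions. The class and method names, and the random-handle length, are assumptions.

```python
import secrets


class FederationTable:
    """IdP-side federation table (constructed example). For each (SP domain,
    local account) the IdP mints a fresh random name identifier, so SP_1.com and
    SP_2.com hold unrelated handles for the same person and cannot join their
    records on the identifier (no global ID, no collusion)."""

    def __init__(self) -> None:
        self._alias_of = {}     # (sp_domain, local_account) -> alias the IdP issued
        self._account_of = {}   # (sp_domain, alias) -> local_account
        self._sp_name = {}      # (sp_domain, alias) -> name the SP chose for the link

    def federate(self, sp_domain: str, account: str) -> str:
        """Create, or return the existing, pseudonym this account has at sp_domain."""
        key = (sp_domain, account)
        if key not in self._alias_of:
            alias = secrets.token_urlsafe(6)        # 8 URL-safe characters, like mr3tTJ
            while (sp_domain, alias) in self._account_of:   # collision within one SP
                alias = secrets.token_urlsafe(6)
            self._alias_of[key] = alias
            self._account_of[(sp_domain, alias)] = account
        return self._alias_of[key]

    def register_sp_name(self, sp_domain: str, alias: str, sp_name: str) -> bool:
        """Store the SP-provided name for an existing link (the 'Name' column)."""
        if (sp_domain, alias) not in self._account_of:
            return False
        self._sp_name[(sp_domain, alias)] = sp_name
        return True

    def resolve(self, sp_domain: str, alias: str):
        """Map an alias presented by sp_domain back to the local account. An alias
        issued to a different SP resolves to nothing, even if the string is known."""
        return self._account_of.get((sp_domain, alias))

    def defederate(self, sp_domain: str, account: str) -> bool:
        """Federation termination: remove the link in both directions."""
        alias = self._alias_of.pop((sp_domain, account), None)
        if alias is None:
            return False
        self._account_of.pop((sp_domain, alias), None)
        self._sp_name.pop((sp_domain, alias), None)
        return True
```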
22
Single Sign-on
  • Instead of the SP directly authenticating the
    user, the SP queries the IdP and the IdP issues
    an authentication assertion
(Diagram: (1) initial authentication at the
Identity Provider; (2) user authentication request
from the Service Provider; (3) authentication
assertion issued; (4) authentication assertion
sent to the Service Provider by HTTP redirect.)
23
Single Sign-On (1)
  • User connects to IdP and authenticates
(Diagram: User, IDP, SP. The user enters the URL
and connects to the IdP; the IdP (Airline, Inc,
Fly Right Airline Group) displays a login page
asking for Login and Password (the authentication
request); the user enters John / xxx (user
authentication, e.g. ID and password); the IdP
performs the authentication check and the web
page is displayed.)
Notes: other authentication methods are possible.
The user goes to the IdP of his choosing and
authenticates himself, for example using ID and
password.
24
Single Sign-On (2)
  • User chooses an SP
(Diagram: User, IDP, SP. The IdP web page is
displayed: "Airline, Inc, Fly Right Airline
Group. Welcome, John. Federated SPs: Car Rental,
Inc; Hotels, Inc". The user chooses an SP or
enters a URL and is connected to the SP he
chooses, which triggers an authentication
request.)
25
Single Sign-On (3)
  • User redirected to IdP based on authentication
    request from SP
(Diagram: User, IDP, SP. The SP answers the
user's request with an HTTP redirect carrying the
authentication request; the user agent delivers
the authentication request to the IdP.)
Notes: the SP can specify the authentication
level it requires. The user authentication
request results in a redirect to the IdP.
26
Single Sign-On (4)
  • IdP issues an authentication assertion
(Diagram: User, IDP, SP. The IdP receives the
redirected authentication request; if the user is
not already authenticated at the IdP, initial
authentication is performed (Airline.inc, Fly
Right Airline Group: Login / Password); the IdP
then issues the authentication assertion.)
Note: the assertion is generated if the user is
authenticated and the identity at the SP is
federated.
27
Single Sign-On (5)
  • Authentication assertion sent from IdP to SP
(Diagram: User, IDP, SP. The IdP issues the
authentication assertion and sends it to the user
agent; an HTTP redirect carries the authentication
assertion to the SP; the SP receives it.)
Notes: only in the Browser POST profile does the
assertion itself travel through the browser, and
a secure communication channel (SSL) is required.
In the Browser Artifact profile the IdP and SP
would exchange the authentication assertion
between themselves (back-channel), the assertion
being sent over SOAP.
28
Single Sign-On (6)
  • SP checks the authentication assertion and allows
    access to service
(Diagram: User, IDP, SP. The SP checks the
authentication assertion, starts the service and
displays "Car Rental.inc, Fly Right Airline
Group: Welcome, John123. Authenticated".)
29
Single Sign-On
  • Available profiles
  • Browser Artifact
  • Browser POST
  • LECP

30
Browser Artifact Single Sign-On Profile
31
Browser POST Single Sign-On Profile
32
LECP Single Sign-On Profile
33
Single Logout (1)
  • Single logout initiated at the IdP
(Diagram: User, IDP, SP. With authentication
completed, the IdP logout web page is displayed:
"Airline, Inc, Fly Right Airline Group: Do you
want to logout? Logout from all Service
Providers". The user answers Yes; the IdP sends a
single logout request to each Service Provider,
which processes the logout and returns a single
logout response; the IdP then confirms the single
logout to the user.)
Notes: the diagram shows only the SOAP/HTTP-based
profile; with the HTTP Redirect and HTTP GET
profiles the user agent contacts each SP
directly. The IdP can offer to log the user out
from all sessions that were authenticated by this
IdP.
34
Single Logout
  • Can be initiated at either the IdP or SP
  • Available profiles
    • HTTP-Based
      • For IdP-initiated: HTTP-Redirect or HTTP GET
      • For SP-initiated: HTTP-Redirect
    • SOAP/HTTP-based

35
IdP-initiated Single Logout: SOAP/HTTP-based
36
Federation Termination Notification (Defederation)
  • Can be initiated at either the IdP or SP
  • Available profiles
    • HTTP-Redirect-based
    • SOAP/HTTP-based

37
IdP-initiated Federation Termination
Notification: HTTP-Redirect
38
IdP-initiated Federation Termination
Notification: SOAP/HTTP-based
39
Static Conformance Requirements
  • SCR (ID-FF 1.1) describes four profiles and the
    specific features (required or optional) for each
    profile
    • IDP
    • SP Basic
    • SP Complete
    • LECP

40
Static Conformance Requirements
41
Interoperability Validation
  • A vendor becomes eligible to be licensed to use
    the Liberty Interoperable Logo by asserting
    compliance against one or more Liberty Alliance
    SCR conformance profiles and then participating
    in a Liberty Alliance InterOp event to validate
    the assertion(s).

42
Security Mechanisms
  • Channel Security
    • SPs authenticate IdPs using IdP server-side
      certificates
    • Mutual authorization: SPs are configured with
      a list of authorized IdPs and IdPs with a list
      of authorized SPs
    • Before the user presents personal
      authentication data to the IdP, the
      authenticated identity of the IdP must be
      presented to the user
  • Message Security
    • Digital signatures should use key pairs
      distinct from those used for TLS and SSL, and
      suitable for long-term signatures
    • Requests are protected against replay, and
      responses are checked for correct
      correspondence with the issued requests
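
The assertion fields from the Authentication Assertion slide and the message-security rules above, as an added SP-side validator (example code, not from the tutorial): issuer against the configured IdP list, validity window, audience restriction, correspondence with an outstanding request, and a replay cache keyed on the assertion ID. Assumed: the assertion has already been parsed out of the XML and its XML signature verified before these checks run; the providerIDs, request IDs and timestamps are constructed.

```python
from dataclasses import dataclass, field

# Constructed SP configuration (assumed values, not from the tutorial).
SP_PROVIDER_ID = "https://sp.example.test"
AUTHORIZED_IDPS = {"https://idp.example.test"}   # the SP's list of authorized IdPs
CLOCK_SKEW = 60                                  # seconds of tolerated clock drift


@dataclass
class SPState:
    pending_requests: set = field(default_factory=set)    # AuthnRequest IDs this SP issued
    seen_assertion_ids: set = field(default_factory=set)  # replay cache of accepted IDs


def sample_assertion() -> dict:
    """Constructed assertion carrying the fields listed on the assertion slide."""
    return {"assertion_id": "A-1", "issuer": "https://idp.example.test",
            "signature_verified": True, "issue_instant": 1_000_000,
            "not_before": 1_000_000, "not_on_or_after": 1_000_300,
            "audience": ["https://sp.example.test"], "in_response_to": "R-42",
            "authn_method": "password", "idp_pseudonym": "mr3tTJ"}


def validate_assertion(a: dict, state: SPState, now: int) -> tuple[bool, str]:
    """Return (accepted, reason). XML-DSig verification is assumed to have run
    already and set signature_verified; `now` is Unix time, passed in so the
    check is deterministic. Accepting consumes the request ID and records the
    assertion ID, so the same assertion is rejected a second time."""
    if not a.get("signature_verified"):
        return False, "unsigned or bad signature"
    if a["issuer"] not in AUTHORIZED_IDPS:              # mutual authorization
        return False, "issuer not in authorized IdP list"
    if a["issue_instant"] > now + CLOCK_SKEW or now + CLOCK_SKEW < a["not_before"]:
        return False, "not yet valid"
    if now >= a["not_on_or_after"] + CLOCK_SKEW:        # validity time limit
        return False, "assertion expired"
    if SP_PROVIDER_ID not in a["audience"]:             # audience restriction
        return False, "audience mismatch"
    if a["assertion_id"] in state.seen_assertion_ids:   # replay protection
        return False, "replayed assertion"
    req = a.get("in_response_to")                       # matches a request we issued?
    if req not in state.pending_requests:
        return False, "response does not match an issued request"
    state.pending_requests.discard(req)
    state.seen_assertion_ids.add(a["assertion_id"])
    return True, "ok"
```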

43
Authentication Context
  • Not all SAML assertions are created equal
  • Different Authorities will issue SAML assertions
    of different quality
  • How will a consumer of these assertions
    discriminate?
  • Authentication Context is the information, extra
    to the SAML assertion itself, that describes
    • Identification, e.g. physical verification
    • Physical Protection, e.g. private key in
      hardware
    • Operational Protection, e.g. N of M controls
    • Authentication Mechanisms, e.g. smartcard with
      PIN
  • It gives a consumer of a SAML assertion the
    information they need in order to determine how
    much assurance to place in the assertion

44
Authentication Context
  • Liberty defined an XML Schema by which the
    Authority can assert the context of the SAML
    assertions it issues
  • Liberty also defined Authentication Context
    classes, patterns against which an IdP can
    claim conformance
  • Classes are designed to be representative of
    today's (and future) authentication
    technologies, for instance
    • Password over SSL
    • Smartcard
    • Pre-paid Mobile Login
    • Biometric

45
Authentication Context
  • SPs have a means to say
    • "I require that the User be authenticated with
      • Smart card with private key,
      • Password or better,
      • Any mechanism, you decide, I trust your
        opinion"
    • "The assertion you previously sent is
      insufficient for my current transaction,
      authenticate the user again"
  • IdPs have a means to indicate to the SP the
    specific details, e.g.
    • "Password policy requires 8 characters
      minimum"
    • "The User was physically present at
      registration"

46
Phase 2 - Basic Flow
In this scenario the IS (Interaction Service) is
provided with the redirect profile and thus,
strictly speaking, the IS is not a separate
entity, i.e. the IS is one of the functions of
the AP (Attribute Provider). In many cases these
two entities are co-located, i.e. the discovery
service (Disco) is part of the IDP.
(Sequence diagram between User, SP, IDP, Disco,
AP and IS:)
  • User and IDP: Single Sign-On
  • User to SP: Access Site
  • SP to User: Shipping Address?
  • User to SP: Use my personal profile
  • SP to Disco: Where is attribute provider?
  • Disco to SP: Use this attribute provider
  • SP to AP: Give me attributes; AP: check
    permission
  • AP to SP: Redirect UA to AP URL
  • SP to User: Redirect to AP URL
  • User to AP: HTTP GET to AP URL
  • IS to User: Request permission
  • User to IS: Give permission; AP: save permission
  • AP to User: Redirect to SP
  • User to SP: HTTP GET
  • SP to AP: Give me attributes; AP: check
    permission
  • AP to SP: Provide attributes
47
Security and Privacy Guidelines
  • ID-WSF Security and Privacy Overview
    • An overview of the security and privacy issues
      in ID-WSF technology; briefly explains the
      potential security and privacy ramifications
      of the technology used in ID-WSF
  • Privacy and Security Best Practices
    • Highlights certain national privacy laws, fair
      information practices and implementation
      guidance for organizations using the Liberty
      Alliance specifications

48
Business Guidelines
  • Federated Identity cannot be successful based on
    technology alone
  • Address business issues that need to be
    considered when implementing circles of trust and
    enabling federated network identity
    • Mutual confidence
    • Risk
    • Liability
    • Compliance
  • Application and Mobile Deployments Guideline

49
Liberty-enabled products and services
  • Communicator (available)
  • Computer Associates (Q4 2003)
  • DataKey (available)
  • DigiGan (Q3 2003)
  • Ericsson (Q4 2003)
  • Entrust (Q1 2004)
  • France Telecom (Q4 2003)
  • Fujitsu Invia (available)
  • Gemplus (TBD)
  • HP (available)
  • July Systems (available)
  • Netegrity (2004)
  • NeuStar (available)
  • Nokia (2004)
  • Novell (available)
  • NTT (TBD)
  • NTT Software (available)
  • Oblix (2004)
  • PeopleSoft (available)
  • Phaos Technology (available)
  • Ping Identity (available)
  • PostX (available)
  • RSA (Q2 2004)
  • Salesforce.com (TBD)
  • Sigaba (available)
  • Sun Microsystems (available)
  • Trustgenix (available)
  • Ubisecure (available)
  • Verisign (Q4)
  • Vodafone (2004)
  • WaveSet (available)
Delivery dates being confirmed
50
For more information
  • WWW.PROJECTLIBERTY.ORG