Federated Identity in Practice

1
Federated Identity in Practice

• Mike Beach
• The Boeing Company

2
Federated Identity

• Federated Identity allows customers, partners and
  end-users to use Web services without having to
  constantly authenticate or identify themselves to
  the services within their federation.
• This applies both within the corporation and
  across the Internet.

3
The Boeing Environment

• Three user communities
• 150,000 employees, contractors
• 80,000 partners, suppliers, customers
• 1,000,000 ex-employees, beneficiaries
• Three enterprise directories
• Comprehensive Sun ONE directory (all people of
  interest)
• Microsoft Active Directory (most employees)
• RACF (most employees but not same employees as
  MS AD)
• Many Boeing web servers
• Apache, IPlanet, IIS, ColdFusion, Shadow, Oracle
• Over 350 web server platform/version variations
• Multiple versions of both Netscape and IE
  browsers

4
WSSO Objectives

• Simple, consistent user experience
• Improved security through centralized access
  management
• Reduction in user accounts and passwords, thus
  reductions in account administration costs
• Applications isolated from authentication
  mechanisms and authentication technology
  insertions
• Applications agnostic to origin of users access
  (internal or external)
• Single sign on across Boeing business domain,
  including partners, suppliers, customers

5
WSSO Key Solution Differentiators

• Web Single Sign-on (WSSO) across Boeing and
  external web sites
• Common infrastructure supporting internal and
  external access, for internal and external users
• No control over desktop configuration and no
  ability to deploy components to the desktop
• Leverage existing Boeing infrastructure

6
The Deployment

• Oblix Netpoint infrastructure with 12 Access
  Servers deployed across 3 geographic regions
  (plus sand box, development, test, and
  integration environments about 50 machines
  total)
• Primarily authentication today, limited
  authorization
• No Identity Management or delegated
  administration
• Custom integration with 5 authentication
  mechanisms
• MS Active Directory
• RACF
• X.509 personal certificates
• Proximity badge
• Customer/supplier reverse web proxy user ID and
  password

7
Major WSSO Components
Identity And Policy Stores
WebGate
Login Hub
BoeingReverseProxy
WebBrowser
LogonW2KRACFCertificate
AD
RemoteAccessService
RACF
WebGate
Web ServerContent
WebBrowser
X.509
SAMLServices
CorporateSun ONEDirectory
AccessServer
Boeing Plugin
3rd PartyWeb ServerContent
WSSOProxyServices
Login Hub
AllPeople
Boeing Plugin
LogonPIN
OblixPolicy
Groups
Customers,Suppliers
CustomerAuthenticatorService
PIN Authentication
DMZ
8
WSSO Authentication Sources
Identity And Policy Stores
WebGate
Login Hub
BoeingReverseProxy
WebBrowser
LogonW2KRACFCertificate
AD
RemoteAccessService
RACF
WebGate
Web ServerContent
WebBrowser
X.509
SAMLServices
CorporateSun ONEDirectory
AccessServer
Boeing Plugin
WSSOProxyServices
3rd PartyWeb ServerContent
Login Hub
AllPeople
Boeing Plugin
LogonPIN
OblixPolicy
Groups
Customers,Suppliers
CustomerAuthenticatorService
PIN Authentication
DMZ
9
WSSO Authorization Sources
Identity And Policy Stores
WebGate
Login Hub
BoeingReverseProxy
WebBrowser
LogonW2KRACFCertificate
AD
RemoteAccessService
RACF
WebGate
Web ServerContent
WebBrowser
X.509
SAMLServices
CorporateSun ONEDirectory
AccessServer
Boeing Plugin
WSSOProxyServices
3rd PartyWeb ServerContent
Login Hub
AllPeople
Boeing Plugin
LogonPIN
OblixPolicy
Groups
Customers,Suppliers
CustomerAuthenticatorService
PIN Authentication
DMZ
10
WSSO Perimeter Access Components
Identity And Policy Stores
WebGate
Login Hub
BoeingReverseProxy
WebBrowser
LogonW2KRACFCertificate
AD
RemoteAccessService
RACF
WebGate
Web ServerContent
WebBrowser
X.509
SAMLServices
CorporateSun ONEDirectory
AccessServer
Boeing Plugin
3rd PartyWeb ServerContent
WSSOProxyServices
Login Hub
Login Hub
AllPeople
Boeing Plugin
LogonPIN
LogonPIN
OblixPolicy
Groups
Customers,Suppliers
CustomerAuthenticatorService
PIN Authentication
DMZ
11
WSSO-protected Components
Identity And Policy Stores
WebGate
Login Hub
BoeingReverseProxy
WebBrowser
LogonW2KMyInfoCertificate
AD
RemoteAccessService
RACF
WebGate
Web ServerContent
Web ServerContent
WebBrowser
X.509
SAMLServices
CorporateSun ONEDirectory
AccessServer
Boeing Plugin
WSSOProxyServices
3rd PartyWeb ServerContent
Login Hub
AllPeople
Boeing Plugin
LogonPIN
OblixPolicy
Groups
Customers,Suppliers
CustomerAuthenticatorService
PIN Authentication
DMZ
12
WSSO Users
Identity And Policy Stores
WebGate
Login Hub
BoeingReverseProxy
WebBrowser
LogonW2KMyInfoCertificate
AD
RemoteAccessService
RACF
WebGate
Web ServerContent
WebBrowser
WebBrowser
X.509
SAMLServices
CorporateSun ONEDirectory
AccessServer
Boeing Plugin
WSSOProxyServices
3rd PartyWeb ServerContent
Login Hub
AllPeople
Boeing Plugin
LogonPIN
OblixPolicy
Groups
Customers,Suppliers
CustomerAuthenticatorService
PIN Authentication
DMZ
13
Milestones

• Started RFP 3/2001
• Vendor selection 8/2001
• Production 12/2001
• 100,000 logins per day 2/2003
• 100 applications in production 4/2003
• 3rd party web site integration 5/2003
• External user integration 5/2003
• SAML production 6/2003
• Role-based access control Q3/2003
• Complete deployment (1000 applications) End
  2004-2005

14
SAML Participants

• The Boeing Company
• A leading manufacturer of commercial airplanes,
  space technology, defense aircraft and systems,
  and communication systems.
• Southwest Airlines
• A major domestic airline that provides primarily
  shorthaul, high-frequency, point-to-point,
  low-fare service. Southwest operates over 350
  Boeing 737 aircraft in 58 cities.
• Oblix Inc.
• A leading developer of identity-based security
  solutions for e-Business networks. The company's
  flagship product, Oblix NetPoint, is an
  enterprise identity management and Web access
  solution that provides an identity infrastructure
  for dynamic e-Business environments.

15
SAML Deployment Objectives

• Significantly increase the user base of
  MyBoeingFleet, the secure web portal that
  provides Boeing customers access to all of the
  information required to operate and maintain
  their fleets
• Embed MyBoeingFleet more deeply in Airlines
  businessprocess. Facilitate the deployment of
  MyBoeingFleet contentdirectly to the customer
  maintenance hanger
• User will authenticate to their local intranet,
  click on a link to MyBoeingFleet, and seamlessly
  access the data and services without a secondary
  Boeing authentication request
• Role-based access control targeted for next year

16
The SAML Flow
DOMAIN A swacorp.com
2.0
1
2.1
2.1
2.2
SAML Services
SWA User
SWA Portal
2.3
3
DOMAIN B Boeing.com
DMZ
DMZ
SAML Server
Reverse Proxy
4
2.5
INTERNAL
INTERNAL
Target ResourceMyBoeingFleet.com
Access Server
17
Web Access ManagementGeneral Challenges

• Managing
• Executive expectation
• User experience
• Hundreds of applications with even more policies
• Complexity and reliability
• Browsers, web servers, networks, directories,
  libraries, versions, custom code
• Session management
• Existing applications typically have imbedded
  session management
• Anomalies arise from inconsistent session state
• Global logout is problematic (hurray for SAML
  2.0!)
• Security
• Vulnerability assessment and risk mitigation
  where possible is appropriate

18
SAML Deployment Considerations

• Assertions may need to be constrained to a domain
• Boeing defined the authentication mechanism to
  include both user identity and SAML issuer ID
• Support for direct bookmarks
• For each web session, prior to a SAML transfer,
  bookmarks and URL references may not work
• Oblix-provided solution creates a persistent
  SAML Provider cookie and implements redirection
  through SAML services for unauthenticated users
• Not a part of SAML standard.
• SAML only provides the introduction
• Boeing content resides inside the Boeing security
  perimeter.
• Had to integrate ObssoCookie intelligence into
  perimeter before users could actually get to
  content.
• Security considerations of interactions across
  the Internet AFTER the SAML exchange were
  significant

19
Recommendations

• Focus on communication and marketing
• Manage expectations
• Educate users
• Thoroughly understand and plan user experience
  (within product capabilities)
• Consider limiting scope
• Integration of legacy technologies can be costly
• Each component integrated adds to complexity and
  impacts overall reliability
• Consider adjusting infrastructure to support IAM
• Integration to existing infrastructure required
  significant custom code
• Use of a virtual directory could simplify
  deployment, but probably with an impact to
  performance

20
Standards Wish List

• Support for direct bookmarks
• Bookmarks and URL references (deep links)
  should work, even prior to the initial SAML
  transfer.
• Global logout
• Provide the user with an intuitive logout
  facility that would ensure complete termination
  of all application sessions and authentication
  credentials.
• Domains of federated security
• Users have need for multiple, disconnected
  federated security domains. For example,
  separation of business and personal. (Selective
  logout?)
• Security strength of public Internet technologies
• Industry needs to deliver technology that
  prevents cookie vulnerabilities (hijack and
  replay).
• Support for individual application session
  timeout settings
• Several of our application environments consider
  a session timeout setting (idle time) mandatory.
• Authentication State Visibility
• It is important for the user to always be aware
  of their authentication state. Are they
  authenticated, and to what?