Olli Jussila Adaptive R&D TeliaSonera. TERENA EuroCAMP 2007 Helsinki 23/02/07 Page 2 Agenda...

Olli JussilaAdaptive R&DTeliaSonera

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 2

Agenda

• TeliaSonera at a glance• Project presentation• Technical results• Business model and actor benefits• End user experience• Dissemination activities• Conclusion

The Nordic and Baltic leader in telecommunications

E S T O N I A

L A T V I A

L I T H U A N I A

F I N L A N D

S W E D E N

D E N M A R K

N O R W A Y

23.5 million customers

Number of Customers as of December, 2006

Number of employees: 28,000

Net sales 2006EUR 9790 million

Strong positions in mobile in Eurasia, Russia and Turkey through subsidiaries and associated companies

Mobile services launched in Spain at the end of 2006

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 4

Identity Management

Nightmare !Multiple accounts, multiple credentials everywhere

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 5

Circle of trust

WSPAttribute Provider

Profiles

The Liberty solution

Identifiers

IDP Identity Provider

SP Service Provider

SP Service Provider

Sign on SPs with

my IDP account

1

Id-ff

3

Share My personal

information

Id-wsf

2 Single Sign On

To other website

Id-ff

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 6

FIDELITY –project assumptions

• Potential Identity Providers and Circles of Trust are numerous

• Users will navigate among these Circles of Trust

• One CoT should be able to establish trust relations with another CoT to allow Identity roaming

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 7

FIDELITY –project in a nutshell

• Set up 4 heterogeneous Circles of Trust

• Deploy strong authentication mechanisms

• Demonstrate the inter-operability of these Circles of Trust regarding:

– Liberty Alliance technical specifications

– Business model

– EU legal constraints

– User experience

• Provide standardisation and implementation contributions

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 8

FIDELITY –project members

• 4 telcos, setting up the CoTs :– France Telecom, Amena, Telenor, TeliaSonera

• 3 industrial partners, providing ID platforms and software– Ericsson, Gemalto, Italtel

• 3 SMEs, and 1 university, providing specific skills and software– TB-Security, Linus, Moviquity, Oslo university college

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 9

FIDELITY final results

Technical results

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 10

Implementation of principal COTs/interCOT infrastructure and services

• The four CoTs in France, Finland, Norway and Spain have been established.

• Each CoT has – an Identity Provider– some Service Providers with Web service consumers WSC– and some Attribute Providers (Web service providers WSP)

• In each COT:– ID-FF V1.2 (Identity Federation and SSO) has been fully tested– ID-WSF V1.1(Identity Web Service Framework) has been

tested

• Product from different vendors have been used in order to test interoperability of Liberty software implementation

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 11

Architecture and Information flow (simplified view)

Service Provider with WSC V-IdP

V-DS

H-IdP

H-DS

H-WSP

1

V-CoT

H-CoT

2

4

35

6

7

8

9

1011

1. A user access a service

2. SP re-directs user to V-IDP

3. V-IDP re-directs/proxies user to H-IDP

4. H-IDP maps the authentication context request of V-IDP and authenticates a user.

5-6. Auth. assertion including DS info is returned and to V-IDP and V-SP

7-8. SP (WSC) requests end point of H-WSP from H-DS.

9-10. SP (WSC) requests service from H-WSP

11. According privacy settings H-WSP initiates user-consent process via SP and Interaction service. WSP is also able to request stronger authentication via WSC/SP

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 12

The French CoT

IDPIdentity Provider

WSPPersonalProfile

WSPGeolocation Profile

WSPWalletProfile

SPWhereRestaurantSP

Student exchange

SPBook a Hotel IDP

Technical

DS

User/passord

EAP/SIM

+ password

Software PKI

SPAttribute registration

SPWallet registration

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 13

The Finnish CoT

IDP / DSIdentity Provider

WSPPersonalProfile

WSPGeoloc Profile

WSPCalendarProfile

WSPWalletProfile

SPWhereRestaurantSP

Registerwith a mobile

SPBookA Hotel

SPPrivacyManager

User/passordOT sms

(+ password)

WPKI

EAP / SIM

GPRS

HLR

WSPStudentProfile

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 14

InterCoT Single Sign On• Authentication Contexts

User Agent

V-SP V-IDP H-IDP

NOMobile TP – ISO – OTP

NOPC + Mobile OTPModerate

NOMobile USB – OTP

YESPC EAP/SIM

NOPC PKIStrongYESMobile WPKI

NOPC eGate EMV

SSL UserID/password

Plain UserID/password

GPRS authentication

PC 3.48/SIM

Methods

NO

YES

YESBasic

NO

Supported?Level

NOMobile TP – ISO – OTP

NOPC + Mobile OTPModerate

NOMobile USB – OTP

YESPC EAP/SIM

NOPC PKIStrongYESMobile WPKI

NOPC eGate EMV

SSL UserID/password

Plain UserID/password

GPRS authentication

PC 3.48/SIM

Methods

NO

YES

YESBasic

NO

Supported?Level

NOMobile TP – ISO – OTP

NOPC + Mobile OTPModerate

YESMobile USB – OTP

NOPC EAP/SIM

YESPC PKIStrongNOMobile WPKI

NOPC eGate EMV

SSL UserID/password

Plain UserID/password

GPRS authentication

PC 3.48/SIM

Methods

YES

YES

NOBasic

NO

Supported?Level

NOMobile TP – ISO – OTP

NOPC + Mobile OTPModerate

YESMobile USB – OTP

NOPC EAP/SIM

YESPC PKIStrongNOMobile WPKI

NOPC eGate EMV

SSL UserID/password

Plain UserID/password

GPRS authentication

PC 3.48/SIM

Methods

YES

YES

NOBasic

NO

Supported?Level

2. PC EAP/SIM please?

8.Authenticated ok, empty context

Or

Requested

context

7. Mobile USB-OTP

4. PC EAP/SIM please?

5. Some other from the same level?

6. Authentication with the user

1. User accesses service provider

3.

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 15

InterCoT attribute sharing (ID-WSF)

• InterCoT Discovery Service

– Direct Access. By using this method, the V-WSC requests directly the Discovery Service of the H-CoT (H-DS)

– DS-proxying. By using this method, the Discovery Service of the V-CoT (V-DS) acts as a DS-proxy between the V-WSC and the H-DS.

– DS-chaining. By using this method, the V-WSC requests first the V-DS which redirects it to the H-DS.

If direct access is used, then we recommend the deployment of a Trust model based on PKI

Teste

d

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 16

ID-WSF trust model for attribute sharing – IntraCoT vs. InterCoT

• In IntraCoT, every (H-)SP – (H-)WSP pair has a direct business agreement implying direct trust relationship– Technically, the trust between ID-WSF entities is established by

exchanging metadatas on a bilateral basis

• In InterCoT, the business agreements are established only between IDPs but there is no direct business relationship between V-SP and H-WSP– Technically, exchanging metadatas between every V-SP – H-WSP

pair would be far too exhaustive → provisioning of metadatas would require too much effort

• Fidelity PKI trust model enables business model for InterCoT attribute sharing between V-SP and H-WSP– Technically, this is implemented by using hierarchical certificate

path validation (RFC3280)

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 17

IDP 2WSP IDP 1

-------

--

-------

--

CoT CA

-------

--

-------

--

Root

InterCoT Relationship Establishment

• CA certificate exchange

-------

--

-------

--

CoT CA

-------

--

-------

--

RootSP

WSP

SP

• IDPs exchange the CA certificate chains, and delivers them to their other IntraCoT entities (SPs and WSPs)

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 18

WSP

-------

--

-------

--

CoT CA cert

-------

--

-------

--

Root CA cert

InterCoT Relationship Establishment

SP / WSC

Visited CoTHome CoT

-------

--

-------

--

Service request

-------

--

-------

--

SP cert

includes CoT CRL

CoT CA

Certification revocation status check

trusts

is associated with

Compliant with

RFC3280

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 19

FIDELITY final results

Business Scenarios, Actors benefits

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 20

Business scenarios

• Closed Scenario:

– Single Company IDP and SP

• Open Scenario:

– Telecom as IDP for external SP

• Inter-CoT Scenario:

– Telecom Operator alliances with internal and external SPs

• Inter-CoT Scenario Multi-domains

– Multi domain IDP alliances with internal and external SPs

IDP

SP

IDs

SP

IDs

IDP

SP

IDs

SP

IDs

IDP

SP

IDs

SP

IDs

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 21

Actors Benefits

• Identity Provider– Large user base – Attract new user – Enforce their trust relation with

the user – Offer (sell) strong and complex

authentication methods

• Service Providers– Attract users– Simplify local user management – Use Strong authentication – Rely on user identity attributes

• User– Simple and secure authentication – Ease of attribute management,

control of data dissemination– Respect of his privacy

More users

More services

The virtuous circle :

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 22

FIDELITY final results

End User Experience

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 23

• Concepts explanation and representation– Explain to the user what is a CoT, what is CoCoT– Represent concepts with pictures:

Circle of Trust (CoT) and Circle of CoT (CoCoT)

CoCoT

logo/brand

CoT logo/brand Key = SP credentials

Master Key = IDP

credentials

• CoT Homepage– Disclaimer– SSO description– Attribute sharing description– List of the SP belonging to the CoT– Map of the CoT and the CoT's partners (CoCoT)– Registration area– Personal area for registered users

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 24

FIDELITY final results

Dissemination activities

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 25

Advisory Boards in each telco Liberty Meetings (plenary, TEG) 3GSM World Congress 2007 IST 2006 E challenge ISSE in Roma Internet Global Congress Barcelona Security and identity management event in Barcelone France Telecom R&D result event in Paris Telecom I+D, Madrid Celtic and Eureka events

Website : www.celtic-fidelity.org Demo Kit : www.celtic-fidelity.org/fidelity/flash/ Public documents :

www.celtic-fidelity.org/fidelity/Documentation.jsp

Standardization activities (Wallet + calendar ID-WSF Serv. Interf. spec)

Fidelity: Dissemination

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 26

Conclusion of the FIDELITY project

• From a technical, business, legal and ergonomic point of view, Liberty solves the IDM issue and can be extended to InterCoT.– But read our public recommendations anyway…

• The very good cooperation and acceptance between all partners was the basis for the success of the project.

• The consortium is satisfied with the results obtained and will now begin to exploit them.

TERENA EuroCAMP 2007 Helsinki

23/02/07 Page 27

Thank you for your attention

Any questions?