Dan Houser, MBA, CISSP, CCP
Security Architect
Nationwide
Web Single Sign-On: Federated Identity
Nationwide
Fortune 500 company
A leading US financial company & insurer:
• Life Insurance
• Automobile Insurance
• Property & Casualty Insurance
• Liability Insurance
• Annuities
• Retirement Products
• Investment Services
• Mortgages
Objectives
• How a Fortune 500 company implemented SAML for cross-company authentication (CCA)
• Under the covers: how artifact and signed SAML authentication works between business partners
• Building an extensible, enterprise architecture implementation with alpha and beta tools
• Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties
• Identity, cryptography, and assertions, oh my!
• Web services authentication and authorization challenges
Web services
Phenomenal business acceleration since 1990
Transformation of business:
• From business at the club to EDI brokering
• From book binding to e-books to books on demand
• Supply chain management
Rapid changes in business and trust models
• Outsourcing, resourcing, insourcing
• Hosting, co-location, managed services, ASPs
• Intense, cyclical Acquisition & Divestiture activity
• Global markets & economies
Web services (2)
Generations of the Internet:
• 1st Gen: Isolation (Research)
• 2nd Gen: Information (Storefront)
• 3rd Gen: Transaction (eCommerce)
• 4th Gen: Integration (Web Services)
Quick Web services primer
Web Services:
• Uses open, lightweight protocols: HTTP, XML, SOAP, WSDL, UDDI
• Provides a direct connection to business logic and core objects through Internet protocols
• Instead of COM, DCOM and RPC, now invoke a Web service over HTTP
Federated identity
What is federated identity?
• The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§
Cross-company authentication (CCA)
• Authentication & authorization between organizations and companies.
Essentially, the same thing under the covers.
§ Source: RSA Security, http://www.rsasecurity.com/go/google/fed_id/redirect.html
Federated identity
Use case 1: Travel model
• A conducts business with B on behalf of end user
• Traditional back-office functions, but in real time
Reference model: Travelocity®
[Diagram: the end user (B2B, B2C, B2E) reaches A's Web page over the Internet/intranet via HTTP; A calls B, a 3rd-party Web services provider, over HTTP/XML/SOAP, and B's business logic carries out the transaction.]
Federated identity
Use case 2: Portal model
• B provides service or collaborative content for A
• Transparent to the end user
Reference model: MapQuest® in Yahoo!® portal
[Diagram: the end user (B2B, B2C, B2E) reaches A's Web page over the Internet/intranet via HTTP; A pulls content from B, a 3rd-party Web services provider, over HTTP/XML/SOAP; B's business logic sits behind its Web services interface.]
Federated identity
Use case 3: Single sign-on model
• A redirects user to B
• B trusts A's authentication
• "Single sign-on" (a.k.a. cross-company authentication, federated identity)
Reference model: Private label banking
[Diagram, four numbered steps: the end user (B2B, B2C, B2E) reaches A's Web page over the Internet/intranet; A redirects the user to B, a 3rd-party Web services provider; A and B exchange HTTP/XML/SOAP/SAML messages.]
Web services implications
• Extensible access portals for legacy business logic and processes
• Ability to react to the market very quickly
• Changes to core business applications are immediately available to trading partners, vendors, customers and regulators
• Business velocity without roadblocks of building extensive GUI presentation layers
Web services introduces cross-company authentication
For selected interfaces:
• Other business partners trust your authentications, and…
• Your organization trusts the authentications provided by others.
SAML provides framework for cross-company authentication
SAML: Security Assertion Markup Language
• Lightweight protocol to exchange security assertions & artifacts
• Can be signed for self-validating assertion
• Permits partners to exchange assertions about authentication and authorization of users
SAML has 4 major components:
1. Assertions
   • Authentication assertions
   • Attribute assertions
   • Authorization decision assertions
2. Request / response protocol – SOAP over HTTP
3. Bindings – how SAML requests map to transport protocols (such as SOAP)
4. Profiles – how SAML assertions are embedded or transported between parties
SAML (2)
A SAML request carried as SOAP over HTTP (the request is signed with XML-DSig; the namespace URIs and query body are elided in the original):

```http
POST /SamlService HTTP/1.1
Host: www.example.com
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:Request xmlns:samlp="…" xmlns:saml="…" xmlns:ds="…">
      <ds:Signature> … </ds:Signature>
      <samlp:AuthenticationQuery>
        …
      </samlp:AuthenticationQuery>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

Source: OASIS - http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-00.doc
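The artifact exchange the objectives promised to open up, as an added example that is not part of the deck and not Nationwide's implementation. It models both halves in Python: the asserting party (the deck's A) builds a SAML 1.x type-1 artifact (2-byte TypeCode 0x0001, 20-byte SourceID, 20-byte AssertionHandle) and redirects the user; the relying party (B) maps the SourceID to a known partner, fetches the assertion over the back channel, and checks the Conditions (validity window, AudienceRestriction) before trusting the name. The site names, the 300-second assertion lifetime, and a direct method call in place of SOAP over mutually authenticated TLS are assumptions; the assertion is unsigned here, and a signed one would have its XML-DSig verified before the Conditions checks.

```python
"""SAML 1.x artifact profile, both sides. Added example, not Nationwide's
code. Assumed, not from the deck: site names, the 300-second lifetime, and
a direct call in place of the SOAP-over-mutual-TLS back channel."""
import base64, hashlib, secrets
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
TYPE1 = b"\x00\x01"                              # artifact TypeCode 0x0001
FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", NS)

def tag(name: str) -> str:
    return "{%s}%s" % (NS, name)

def parse_time(s: str) -> dt.datetime:
    return dt.datetime.strptime(s, FMT).replace(tzinfo=dt.timezone.utc)

class AssertingParty:
    """Source site (A): authenticates the user, hands out an artifact, answers lookups."""
    def __init__(self, site_id: str, ttl_seconds: int = 300):
        self.site_id = site_id
        self.source_id = hashlib.sha1(site_id.encode()).digest()  # 20-byte SourceID
        self.ttl = dt.timedelta(seconds=ttl_seconds)
        self.pending = {}  # AssertionHandle -> assertion XML, consumed once

    def redirect_user(self, user: str, audience: str, target: str, now: dt.datetime) -> str:
        """Redirect URL to the relying party carrying SAMLart and TARGET."""
        handle = secrets.token_bytes(20)  # 20-byte random AssertionHandle
        self.pending[handle] = self.build_assertion(user, audience, now)
        art = base64.b64encode(TYPE1 + self.source_id + handle).decode()
        return target + "?" + urlencode({"SAMLart": art, "TARGET": target})

    def resolve(self, art: str) -> Optional[str]:
        """Back-channel samlp:AssertionArtifact lookup; each handle answers once."""
        raw = base64.b64decode(art)
        if len(raw) != 42 or raw[:2] != TYPE1 or raw[2:22] != self.source_id:
            return None
        return self.pending.pop(raw[22:], None)

    def build_assertion(self, user: str, audience: str, now: dt.datetime) -> str:
        a = ET.Element(tag("Assertion"), {
            "AssertionID": secrets.token_hex(16), "Issuer": self.site_id,
            "IssueInstant": now.strftime(FMT), "MajorVersion": "1", "MinorVersion": "1"})
        cond = ET.SubElement(a, tag("Conditions"), {
            "NotBefore": now.strftime(FMT), "NotOnOrAfter": (now + self.ttl).strftime(FMT)})
        arc = ET.SubElement(cond, tag("AudienceRestrictionCondition"))
        ET.SubElement(arc, tag("Audience")).text = audience
        stmt = ET.SubElement(a, tag("AuthenticationStatement"), {
            "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
            "AuthenticationInstant": now.strftime(FMT)})
        subj = ET.SubElement(stmt, tag("Subject"))
        ET.SubElement(subj, tag("NameIdentifier")).text = user
        return ET.tostring(a, encoding="unicode")

class RelyingParty:
    """Destination site (B): trusts A only after checking issuer and assertion."""
    def __init__(self, site_id: str, partners: list):
        self.site_id = site_id
        self.partners = {p.source_id: p for p in partners}  # SourceID -> partner trust table

    def consume(self, url: str, now: dt.datetime) -> tuple:
        """Handle the user's arrival; returns (user or None, status)."""
        art = parse_qs(urlsplit(url).query)["SAMLart"][0]
        raw = base64.b64decode(art)
        if len(raw) != 42 or raw[:2] != TYPE1:
            return None, "malformed artifact"
        partner = self.partners.get(raw[2:22])
        if partner is None:
            return None, "unknown source site"
        xml = partner.resolve(art)
        if xml is None:
            return None, "artifact already used or unknown"
        root = ET.fromstring(xml)
        cond = root.find(tag("Conditions"))
        if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
            return None, "assertion outside validity window"
        if self.site_id not in [x.text for x in cond.iter(tag("Audience"))]:
            return None, "assertion not addressed to this site"
        return root.find(".//" + tag("NameIdentifier")).text, "ok"

def run_demo() -> dict:
    """Constructed scenario: one good sign-on, then three common failures."""
    now = dt.datetime(2003, 1, 15, 12, 0, tzinfo=dt.timezone.utc)
    portal = AssertingParty("https://portal.example")            # hypothetical
    rp = RelyingParty("https://aggregator.example", [portal])    # hypothetical
    acs = "https://aggregator.example/sso"                       # hypothetical
    url = portal.redirect_user("alice", rp.site_id, acs, now)
    out = {"first": rp.consume(url, now), "replay": rp.consume(url, now)}
    out["expired"] = rp.consume(portal.redirect_user("alice", rp.site_id, acs, now),
                                now + dt.timedelta(seconds=301))
    out["wrong_audience"] = rp.consume(
        portal.redirect_user("alice", "https://someone-else.example", acs, now), now)
    return out

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14s} -> {outcome}")
```

The relying party's partner table keyed by SourceID is the piece the deck later calls out as missing from the protocol: SAML tells B who the user is, but B has to decide for itself which source sites it will resolve artifacts against.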
SAML provides transaction trust
Layer                    Protocols providing trust
Messages / Transactions  SAML / WS-Security / XML-DSig / Passport
Session                  SSL / TLS / IPsec / Kerberos
Business function        No existing protocol
Line of business         No existing protocol
Enterprise               No existing protocol
Nationwide & CCA timeline
2000-2001
• Implemented several federated identity solutions
• Used proprietary artifacts & communication session solutions
• Worked well, but…
  - Unique "one-off" solutions
  - No standard to implement against, so extensive re-work
Nationwide & CCA timeline (2)
2002
• Resolved to adopt a standards-based federated identity solution
• Investigated several federated identity standards
• SAML selected as best SSO authentication solution at the time
• Joined Liberty Alliance as Associate Member
Nationwide & CCA timeline (3)
2002
• Determined three viable directions:
  - Web Access Mgmt (WAM) middleware
  - Adding SAML parsing to existing application(s)
  - Building own assertion generator & parser
• Investigated the market for vendor best suited to deliver SAML-based solution
• Established contract with WAM vendor
• Built first SAML implementation for SSO
Nationwide: First SAML cross-company SSO
• Launched January, 2003
• First commercial use of SAML for SSO
• Three business partners
• Nationwide provides portal, authentication & authorization for both other partners
[Diagram, six numbered steps: the end user (B2B, B2C, B2E) comes in over the Internet/intranet to Nationwide, which performs AuthN and AuthZ; Nationwide redirects the user to the Financial Aggregator and to the Financial Services Company (labels: redirect, redirect, Link).]
Challenges
Complexity
Business issues
Federation
Weakest link
Business trust models
Complexity
Corporate 3-tier Web architectures are already complex.
Federated SSO adds significant complexity in coupling:
• Existing infrastructure
• Web Access Mgmt (WAM) middleware
• Web services interfaces
• New infrastructure
• Cross-company functionality
Complexity (2)
Complexity requires technical sophistication on both sides of the relationship.
Developers need to understand:
• SAML
• Web services
• WAM
• Encryption
Architects need to understand:
• Identity Management
• Authentication/authorization models
Complexity (3)
Complexity extends to privacy and identity issues:
• Privacy policy aggregation, demarcation
• Need to involve CPO, General Counsel
• Identity management issues
• Legal contract & business agreement:
  - Roles & responsibilities
  - Vendor management
  - Procedures for validating trust
The technology is moderately complex.
Trust & policies are harder.
Closer to a wedding than a business relationship
Nationwide’s solution:
Certification & accreditation process
Reference Architecture
Strong 3-tier infrastructure architecture
Forward-looking standards for trust governance
Business issues
Federation
• Interoperability of identity frameworks
• Tough to do between existing corporate legacy applications
• Even tougher between disparate organizations
• Deep dive on assumptions, standards, vetting
• Must scale and scope to business context
Weakest link
Security posture differences must be determined & governed.
• Alignment of reference architecture
• Policy & standards matrix comparison
• Establishment of CCA standards
SLA & performance weakest link
• If your SLA is 7x24 and your partner's SLA is 5x10, how will you provide 7x24?
SAML provides transaction trust (recap)
(Repeats the earlier "SAML provides transaction trust" slide: SAML, WS-Security, XML-DSig and Passport cover the messages/transactions layer; SSL/TLS, IPsec and Kerberos cover the session layer; no existing protocol covers the business function, line of business or enterprise layers.)
Web services introduces cross-company authentication (recap)
(Repeats the earlier slide: for selected interfaces, other business partners trust your authentications, and your organization trusts the authentications provided by others.)
What now?
The Interconnectedness of all things…
Business trust models
Recognized needs:
• Ongoing contractual compliance
• Continual determination of trustworthiness
• Legal implications of trust model
Result:
• CCA standards
• Development of Xota℠ protocol
Xota℠ is a service mark of Nationwide Mutual Insurance Company. Patent pending.
Xota℠
• Combination of protocol & methodology
• Permits determination of trustworthiness in real time between business partners
• Trust governance at the transaction level
• Continuous assessment of contractual and regulatory compliance
• Nationwide is establishing a consortium
Surprises
Troubleshooting with ½ the data
Missing standards & solutions
Interoperability
Human factors
Troubleshooting
SAML consists of HALF transactions: asserting party | relying party
• Troubleshooting with only half the data!
• Complexity and cross-disciplinary issues
• Coordinated helpdesk an issue
• Log sharing, aggregation
• Time synchronization an issue
Missing standards & solutions
SAML has some gaps:
• No SAML session management
• No support for timeout, logoff "rollup"
• Had to develop own session management and session timeout protocol
Middleware gaps:
• No signed SAML support in middleware
• Lack of 3-tier architecture support
Session management issues
[Diagram: the same three-party SSO flow (end user, Nationwide AuthN/AuthZ, Financial Aggregator, Financial Services Company) with its six numbered steps.]
• Cookie forces session timeout; the user must re-authenticate
• User is redirected back to Nationwide and gets a new SAML assertion
• Goes through the SAML authentication process again
Interoperability
• Authentication & authorization required for both the business partners and users
• SAML provides user authentication
• No protocol support for partner connection authentication, authorization
• Each partner connection model unique
• Bleeding-edge implementation preceded Web services protocol standards
Human factors
Communications issues
Users unaware of SSO implementation:
• Sensitive to performance lag
• Multiple resubmits
• Question lack of sign-on: "Is security broken?"
Deep bookmarking
• Users will bookmark relying party sites
• Persistent cookie that identifies user as CCA user?
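A relying-party session handler covering both the session-timeout gap from the "Session management issues" slide and the deep-bookmarking question above, as an added example that is neither the deck's nor Nationwide's own session protocol. The partner names, URLs, the 15-minute idle timeout and the cookie names are assumptions. It shows the two timeout rules a relying party needs once SAML leaves session management to it (idle timeout, plus an absolute lifetime capped by the assertion's NotOnOrAfter so the partner's timeout rolls up into the local one) and how a bookmarked deep link is bounced back to the asserting party with its TARGET preserved.

```python
"""Relying-party session handling for federated SSO. Added example, not
Nationwide's code. Partner names, URLs, timeouts and cookie names are assumed."""
import datetime as dt
import secrets
from urllib.parse import urlencode

IDLE_TIMEOUT = dt.timedelta(minutes=15)   # assumed local policy
# Asserting parties this site trusts, keyed by the value kept in the persistent
# "cca" cookie. The cookie says which partner to bounce to, nothing about the user.
PARTNER_SSO = {"portal": "https://portal.example/sso"}   # hypothetical

class Session:
    def __init__(self, user, partner, now, not_on_or_after):
        self.user, self.partner, self.last_seen = user, partner, now
        # Absolute lifetime is capped by the assertion's NotOnOrAfter, so the
        # partner's timeout rolls up into ours instead of being ignored.
        self.expires = not_on_or_after

class RelyingPartySite:
    def __init__(self):
        self.sessions = {}   # session cookie value -> Session

    def login_from_assertion(self, user, partner, now, not_on_or_after):
        """Called once a valid assertion has arrived; returns the cookies to set."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, partner, now, not_on_or_after)
        return {"rpsess": sid, "cca": partner}   # rpsess: session cookie; cca: persistent

    def bounce(self, partner, path):
        """Send the user back to the asserting party for a fresh assertion,
        carrying TARGET so they land on the page they asked for."""
        return 302, PARTNER_SSO[partner] + "?" + urlencode({"TARGET": path})

    def handle_request(self, path, cookies, now):
        """Returns (status, location-or-body) for one request."""
        sid = cookies.get("rpsess")
        s = self.sessions.get(sid)
        if s is None:
            # No session: first visit or a deep bookmark. The persistent marker
            # tells us which partner authenticated this browser last time.
            partner = cookies.get("cca")
            if partner in PARTNER_SSO:
                return self.bounce(partner, path)
            return 302, "/login"   # non-federated users get the local login page
        if now >= s.expires or now - s.last_seen > IDLE_TIMEOUT:
            # Cookie-forced timeout: drop the local session and re-federate.
            del self.sessions[sid]
            return self.bounce(s.partner, path)
        s.last_seen = now
        return 200, f"{path} for {s.user}"

def run_demo():
    """Constructed scenario covering the active, idle, absolute and bookmark cases."""
    now = dt.datetime(2003, 1, 15, 12, 0, tzinfo=dt.timezone.utc)
    site = RelyingPartySite()
    cookies = site.login_from_assertion("alice", "portal", now, now + dt.timedelta(hours=1))
    out = {"active": site.handle_request("/accounts", cookies, now + dt.timedelta(minutes=5))}
    out["idle"] = site.handle_request("/accounts", cookies, now + dt.timedelta(minutes=25))
    short = site.login_from_assertion("bob", "portal", now, now + dt.timedelta(minutes=10))
    out["absolute"] = site.handle_request("/accounts", short, now + dt.timedelta(minutes=12))
    # A bookmarked deep link in a new browser session; only the persistent cca cookie survived.
    out["bookmark"] = site.handle_request("/accounts/123", {"cca": "portal"}, now)
    out["stranger"] = site.handle_request("/accounts/123", {}, now)
    return out

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} -> {outcome}")
```

The persistent cca cookie records only which partner signed the user on, not who the user is, which is what answers the deck's question while leaving nothing identifying on the browser.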
Lessons learned
• Have a good partner relationship with WAM vendor(s)
• Business issues as significant as technology issues
• Lightweight implementation toolkit required for smaller partners
• Trust modeling important consideration
Benefits achieved
• Federated identity provides flexible, adaptable solutions for SSO
• Ability to use infrastructure for affiliates, other contexts
• If you build it, they will come
• Federated identity works reliably
• Use of standards, such as SAML, pays off in 2nd, 3rd implementations
Q&A
Questions?
Further information
Contact information:
Dan Houser, MBA, CISSP, CCP
Security Architect
Nationwide
(614) 249-6639
Best resources:
• OASIS http://xml.coverpages.org/saml.html
• Liberty Alliance http://projectliberty.org
Thank you.
Questions, comments?
Mr. Houser will not be available to answer questions at the Ask-the-Experts booth in the Exhibit Hall.
Please send questions to [email protected].