Tivoli Federated Identity Manager - IBM · 2009-10-27

Tivoli Federated Identity Manager

Sven-Erik Vestergaard
Certified IT Specialist
Security architect
SWG Nordic
[email protected]

IBM Software Day Vilnius 2009

IBM Software group

2

Agenda

• IBM strategy on IAA
• What is a federation from a business perspective
• How does it work
• Web services security identity propagation
• Customer cases


Identity and Access Assurance

Benefits:
• Reduce help desk operating expenses
• Comply with regulations
• Improve user productivity
• Reduce risk from privileged insiders
• Respond quickly to business initiatives (e.g. new applications, M&A, restructuring)

Tivoli Capabilities:
• User provisioning & role management
• Unified single-sign-on
• Privileged user activity audit & reporting
• Directory and integration services
• Log Management
• Self-service password reset
• Identity Assurance / Strong authentication management

Getting started with Identity and Access Assurance

Diagram (labels only; the original slide is a picture):
• Building blocks: Single Sign On & Password Management; User Provisioning / Role Management; Access Attestation; Security log management & reporting
• Business Applications (including Cisco Secure ACS) are fed from an Authoritative Identity Source (Human Resources, Customer Master, etc.) through the TIM Trusted Identity Store
• Example users and accounts: John C. Doe, Sarah K. Smith; account ids jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody
• Recertification Request sent to Sarah's Manager; outcome: Access Revalidated and Audited
• Tivoli Identity Manager flow (steps numbered 1 to 5 on the slide): Identity change (add/del/mod) from HR Systems / Identity Stores; Access policy evaluated; Approvals gathered; Accounts updated; Detect and correct local privilege settings
• Accounts on 70 different types of systems managed (Databases, Operating Systems, Applications, Networks & Physical Access, ID stores), plus In-House Systems & portals

Agenda

• What is a federation from a business perspective


Key Business Models Driving Federation

Mergers and Acquisitions
Success of a merger is often related to how quickly disparate systems can be integrated to meet the needs of the business.

Collaboration between autonomous Business Units
Many companies maintain separate autonomous business units for political, competitive, and regulatory reasons but still require cross-unit access for management and customers.

Collaborative development with Partners
Some organizations are working more with partners on new strategic developments, thereby increasing the need for federated access to partner systems.

Employee access to Outsourced Services
Costs of building and maintaining point-to-point solutions for access to outsourced solutions can dilute benefits of outsourcing.

Key Business Models Driving Federation (cont.)

Service Provider Automation
Service providers can incur significant costs in managing user accounts across their customer base – federated technologies can dramatically reduce these costs.

Government collaboration
Government security based initiatives to gain access to law enforcement and a wide range of other personal data in a secure, efficient manner.

Improved Corporate Governance
Key issue with audit/compliance is management of external access to systems.

Federated Identity Management

Objectives:
• Lower Identity Management costs
• Improve user experience
• Provide end-to-end security and trust foundation for inter-organization application integration

Leverages the concept of a portable identity: identity is "asserted" from a trusted third-party (Passport, Credit / ATM Card, Drivers License).

Diagram (labels only): an Identity Provider (IdP) in a Federation with several Service Providers (SP); the federation rests on business agreements, technical agreements, and policy agreements; end to end user lifecycle management.

What does IBM Tivoli Federated Identity Manager (TFIM) bring to the table?

• Ability to handle identity/attribute transformation as part of token handling
• Ability to exchange token types as part of validation of request at edge; enables advanced "intermediary" type functionality
• Ability to do authorization decisions at abstract WSDL level, independent of WSDL binding
• Integrates with TAM Authorization: Access allowed? (Yes/No); Protected Object Policies (e.g. Time of Day); Authorization Rules (authorization policies based on client attributes)
• Audit
• All of this in a standards-based manner!

Agenda

• How does it work


TFIM Architecture Overview

Diagram (labels only; the original slide is a picture):
• Federated Single Sign-On: secure user interaction (Web Application, Web Portal, Portal)
• Federated Web Services: secure application interaction (App, ESB, Gateway)
• Federated Provisioning: Open Standards linking Provisioning System and Database
• Trust infrastructure: Tokens: sign/encrypt; Message: sign/encrypt; Transport: SSL/TLS, WS-Sec
• Underpinned by Business agreements, Legal agreements and Technical implementation

Identity Federation – SSO with OOB Acct Linking (cont.)

Mapping between identities is not defined by the specification.

SAML 1.x use-case (diagram labels only):
• Source Web Site www.ibm.com is the Identity Provider; Destination Web Site my.travel.com is the Service Provider
• 1. Authenticate; 2. Assert Identity (svest); 3. Access Resource
• IdP record: svest|… ; SP record: Sven_Erik|… ; the Assertion carries svest, and the link to Sven_Erik is marked "?"

Identity Federation – Attribute Federation

Identity mapping based on some shared attribute

SAML 1.x use-case (diagram labels only):
• Source Web Site www.ibm.com is the Identity Provider; Destination Web Site my.travel.com is the Service Provider
• 1. Authenticate; 2. Assert Identity (svest, [email protected]); 3. Access Resource
• IdP record: svest|[email protected]|… ; SP record: Sven_Erik|[email protected]|… ; the Assertion carries the shared attribute

A Quick, Practical Example — Partner Case

1. User logs on MyHR.com - TAMeb authenticates user, creates session; TAMeb controls user access & session mgmt.
2. User clicks on third-party link Options.com - Link configured for Liberty, WS-Fed, or SAML; TAM consults FIM
3. FIM initiates SSO with 3rd party site - FIM creates SSO Token user session
4. Options.com maps token to local identity

*** User has transparent SSO to third-party ***

Diagram (labels only): End User connects over HTTPS to Access Manager at Myportal.com; Federated Identity Management provides the Trust Broker / Trust Service, Identity Broker / Security Token Service (Kerberos, SAML, X.509v3), SSO Service (SAML, Liberty, WS-Federation), User Provisioning Service, Custom Tokens and Partner Key Mgmt; the third-party site is HRservices.com (Myrecord).
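The mapping step in the three preceding slides (account linking when the assertion alone does not identify the local user, attribute federation when a shared attribute such as the e-mail address does, and "Options.com maps token to local identity" in the partner case) is shown below as an added example. It is not code from the deck or from TFIM; the assertion layout, the registry records, the linked accounts and the `example.com` addresses are all constructed for the illustration.

```python
# Added example (not from the original deck or TFIM): a Service Provider
# resolving the identity asserted by an Identity Provider to a local account.
# Two strategies from the slides are shown: a pre-established account link
# (out-of-band account linking) and a shared attribute (the e-mail address).
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for what the IdP asserts (SAML 1.x style)."""
    issuer: str                                  # IdP, e.g. www.ibm.com
    subject: str                                 # IdP-side user id, e.g. svest
    attributes: dict = field(default_factory=dict)


# Constructed SP-side user registry (my.travel.com): local id -> attributes
SP_REGISTRY = {
    "Sven_Erik": {"mail": "svest@example.com"},
    "jsmith":    {"mail": "jsmith@example.com"},
}

# Constructed out-of-band account links: (issuer, remote id) -> local id,
# established by an administrator before the first federated login.
ACCOUNT_LINKS = {
    ("www.ibm.com", "jdoe"): "jsmith",
}

# Only assertions from federation partners are ever mapped.
TRUSTED_ISSUERS = {"www.ibm.com"}


def map_by_link(a: Assertion, links=ACCOUNT_LINKS) -> Optional[str]:
    """OOB account linking: look the (issuer, subject) pair up in the link table."""
    return links.get((a.issuer, a.subject))


def map_by_attribute(a: Assertion, registry=SP_REGISTRY, attr: str = "mail") -> Optional[str]:
    """Attribute federation: the asserted attribute must match exactly one local
    account. Ambiguous matches (two local accounts sharing the value) are refused."""
    value = (a.attributes.get(attr) or "").strip().lower()
    if not value:
        return None
    matches = [uid for uid, rec in registry.items()
               if rec.get(attr, "").lower() == value]
    return matches[0] if len(matches) == 1 else None


def resolve_local_identity(a: Assertion, registry=SP_REGISTRY,
                           links=ACCOUNT_LINKS) -> Optional[str]:
    """Return the SP-local user id for the asserted identity, or None when the
    issuer is not a federation partner or no unambiguous mapping exists."""
    if a.issuer not in TRUSTED_ISSUERS:
        return None
    return map_by_link(a, links) or map_by_attribute(a, registry)


if __name__ == "__main__":
    # svest at www.ibm.com is mapped to Sven_Erik through the shared mail attribute
    print(resolve_local_identity(
        Assertion("www.ibm.com", "svest", {"mail": "svest@example.com"})))
```

The link table is consulted first because an explicit link is a stronger statement than an attribute match; refusing ambiguous attribute matches and unknown issuers are the two checks an SP cannot leave out, since either would let one federated login land in the wrong local account.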

Agenda

• Web services security identity propagation

Use Case – Services Integration

Diagram (labels only): several Service Requestors reach an Application Service, a Business Service, an Infrastructure Service and a Partner Service through an Enterprise Service Bus; cross-cutting concerns: Identity & Authentication, Authorization & Privacy, Confidentiality & Integrity.

• Propagate identity: cross domain/realm identity mapping and token transformation
• Reflect business relationships: Trust Management (for data, identity, etc.)
• Protect business information
• Governance, Risk & Compliance

TFIM Components for Web Services Security Management

Diagram (labels only): a Client App sends Web Services Requests to a WS App on WebSphere, where the Web Services Handler / TFIM Web Services Trust Handler calls the Trust Service (STS); supporting components are the Auth Service, the Access Manager Policy Server & Authorization Server, the LDAP User Registry, the Key Encryption / Signing Service and the TFIM Console (ISC on WebSphere).

TFIM WSSM – Generic Design Overview

Diagram (labels only; the original slide is a picture):
• Web Service Server/Gateway: Web Services Security Processing with the WSSM Token Module, which sends a SOAP RequestSecurityToken over WS-Trust to the TFIM Runtime / TFIM Trust Service for a token-to-token exchange and receives a Local Credential
• Authorization against the TAM Protected Object Space, laid out as /itfim-wssm/Container/Service-1/PortType/operation
• User Directory/Datastore
• Administrative roles: Application Admin, FIM Admin, TAM Admin
• The trust service is a chain of module instances

Web Service Security Management: Solution Architecture

Diagram (labels only): Company A User → Web Security Server (Identity Mapping, Attribute Mapping, Token Management, Authorization Control) turns the local ID into a Token → SOAP Request carrying the Token crosses the Internet (Web Service Firewall / Gateway) → Web Service Application (Identity Mapping, Attribute Mapping, Token Management, Authorization Control) turns the Token back into a local ID → Invoke Application.

IBM Tivoli Federated Identity Manager

Federated Single Sign-On
• Integration with IBM Tivoli Access Manager
• Supported Protocols: SAML 1.0 / 1.1 / 2.0, WS-Federation, Liberty 1.1 / 1.2

Federated Web Services
• WS-Trust based integration with Enterprise Service Buses, XML Gateways
• Integration with WebSphere Application Server: SOAP, JCA and JDBC integration
• SAML modules to allow WAS to generate/consume SAML assertions in WS-Security headers of SOAP message
• Evolving into Identity Propagation in SOA

Federated Provisioning
• Provides linking of local provisioning systems
• Supported Protocol: WS-Provisioning

Agenda

• Customer cases


SSO Architecture

Diagram (labels only; the original slide is a picture):
• Identity Provider: Financial Services Company RichPortal, with its own User Registry; User Tom Bear logs in with UID/UserCode/Pwd (tbear)
• Service Providers, each with a User Registry, an SSO Module and a SAML 1.1 customized application: Member Life Insurance B2C Portal, Member Bank My Bank, Member Securities My Securities, Member Futures My Futures, Member Securities Investment Trust MySIT
• Single Sign-On links give the user a different local id at each SP: tomgreat, tombear, beartom, tom_bear, bear123
• Request / Assertion exchanged over the Internet using TFIM / SAML 1.1

Internet Logon – TFIM Solution

Diagram zones (labels only): Internet Zone (Internet User), Internet DMZ (WebSeal), Web Server Zone (WEB AD, TDS, MOSS), Mgmt Zone (TFIM STS, TFIM SPS), external identity provider SIGNICAT.

1. User accesses protected page – no session defined
2. Reroute to Signicat
3. Signicat authenticates user and sends SAML 2.0 encrypted assertion through browser, picked up by WebSeal
4. Single Protocol Service - TFIM called to create HTTP HDR based on SAML 2.0 assertions
5. Single Token Service – WS-Trust used to create KBS token
6. Request sent to MOSS with correct KBS token

SOA Security Overview

Diagram (labels only; the original slide is a picture):
• Internet Zone: Internet User, Partner Application, Other Clients
• Internet DMZ: WebSeal Reverse Proxy (two instances), Web Services Security Gateway
• Web Server Zone / Intranet Zone: MOSS 2007 portal framework; Intranet User (employee or Agent)
• Service Zone: Business Service, Integration layer
• Backend Zone: z/OS systems
• Management Zone: TAM Policy Server, TFIM Server
• Directories: TDS, WEB AD, Intranet AD, holding Employees and Customers entries (labelled Master where authoritative)

Does This Also Help with Compliance?

You bet.

One of the hardest compliance issues to solve is:

“Prove to me that your external users still need access to the current system, including all their current privileges.”

Questions ?


Trust Service Composed of Module Chains

Diagram (labels only): the trust service exposes a web service interface; each incoming STS message is routed ("Which chain?") to module chain-1, module chain-2 or module chain-3, each a sequence of module instances (numbered 1, 2, 3 within a chain).

RequestSecurityToken elements: <RequestType>, <Issuer>, <AppliesTo>, <TokenType>

Select chain based on:
1. properties of STS message
2. trust service configuration
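The chain selection described on this slide, and the kind of WS-Trust request the trust service receives in step 5 of the Internet Logon slide, are shown below as an added example. It is not code from the deck or from TFIM: the chain table, the module names, the issuer and AppliesTo values and the sample message are constructed, and the namespaces are assumed to be WS-Trust 1.2 (2005/02), WS-Policy 2004/09 and WS-Addressing 2005/08.

```python
# Added example (not from the original deck or TFIM): read the four
# RequestSecurityToken elements the slide names (<RequestType>, <Issuer>,
# <AppliesTo>, <TokenType>) out of a WS-Trust message and pick a module chain
# from a configuration table. First matching chain wins; no match means refuse.
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Assumed namespaces: WS-Trust 1.2, WS-Policy 2004/09, WS-Addressing 2005/08.
NS = {
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
WST = "{%s}" % NS["wst"]
VALIDATE = NS["wst"] + "/Validate"
ISSUE = NS["wst"] + "/Issue"


@dataclass(frozen=True)
class RstProperties:
    """The STS message properties that drive chain selection."""
    request_type: str
    issuer: str
    applies_to: str
    token_type: str


def parse_rst(xml_text: str) -> RstProperties:
    """Extract chain-selection properties from a RequestSecurityToken (bare or SOAP-wrapped)."""
    root = ET.fromstring(xml_text)
    rst = root if root.tag == WST + "RequestSecurityToken" \
        else root.find(".//wst:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no RequestSecurityToken element")

    def text(path: str) -> str:
        el = rst.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    return RstProperties(
        request_type=text("wst:RequestType"),
        issuer=text("wst:Issuer/wsa:Address"),
        applies_to=text("wsp:AppliesTo/wsa:EndpointReference/wsa:Address"),
        token_type=text("wst:TokenType"),
    )


@dataclass(frozen=True)
class ChainConfig:
    """One configured module chain: selection criteria plus ordered module instances."""
    name: str
    request_type: str     # exact match
    issuer: str           # shell-style pattern (fnmatch)
    applies_to: str       # shell-style pattern (fnmatch)
    token_type: str       # exact match, or "*" for any
    modules: tuple        # module instance names, in chain order (constructed)


# Constructed trust-service configuration; evaluated top to bottom.
CHAINS = [
    ChainConfig("chain-1", VALIDATE, "urn:idp:partner-a",
                "https://services.example/hr/*",
                "urn:oasis:names:tc:SAML:1.0:assertion",
                ("saml11-validate", "map-identity", "local-token-issue")),
    ChainConfig("chain-2", ISSUE, "*", "https://services.example/*", "*",
                ("validate-local", "map-identity", "saml20-issue")),
]


def select_chain(p: RstProperties, chains=CHAINS) -> Optional[ChainConfig]:
    """Return the first chain whose criteria match the message, or None."""
    for c in chains:
        if (p.request_type == c.request_type
                and fnmatch.fnmatchcase(p.issuer, c.issuer)
                and fnmatch.fnmatchcase(p.applies_to, c.applies_to)
                and (c.token_type == "*" or p.token_type == c.token_type)):
            return c
    return None


# Constructed sample message: a partner IdP asks the STS to validate a SAML 1.0
# assertion for the payroll service (the ValidateTarget body is omitted here).
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{NS['wst']}"
    xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{VALIDATE}</wst:RequestType>
  <wst:Issuer><wsa:Address>urn:idp:partner-a</wsa:Address></wst:Issuer>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://services.example/hr/payroll</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
  <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
</wst:RequestSecurityToken>"""

if __name__ == "__main__":
    chain = select_chain(parse_rst(SAMPLE_RST))
    print(chain.name if chain else "no chain: request refused")
```

Matching on issuer and AppliesTo together is what keeps a token issued for one partner or one service from being accepted by a chain configured for another; a request that matches no configured chain gets no module chain at all rather than a default one.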