Tivoli Federated Identity Manager
Sven-Erik Vestergaard, Certified IT Specialist, Security Architect, SWG, [email protected]
IBM Software Day Vilnius 2009
IBM Software group
Agenda
• IBM strategy on IAA
• What is a federation from a business perspective
• How does it work
• Web services security identity propagation
• Customer cases
Identity and Access Assurance
Benefits:
• Reduce help desk operating expenses
• Comply with regulations
• Improve user productivity
• Reduce risk from privileged insiders
• Respond quickly to business initiatives (e.g. new applications, M&A, restructuring)
Tivoli Capabilities:
• User provisioning & role management
• Unified single-sign-on
• Privileged user activity audit & reporting
• Directory and integration services
• Log Management
• Self-service password reset
• Identity Assurance / Strong authentication management
Getting started with Identity and Access Assurance
[Diagram: four entry points, Single Sign On & Password Management, User Provisioning / Role Management, Access Attestation, and Security log management & reporting, built around Tivoli Identity Manager (TIM) as the Trusted Identity Store. An Authoritative Identity Source (Human Resources, Customer Master, etc.) feeds identity changes (add/del/mod) from HR Systems / Identity Stores into TIM; the diagram's steps cover the access policy being evaluated, approvals gathered and accounts updated on Business Applications, Databases, Operating Systems, Applications and Networks & Physical Access (Cisco Secure ACS is pictured). Accounts on 70 different types of systems are managed, plus in-house systems & portals, and TIM detects and corrects local privilege settings. A Recertification Request goes to the user's manager (Sarah's manager in the picture) and ends with access revalidated and audited. The sample accounts for John C. Doe (jcd0895, jdoe03, doej) and Sarah K. Smith (smiths17, Sarah_s4), together with ackerh05 and nbody, show one person holding several differently named accounts across systems.]
Key Business Models Driving Federation
• Mergers and Acquisitions: Success of a merger is often related to how quickly disparate systems can be integrated to meet the needs of the business.
• Collaboration between autonomous Business Units: Many companies maintain separate autonomous business units for political, competitive, and regulatory reasons but still require cross-unit access for management and customers.
• Collaborative development with Partners: Some organizations are working more with partners on new strategic developments, thereby increasing the need for federated access to partner systems.
• Employee access to Outsourced Services: Costs of building and maintaining point-to-point solutions for access to outsourced solutions can dilute the benefits of outsourcing.
Key Business Models Driving Federation (cont)
• Service Provider Automation: Service providers can incur significant costs in managing user accounts across their customer base – federated technologies can dramatically reduce these costs.
• Government collaboration: Government security based initiatives to gain access to law enforcement and a wide range of other personal data in a secure, efficient manner.
• Improved Corporate Governance: A key issue with audit/compliance is management of external access to systems.
Federated Identity Management
Objectives:
• Lower Identity Management costs
• Improve user experience
• Provide end-to-end security and trust foundation for inter-organization application integration
Leverages the concept of a portable identity: identity is “asserted” from a trusted third-party, much like a passport, a credit / ATM card or a driver's license.
[Diagram: a Federation linking one Identity Provider (IdP) with several Service Providers (SP), resting on business agreements, technical agreements, and policy agreements.]
End to end user lifecycle management
What does IBM Tivoli Federated Identity Manager (TFIM) bring to the table?
• Ability to handle identity/attribute transformation as part of token handling
• Ability to exchange token types as part of validation of the request at the edge; enables advanced “intermediary” type functionality
• Ability to make authorization decisions at the abstract WSDL level, independent of the WSDL binding
• Integrates with TAM Authorization: Access allowed? (Yes/No); Protected Object Policies (e.g. Time of Day); Authorization Rules (authorization policies based on client attributes)
• Audit
All of this in a standards-based manner!
TFIM Architecture Overview
[Diagram: three pillars, Federated Single Sign-On (secure user interaction), Federated Web Services (secure application interaction) and Federated Provisioning (open standards), sharing one trust infrastructure. The trust infrastructure is layered as tokens (sign/encrypt), messages (sign/encrypt) and transport (SSL/TLS, WS-Security), and rests on business agreements, legal agreements and technical implementation. Components pictured: Web Application, Web Portal, ESB, Apps, Portal Gateway, Provisioning System and Database.]
Identity Federation – SSO with OOB Acct Linking (cont)
Mapping between identities is not defined by the specification.
SAML 1.x use-case
[Diagram: Identity Provider at the source web site www.ibm.com, Service Provider at the destination web site my.travel.com. 1. Authenticate: user svest logs in at the IdP. 2. Assert Identity: the assertion carries svest|…. 3. Access Resource. The SP's own record is Sven_Erik|…, and the link between svest and Sven_Erik is marked with a “?”: it has to be established out of band.]
Identity Federation – Attribute Federation
Identity mapping based on some shared attribute
SAML 1.x use-case
[Diagram: the same flow between the Identity Provider (source web site www.ibm.com) and the Service Provider (destination web site my.travel.com): 1. Authenticate, 2. Assert Identity, 3. Access Resource. Both records now carry the user's e-mail address, IdP record svest|[email protected]|… and SP record Sven_Erik|[email protected]|…, so the assertion for svest is mapped to the local account Sven_Erik through that shared attribute.]
A Quick, Practical Example — Partner Case
[Diagram: the End User connects over HTTPS to Access Manager in front of Myportal.com / MyHR.com. Federated Identity Management provides the Trust Broker / Trust Service (Identity Broker, Security Token Service for Kerberos, SAML and X.509v3 tokens), the SSO Service (SAML, Liberty, WS-Federation), the User Provisioning Service, Custom Tokens and Partner Key Mgmt. Third-party sites: Options.com and HRservices.com.]
1. User logs on MyHR.com - TAMeb authenticates user, creates session; TAMeb controls user access & session mgmt.
2. User clicks on third-party link Options.com - Link configured for Liberty, WS-Fed, or SAML; TAM consults FIM
3. FIM initiates SSO with 3rd party site - FIM creates SSO Token for the user session
4. Options.com maps token to local identity
*** User has transparent SSO to third-party ***
Use Case – Services Integration
[Diagram: Service Requestors call through an Enterprise Service Bus to an Application Service, a Business Service, an Infrastructure Service and a Partner Service. Security themes across the bus: Identity & Authentication, Authorization & Privacy, Confidentiality & Integrity.]
• Propagate identity: cross domain/realm identity mapping and token transformation
• Reflect business relationships: trust management (for data, identity, etc.)
• Protect business information
• Governance, Risk & Compliance
TFIM Components for Web Services Security Management
[Diagram: a Client App sends Web Services Requests to a WS App on WebSphere; the TFIM Web Services Trust Handler (Web Services Handler plus Auth Service) calls the TFIM Trust Service (STS). Supporting components: LDAP User Registry, TFIM Console in the ISC, Access Manager Policy Server & Authorization Server, and the Key Encryption / Signing Service.]
TFIM WSSM – Generic Design Overview
[Diagram: a SOAP request carrying a security token reaches the Web Service Server/Gateway, where Web Services Security Processing hands the token to the WSSM Token Module. That module sends a WS-Trust RequestSecurityToken to the TFIM Trust Service in the TFIM Runtime, which passes the token through a chain of module instances (token to token) and returns a Local Credential resolved against the User Directory/Datastore. Authorization is then decided by TAM against a protected object space built from /itfim-wssm, /Container, /Service-1, /PortType and /operation. Administrative roles: Application Admin, FIM Admin, TAM Admin.]
Web Service Security Management: Solution Architecture
[Diagram: a Company A User's SOAP request with its token crosses the Internet (web service, firewall, gateway) to the Web Security Server, which performs Identity Mapping, Attribute Mapping, Token Management and Authorization Control and exchanges the token for a local ID token. The request then reaches the Web Service Application, which repeats the same four functions and invokes the application under the local ID.]
IBM Tivoli Federated Identity Manager
Federated Single Sign-On
• Integration with IBM Tivoli Access Manager
• Supported protocols: SAML 1.0 / 1.1 / 2.0, WS-Federation, Liberty 1.1 / 1.2
Federated Web Services
• WS-Trust based integration with Enterprise Service Buses, XML Gateways
• Integration with WebSphere Application Server: SOAP, JCA and JDBC integration; SAML modules to allow WAS to generate/consume SAML assertions in WS-Security headers of SOAP messages
• Evolving into Identity Propagation in SOA
Federated Provisioning
• Provides linking of local provisioning systems
• Supported protocol: WS-Provisioning
SSO Architecture
[Diagram: a Financial Services Company's RichPortal acts as IdP (TFIM/SAML 1.1) with its own User Registry; user Tom Bear logs in with UID/UserCode/Pwd as tbear and follows single sign-on links. Over the Internet, SAML 1.1 request/assertion exchanges give him SSO to the member SPs, each with its own User Registry, SSO Module and customized SAML 1.1 application: Member Life Insurance (B2C Portal), Member Bank (My Bank), Member Securities (My Securities), Member Futures (My Futures) and Member Securities Investment Trust (MySIT). His local account name differs at each member (tomgreat, tombear, beartom, tom_bear, bear123).]
Internet Logon – TFIM Solution
[Diagram: zones Internet Zone, Internet DMZ, Web Server Zone and Mgmt Zone; components Internet User, WebSeal, WEB AD, TDS, MOSS, TFIM SPS, TFIM STS and the external Signicat service; flows labelled SAML 2.0 and KBS.]
1. User accesses protected page – no session defined
2. Reroute to Signicat
3. Signicat authenticates user and sends SAML 2.0 encrypted assertion through browser, picked up by WebSeal
4. Single Protocol Service - TFIM called to create HTTP HDR based on SAML 2.0 assertions
5. Single Token Service – WS-Trust used to create KBS token
6. Request sent to MOSS with correct KBS token
SOA Security Overview
[Diagram: zones Internet Zone, Internet DMZ (WebSeal Reverse Proxies, Web Services Security Gateway), Web Server Zone (MOSS 2007 portal framework), Intranet Zone, Service Zone (Business Service, Integration layer), Backend Zone (z/OS systems and other clients) and Management Zone (TAM Policy Server, TFIM Server). Actors: Internet User, Intranet User (employee or agent) and Partner Application. Directories: TDS, WEB AD and Intranet AD, holding Employees (Master) and Customers (Master) entries.]
Does This Also Help with Compliance?
You bet.
One of the hardest compliance issues to solve is:
“Prove to me that your external users still need access to the current system, including all their current privileges.”
Trust Service Composed of Module Chains
[Diagram: the trust service exposes a web service interface; an incoming STS message is routed (“Which chain?”) to one of several module chains (module chain-1, module chain-2, module chain-3), each an ordered set of module instances.]
RequestSecurityToken elements: <RequestType>, <Issuer>, <AppliesTo>, <TokenType>
Select chain based on:
1. properties of STS message
2. trust service configuration
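As an added example (not TFIM's own code), the chain-selection rule above and the attribute-based mapping from the Attribute Federation slide, simulated in Python: a WS-Trust RequestSecurityToken is read for its RequestType, Issuer, AppliesTo and TokenType, matched against a constructed trust-service configuration, and the incoming token is passed through the selected chain's module instances. The WS-Trust 1.3 namespace URIs, the regex-based matching, the module functions, all URLs and the e-mail-to-account table are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
# Namespace URIs assumed for this example: WS-Trust 1.3, WS-Policy, WS-Addressing.
NS = {"wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy", "wsa": "http://www.w3.org/2005/08/addressing"}
PATHS = {"RequestType": "wst:RequestType", "TokenType": "wst:TokenType",  # the four selection elements
         "Issuer": "wst:Issuer/wsa:Address", "AppliesTo": "wsp:AppliesTo/wsa:EndpointReference/wsa:Address"}

def rst_properties(rst_xml):  # properties of the STS message that chain selection looks at
    root = ET.fromstring(rst_xml)
    return {k: root.findtext(p, "", NS).strip() for k, p in PATHS.items()}

def select_chain(props, chains):  # first chain whose criteria all match (regex per element, None = any)
    for chain in chains:
        if all(pat is None or re.fullmatch(pat, props[k]) for k, pat in chain["match"].items()):
            return chain
    return None

# Constructed token-to-token module instances (real ones would also check signature, validity, audience).
TRUSTED_ISSUERS = {"https://idp.example.com"}        # hypothetical partner IdP
EMAIL_TO_LOCAL = {"svest@example.com": "Sven_Erik"}  # hypothetical SP records

def validate_saml(tok):
    if tok["issuer"] not in TRUSTED_ISSUERS:
        raise PermissionError("untrusted issuer " + tok["issuer"])
    return tok

def map_by_email(tok):  # attribute federation: map on the shared e-mail address, not the IdP user name
    return {"type": "LocalCredential", "principal": EMAIL_TO_LOCAL[tok["email"]]}

CHAINS = [{"name": "saml-to-local",  # constructed trust-service configuration
           "match": {"RequestType": r".*/Validate", "Issuer": r"https://idp\.example\.com",
                     "AppliesTo": r"https://sp\.example\.com/.*", "TokenType": None},
           "modules": [validate_saml, map_by_email]}]

def handle_rst(rst_xml, token, chains=CHAINS):
    chain = select_chain(rst_properties(rst_xml), chains)
    if chain is None:
        raise LookupError("no module chain configured for this request")
    for module in chain["modules"]:  # run the token through the chain in order
        token = module(token)
    return chain["name"], token

SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{NS['wst']}" xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{NS['wst']}/Validate</wst:RequestType>
  <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
  <wst:Issuer><wsa:Address>https://idp.example.com</wsa:Address></wst:Issuer>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://sp.example.com/Service-1</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""
```

A request whose AppliesTo or Issuer matches no configured chain is refused rather than run through a default chain, and an assertion from an issuer outside the federation is rejected by the first module before any mapping happens.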