Liberty Alliance Project: Impact on Web Services Application Architectures Jason Rouault/Hewlett-Packard Chairman, Liberty Alliance Technology Expert Group
Today's Agenda
- Business problem faced by architects today
- What approaches are being used?
- How does Liberty Alliance address the problem?
- Use case: Federated identity and Web services in action
- Benefits
Web Services, Security, & Identity
Web services represent a whole new model for integrating applications, which means organizations will have to think in an entirely new way about security in Web services.
[Diagram: User Identity, Invoker Identity, Intermediary Identity and Trusted 3rd Party Identity passing between App 1, App 2 and App 3 across Domain 1 and Domain 2]
Standards stack: HTTP, WAP, SSL/TLS, XML, SOAP, WSDL, UDDI, XML Enc, XML-DSIG, WSS, SAML
Web Services, Security, & Identity
Today if companies want to offer innovative new Web services, they face several stumbling blocks:
- Lack of interoperability between identity management technology products
- Lack of technology standards and best practices regarding how companies should manage your identity, a critical component of many Web-based services
- Lack of a federated model for identity management that enables companies to put control of identity information into the hands of consumers and other end-users and reduce the security risks of a centralized model
- Lack of established industry best practices regarding how to best respect customer privacy and comply with a wide variety of privacy regulations
The Liberty Alliance removes these barriers through an innovative set of frameworks that allow for secure and interoperable identity-based Web services.
The Problem
How many passwords and email addresses do you have?
Multiple, disconnected identities scattered across isolated Internet sites. Looks like this:
User Name: Jason Rouault / Email: jrouault48@freemail / PIN: wcs@foobar
Credit card number, Social security number, Drivers license, Passport, Entertainment preferences, Notification preferences, Employee authorization, Business calendar, Dining preferences, Education history, Medical history, Financial assets
There is a cost of maintaining all those identities
Multiple, disconnected identities scattered across isolated Internet sites:
- User acceptance: inconvenient and frustrating for users
- Unique to each business: distributed identity services are difficult to develop and deploy
- High maintenance: continual re-authentication to disparate systems
This applies to any enterprise managing employees.
The Liberty Project Approach: Federated Identity
Centralized Model (one central provider serving all providers):
- Single control point
- Links identity and user information in a single repository
- Single point of failure
- Similar systems
Open Federated Model (providers linked to each other across the network):
- No centralized control
- Links identity and user information in various locations
- No single point of failure
- Similar and disparate systems
A Lesson in Value: ATM Networks
- Separate cards with each bank (Bank A ATM card on Bank ATM Network A, Bank B ATM card on Bank ATM Network B, Bank C ATM card on Bank ATM Network C) corresponds to individual accounts with many Web sites
- Linked cards within bank networks corresponds to federated accounts within a trust domain
- Seamless access across all networks corresponds to linkage of trust domains
There are a number of approaches in use today
- B2C, Travel Industry: Airline, Partner Airlines, Car Rental, Hotel, Cruise Line, Livery
- B2E, Employee Intranet: Company Intranet, 401k, 3rd Party Providers, Employee Purchase Plans, Health Insurance, Dental Insurance
- B2B, Financial Services: Treasury, Debt, Equity, Commercial Banking, Clearing House, Credit
- B2B, Automotive: Manufacturers, Suppliers, Dealers, Transport Agencies, Fleet Financing
There is business value in network identity.
Liberty Solution: A Phased Approach
Support rapid acceptance and deployment; phases build on each other; enable incremental adoption.
Phase 1 (released 15 July 2002):
- Federated network identity
- Opt-in account linking and simplified sign-on within an authentication domain created by business agreements
- Security built across all the features and specifications
Phase 2 (drafts released 15 April 2003):
- Permissions-based attribute sharing
- Schema/protocols for a core identity profile service
- Simplified sign-on across authentication domains created in version 1.0 by business agreements
- Delegation of authority to federate identities/accounts
Liberty is delivering on schedule. www.projectliberty.org
Liberty Solution: Modular Architecture
The Liberty architecture is composed of modules that can be implemented independently of each other and is based on a foundation of open industry standards.
- Liberty Identity Federation Framework (ID-FF): enables identity federation and management through features such as identity/account linkage, simplified sign-on, and simple session management
- Liberty Identity Web Services Framework (ID-WSF): this module will provide the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles
- Liberty Identity Services Interface Specifications (ID-SIS): the schema, and instantiation of the technical implementation as defined by ID-WSF, to provide for interoperable identity services such as personal identity profile service, alert service, calendar service, wallet service, contacts service, geo-location service, presence service and so on
Foundation of open standards: HTTP, WAP, SSL/TLS, XML, SOAP, WSDL, XML Enc, XML-DSIG, WSS, SAML
Liberty Solution: Architecture Components
Liberty Identity Federation Framework (ID-FF 1.2):
- ID-FF Protocols and Schemas 1.2
- ID-FF Bindings and Profiles 1.2
- AuthN Context 1.2
- Metadata 1.2
Liberty Identity Web Services Framework (ID-WSF 1.0):
- Core identity services protocols: ID-WSF Discovery Service 1.0, ID-WSF Interaction Service 1.0, SOAP AuthN Service 1.0
- Identity services templates: ID-WSF Data Services Template 1.0
- Web services bindings and profiles: ID-WSF Security Profiles 1.0, ID-WSF SOAP Binding 1.0, ID-WSF Client Profiles 1.0, Reverse HTTP Binding 1.0
Liberty Identity Services Interface Specifications (ID-SIS):
- ID-Personal Profile (further identity services: future)
Underlying standards: HTTP, WAP, SSL/TLS, XML, SOAP, WSDL, XML Enc, XML-DSIG, WSS, SAML
Liberty in Action: B2C Scenario
Parties: MyPortal (identity provider), AuctionWatch (service provider), MyProfile personal profile service (identity service provider, a Web service), PacBell mobile operator (service provider)
1. User accesses MyPortal (identity provider)
2. User validated
3. User accesses AuctionWatch (service provider)
4. Service provider requests SMS ticket
5. Service provider obtains handle to the mobile operator from the MyProfile personal profile service
6. Service provider sends SMS message to the mobile operator (PacBell)
7. Operator sends SMS message to the user
Liberty in Action: B2B Scenario
Parties: manufacturer (identity provider, with an Employee Profile Service Web service), OrderMgt (service provider), partner (service provider, with Shipping, Inventory and Accounts Payable)
1. Access Order Mgt. portal (OrderMgt service provider)
2. User validated (manufacturer identity provider)
3. Role information retrieved (Employee Profile Service)
4. Place order
5. Query inventory levels, earmark product (partner service provider: Shipping, Inventory)
6. Notify and process order
7. Register order, start invoicing (Accounts Payable)
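Both scenarios rest on the same ID-FF mechanics: the user is validated once at the identity provider, each service provider receives an opaque federation handle rather than the user's real identity, and attributes (a mobile-operator handle, an employee role) are released only through a profile service the user has permitted. The following is an added illustration written for this page, not Liberty or HP IceWall code and not the ID-FF wire format (ID-FF carries SAML assertions over the bindings listed on the architecture slide, signed with XML-DSIG). It assumes a shared HMAC key per service provider in place of the business agreement plus XML-DSIG trust, JSON in place of SAML, and a constructed user record; the provider names are the ones on the B2C slide. It shows that two service providers get unrelated handles and so cannot correlate the user, the checks a service provider must make before trusting an assertion (signature, audience, lifetime, replay), and consent-gated attribute release keyed by handle.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed names; the providers are the ones on the B2C slide. Trust between IdP and each
# SP is a shared HMAC key here, an assumption standing in for the business agreement plus XML-DSIG.
IDP_NAME, SP_AUCTION, SP_OPERATOR = "MyPortal", "AuctionWatch", "PacBell"

class IdentityProvider:
    def __init__(self):
        self.sp_keys = {}        # sp_id -> shared key
        self.profiles = {}       # username -> attributes held by the profile service
        self.consent = {}        # (username, sp_id) -> attributes that SP may receive
        self.handles = {}        # (username, sp_id) -> opaque pairwise handle
        self.handle_owner = {}   # (sp_id, handle) -> username

    def register_sp(self, sp_id):
        self.sp_keys[sp_id] = secrets.token_bytes(32)
        return self.sp_keys[sp_id]

    def add_user(self, username, profile, consent):
        # How the IdP itself authenticates the user (step 2) is local policy and
        # out of scope here; this model only tracks profile and consent.
        self.profiles[username] = profile
        self.consent.update({(username, sp): set(a) for sp, a in consent.items()})

    def federate(self, username, sp_id):
        # Account linking: each (user, SP) pair gets its own random handle, so two
        # SPs comparing notes cannot tell that they serve the same person.
        if (username, sp_id) not in self.handles:
            self.handles[(username, sp_id)] = handle = secrets.token_hex(16)
            self.handle_owner[(sp_id, handle)] = username
        return self.handles[(username, sp_id)]

    def issue_assertion(self, username, sp_id, now=None):
        # Simplified sign-on: short-lived, audience-restricted, signed proof of authentication at the IdP.
        now = time.time() if now is None else now
        claims = {"issuer": IDP_NAME, "audience": sp_id, "subject": self.federate(username, sp_id),
                  "iat": now, "exp": now + 300, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return body, hmac.new(self.sp_keys[sp_id], body, hashlib.sha256).hexdigest()

    def query_profile(self, sp_id, handle, wanted):
        # Permission-based attribute sharing: the SP asks by handle and gets only what the user consented to.
        username = self.handle_owner.get((sp_id, handle))
        if username is None:
            raise LookupError("unknown handle for this SP")
        allowed = self.consent.get((username, sp_id), set())
        return {k: v for k, v in self.profiles[username].items() if k in wanted and k in allowed}

class ServiceProvider:
    def __init__(self, sp_id, key):
        self.sp_id, self.key, self.seen_nonces = sp_id, key, set()

    def consume_assertion(self, body, sig, now=None):
        # Every check an SP makes before trusting the handle in an assertion.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["audience"] != self.sp_id:   # defence in depth should a key ever be shared
            raise ValueError("wrong audience")
        now = time.time() if now is None else now
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("expired")
        if claims["nonce"] in self.seen_nonces:
            raise ValueError("replay")
        self.seen_nonces.add(claims["nonce"])
        return claims["subject"]

def outcome(fn, *args):
    try:
        return fn(*args)
    except (ValueError, LookupError) as e:
        return str(e)

def run_scenario():
    idp = IdentityProvider()
    auction = ServiceProvider(SP_AUCTION, idp.register_sp(SP_AUCTION))
    operator = ServiceProvider(SP_OPERATOR, idp.register_sp(SP_OPERATOR))
    # Constructed user record; the SSN is released to nobody.
    idp.add_user("alice", {"display_name": "Alice", "mobile": "+1-555-0100", "ssn": "000-00-0000"},
                 {SP_AUCTION: ["display_name"], SP_OPERATOR: ["mobile"]})
    body_a, sig_a = idp.issue_assertion("alice", SP_AUCTION)
    body_o, sig_o = idp.issue_assertion("alice", SP_OPERATOR)
    h_auction = auction.consume_assertion(body_a, sig_a)
    h_operator = operator.consume_assertion(body_o, sig_o)
    return {
        "distinct_handles": h_auction != h_operator,
        "replay": outcome(auction.consume_assertion, body_a, sig_a),
        "tampered": outcome(auction.consume_assertion, body_a.replace(h_auction.encode(), h_operator.encode()), sig_a),
        "cross_sp": outcome(operator.consume_assertion, body_a, sig_a),
        "expired": outcome(auction.consume_assertion, *idp.issue_assertion("alice", SP_AUCTION), time.time() + 600),
        "auction_profile": idp.query_profile(SP_AUCTION, h_auction, ["display_name", "mobile", "ssn"]),
        "cross_handle": outcome(idp.query_profile, SP_OPERATOR, h_auction, ["mobile"]),
    }
```

Running run_scenario() shows AuctionWatch and PacBell holding different handles for the same user, the replayed, tampered, cross-provider and expired assertions each rejected with its reason, AuctionWatch receiving only the display name it was permitted, and PacBell unable to resolve AuctionWatch's handle at all. The pairwise handle is the privacy property the open federated model on the earlier slide promises; the audience check is what stops one provider's assertion being presented to another.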
Liberty's Role in the Industry
Establish an open standard for federated network identity through open technical specifications that will:
- Support a broad range of identity-based products and services
- Allow for consumer choice of identity provider(s) and the ability to link accounts through account federation
- Provide the convenience of simplified sign-on when using any network of connected services and devices
- Enable organizations to realize new revenue and cost-saving opportunities
- Allow organizations to economically leverage relationships with customers, business partners, and employees
- Improve ease of use for e-commerce
How: Through Shared Effort
Over 160 for-profit, not-for-profit and government organizations, representing a billion customers, are currently Alliance members.
How: Expertise Across Disciplines
Management Board:
- Consists of 16 founding sponsors
- Responsible for overall governance and maintenance
- Final voting authority for specifications and other output
Public Policy Expert Group:
- Advises on privacy, security, and other public policy issues
- Liaison to privacy groups and government agencies
Technology Expert Group:
- Develops technical architecture and engineering requirements
- Develops technical specifications
- Interoperability
Marketing Expert Group:
- Develops marketing requirements and use cases
- Responsible for membership, press relations, and marketing communications
- Adoption
Why is HP investing in Liberty?
- Collaborate with many of our largest customers to drive the market to standardizing on a common approach: Vodafone, Nokia, GM, American Express, and others
- HP IceWall: responding to direct customer demand
- Provide guidance to our clients: HPC's Worldwide Security Consulting Practice is active around the world
- Complement and enhance our partnerships with many of the largest security vendors: Verisign, RSA, Netegrity and many others
- Example: built into our Mobile Services Delivery Platform
The Opportunity is Yours Today
Liberty Alliance is producing the de facto technology solution for secure, private, federated identity management. Web services application architectures will require federated identity management to be successful. You have the opportunity to define your company's leadership in federated identity. www.projectliberty.org
Questions For more information: jason.rouault@hp www.projectliberty.org
HP has the answer for Liberty Alliance
HP has a Liberty-enabled solution. It's called hp IceWall SSO. IceWall is the leading single sign-on solution, especially in large-scale financial institutions and telecommunication companies in Japan. Over 10,000,000 user licenses have already been sold. The Liberty Alliance enabled version of IceWall is to be released this April. (hp IceWall SSO is Liberty Alliance specification v1.1 enabled and commits to subsequent specifications.) http://www.jpn.hp/hpc/sp/icewall/eng/
Backup: What is HP's Security Product Strategy?
Go-to-market strategy:
- Complement existing best-of-breed vendors of security solutions today
- Collaborate in the development of standards in order to maintain first-to-market leadership in the security products market
- Avoid channel conflict while adding value; partnership led through HP's Partner Organization
Solutions approach:
- Engineer unique IP into HP solution platforms using customer-preferred technologies and products. Example: Mobile Services Delivery Platform for the Telco/Services Operator marketplace
- Responding to direct customer demand: provide unique solution portfolios (HP IceWall)