Identity in the Cloud Outsourcing Profile Version 1.0


Committee Note Draft 01
29 April 2013

Specification URIs

This version:
http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/cnd01/IDCloud-outsourcing-v1.0-cnd01.doc (Authoritative)
http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/cnd01/IDCloud-outsourcing-v1.0-cnd01.html
http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/cnd01/IDCloud-outsourcing-v1.0-cnd01.pdf

Previous version:
N/A

Latest version:
http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/IDCloud-outsourcing-v1.0.doc (Authoritative)
http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/IDCloud-outsourcing-v1.0.html
http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/IDCloud-outsourcing-v1.0.pdf

Technical Committee:
OASIS Identity in the Cloud TC

Chairs:
Anil Saldhana, Red Hat
Anthony Nadalin, Microsoft

Editors:
Ginés Dólera Tormo, NEC Corporation
Félix Gómez Mármol, NEC Corporation

Related work:
This document is related to: Identity in the Cloud Use Cases Version 1.0. http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/IDCloud-usecases-v1.0.html

Abstract:
This document is intended to provide a profile for Identity Management outsourcing in Cloud Computing.

Status:
This document was last revised or approved by the OASIS Identity in the Cloud TC on the above date. The level of approval is also listed above. Check the "Latest version" location noted above for possible later revisions of this document.

Technical Committee members should send comments on this document to the Technical Committee's email list. Others should send comments to the Technical Committee by using the "Send A Comment" button on the Technical Committee's web page at http://www.oasis-open.org/committees/id-cloud/.

Citation format:
When referencing this document the following citation format should be used:
[IDCloud-Outsourcing-v1.0] Identity in the Cloud Outsourcing Profile Version 1.0. 29 April 2013. OASIS Committee Note Draft 01. http://docs.oasis-open.org/id-cloud/IDCloud-outsourcing/v1.0/cnd01/IDCloud-outsourcing-v1.0-cnd01.html.

Notices

Copyright © OASIS Open 2013. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

This is a Non-Standards Track Work Product. The patent provisions of the OASIS IPR Policy do not apply.

Table of Contents

1 Introduction
1.1 References
2 Definitions
3 Use Cases
3.1 Use Case 2: Identity Provisioning
3.1.1 Short description
3.1.2 Relevant applicable standards
3.2 Use Case 4: Identity Configuration
3.2.1 Short description
3.2.2 Relevant applicable standards
3.3 Use Case 16: Offload Identity Management to External Business Entity
3.3.1 Short description
3.3.2 Relevant applicable standards
3.4 Use Case 17: Per Tenant Identity Provider Configuration
3.4.1 Short description
3.4.2 Relevant applicable standards
3.5 Use Case 18: Delegated Identity Provider Configuration
3.5.1 Short description
3.5.2 Relevant applicable standards
3.6 Use Case 20: Government Provisioning of Cloud Services
3.6.1 Short description
3.6.2 Relevant applicable standards
3.7 Use Case 26: Identity Impersonation / Delegation
3.7.1 Short description
3.7.2 Relevant applicable standards
3.8 Use Case 27: Federated User Account Provisioning and Management for a Community of Interest (CoI)
3.8.1 Short description
3.8.2 Relevant applicable standards
3.9 Use Case 29: User Delegation of Access to Personal Data in a Public Cloud
3.9.1 Short description
3.9.2 Relevant applicable standards
4 Standards
5 Challenges
5.1 Identity Provisioning
5.2 Delegated Authorization
5.3 Identity Administration
5.4 Identity Confidentiality
Appendix A. Acknowledgments
Appendix B. Non-Normative Section
Appendix C. Revision History

1 Introduction

This document describes the various use cases, challenges and applicable standards in the Identity Management Outsourcing Cloud Computing model.

Many Internet services require some identity-related functionality, such as authentication, information exchange, user attributes aggregation, etc. However, due to the diversity raised by cloud environments, it is hard for some organizations or enterprises to provide the identity functionality required for interacting with the different services. Organizations or enterprises which do not have enough resources to deploy the required identity management infrastructure could decide to externalize such identity management functionality. By outsourcing the identity management, those enterprises get another enterprise to be in charge of providing the required identity management functionality on their behalf.

1.1 References

[IDCLOUD-USECASES-1.0] M. Rutkowski, OASIS Identity In The Cloud Use Cases v1.0, OASIS Standards Consortium, 08 May 2012. http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html

[NIST-SP800-145] P. Mell, T. Grance, The NIST Definition of Cloud Computing SP800-145, National Institute of Standards and Technology (NIST) – Computer Security Division, Computer Security Resource Center (CSRC), January 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

2 Definitions

Cloud Platform as a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. [NIST-SP800-145]

Outsourcing

Outsourcing consists of an entity contracting with another company to do a particular function. Typically, the function being outsourced is considered non-core to the business. A company may want to outsource some functionality if it could be done more efficiently and more cost-effectively by other companies with specialized tools and facilities and specially trained personnel.

In this document we focus on outsourcing identity management functionality. That includes externalizing all or part of the identity-related functionality. We consider that identity management functionality includes authentication, information exchange, user attributes aggregation, etc.

Due to the diversity raised by cloud environments, it is hard for some enterprises or organizations to deploy the infrastructure needed to interact with the different services. Hence, organizations or enterprises which do not have enough resources to deploy the required identity infrastructure could decide to externalize such identity management functionality. By outsourcing the identity management, those enterprises get another enterprise to be in charge of providing the required identity management functionality on their behalf. The outsourcing vendor deploys the required identity infrastructure and establishes the necessary trust relationships with the different services, making use of identity management functionality via other services.

Moreover, identity-related functionality includes not only authentication or authorization, such as implementing standard protocols like SAML, OpenID or XACML, but it also requires establishing trust relationships with the different services, defining complex SLA agreements, exchanging public key certificates and so forth. Furthermore, the peculiarities of the organizations should be adapted to each service in order to interact with it.

Figure 1 represents an overview of a basic outsourcing scenario, where two enterprises externalize their identity-related functionality to the outsourcing service, which in turn is used as a bridge for accessing the different Internet services. In this way, organizations or enterprises could make use of virtual Identity Providers in the cloud, which offer the identity management solution as SaaS, without requiring the enterprises to handle access to the different services themselves.

Figure 1. Outsourcing Service Scenario Overview

As previously commented, identity-related functionality involves many different aspects. They are represented in Figure 2 and described below.

Figure 2. Outsourcing Services

[Type the document title] IDCloud-outsourcing-v1.0-cnd01 Non-Standards TrackNon-Standards       their identity-relatedtheir information interferer without other.witheach companywants which to outsource this functionality. Thisallows companies the to manage Virtualization The identitymanagement Services: virtualizedfunctionalityis foreach system, so the userscannot deny performing an operation initiatingatransaction.or incorporate effective an auditingsystem able to tracethe relevant events thein happened As many Services: Audit other identity management systems,outsourcing have services to are actions they to able perform over resources. which Authorization authenticating Besides Services: the users, necessary isit to determine what keycertificationas public such services, infrastructure (PKI). relationshipsby defining different agreementsService-level and (SLA) secured deploying relationshipsbetween different the providers. The outsourcingestablishesservice trust KeyManagement An important Services: partofoutsourcing to is manageservices trust requirements of the scenario. defined been several authentication applicability the mechanisms,whose on depends most tousers.visible It validates that who claiming toisthe actually isbe. user Therehave AuthenticationThe authentication Services: process oftenis the aspectofthatsecurity is This form of user a webservice. for the basis providing (SSO). Sign-On Single Session ManagementWeb Services: sessionsare established tomaintain state a for each The patent provisions of the Policy The OASIS of IPR do patent provisions not the apply This Non-Standards is a Work Product. Track Copyright © Copyright OASIS Open Reserved.Rights© All 2013. . 292013 April Page 9 of 18

3 Use Cases

3.1 Use Case 2: Identity Provisioning

3.1.1 Short description

Feature the need and support to manage customer policies for identity decommissioning, including transitioning of affected resources to new identities. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.1.2 Relevant applicable standards

- Standards that provision uid's
- SPML
- OSLC (open-services.net) – open services for lifecycle collaboration standards
- SCIM
- DMTF CIMI

3.2 Use Case 4: Identity Configuration

3.2.1 Short description

Feature the need for portable standards to configure identities in cloud applications and infrastructure (virtual machines, servers etc). For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.2.2 Relevant applicable standards

- LDAP
- LDIF
- TOSCA
- OVF
- SAML

3.3 Use Case 16: Offload Identity Management to External Business Entity

3.3.1 Short description

Show the need for federated identity management which enables an enterprise to make available cloud-hosted applications to either the employees of its customers and business partners or its own institutional consumers, and avoid directly managing identities (accounts) for those users. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.3.2 Relevant applicable standards

- SAML
- OpenID
- OpenID Connect
- OAuth
- WS-Federation

3.4 Use Case 17: Per Tenant Identity Provider Configuration

3.4.1 Short description

Show the need for cloud tenants to securely manage cloud services using automated tools rather than navigating to and manually configuring each service individually. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.4.2 Relevant applicable standards

- SCIM
- SPML
- IMI

3.5 Use Case 18: Delegated Identity Provider Configuration

3.5.1 Short description

Show the need for cloud tenant administrators to delegate access to their identity services configuration to their chosen identity service provider within a multi-tenant cloud service. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.5.2 Relevant applicable standards

- SPML
- SCIM
- IMI

3.6 Use Case 20: Government Provisioning of Cloud Services

3.6.1 Short description

Show how authorized government personnel could be granted access and assigned appropriate privileges to configure and provision a cloud service. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.6.2 Relevant applicable standards

- SAML
- XACML
- SPML
- SCIM

3.7 Use Case 26: Identity Impersonation / Delegation

3.7.1 Short description

Customers of the cloud provider may require that the cloud provider support a mechanism that permits one identity to impersonate the identity of another customer without sacrificing security. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.7.2 Relevant applicable standards

- WS-Trust

3.8 Use Case 27: Federated User Account Provisioning and Management for a Community of Interest (CoI)

3.8.1 Short description

Show the need for provisioning, administration and governance of user identities and their attributes for organizations that have a distributed structure which includes many central, branch and business partner offices, where each may utilize cloud deployment models. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.8.2 Relevant applicable standards

- SPML
- SCIM
- IGF

3.9 Use Case 29: User Delegation of Access to Personal Data in a Public Cloud

3.9.1 Short description

Users are able to dynamically delegate (grant and revoke) and constrain access to files or data stored with a cloud service provider to users whose identities are managed by external identity providers. For an extended description of this use case, please refer to [IDCLOUD-USECASES-1.0].

3.9.2 Relevant applicable standards

- UMA
- XACML

4 Standards

5 Challenges

5.1 Identity Provisioning

There is a need to manage the lifecycle (Create, Read, Update and Delete) of users.

5.2 Delegated Authorization

There is a need to perform authorization processes. Furthermore, the authorization may be directed by other entities and hence delegated authorization should be enabled. For example, a company may want to control the access of its users by its own methods, in which case the authorization decisions should be delegated to it.

5.3 Identity Administration

There is a need to enable administration capabilities so that the different enterprises can manage their identity-related information.

5.4 Identity Confidentiality

There is a need to provide confidentiality capabilities for services such as identities. This includes Encryption, Decryption and Key Management.
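The following Python program is an added example and is not part of the OASIS profile or of any TC deliverable. It models, in one outsourced identity service shared by several customer enterprises, the services listed under Figure 2 (authorization, audit, virtualization) and the challenges above (provisioning lifecycle, delegated authorization, per-tenant identity administration): each tenant registers its own policy function and the service only evaluates and enforces it; a tenant administrator can operate only on its own tenant; decommissioning a user transitions the resources it owned to a successor, as Use Case 2 asks for; and every operation lands in a hash-chained audit log that reveals later alteration of a past event. Tenant names ("acme", "globex"), user and resource names, the administrator naming convention "name@tenant", and the policies are all constructed for this example. Identity confidentiality (encryption and key management of the stored attributes) is deliberately not modelled here.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Tenant-supplied decision function: (subject, action, resource, attrs, owner) -> bool
Policy = Callable[[str, str, str, dict, Optional[str]], bool]


class IdentityError(Exception):
    pass


class OutsourcedIdentityService:
    def __init__(self) -> None:
        self._tenants: Dict[str, dict] = {}   # tenant -> {"policy", "users", "resources"}
        self._audit: List[dict] = []
        self._last_hash = "0" * 64            # anchor of the audit hash chain

    # --- Audit service: append-only, hash-chained event log -------------------
    def _log(self, tenant: str, actor: str, event: str, **details) -> None:
        entry = {"seq": len(self._audit), "tenant": tenant, "actor": actor,
                 "event": event, "details": details, "prev": self._last_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._audit.append(entry)
        self._last_hash = entry["hash"]

    def verify_audit(self) -> bool:
        """True unless a past entry was altered or removed. Dropping the newest
        entries is only detectable if the head hash is also stored off-service."""
        prev = "0" * 64
        for i, entry in enumerate(self._audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["seq"] != i or body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    # --- Virtualization / identity administration: one tenant cannot touch another
    def register_tenant(self, tenant: str, policy: Policy) -> None:
        if tenant in self._tenants:
            raise IdentityError(f"tenant {tenant!r} already registered")
        self._tenants[tenant] = {"policy": policy, "users": {}, "resources": {}}
        self._log(tenant, "service", "tenant.registered")

    def _scope(self, tenant: str, actor: str) -> dict:
        # Assumption of this example: an administrator is named "<name>@<tenant>".
        if tenant not in self._tenants:
            raise IdentityError(f"unknown tenant {tenant!r}")
        if not actor.endswith("@" + tenant):
            self._log(tenant, actor, "admin.denied")
            raise IdentityError(f"{actor!r} may not administer tenant {tenant!r}")
        return self._tenants[tenant]

    # --- Identity provisioning: Create / Read / Update / Delete ----------------
    def create_user(self, tenant: str, actor: str, user_id: str, attrs: dict) -> None:
        scope = self._scope(tenant, actor)
        if user_id in scope["users"]:
            raise IdentityError(f"user {user_id!r} already exists")
        scope["users"][user_id] = dict(attrs)
        self._log(tenant, actor, "user.created", user=user_id)

    def read_user(self, tenant: str, actor: str, user_id: str) -> dict:
        return dict(self._scope(tenant, actor)["users"][user_id])

    def update_user(self, tenant: str, actor: str, user_id: str, **changes) -> None:
        self._scope(tenant, actor)["users"][user_id].update(changes)
        self._log(tenant, actor, "user.updated", user=user_id, fields=sorted(changes))

    def assign_resource(self, tenant: str, actor: str, resource: str, owner: str) -> None:
        scope = self._scope(tenant, actor)
        if owner not in scope["users"]:
            raise IdentityError(f"unknown owner {owner!r}")
        scope["resources"][resource] = owner
        self._log(tenant, actor, "resource.assigned", resource=resource, owner=owner)

    def delete_user(self, tenant: str, actor: str, user_id: str,
                    successor: Optional[str] = None) -> List[str]:
        """Decommission a user; resources it owned move to `successor` instead of
        being orphaned (Use Case 2). Returns the transitioned resources."""
        scope = self._scope(tenant, actor)
        if user_id not in scope["users"]:
            raise IdentityError(f"unknown user {user_id!r}")
        owned = sorted(r for r, o in scope["resources"].items() if o == user_id)
        if owned and successor not in scope["users"]:
            raise IdentityError("decommissioning a resource owner needs an existing successor")
        for r in owned:
            scope["resources"][r] = successor
        del scope["users"][user_id]
        self._log(tenant, actor, "user.deleted", user=user_id, moved=owned, successor=successor)
        return owned

    # --- Delegated authorization: the tenant's policy decides, the service enforces
    def authorize(self, tenant: str, subject: str, action: str, resource: str) -> bool:
        if tenant not in self._tenants:
            raise IdentityError(f"unknown tenant {tenant!r}")
        scope = self._tenants[tenant]
        attrs, owner = scope["users"].get(subject), scope["resources"].get(resource)
        permit = bool(attrs is not None and owner is not None
                      and scope["policy"](subject, action, resource, attrs, owner))
        self._log(tenant, subject, "authz.decision", action=action, resource=resource, permit=permit)
        return permit


def demo() -> dict:
    """Constructed walk-through with two tenants; returns the observed outcomes."""
    svc = OutsourcedIdentityService()
    # acme's own rule: engineering may read anything, only the owner may write.
    svc.register_tenant("acme", lambda s, a, r, attrs, owner:
                        (a == "read" and attrs.get("dept") == "eng") or (a == "write" and s == owner))
    svc.register_tenant("globex", lambda s, a, r, attrs, owner: s == owner)
    svc.create_user("acme", "admin@acme", "alice", {"dept": "eng"})
    svc.create_user("acme", "admin@acme", "bob", {"dept": "sales"})
    svc.assign_resource("acme", "admin@acme", "repo/payments", "alice")
    out = {"alice_reads": svc.authorize("acme", "alice", "read", "repo/payments"),
           "bob_reads": svc.authorize("acme", "bob", "read", "repo/payments"),
           "bob_writes": svc.authorize("acme", "bob", "write", "repo/payments")}
    try:                                   # globex's administrator cannot see acme's users
        svc.read_user("acme", "admin@globex", "alice")
        out["cross_tenant_blocked"] = False
    except IdentityError:
        out["cross_tenant_blocked"] = True
    out["moved"] = svc.delete_user("acme", "admin@acme", "alice", successor="bob")
    out["bob_writes_after"] = svc.authorize("acme", "bob", "write", "repo/payments")
    out["alice_after"] = svc.authorize("acme", "alice", "read", "repo/payments")
    out["audit_ok"] = svc.verify_audit()
    svc._audit[2]["details"]["user"] = "mallory"   # rewrite history: alice's creation event
    out["tamper_detected"] = not svc.verify_audit()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for an outsourcing vendor. The policy callback is the only place a decision is made, so a customer that wants to keep "its own methods" (5.2) hands over a function, or in practice an XACML/UMA endpoint, and the vendor never has to encode customer rules itself. The audit chain gives the non-repudiation the Audit Services bullet asks for only against modification of recorded events; protecting against truncation requires publishing the head hash somewhere the vendor cannot rewrite.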

Appendix A. Acknowledgments

The following individuals have participated in the creation of this specification and are gratefully acknowledged:

Participants:
Anil Saldhana, Red Hat
Scott Stark, Red Hat
Anthony Nadalin, Microsoft
David Turner, Microsoft
Matt Rutkowski, IBM
David Kern, IBM
Abbie Barbir, Bank of America
Dominique Nguyen, Bank of America
Thomas Hardjono, MIT
Jeffrey Broberg, CA Technologies
John Tolbert, The Boeing Company
Ginés Dólera Tormo, NEC Corporation
Félix Gómez Mármol, NEC Corporation
Cathy Tilton, Daon
Dale Moberg, Axway Software
David Chadwick, Individual
Gershon Janssen, Individual
Roger Bass, Individual
Michele Drgon, Individual

Appendix B. Non-Normative Section

Appendix C. Revision History

| Revision | Date | Editor | Changes Made |
|---|---|---|---|
| 01a | November 12, 2012 | Ginés Dólera Tormo, Félix Gómez Mármol | Initial draft version. |
| 01b | January 21, 2013 | Ginés Dólera Tormo, Félix Gómez Mármol | Extended introduction and definition of the term 'outsourcing'. |
| 01c | April 29, 2013 | Ginés Dólera Tormo, Félix Gómez Mármol | Merged introduction and outsourcing definition. Extended outsourcing definition. Added Challenges. |
