Liberty Alliance Project

Identity Management Liberty Alliance Project • Rise of electronic networks: • Need stronger or relevant (business related) use of Setting the Standard identity verification and authorization for Federated Network Identity • Company extranets • Online trading

• Identity fraud (#1 consumer complaint): Privacy, Identity Management and Services • Worldwide monetary losses from identity theft were using Liberty technologies in Mobile approximately $8.75 billion in 2002, and are expected to triple to roughly $24 billion in 2003* Environment. • Importance of Identity Management crosses Timo Skyttä industries and sections: • It is required in any B2C, B2B or B2E transaction whether Nokia Mobile Software the entities are private businesses or governmental Strategic Architecture organizations 1 * Aberdeen research 2

Federated Identity & Identity What is the Liberty Alliance ? Management • Federation reflects how relationships are kept in • A business alliance, formed in Sept 2001 with the the real-world goal of establishing an open standard for federated identity management • Not all identity information is held in one place

• Global membership consists of consumer-facing • No centralized single point of failure companies and technology vendors as well as policy and government organizations • Opportunity for any trusted business to become a trusted identity provider • The only open organization working to address the • More than single sign-on technology and business issues of federated identity management • It’s how personal information is authenticated, shared and managed 3 4

1 Some current challenges for Mobile Industry Nokia architecture - Identity Manager as the outermost (related to Identity Management) Personal Security & Privacy tool towards services Tightening privacy legislation in EU – use of MSISDN (phone number) as an identifier automatically attached to outgoing HTPP-requests Service User Interface Identity Manager User becomes questionable (browsing/messaging/Java Interface app’s) (invoked if needed) Number portability makes it difficult to associate a phone number to a Secure user certain provider of services – needs to invent a new reference authentication mechanism Services without All other services Identity Manager Many of the mechanisms used in Fixed internet, based on HTTP any need to invoke Identity redirect, cause too many round trips and delays in mobile environment know anything Manager at login, User Profile about the user, when using a form, Consumer awareness and concern over generic privacy and misuse i.e. NO login, Secure use of personal information is growing, need for a “trusted” environment installing/using an Authentication & storage NO on-line forms, ID mechanism or Authorizations A mass market phone doesn’t have full keyboard, and is not likel y to NO hidden ID when initiating a have one in the foreseeable future -> data entry difficulties -> service mechanisms transaction Privacy & Identity adoption problems NOR transactions User’s want personalized services to get quicker access to the content they want, mobile phone screen is small, can present only a limited amount of information – personalization is key, do not compromise Services user’s privacy unnecessarily when doing this To solve Identity Management, including personalized service access, do not create a mobile specific, but a mobile aware solution. This drives adoption both in Mobile and Fixed internet Make the life of user and service provider easy, but trusted and secure 5 6

Before Liberty Use Case After Liberty Use Case

Timo has chosen to link his Timo must log-in to portal with three favorite sites an ID and password When Timo logs into the portal, After selecting a TV site he must the mobile operator log-in again automatically authenticates him Log-in’s like above can require 80+ Timo clicks on the TV and is clicks and more than 30 seconds of automatically signed-on time on a typical mobile phone Timo goes to his bookmarks keypad and instantly logs-on to his email Users often give up in frustration, limiting use of mobile data services 7 8

2 Thank You Additional material

Questions ?

9 10

Liberty Alliance Vision Defining Liberty

Mission: To serve as the premier open Alliance for federated Liberty Alliance IS… Liberty Alliance IS NOT network identity management & services by ensuring IS a member community IS NOT a consumer-facing interoperability, supporting privacy and promoting delivering technical product or service adoption of its specifications, guidelines and best specifications, business and IS NOT developed and practices. privacy best practices supported by one company IS providing a venue for testing IS NOT based on a interoperability and identifying Goals: centralized model business requirements – Provide open standard and business guidelines for federated identity management spanning all network devices IS developing an open, – Provide open and secure standard for SSO with federated identity standard that decentralized authentication and open authorization can be built into other – Allow consumers/businesses to maintain personal companies’ branded products information more securely, and on their terms and services IS driving convergence of open standards 11 12

3 How does Liberty work ?

Management Board

• 16 founding sponsors

• Responsible for overall governance, legal, finances, and operations

• Final voting authority for specifications The Business Case Business Technology Services Public Policy Conformance Marketing Expert Expert Expert Group Expert Group Expert Group Group Group The Role of Federated Identity in Web

Requirements • Privacy, security, Technical Service Technical req. and use cases and global public architecture marketing Licensing req. Services Responsible for policy issues & requirements Monitor Logo

evangelism and • Technical Liaison to privacy specifications usage public relations groups and specifications Manage Business government Defines service Conformance templates and agencies guidelines interoperability testing program • Privacy guidelines & conformance for Core Accelerates and best practices programs specifications market creation for publication

All members provide feedback on early drafts 13 14

The Problem Today

• Companies need solutions – How to leverage new trends to generate revenue – How to lower lower costs – And still address customer worries about privacy & security “Federated Identity Management is a strategic capability that will solve real business problems” • Companies are spending billions of dollars on Web Service projects (figures vary by analyst) Burton Group, July 2003 – Very few enterprises have completed projects

• Current barriers to wide-scale adoption – Lack of technical standards for managing identity – Lack of interoperability between products and services – Lack of a federated model – Lack of privacy and security best practices – Lack of business best practices 15 16

4 Identity problems exploding: Industries Ready for Federated Identity

• Wireless – Number Portability Act – enabling customers to retain their mobile phone • No common method to approach identity number when changing carriers – Emerging privacy legislation makes use of phone number as an identifier • Fragmentation of customers identities across towards services quite difficult – Limited data entry capabilities (small screens, small keypads) different many different sources – Users want immediate access to personalized services • Growing privacy / regulatory pressures – Exploitation of data services and m-commerce • Finance • Increasing potential and risk of identity theft - State and national legislation driving need to protect privacy and identity - Increasing opportunity to drive new partnerships and initiatives dependent upon • Convergence of internet and mobile world identity initiatives

• Desire to provide higher value-add services to • Healthcare – HIPAA legislation – organizations are responsible for ensuring identifiable customers information is protected while stored or in transit

• Government – Increasing incentives for e-filing and online tax returns – Bush administration’s eAuthentication mandate (led by GSA) 17 18

Recent Accomplishments

January 2002 – Liberty begins specification development

July 2002 – Liberty releases Phase 1 specifications

Liberty Progress & Momentum April 2003 – Liberty releases Phase 2 specification drafts; demonstrates interoperability among 20 products; donates Phase 1 specifications to OASIS (SAML)

June 2003 – Liberty releases first business guidelines; releases Phase 1 Japanese specifications

19 20

5 Increasingly Diverse Involvement Liberty Alliance Members

More than 150 member organizations globally • Growth in government, non-profit and education Driven by end-users, government orgs and vendors sector involvement Led by Technology, Business and Public Policy Expert Groups – GSA, DoD, Canada Post, Hong Kong Post, Royal Mail, TRUSTe, Universitat-Hamburg, U. of Chicago, ISTPA

• Close relationships with other standards groups – OMA, OASIS, The Open Group, Internet2

• Increasing global involvement – 25% of members are headquartered in Europe/APAC

21 22

Liberty-enabled products & services Sample Download Statistics

Communicator (available) NTT (TBD) SourceID enables Liberty federation and SSO and is a good Computer Associates (Q4*) NTT Software (available) indicator of Liberty interest. Download statistics below* DataKey (available) Oblix (2004) – More than 1,000 downloads in 100 days DigiGan (Q3*) PeopleSoft (available) – Majority of downloads are by global 1000 corporations Ericsson (Q4) Phaos Technology (available) – 72.85% are from companies *not* members of the Alliance Entrust (Q1 2004) Ping Identity (available) – 22.8% of the downloads are from governmental or academic institutions France Telecom (Q4 2003) PostX (available) – Telecommunications/wireless, financial services and manufacturing Fujitsu Invia (available) RSA (Q4) sectors have highest number of downloads Gemplus (TBD) Salesforce.com (TBD) HP (available) Sigaba (available) July Systems (available) Sun Microsystems (available) Immediate interest in Liberty’s Phase 2 specifications Netegrity (2004) Trustgenix (available) – Approximately 5,000 downloads of specification-related documents from NeuStar (available) Ubisecure (available) Liberty’s website three weeks following launch Nokia (2004) Verisign (Q4*) – 800 downloads of Liberty’s Privacy Best Practices document from Novell (available) Vodafone (2004) Liberty’s website three weeks following launch WaveSet (available)

23 *SourceID sponsored by Liberty member Ping Identity Corporation 24 *Delivery dates being confirmed

6 Identity Management Concepts

What is (digital) identity? • Represents principals (users, apps, etc.) • Name, number, other identifier, • Unique in some scope Consumer Profiles • Persistent, long-Lived or one-time • May be “anonymous” ,“pseudonym” or“true name”

Common Profile Info App, Site, or Partner Profiles Circle of Trust Concepts & Credentials Liberty Architecture Unique • May have multiple credentials Identifier • Different strengths, different apps • Can change w/more frequency

Credentials App, Site, or Partner Profiles Address, etc. • Attributes, entitlements, policies • More transient, fluid information Employer Profiles • Often specific to apps or sites 25 26

“Circle of Trust” Concept “Circle of Trust” Model

External Identity Service Provider (s) (IdP) Federated (e.g. Financial Institution, HR) Partner External Federated •Trusted entity Partner Partner Partner •Authentication infrastructure A Partner A Partner External Partner •Maintains Core Identity attributes Partner B Federated B H Partner External H •Offers value-added services Federated Network (optional) Partner Network IdentityNetwork Network External Network IdentityNetwork Partner Identity Partner Partner Identity Partner Federated Hub ProviderIdentity Hub ProviderIdentity Partner G Hub Provider C G Hub Provider C External Hub Provider Hub Provider Federated Partner Partner External Partner Partner Partner Federated D F Partner D F Partner Partner External Affiliated Service Providers E Federated E Partner •Maintain additional user attributes External •Offers complimentary service Federated Partner •Don't (necessarily) invest in authentication infrastructure 27 28

7 The Complete Liberty Architecture Liberty Specification Map ID-FF ID-Personal Profile Imp.. IDEmployee- Profilel Imp ID-SIS Guidelines 1.0 Guidelines 1.0 ID-Employee Profile Liberty Identity Services Interface ID-Personal Profile 1.0 1.0 Specifications (ID-SIS) ID-Personal Profile ID-Employee Profile Liberty Identity SCR. 1.0 SCR 1.0 Enables interoperable identity services such as personal Federation identity profile service, alert service, calendar service, ID-FF Architectural Overview 1.2 ID- WSF Framework (ID-FF) wallet service, contacts service, geo -location service, presence service and so on. ID-FF Implementation ID -WSF Security & Liberty Glossary ID-WSF Architectural Guidelines 1.2 Overview 1.0 Privacy Overview 1.0 ID-FF Static Liberty Trust Model ID-WSF Static ID -WSF Impl. Enables identity federation Conformance Req. 1.2 Guidelines Conformance Req. 1.0 Guidelines 1.0 and management through Liberty Identity Web Services Framework ID-WSF Data Services features such as (ID-WSF) Identity Services Templates Template 1.0 identity/account linkage, simplified sign on, and ID-FF Protocols and ID-WSF Discovery ID-WSF Interaction Provides the framework for building interoperable Core Identity Services Protocols simple session identity services, permission based attribute sharing, Schemas 1.2 Service 1.0 Service 1.0 management identity service description and discovery, and the ID-FF Bindings and ID-WSF Security ID-WSF SOAP ID-WSF Client associated security profiles Profiles 1.2 Web Services Bindings & Profiles Mechanisms 1.0 Binding 1.0 Profiles 1.0

Liberty Authentication Privacy & Security Liberty SASL -based Liberty Reverse HTTP Context 1.2 Best Practises Liberty specifications build on existing standards SOAP AuthN 1.0 Binding 1.0 (SAML, SOAP, WSS, XML, etc.) 29 Liberty Meta Data 1.2 Normative Non-Normative30

Where does Liberty Fit?

Liberty Alliance: a diverse industry consortium that is developing specifications for federated network identity, simplified sign-on, and authorization among diverse network and applications domains Liberty Alliance Other enabling standards: • SPML (Service Provisioning Markup Language) • XML Access Control Markup Language (XACML) • XML Key Management Specification (XKMS) What Should You Do Now? • XML Digital Signature

WS-security: mechanisms implemented in SOAP headers designed to offs (e.g., Meta Data spec) enhance SOAP messaging providing a quality of protection -

standards through message integrity, message confidentiality, and single message authentication Spin OASIS SAML Other enabling

OASIS WS security SAML 1.1 (Security Assertion MarkUp Language): SOAP, XML, WSDL, a set of XML and SOAP -based services, protocols, and formats for exchanging authentication and authorization HTTP, HTML information ** See archived Liberty Webinar for more SAML information 31 32

8 Liberty Alliance solves the Additional Information identity crisis The only global body working to define Learn more about the technical aspects of and drive open technology standards Liberty Alliance and guidelines for federated identity Free webinar from HP Addresses business, policy and technical issues associated with “Federated Identity” federated identity www.presentationselect.com/hpinvent/archives.asp Alliance of global organizations working together to enable the deployment of See the specifications and white papers at identity-based web services http://www.projectliberty.org Consider joining the Alliance

33 34