OATH Reference Architecture, Release 2.0 Initiative for Open Authentication (OATH)
The Initiative for Open AuTHentication (OATH) welcomes input, suggestions, and other feedback on this work from as broad a range of industry participants as possible, in order to improve its quality. Feedback should be sent to [email protected]. If you are interested in getting more information about OATH or joining OATH, please contact [email protected] or visit http://www.openauthentication.org.

Copyright (c) 2004-2007, Initiative for Open AuTHentication. All Rights Reserved.

CONTENTS

1. Executive Summary .... 5
2. Abbreviations .... 6
3. OATH Vision and Goals .... 8
4. Usage Scenarios .... 10
  4.1. Remote Access .... 10
  4.2. Online Banking .... 10
  4.3. Telecommuting .... 10
  4.4. Client and Business Partner Extranet .... 11
  4.5. eGovernment .... 11
  4.6. 24x7 IT Infrastructure Support .... 11
  4.7. Wireless Roaming .... 11
  4.8. Desktop Logon .... 11
  4.9. Closed Network .... 12
5. Authentication Framework .... 13
  5.1. Client Framework .... 13
  5.2. Provisioning and Management Framework .... 13
  5.3. Validation Framework .... 14
  5.4. Applications .... 14
  5.5. Authorization .... 14
  5.6. User Store .... 14
  5.7. Policy Store .... 14
  5.8. Audit Store .... 14
  5.9. Authentication and Identity Sharing .... 14
  5.10. Risk Evaluation and Sharing .... 15
6. OATH Reference Architecture .... 16
  6.1. Client Framework .... 16
    6.1.1. High-Level Architecture .... 16
    6.1.2. Salient Features .... 17
    6.1.3. Authentication Methods .... 18
    6.1.4. Authentication Tokens .... 19
    6.1.5. Token Interface .... 20
    6.1.6. Authentication Protocols .... 21
  6.2. Validation Framework .... 22
    6.2.1. High-Level Architecture .... 22
    6.2.2. Salient Features .... 24
    6.2.3. Existing Standards and Technologies .... 25
    6.2.4. OATH Focus Areas .... 26
  6.3. Risk Evaluation and Sharing Framework .... 26
    6.3.1. High-Level Architecture .... 26
    6.3.2. Salient Features .... 27
    6.3.3. Existing Standards and Technologies .... 28
    6.3.4. OATH Focus Areas .... 28
  6.4. Provisioning and Management Framework .... 28
    6.4.1. High-Level Architecture .... 29
    6.4.2. Salient Features .... 30
    6.4.3. Existing Standards and Technologies .... 31
    6.4.4. OATH Focus Areas .... 32
  6.5. Common Data Model .... 33
    6.5.1. Existing Standards and Technologies .... 33
    6.5.2. OATH Focus Areas .... 34
  6.6. Authentication and Identity Sharing .... 34
    6.6.1. Authentication Sharing .... 35
    6.6.2. Identity Sharing .... 38
    6.6.3. Traditional Federated Identity .... 38
    6.6.4. User-Centric Identity Sharing .... 39
    6.6.5. OATH Focus Areas .... 40
7. Example Deployment Scenario .... 41
8. Summary of OATH Focus Areas .... 44
9. References .... 46
10. Contributing Members .... 49

1. Executive Summary

This document specifies version 2.0 of the reference architecture for the Initiative for Open AuTHentication (OATH). The OATH Reference Architecture document describes a high-level technical framework for open authentication, as envisioned by the OATH member companies. The reference architecture is intended to explain OATH's vision for authentication, as well as to provide a high-level technical roadmap for its work.

The intended audience includes decision makers and technical architects from OATH member and non-member companies, IT managers and architects from organizations that are considering deploying strong authentication solutions, and other standards organizations that share all, or part, of the OATH vision.

The work has been driven by the following guiding principles:

• Open and royalty-free specification - OATH intends to establish an open and royalty-free specification for strong authentication by leveraging existing open standards, where possible, and leading standardization efforts in well-established technical standards bodies where existing standards are not available.

• Device innovation and embedding - OATH intends to specify components for low-cost, multi-function authentication devices (e.g.