
Federated Identity in Practice

Federated Identity in Practice. Mike Beach The Boeing Company. Federated Identity. Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation.


Presentation Transcript


  1. Federated Identity in Practice Mike Beach The Boeing Company

  2. Federated Identity Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation. This applies both within the corporation and across the Internet.

  3. The Boeing Environment
     • Three user communities
       • 150,000 employees, contractors
       • 80,000 partners, suppliers, customers
       • 1,000,000+ ex-employees, beneficiaries
     • Three enterprise directories
       • Comprehensive Sun ONE directory (all people of interest)
       • Microsoft Active Directory (most employees)
       • RACF (most employees, but not the same set of employees as MS AD)
     • Many Boeing web servers
       • Apache, iPlanet, IIS, ColdFusion, Shadow, Oracle
       • Over 350 web server platform/version variations
     • Multiple versions of both Netscape and IE browsers

  4. WSSO Objectives
     • Simple, consistent user experience
     • Improved security through centralized access management
     • Reduction in user accounts and passwords, thus reductions in account administration costs
     • Applications isolated from authentication mechanisms and authentication technology insertions
     • Applications agnostic to origin of user’s access (internal or external)
     • Single sign-on across the Boeing business domain, including partners, suppliers, customers…

  5. WSSO Key Solution Differentiators
     • Web Single Sign-on (WSSO) across Boeing and external web sites
     • Common infrastructure supporting internal and external access, for internal and external users
     • No control over desktop configuration and no ability to deploy components to the desktop
     • Leverage existing Boeing infrastructure

  6. The Deployment
     • Oblix NetPoint infrastructure with 12 Access Servers deployed across 3 geographic regions (plus sandbox, development, test, and integration environments; about 50 machines total)
     • Primarily authentication today, limited authorization
     • No Identity Management or delegated administration
     • Custom integration with 5 authentication mechanisms
       • MS Active Directory
       • RACF
       • X.509 personal certificates
       • Proximity badge
       • Customer/supplier reverse web proxy user ID and password

  7. Major WSSO Components
     [Architecture diagram; component labels recovered from the slide: Identity and Policy Stores (Corporate Sun ONE Directory, All People; Oblix Policy, Groups; Customers, Suppliers); Access Server with Boeing Plugin; WebGate in front of Boeing and 3rd-party web server content; Login Hub with W2K, RACF, Certificate and PIN logons; Boeing Reverse Proxy and WSSO Proxy Services in the DMZ; SAML Services; Remote Access Service; Customer Authenticator Service (PIN authentication); authentication stores AD, RACF and X.509.]

  8. WSSO Authentication Sources
     [Same diagram, highlighting: W2K, RACF, X.509 Personal Certificates, External PIN.]

  9. WSSO Authorization Sources
     [Same diagram, highlighting: LDAP People Branch, LDAP Group Authorization, Customer/Supplier Authorization.]

  10. WSSO Perimeter Access Components
     [Same diagram, highlighting the access paths for: typical customers and suppliers; employees (VPN, dial); federated customers and suppliers; external employees and retirees.]

  11. WSSO-protected Components
     [Same diagram, highlighting: internal Boeing web server content; external third-party supplier web server content.]

  12. WSSO Users
     [Same diagram, highlighting: internal employees; external employees, retirees, customers and suppliers.]

  13. Milestones (the slide marks the current position on the timeline as “We Are Here”)
     • Started RFP 3/2001
     • Vendor selection 8/2001
     • Production 12/2001
     • 100,000 logins per day 2/2003
     • 100+ applications in production 4/2003
     • 3rd party web site integration 5/2003
     • External user integration 5/2003
     • SAML production 6/2003
     • Role-based access control Q3/2003
     • Complete deployment (1000+ applications) End 2004-2005

  14. SAML Participants
     • The Boeing Company: a leading manufacturer of commercial airplanes, space technology, defense aircraft and systems, and communication systems.
     • Southwest Airlines: a major domestic airline that provides primarily short-haul, high-frequency, point-to-point, low-fare service. Southwest operates over 350 Boeing 737 aircraft in 58 cities.
     • Oblix Inc.: a leading developer of identity-based security solutions for e-Business networks. The company's flagship product, Oblix NetPoint, is an enterprise identity management and Web access solution that provides an identity infrastructure for dynamic e-Business environments.

  15. SAML Deployment Objectives
     • Significantly increase the user base of MyBoeingFleet, the secure web portal that provides Boeing customers access to all of the information required to operate and maintain their fleets
     • Embed MyBoeingFleet more deeply in the airline’s business process. Facilitate the deployment of MyBoeingFleet content directly to the customer maintenance hangar
     • Users will authenticate to their local intranet, click on a link to MyBoeingFleet, and seamlessly access the data and services without a secondary Boeing authentication request
     • Role-based access control targeted for next year

  16. The SAML Flow
     [Flow diagram. Domain A, swacorp.com: SWA User, SWA Portal, SAML Services. Domain B, Boeing.com: DMZ with SAML Server and Reverse Proxy; internal Access Server and the target resource MyBoeingFleet.com. The exchange is numbered as steps 1 to 4, with sub-steps 2.0 to 2.5 between the SWA side and the Boeing SAML Server.]

  17. Web Access Management: General Challenges
     • Managing
       • Executive expectation
       • User experience
       • Hundreds of applications with even more policies
     • Complexity and reliability
       • Browsers, web servers, networks, directories, libraries, versions, custom code
     • Session management
       • Existing applications typically have embedded session management
       • Anomalies arise from inconsistent session state
       • Global “logout” is problematic (hurray for SAML 2.0!)
     • Security
       • Vulnerability assessment and risk mitigation where possible is appropriate

  18. SAML Deployment Considerations
     • Assertions may need to be constrained to a domain
       • Boeing defined the authentication mechanism to include both user identity and SAML issuer ID
     • Support for direct bookmarks
       • For each web session, prior to a SAML transfer, bookmarks and URL references may not work
       • Oblix-provided solution creates a persistent “SAML Provider” cookie and implements redirection through SAML services for unauthenticated users
       • Not a part of the SAML standard
     • SAML only provides the “introduction”
       • Boeing content resides inside the Boeing security perimeter
       • Had to integrate ObSSOCookie intelligence into the perimeter before users could actually get to content
       • Security considerations of interactions across the Internet AFTER the SAML exchange were significant
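The first consideration above, identity as the pair (user, issuer) plus a domain-constrained assertion, is shown below as an added example; it is not code from the Boeing or Oblix deployment. It walks a constructed SAML 1.1 assertion through the policy checks a consumer applies before creating a session (trusted issuer, validity window, audience, issuer-qualified subject) and assumes the XML signature has already been verified upstream; the issuer and audience values are placeholders.

```python
# Added example: consumer-side policy checks on a SAML 1.1 authentication assertion.
# Assumes the assertion's XML signature was already verified by the SAML layer.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion; issuer, audience and subject are placeholder values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_example-1"
  Issuer="saml.partner.example" IssueInstant="2003-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2003-06-01T11:59:00Z" NotOnOrAfter="2003-06-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://portal.boeing.example/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2003-06-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text, trusted_issuers, our_audience, now):
    """Return the issuer-qualified identity, or None if the assertion is rejected.

    trusted_issuers: issuers this domain federates with; any other issuer is refused.
    our_audience: the audience value this consumer answers to (the domain constraint).
    """
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return None  # unknown issuer: not part of our federation
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None  # no validity window means no replay bound: refuse
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None  # expired or not yet valid
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if our_audience not in audiences:
        return None  # assertion was issued for a different domain
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return None
    # Identity is (subject, issuer): "jdoe" asserted by two partners never collides.
    return f"{name.text.strip()}@{issuer}"
```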

  19. Recommendations
     • Focus on communication and marketing
       • Manage expectations
       • Educate users
     • Thoroughly understand and plan user experience (within product capabilities)
     • Consider limiting scope
       • Integration of legacy technologies can be costly
       • Each component integrated adds to complexity and impacts overall reliability
     • Consider adjusting infrastructure to support IAM
       • Integration to existing infrastructure required significant custom code
       • Use of a virtual directory could simplify deployment, but probably with an impact to performance

  20. Standards Wish List
     • Support for direct bookmarks
       • Bookmarks and URL references (“deep links”) should work, even prior to the initial SAML transfer.
     • Global logout
       • Provide the user with an intuitive logout facility that would ensure complete termination of all application sessions and authentication credentials.
     • Domains of federated security
       • Users have need for multiple, disconnected federated security domains. For example, separation of business and personal. (Selective logout?)
     • Security strength of public Internet technologies
       • Industry needs to deliver technology that prevents cookie vulnerabilities (hijack and replay).
     • Support for individual application session timeout settings
       • Several of our application environments consider a session timeout setting (idle time) mandatory.
     • Authentication State Visibility
       • It is important for the user to always be aware of their authentication state. Are they authenticated, and to what?
