Federated Identity on the Web
Peter Yared, Chief Technologist, Network Identity, Sun Microsystems, Inc.
Month, 2001

What is Identity?
The set of attributes that describe profile(s) of an individual.
Attributes shown on the slide (around a customer/user record for "John Smith", with an alias): credit card number, social security number, driver's license, passport, retinal scan, DNA, entertainment preferences, notification preferences, employee authorization, business calendar, dining preferences, affinity program, friends and associates, education history, medical history, financial assets.

Know thy Customer
Without identity, you can't have an enduring relationship with your customers.
Knowing your customers better than your competitors is a huge advantage.

Possible Solutions
Communities shown: Financial Services Customer Community, Online Community, Telecommunications Community, Travel Community, Entertainment Community, Retail Community, Wireless Community.
Centralized Model versus Open, Federated Model.

Federated Identity
Distributed: data stays with its rightful owner.
Multiple authenticators.
Competition for consumer trust.
Delineation between authentication and authorization.
Merchant retains control of transaction requirements.
Gradient levels of authentication within the network.
Consumer is in control of who can access information.

What is Liberty?
A multi-industry business alliance.
Define and drive a widely accepted, interoperable standard for federated identity.
Provide a standard which will: simplify business partnerships on the internet; simplify users' consumption of network services; allow businesses and consumers to better manage their data.

Who is Liberty?
(Member logos on the slide; no text captured.)

Liberty Organization
Groups: Governance, Marketing, Technology, Policy.
Responsibilities listed: determines market requirements and use case focus for the alliance; drives positioning, promotion, branding, adoption and deployment; understands current standards, drives convergence and evolution of technology; delivers a spec; understands the policy/regulatory environment; defines mission/scope; drives the execution timetable.

Pragmatic Approach
Focus on interoperability.
Respect that other identity systems will exist.
No exclusivity.
Sun is one of many founders with no unique privileges.
Measure of success is commercial deployment.

Evolution of Identity Networks
Separate login for each site.
Separate login for each network.
Seamless login across networks.

Analogous to ATM Networks
Separate card for each bank.
Separate card for each network.
Seamless access across networks.

SSO Architecture
Cross-domain authentication: log in at one site, be recognized at another (Excite.com, Pets.com).

SSO (1 of 2) (Excite.com, Pets.com)
1. Service Provider uses HTTP redirect or Form Post to Identity Provider.
2. User is redirected to Identity Provider and logs in.
3. Identity Provider processes login.

SSO (2 of 2) (Excite.com, Pets.com)
4. Identity Provider redirects to Service Provider with a nonce embedded in the URI.
5. Merchant receives HTTP redirect and parses nonce from URI.
6. Service Provider opens PKI-ensured back channel to Identity Provider to query about user.

Federation/Account Linking (Pets.com, WebVan.com, Excite.com; account names Joe123, JoeS, JoeSch)
Users already have accounts at a variety of sites.
Upon linking those accounts, the sites need to be able to have a frame of reference for the user.
If account names are exchanged, sites can talk to each other about the user without the user's approval!
Instead, opaque handles resolvable only by the issuer should be exchanged.
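The six-step SSO exchange and the opaque-handle account linking above, as an added example that is not code from the deck or from the Liberty specifications: a Python simulation in which the Identity Provider issues a single-use nonce bound to the requesting Service Provider, the SP parses it from the redirect URI and resolves it over a back channel (simulated here by a direct call; the slide assumes a PKI-secured channel), and the IdP answers with a per-site opaque handle rather than the account name. All user and site names are constructed.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class IdentityProvider:
    """Constructed IdP: logs users in, issues nonces, answers back-channel queries."""
    accounts: dict                                 # username -> password (constructed sample data)
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _pending: dict = field(default_factory=dict)   # nonce -> (username, service provider)

    def login(self, username, password, sp):
        # Steps 2-3: the user, redirected by the SP, logs in at the Identity Provider.
        if self.accounts.get(username) != password:
            return None
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (username, sp)
        # Step 4: redirect back to the Service Provider with the nonce embedded in the URI.
        return f"https://{sp}/sso?nonce={nonce}"

    def handle_for(self, username, sp):
        # Opaque per-site handle: only the IdP (holder of _secret) can relate it to the
        # account, and two sites get different handles, so they cannot correlate the user.
        return hmac.new(self._secret, f"{username}|{sp}".encode(), hashlib.sha256).hexdigest()[:24]

    def resolve(self, nonce, sp):
        # Step 6 (IdP side): the nonce is single-use and bound to the SP it was issued for.
        entry = self._pending.pop(nonce, None)
        if entry is None or entry[1] != sp:
            return None
        return self.handle_for(entry[0], sp)


@dataclass
class ServiceProvider:
    """Constructed SP (e.g. pets.com); the back channel is simulated by a direct method call."""
    name: str
    idp: IdentityProvider
    linked: dict = field(default_factory=dict)     # opaque handle -> local account name

    def link(self, handle, local_account):
        self.linked[handle] = local_account        # account linking, done once with user consent

    def callback(self, uri):
        # Step 5: parse the nonce from the redirect URI; the URI alone proves nothing.
        nonce = parse_qs(urlparse(uri).query).get("nonce", [None])[0]
        # Step 6 (SP side): query the IdP over the back channel, then map the handle locally.
        handle = self.idp.resolve(nonce, self.name)
        return self.linked.get(handle) if handle else None
```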