Process-based Identity & Access Management · 2008-04-28 · Dennis Attinger, Stuart Boardman...

Page 1: Process-based Identity & Access Management

Challenges in an extended enterprise model

Dennis Attinger (Philips), Stuart Boardman (CGI)

Philips/CGI, München, 24 April 2008

Page 2: What you can expect from us

Philips/CGI, DAT/SBO, München, 24 April 2008

• Present the problem domain

• Compare solutions and architectural options

• Present the concept and solution approach

• Present 1st phase of pilot and experiences

• Compare with alternative solution for the concept

• Future Phases

Page 3: Assumptions and Principles

• The business paradigm is Extended Enterprise

• The design paradigm is Service Oriented Architecture. No assumptions on technology.

• Objective is:

– to realize the SOA “promise of Agility”

– to have Security as an integral part of Architecture and not as an “after-thought”

Page 4: The Extended Enterprise

[Diagram: Capabilities, Business Processes and Services (labelled “Directed By” and “Delivered By”); participants of the Extended Enterprise: Employees, Customers, Partners, Suppliers, Agents.]

Page 5: SOA in the Real-World

• Service-Oriented Architecture as the architectural style:

– Promise of Agility:

• Mirror real-world activities

• Boundaryless Information Flow

• Re-use

– Design on Business Process level

– Implement by using Open Standards

Page 6: Service-Oriented Architecture

Service:

– HW: PC cards (on a PC-bus)

– SW: code with a defined function (on an Enterprise Service Bus)

– Business: activity (as part of a process)

A service is a logical representation of a repeatable business activity that has a specified outcome.

Services are coupled with each other in an orchestrated Process chain.

[Diagram, orchestrated process chain: PO creation → Customer Login/check → Customer approval → Process Order → Process Order → Process Order → Release For Shipping]

Page 7: Service-Oriented Architecture: getting complex along the way

[Diagram: many-to-many relationships between User Roles 1…n, Processes 1…2, Composites 1…n and Services 1…n, repeated across several layers.]

Source: Rob Hailstone IDC

Page 8: Extended Enterprise and SOA: Real-World Issues for IAM

• Two requirements in tension:

– Security view:

• Controlling who is actually entitled to use what

– Compliance view:

• Ensuring traceability and legitimacy of all transactions

• Current “afterthought” approaches:

– Security as an afterthought

• Each user and its credentials must be known to each service

– Architecture as an afterthought

• Multiple access mechanisms managing the “same” entities

Page 9: Problem Statement

• If security or architecture is an afterthought these issues arise:

– Services are coupled to security functionality – forget re-use

– Identities propagated to all access mechanisms – forget agility

• Complexity – performance, maintenance and governance risk – can lead to security risks

• Managing growing numbers of identities across eCommerce, SOA and legacy apps

• Why give all users access rights to those back end systems?

• We’re looking for:

– a solution that closely follows the A in SOA thinking

– a solution which is extensible (well adapted to change)

Page 10: Line of Thinking

• Services are coupled with each other in an orchestrated Process chain…

– Process view in SOA taken as conceptual starting point

– Promise of Agility largely based on a Processes focus

1. Identity propagation takes the service as the point of authorisation

2. Taking the process as the point of authorisation is the architectural approach

Page 11: Process as the point of authorization

[Diagram, identity flow along the process chain: PO creation → Customer Login/check → Customer approval → Process Order → Process Order → Process Order → Release For Shipping]

Conceptual Solution:

• Agent based, PEP/PDP solution

• Two identity contexts – user and service

• Identities exist only in relevant contexts

• Access control rights driven

• No identity (or role) mapping required

• Audit compliance per transaction based on transaction characteristics

• Requires correlation across multiple logs

Page 12: Service - Layering

[Diagram, service layering: Business Process Services; Business Services (Task Oriented Business Services, Entity Oriented Business Services); Application Services; Infrastructure Services (Utility Services, Component Services); Enterprise Business Applications; external parties Partners, Customers, Suppliers, Agents.]

Page 13: Current Thinking: decoupled security architecture

[Diagram: Portal → Policy Enforcement Point → Business service → Policy Enforcement Point → Application Service(s), with a Policy Decision Point behind the enforcement points; an ID Assertion is passed from the Portal and an ID & Attribute Assertion on to the Application Service; Identity Management and Policy Management sit behind the PDP.]

• Policies can be changed centrally and rolled out without touching business logic

• Developing standards can be rolled out centrally

• Many ready to use agents (policy enforcement points) available

• Move security out of service design and into deployment

Page 14: Component View of Service and IAM

[Diagram. Layers: Business Process Services (ESB/BPMS), Business Services, Application Services, Enterprise Business Applications. Two identity contexts: the User Identity Context (Partners, Customers, Suppliers, Agents → Portal → Policy Enforcement Point, with User Provisioning, Authentication / Register / Authorization, Assertion (token, roles, claims), Federation and Id-Provider) and the Service Identity Context (Policy Enforcement Point, Authorization, Insertion, Policy Decision Point). An Audit Log at each layer feeds a Correlation component.]

Page 15: Component View Solution

[Diagram, the same layering with concrete components: Web Server, Portal Server and Federation on the user side; Policy Server (Policy Decision Point, Policy Administration, Repository) with a User Provisioning Engine; Policy Enforcement Points in front of the ESB/BPMS (Business Process Services), Business Services, Application Services and Enterprise Business Applications; external parties Partners, Customers, Suppliers, Agents.]

Page 16: Component View Solution

[Diagram, as page 15 plus logging and the identity data passed at each hop: the Web Server receives User id / token; Portal Server and BPMS pass Token, process id; the ESB and its Policy Enforcement Point pass Token, process id, service id; Application Services see Service id, Process id. Each component writes a Log; the logs feed a Correlation & Reporting Engine (SIM).]

Page 17: The Fulfillment Process

[Diagram. Order Products (BPS) → Capture Order (BS), Validate Order (BS), Place Order (BS), Manage Order (BS) → Order from LOB 1 (AS), Order from LOB 2 (AS); Policy Enforcement Point and Policy Decision Point at the service boundaries. Identity data logged along the chain: User Id / token; Token (user); User Id / token, Provider (service); Token, Consumer (Service), Provider; Token, Consumer, Provider, Order #; Consumer (Service) Id, Provider, Order #; Consumer (Service) Id, LOB Order #. A Correlator links the Order # to the LOB Order #s.]

Page 18: Deployment View – Phase 1

[Diagram: Apache Agents (PEP) in front of JBoss nodes hosting (App) Order Products, (WS) Place Order, (WS) Validate Order and (WS) Manage Order; JCAPS BPM/ESB; (WS) Order from LOB1 → App “SAP 1”, (WS) Order from LOB2 → App “SAP 2”; CA SOA Security Manager as PDP.]

Products: Apache HTTP Server; CA SOA Security Manager; JBOSS Application Server; Sun JCAPS 5.3; CGI Octopus BAM (Correlation); SAP

Page 19: An example log

The slide labels the lines by source: Portal log file, Services log file, SAP log file.

16:16:22,750 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process started (date=1204125382750) [place_order:1204125382750:127.0.0.1]
16:16:22,881 INFO (- place_order:1204125382750:127.0.0.1 -) [PlaceOrderAction] Placing order...
16:16:22,911 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderPlacerWeb] Passing control to OrderValidator
16:16:22,931 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderValidatorWeb] Order has been validated
16:16:22,941 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderPlacerWeb] Passing control to OrderManager
16:16:23,462 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Managing order for
16:16:23,482 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Electric Shaver (1)
16:16:23,512 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Flat TV (LCD, 32") (1)
16:16:23,662 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] to be sent to Herr Joe Bloggs at Niederkasseler Lohweg 175, Düsseldorf 40549
16:16:23,662 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Passing control to LOB002
16:16:23,682 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Placing order with SAP
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Placing order for
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Electric Shaver (1)
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] to be sent to Herr Joe Bloggs at Niederkasseler Lohweg 175, Düsseldorf 40549
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Order successfully placed. Assigned Order No. dd9cb66d-29d2-4f17-81b8-5df84d2b2905
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Passing control to LOB001
16:16:23,732 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB1Web] Placing order with SAP
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Placing order for
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Flat TV (LCD, 32") (1)
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] to be sent to Herr Joe Bloggs at Niederkasseler Lohweg 175, Düsseldorf 40549
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB1Web] Order successfully placed. Assigned Order No. 5413d8b8-b162-4f04-ae4f-ad73dcc95b16
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Order successfully managed. Assigned Order No. 83ae304d-39c5-4783-9362-58cb8711a861
16:16:23,772 INFO (- place_order:1204125382750:127.0.0.1 -) [PlaceOrderAction] Order has been placed (Order No.:83ae304d-39c5-4783-9362-58cb8711a861)
16:16:23,772 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process terminated (date=1204125383772) [place_order:1204125382750:127.0.0.1]
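Added example (not from the slides or from the Philips/CGI pilot): a small Python correlator for lines in this log format that groups the portal, services and SAP entries by process id, records which component assigned which order number, and flags transactions that never logged a termination, which is the "correlation across multiple logs" the conceptual solution asks for. The sample reuses lines from the slide and adds one constructed second transaction; the record layout and function names are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the slide's log: the first transaction
# reuses the slide's lines, the second (process id ...390100) is made up and
# never terminates, which is exactly what a correlation step should surface.
SAMPLE_LOG = """\
16:16:22,750 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process started (date=1204125382750) [place_order:1204125382750:127.0.0.1]
16:16:22,931 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderValidatorWeb] Order has been validated
16:16:23,682 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Placing order with SAP
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Order successfully placed. Assigned Order No. dd9cb66d-29d2-4f17-81b8-5df84d2b2905
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Order successfully managed. Assigned Order No. 83ae304d-39c5-4783-9362-58cb8711a861
16:16:23,772 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process terminated (date=1204125383772) [place_order:1204125382750:127.0.0.1]
16:16:30,100 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process started (date=1204125390100) [place_order:1204125390100:127.0.0.1]
16:16:30,400 INFO (- place_order:1204125390100:127.0.0.1 -) [OrderValidatorWeb] Order has been validated
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d,\d{3}) (?P<level>\w+) \(- (?P<ctx>.*?) -\) "
                     r"\[(?P<component>[^\]]+)\] (?P<msg>.*)$")
# Portal start/stop lines carry the process id in a trailing [...] rather than in the context.
TRAILING_PID_RE = re.compile(r"\[(?P<pid>place_order:\d+:[^\]]+)\]$")
ORDER_NO_RE = re.compile(r"Assigned Order No\. (?P<order>[0-9a-f-]{36})")


def process_id_of(ctx, msg):
    """Process id of a line, or None when the line cannot be tied to a transaction."""
    if ctx.startswith("place_order:"):
        return ctx
    m = TRAILING_PID_RE.search(msg)
    return m["pid"] if m else None


def correlate(log_text):
    """Group lines from all log files by process id into one audit record per transaction."""
    records = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                   # not a line we understand
        pid = process_id_of(m["ctx"], m["msg"])
        if pid is None:
            continue                                   # unattributable; a real SIM would flag it
        rec = records.setdefault(pid, {"start": None, "end": None, "components": [], "orders": {}})
        if "process started" in m["msg"]:
            rec["start"] = m["time"]
        elif "process terminated" in m["msg"]:
            rec["end"] = m["time"]
        if m["component"] not in rec["components"]:
            rec["components"].append(m["component"])
        o = ORDER_NO_RE.search(m["msg"])
        if o:                                          # link LOB order numbers to the managed order
            rec["orders"][m["component"]] = o["order"]
    return records


def incomplete_processes(records):
    """Transactions that started but never logged their termination."""
    return [pid for pid, r in records.items() if r["start"] and not r["end"]]
```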

Page 20: Technical aspects

• Process ID: place_order:6098504983:joebloggs

• HTTP; SOAP; WS-Security; WSDL stack

– Consumer identity in HTTP header

– Provider address in HTTP header

– Process ID in SOAP header

• PEP currently only inspects HTTP

• ESB requires proxy WSDL

• Introduction of BPEL – pros and cons
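Added example (not the pilot's code and not the API of CA SOA Security Manager or any other product): a Python sketch of the decision logic implied by pages 11, 16 and 20, reading the consumer identity and provider address from HTTP headers and the process id from a SOAP header, then checking the user context and the service context separately so no user identity ever has to be mapped onto a back-end account. The header names X-Consumer-Id, X-Provider and X-Token, the SOAP header namespace, the token store and both policy tables are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Header names, namespace, token store and policy tables are constructed
# assumptions for this example; the process id format follows the slide.
PROCESS_ID_RE = re.compile(r"^(?P<process>[a-z_]+):(?P<ts>\d+):(?P<user>[\w.@-]+)$")
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PID_NS = "urn:example:process"                       # hypothetical header namespace

# Stand-in for the identity provider's assertion (user identity context).
TOKENS = {"tok-joe": {"user": "joebloggs", "roles": {"customer"}}}
# User context policy: which roles may run which business process.
PROCESS_ENTITLEMENTS = {"place_order": {"customer"}}
# Service context policy: consumer -> provider calls allowed inside a process.
SERVICE_POLICY = {"place_order": {("OrderPlacer", "OrderValidator"),
                                  ("OrderPlacer", "OrderManager"),
                                  ("OrderManager", "OrderFromLOB1"),
                                  ("OrderManager", "OrderFromLOB2")}}
AUDIT = []   # one record per decision: transaction characteristics, not an identity mapping


def process_id_from_soap(envelope_xml):
    """Read the process id that the slide places in the SOAP header."""
    root = ET.fromstring(envelope_xml)
    el = root.find(f"{{{SOAP_NS}}}Header/{{{PID_NS}}}ProcessId")
    return el.text.strip() if el is not None and el.text else None


def decide(http_headers, envelope_xml):
    """PDP: the token proves the user context; process id plus service ids the service context."""
    consumer = http_headers.get("X-Consumer-Id")     # consumer identity, HTTP header
    provider = http_headers.get("X-Provider")        # provider address, HTTP header
    subject = TOKENS.get(http_headers.get("X-Token"))
    pid = process_id_from_soap(envelope_xml)
    m = PROCESS_ID_RE.match(pid or "")
    if not (consumer and provider and subject and m):
        reason = "missing or unknown consumer, provider, token or process id"
    elif m["user"] != subject["user"]:
        reason = "process id was not started by the token's user"
    elif not PROCESS_ENTITLEMENTS.get(m["process"], set()) & subject["roles"]:
        reason = "user not entitled to this business process"
    elif (consumer, provider) not in SERVICE_POLICY.get(m["process"], set()):
        reason = "service call not part of this process"
    else:
        reason = None
    decision = "PERMIT" if reason is None else "DENY"
    AUDIT.append({"user": subject["user"] if subject else None, "process_id": pid,
                  "consumer": consumer, "provider": provider, "decision": decision})
    return decision, reason


# Constructed request: the process id value is the one shown on the slide.
ENVELOPE = (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:p="{PID_NS}"><s:Header>'
            '<p:ProcessId>place_order:6098504983:joebloggs</p:ProcessId>'
            '</s:Header><s:Body/></s:Envelope>')
HEADERS = {"X-Consumer-Id": "OrderPlacer", "X-Provider": "OrderValidator", "X-Token": "tok-joe"}
```

The slide notes that the pilot's PEP inspects HTTP only, so the SOAP-header check above is the part a phase-1 agent would not yet enforce; the audit record keeps only the token subject, process id and service pair, which is what the correlator later joins across logs.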

Page 21: Another Viewpoint – Finance Sector Company

Groenendael 30-10-2007

• Stricter view of user domain – stops at Business Process Service

• All user management external – identity provider created

– User management looks outward

– Possible collaboration with other enterprises

– Service to consumers

• Strongest possible Identity 2.0 approach – using InfoCard

• Company specific scenario:

– Many external parties – customers, partners, agents

– Existing federated governance

– No real Business Service layer (BPS -> AS -> legacy)

• But well adapted to changing business models

Page 22: Alternative Solution (NL Finance Co.)

[Diagram, as page 15 but with the User Identity Context stopping at the Business Process Services: an external Identity Provider with User Provisioning Engine and Repository; Web Server, Portal Server, BPM/ESB; Policy Server (Policy Decision Point, Policy Administration) with Policy Enforcement Points; Application Services directly below Business Process Services, with no Business Service layer; external parties Partners, Customers, Suppliers, Agents.]

Page 23: Future Phases

• Phase 2

– Introduce real SAP applications in place of the stubbed components.

– Enhance Services to ensure sufficient and correct information passed to (and received from) SAP

– Introduce a Correlation Engine.

• Phase 3

– Implement a “real” ordering scenario with more services

– Enhance usability if necessary

– Implement BPMS

– Introduce a real portal

– Finalize configuration framework

• Phase 4

– Stress testing – scale up LDAP and transaction volume

Page 24: Deployment View – Phase 2

[Diagram, as Phase 1 with the stubs replaced: Apache Agents (PEP) in front of JBoss nodes hosting (App) Order Products, (WS) Place Order, (WS) Validate Order and (WS) Manage Order; JCAPS BPM/ESB; (WS) Order from LOB1 → SAP LOB 1, (WS) Order from LOB2 → SAP LOB 2; CA SOA Security Manager as PDP; CGI Octopus Correlation.]
