Identity management survey

Marcus Lasance has a sterling reputation in identity management, having contributed to its evolution for many years now.  

He was well known as managing director of MaxWare (recently acquired by SAP) and is now involved with Siemens.  For those not familiar with the European landscape, both of these companies have done extraordinary identity work.

Marcus has put together an identity management survey that I promise isn't an advertising gimmick, and has offered to share the results with the blogosphere, so why not help out?  I did.  Now I'm going to pass the URL on to some of my friends in the Microsoft IT department, since they will have more relevant answers than I do as an architect.  You may want to answer it directly, or pass it on to your IT colleagues.

UPDATE:  Many people have reported problems with the first version of this link (which apparently thanked me for my survey response…  At least you know I tried it!)  I think the new link fixes the problem.   

Shibboleth adds CardSpace support

Here is news from Internet2 and Shibboleth, the open-source software for building multilateral federations that has become especially popular in the academic world (more information on Shibboleth here). 

ANN ARBOR, Mich. – May 23, 2007 –  Adding information card support to Shibboleth, the most widely-deployed federated authentication architecture, would enable interoperability with Windows CardSpace which provides critical support for secure user-centric authentication and identity information exchange for web-based applications. By enabling this interoperability, Microsoft and Internet2 aim to help users exchange personal identity information more safely and easily. In doing so, institutions can more effectively leverage their existing and future investments in their identity management solutions and build a closer, safer relationship with their users.

“As more and more companies and organizations make information materials and resources accessible online, the need for secure access solutions has become critical. We see information card technology like Microsoft's Windows CardSpace as a very important step forward in creating a ubiquitous Internet identity layer, which is a key goal of the Shibboleth project as well,” said RL “Bob” Morgan, security architect at the University of Washington and co-manager of the Shibboleth Project. “We appreciate Microsoft's leadership in helping to create an open environment for information card development and deployment, and are grateful for Microsoft support of Windows CardSpace work in Shibboleth.”

Shibboleth is a standards-based, open source middleware architecture providing both intra-domain and inter-domain single sign-on (SSO) capability. Used by over 20 million users worldwide within the research and higher education community, Shibboleth implements the OASIS Security Assertion Markup Language (SAML) standard specification, and is currently interoperable with Microsoft's Active Directory Federation Services (ADFS).

Both Shibboleth and Windows CardSpace provide the underlying mechanisms for institutions and individuals to share resources across organizational boundaries and to make informed authorization decisions for the access of protected online resources. This federated authentication model implemented by both Internet2 and Microsoft has proven to provide online resource providers and institutions with a solid platform for exchanging information in a highly secure and privacy-preserving manner. Once development is complete, sites using Windows CardSpace will have the ability to participate in the growing number of Shibboleth-based federations worldwide.

“The Internet2 Shibboleth project has been one of the leaders in bringing interoperable digital identity to the academic and research communities worldwide,” said Michael B. Jones, senior program manager for Identity Partnerships at Microsoft. “Shibboleth's support for information cards allows people in the Shibboleth federation to use the cards at sites participating in the Identity Metasystem, making the identities more valuable to both the issuers and to the individuals, as well as enhancing the user's control of their online interactions.”

I echo Mike's words.  Shibboleth is distinctly forward thinking in its approach, and has been the main crucible for refining the thinking (and practice) that enables multilateral federations like those needed to facilitate co-operation between universities. 

As Shibboleth federations continue to grow, so will the rewards for attacking them.  CardSpace, and other compatible Information Card selectors, will add resilience and phishing resistance while helping solve Shibboleth's “home site discovery” problem in a way that doesn't put control in the hands of evil sites posing as federation affiliates. 

For more details on what is at stake here, see this posting where I explain a similar vulnerability in OpenID.  SAML and the browser-based version of WS-Federation are also subject to these attacks, which become more probable as the technologies become more widely deployed.   

WS-Federation OASIS TC

I'll begin by quoting from a piece by Paul Madsen after the OASIS announcement of a new working group to drive WS-Federation towards standardization.  Paul writes: 

“James McGovern predicts:

‘I humbly predict that WS-Federation will become more important than SAML within the next two years and will invalidate all the hard work already done by the Liberty Alliance.’

“I guess it's over. I have to admit that I'm disappointed and, to be honest, even surprised.

“I actually thought things were going well, you know, lots of adoption, encouraging signs of convergence, important new functionality etc.

“As for the New Jersey Devils, it seems that the Liberty Alliance's playoff run is over. I'll be emptying my locker and signing autographs this afternoon before spending the summer golfing.”

Like Paul, I'm surprised, if not so inspired to irony, by James’ comment. 

I do agree that WS-Federation will gain a lot of traction.  But I absolutely disagree that it will “invalidate all the hard work already done by the Liberty Alliance.” 

Liberty has contributed deeply to understanding a whole series of use cases and requirements, and the protocols, formats and concepts proposed by the SAML working groups have been an important step forward for all of us involved with identity.  Nothing about WS-Federation invalidates this work.

On the other hand, technology doesn't stand still.  Think back to the days when SAML was first posited as an alternative to LDAP authentication.  Those of us involved in LDAP from the very beginning didn't for one minute take LDAP as the end of all thinking about attributes and identity.   Ask LDAP guru Mark Wahl, or Bob “RL” Morgan or Keith Hazelton – people deeply involved in Kerberos and LDAP but just as willing to embrace new technologies like SAML as meeting new use cases.

Just as SAML broke new ground, WS-Federation is intended to address a number of things that people working in Web Services want better defined to facilitate interoperation using WS-Security and WS-Trust. 

These protocols hadn't even been invented when SAML evolved.  The idea of claims transformation is the most important technical advance in distributed computing for at least a decade.  It is so powerful that it wasn't even fully understood until we began to build things with it.  So how can anyone expect SAML to deal in an optimal way with the issues that ultimately emerged?  This doesn't detract from SAML's successes.  That's not how software engineering works.

WS-Federation will provide new options for people who want to build on the web services architecture, evolving their current web technology in an incremental way to be consistent with that architecture.  To do this, no one will have to throw out their existing SAML deployments.  Many of the SAML producers will include support for WS-Federation so that interconnectivity will be a given.

A lot of WS-Federation editorial work has been done by my friend DES (Don Schmidt).  This guy has paid his dues – triple dues – and works from a deep experience in security.  After some badgering he has just started to blog his ideas.  Here's part of how he explains his goals: 

WS-Federation enables development and deployment of advanced federation services (e.g. Authentication, Authorization, Attribute and Pseudonym Services) as special purpose variations of the WS-Trust STS claim transformation model.  Managing, discovering and accessing such services can be simplified when they are all based on a common processing model and speak the same protocol. Further, reusing an established processing model and protocol can simplify the threat model for implementers and should lead to more robust code.

Customers have indicated that manually configuring federation trusts – particularly exchanging signing keys and specifying service endpoints and access policies – is an onerous process when they have many partners. WS-Federation defines a Federation Metadata format to identify services, including the communication and security policies which must be satisfied for accessing them. This enables much of the configuration to be automated.

Another significant benefit of WS-Federation is improved security through “automated de-provisioning” of external user access. If a Relying Party issues local accounts for external users from its partners, it may not immediately learn when those users have changed responsibilities or been terminated. Such accounts could be misused to obtain unauthorized access. WS-Federation enables a Federated Identity relationship wherein a user can no longer access a partner’s resources as soon as he is unable to obtain a valid security token from his own organization.

Microsoft is actually pretty typical of many other companies in that it will have to support a whole spectrum of deployments reaching from simple, RESTful apps at one end to transactionally guaranteed high security applications at the other.  The ability to support the whole spectrum consistently is the key.

We don't want to build two parallel infrastructures in order to do this.  We don't want to deploy everything twice.  Test everything twice.  Secure everything twice.   Does anyone? 

So we need a technology that takes everything learned while elaborating SAML – plus new features – and allows them to be composed and managed within the WS framework as well as used in conventional web sites. That's what I understand this TC to be about.

It remains a personal hope that those who have been involved with SAML will adopt this larger goal as part of what needs to be achieved.  That really will make convergence possible.

And I also expect everyone to give them credit for all they have done, which will not be lost if WS-Federation continues to gain momentum, but will rather be extended.

Identity – the toy model

I look forward to seeing Dave Kearns explore the notion of Legonics in an upcoming newsletter. As Dave explains – with his usual clarity:

This morning while delivering the opening keynote address for this year's Directory Experts Conference, Kim Cameron introduced me to a new term – “Legonics”.

This is a reference to the well-known building blocks, Legos, familiar to anyone under 40, and the parents of those under 40! The great thing about Legos is that any one piece can connect to any other piece. And while you can buy a small set that can build a particular object (such as a fire truck), the pieces in that set can be put together in different ways to build other objects or combined with other sets – or other loose pieces – to build completely different things. So by creating a Legonic Identity System (LIS?) we have one which can put together identity data in various ways to fit the conditions of the moment. Relying Parties, Identity Providers and User Agents can work together to construct sets of Identity Claims from all of the available pieces of identity data.

It's a good analogy, and a good paradigm, I think. I'll probably explore this more in the newsletter.

The fire truck link is fantastic, by the way.  Meanwhile, how about:

le·gon·ics: noun

  1. (used with a singular verb) the science dealing with the development and application of devices and systems that can be assembled through claims.
  2. (used with a plural verb) Legonic systems and devices:  The legonics aboard the new aircraft are very sophisticated.

Future of Active Directory

Here's a snippet from another article by John Fontana that will be of interest to people wondering how much wood Microsoft is ready to put behind the claims-based model.  Stuart Kwan has played a central role in the evolution of Active Directory and the emerging identity products: 

Las Vegas – Microsoft Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

“We are moving from being a directory provider to an identity provider,” said Stuart Kwan, director of program management for identity and access at Microsoft, during the second day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard user access mechanism that would benefit application development, access management and allow companies to more easily spread their identity systems.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft’s Identity Metasystem, a model for distributed identity architecture. Coupled with an emerging technology called Security Token Service (STS), which handles the exchange of identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act upon that data.

Today, applications typically pull user access data from the directory to determine a user’s access rights. The push model not only affords network efficiencies but more easily ties identity and application development, puts less stress on the directory, provides more flexibility in defining a user and their rights and gives the ability to federate identity with those outside the corporate network.

Kwan said the push mechanism would be similar to the way group membership data for a user is automatically included in today’s Kerberos authentication process.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted “claim” or a set of claims about the user and his access rights.   (Continued here)

My one clarification is that neither Stuart nor I are talking about “Microsoft's identity metasystem”.  We are trying to build an identity metasystem that stretches across vendors and platforms and products and countries.  We're trying to do our part within this metasystem. 

Identity systems all about making claims

Network World's excellent John Fontana has written about an opening keynote I gave recently at the Directory Experts’ Conference (DEC).   I was talking about claims, trying to start a conversation that I will pursue on my blog over the next while.

Las Vegas — The traditional concepts of authentication and authorization will eventually give way to an inclusive identity system where users will present claims that answer who they are or what they can do in order to access systems and content or complete transactions, according to Microsoft’s identity architect.

“This is happening now and all it needs to do is gain momentum,” said Kim Cameron, Microsoft’s identity architect, who gave the keynote address Monday to open NetPro’s Directory Experts Conference. He said the transformation to a claims-based identity model is 18-24 months away.

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today’s more rigid systems that are based on a single point of truth, typically a directory of user information.

“You need extroverted systems, not introverted,” said Cameron, who over the past few years has aligned Microsoft, its competitors and open source advocates around user-centric identity models.

He said identity systems that are rigid and cannot connect to other systems will become irrelevant and a competitive disadvantage.

“You may come with a claim that you are authorized to do something and it may not have any authentication [information] at all,” he said. “This tremendously important factor means we can have a consistent technology that goes between authentication and authorization. We don’t need all these different technologies and have all this new stuff to learn. It can all be done using the claims-based model.”

Cameron said this thinking is very different from a few years ago when authentication and authorization were thought of as entirely separate technologies that should never be confused.

He said the beauty of the claims model is that it can grow out of the infrastructure users have today, including PKI, directory services and provisioning systems.

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures.   (Continued here…)

CardSpace and OpenSSO

The Sun Developer Network has published an article by Martin Gee entitled Securing Site Access with CardSpace and OpenSSO:

With today's ever-increasing demands for robust security software and systems, alternative authentication and trust mechanisms are gaining popularity. In particular, the user name-password authentication model is typically the root cause of many security frauds. Why? First, many of us record passwords somewhere, rendering them vulnerable to snooping. Second, our tendency to create passwords that are easy to remember makes them easy to guess or detect. Consequently, enterprises that have established processes along that model are looking for ways to better safeguard and optimize their systems without major overhauls.

Enter Windows CardSpace (henceforth, CardSpace), a Microsoft-led specification that has been gaining recognition over the past months. CardSpace defines a simplified paradigm that employs a security token called InfoCard for managing digital credentials and is available in Windows XP and Vista.

OpenSSO is Sun's open Web access management project based on Sun Java System Access Manager source code. As part of the open-source Project CardSpace on java.net, ICSynergy has extended OpenSSO to include CardSpace as a simple authentication module. In addition, ICSynergy offers a commercial CardSpace implementation for OpenSSO and Sun Java System Access Manager along with training programs.

This article describes the benefits, basic architecture, and process flow of the CardSpace-OpenSSO authentication module.

It is good to see things coming together across the “crevasses” that used to separate different industry forces.  If you do Java you should look at the Project CardSpace site.

Windows Financial Services “Best of the Blogs” list

I'm pleased to see the editors of Windows in Financial Services put identityblog on its “Best of the Blogs” list.   Welcome to any readers who “get here from there.” 

It's impressive for a publication so intensely focussed on financial services to invite its readers into a parallel universe which, as the editors put it, “…addresses the innumerable ramifications of this growing problem [identity theft – Kim]…”.  Yup.  There are definitely a lot of ramifications around here.

Identity theft is fast progressing as a huge threat to financial institutions everywhere, especially in the area of online banking.  In his “Identity Weblog,” Kim Cameron, Microsoft’s architect for identity, addresses innumerable ramifications of this growing problem, ranging from illegal sale of stolen credit card information on the Web, to whether or not schoolchildren should be fingerprinted, to technical solutions such as encryption. 

In an April 2nd entry, Kim answers questions from his readers about CardSpace, an encryption technology that can be enabled for .NET 2.0 through the use of Visual Studio 2005 Toolbox for Windows CardSpace. Click below to read Kim’s advice on subjects such as how CardSpace prevents phishing – even when used in conjunction with passwords – and to find out how to ask him ID-related questions of your own.

So, welcome to any new readers and please make yourselves at home.  Extra bonus:  you'll have a chance to use CardSpace when posting comments.

Cobbler's children

Here's an “ouch that hurts” posting by Jackson Shaw at Quest:

I received this email today regarding my identity partner's account that I have at Microsoft. Isn't it unfortunate that given Active Directory Federation Services (ADFS) and CardSpace that I have to do this?

Shaw, Jackson, The password for the extranet account issued to blah\JShaw will expire on Mar 15 2007. Please proceed to the following URL to change the password: https://Home.EP.Microsoft.com/login.aspx

NOTE: Failure to change the password before the expiration date will result in the account being locked and access will no longer be provided.

Thank you, The Extranet Management Tool Team

For assistance, please contact your administrator, site owner or support team.

I have zero time to figure out who my administrator, site owner or support team is.

I do know my Quest userid and password and wouldn't it be nice if that just worked??

Jackson is right.  Everything about this is bizarre.  I too love those “contact your administrator” messages – best of all, when I'm the administrator, but in all other cases too. 

Anyway, we are now getting close to the point where Microsoft marketing and other sites will start to light up.

With the sheer number of sites we have, and the attacks on our perimeter, our IT guys have to go about this in an organized way.  I spoke with Microsoft's internal IT security architects not long ago and was amazed at how well they have thought through the implications of the claims-based approach, privacy issues, uses for CardSpace, and so on. 

Meanwhile a lot of our sites are tied to Windows Live ID, so when it turns on Information Card support, the benefits should start to be widely felt.

Today Jackson did a piece outlining the Laws of Identity and  concludes:

I installed WinFX the other night on my Windows XP system and created my own Information Cards and then used one to logon to Kim's blog – it worked! [He's so surprised? – Kim]

Now if I could get a Quest property or two to accept either OpenIDs or InfoCards…

Hey, Jackson – let's get some live company-to-company interaction happening with the technologies we all want to introduce.  Why don't we approach the Extranet Management issue from both ends – you from the Quest end, me from this end?  Maybe others would want to jump on as well… The proof of the shoe is in the walking.

P.S.  Why don't you talk with Pamela about getting onto blogging software that accepts Information Cards too?  Mike Jones has done it.

UPDATE: Here is a posting on our progress in getting ADFS (Federation Services) going on our extranet, so the collaboration proposed above should be “way simple”.  And it's good to see that Brian Puhl not only listened to your original comment but did so much to move things ahead.

An example of delegation coupons

Even if the true meaning of uber-geek is “incomprehensible”, my last comment on the use of delegation in VRM was a real winner in terms of terseness. I was discussing Whit's notion that he wanted to give Amazon access to his behavior at Netflix, Powell's and lastfm – the goal being to improve Amazon's relationship with him by revealing more about himself as a complete person. So I'll try to unfold my thought process.

If you ponder the possible architectures that could be used, it becomes clear, as usual, that the identity aspects are the hardest. Let's build a little picture of the parties involved. Let's say the user (I know, I should be calling Whit a “customer”), shares his behavior with Amazon and Powell's. Now let's call some subset of his behavior at Powell's “BP”. Whit would like an outcome that would be modelled in the following diagram, assuming for the moment that U->A:BP just represents Amazon asking Powell's for the customer's relevant information.

But how does Powell's know that Whit really wants it to release information to amazon.com but not snooper.com? How does it know that the amazon.com which calls for information is really the same Amazon that Whit was dealing with? Why should Powell's ever take the privacy risk of releasing information to the wrong party? What would its liability be if it were to do so? Can it protect itself from this liability?

When I mentioned delegation, I meant that while the user is “behaving” at Amazon, he gives Amazon a “coupon” that says “User delegates to Amazon the right to see his Behavior at Powell's”. I represent this as U->A:BP, where:

  • U is the user;
  • A is Amazon;
  • P is Powell's; and
  • B is behavior

Amazon can now present this coupon to Powell's, along with cryptographic proof that it is the “A” in the coupon. By retaining this coupon and auditing any release, Powell's can indemnify itself against any accusation that it released information to the wrong party – and better still, actually defend the user's privacy.
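The coupon flow just described, as an added Python example that is not part of the original post: the user issues U->A:BP, Amazon presents it with proof that it is the “A” named in the coupon, and Powell's verifies both, records the release for audit, and refuses the same coupon from snooper.com. It assumes Powell's already shares a secret with each registered user and each federated partner (HMAC standing in for real signatures), and the names, secrets and behaviour data are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed secrets for the example. Assumption: Powell's already holds a
# shared secret with each registered user and each federated partner, so HMAC
# stands in for the signatures / "cryptographic proof" the post describes.
USER_KEYS = {"whit": b"example-user-secret"}
PARTNER_KEYS = {"amazon.com": b"example-amazon-secret",
                "snooper.com": b"example-snooper-secret"}

# Powell's retained record of every attempted release (the audit trail).
AUDIT_LOG = []

# Constructed sample of Whit's behaviour at Powell's; the coupon scope "BP"
# names which of these keys the delegate may see.
POWELLS_DATA = {"whit": {"purchases": ["Dune", "Neuromancer"],
                         "browsed": ["Snow Crash"],
                         "address": "redacted-in-example"}}


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_coupon(user, delegate, scope):
    """User side: the coupon U->A:BP, bound to the user's key."""
    body = {"user": user, "delegate": delegate, "scope": sorted(scope),
            "id": secrets.token_hex(8)}
    return {"body": body, "user_mac": _mac(USER_KEYS[user], _canonical(body))}


def present_coupon(presenter, coupon, challenge):
    """Delegate side: prove to Powell's that it is the "A" in the coupon by
    keying a MAC over the coupon and Powell's fresh challenge."""
    proof = _mac(PARTNER_KEYS[presenter], coupon["user_mac"].encode() + challenge)
    return {"presenter": presenter, "coupon": coupon, "proof": proof}


def _deny(reason, body, presenter):
    AUDIT_LOG.append({"user": body["user"], "presenter": presenter,
                      "coupon_id": body["id"], "result": "denied: " + reason})
    return None


def release_behavior(presentation, challenge):
    """Powell's side: verify the coupon and the presenter, then audit and
    release only the scoped data, recording the recipient as a delegate."""
    coupon, presenter = presentation["coupon"], presentation["presenter"]
    body = coupon["body"]
    # 1. The coupon was really issued by the user it names and is untampered.
    expected_user = _mac(USER_KEYS.get(body["user"], b""), _canonical(body))
    if not hmac.compare_digest(coupon["user_mac"], expected_user):
        return _deny("coupon not signed by named user", body, presenter)
    # 2. The presenter is the delegate the user named (amazon.com, not snooper.com).
    if presenter != body["delegate"]:
        return _deny("presenter is not the named delegate", body, presenter)
    # 3. The presenter can prove it holds that delegate's key.
    expected_proof = _mac(PARTNER_KEYS.get(presenter, b""),
                          coupon["user_mac"].encode() + challenge)
    if not hmac.compare_digest(presentation["proof"], expected_proof):
        return _deny("presenter cannot prove it is the delegate", body, presenter)
    # 4. Release, retaining the coupon id so the release is defensible later.
    record = POWELLS_DATA.get(body["user"], {})
    released = {k: record[k] for k in body["scope"] if k in record}
    AUDIT_LOG.append({"user": body["user"], "presenter": presenter,
                      "role": "user's delegate", "scope": body["scope"],
                      "coupon_id": body["id"], "result": "released"})
    return released
```

Because Amazon never holds Whit's credential, a leaked coupon is useless to anyone who cannot also prove possession of Amazon's key, and every release or refusal leaves Powell's an audit record naming the delegate.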

‘Breaking up is hard to do.’

I have left two of the most important questions for another time. First, is it really necessary (or advisable) for Powell's to know that the Whit is sharing information with Amazon, rather than “some legitimate party”? Second, how does Whit revoke the permission he has granted to Amazon if he decides the time has come for them to “break up”?

But without even opening those cans of worms, it should be evident that, for reasons of privacy, auditability and of liability reduction, everyone's interests are served by making sure no service ever acts as an end user. In this example, Amazon continues to act as Amazon, and even if its access is one day anonymized, it would always be identified as “the user's delegate”. The approach contrasts starkly with current approaches – as spooky as they are kooky – in which users release their credentials on “good faith” and eventually, if enough secrets are shared, anyone can be anyone.

Note:   The notation above is my own – please propose a better one if it is just as simple…