Identity Management in a Federated Environment
US-NATO TEM 6
1-3 December 2009
Alan Murdock
Dr. Robert Malewicz
Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail: [email protected]
NATO IdM Initiatives
SC/4-SC/5 NATO IdM Workshop (2008/09)
• output: NATO IdM Strawman Paper
• directory services oriented view
• focused on the alliance aspect of NATO IdM
• identifies IdM use cases in NATO
SC/4 Service Management Infrastructure AHWG (2008/09)
• output: SMI Technical Services Definitions working paper
• Security Management architecture view
• requirements/standards/technology agnostic approach
• identifies interfaces with other security management services
NATO UNCLASSIFIED
Terminology
Identity Management is ambiguous!
Identity Management includes:
• Identity Assurance
• Identity Employment or Utilization
• Identity Services
What is an “Identity”?
• … a PKI certificate?
• … a set of attributes?
• … the same for every entity in the enterprise?
Different views on IdM
NATO has a two-dimensional challenge:
• IdM in the NATO Alliance: the 28 NATO nations and partners constitute a federation
• IdM in the NATO Organization: NATO HQs and NATO agencies constitute an enterprise (?)
Challenges
• The concept of NATO IdM is at a very early stage of formalization
• Requirements for NATO IdM still need to be defined
• The two dimensions of NATO IdM (alliance federation and organizational enterprise) have the potential to cause conflicts for IdM
• Emerging technologies (Identity 2.0) are not reflected in either the NATO IdM Strawman Paper or the SMI working paper
• A policy document for NATO IdM is needed
• Interoperability is needed at all levels
Way forward
What can we accomplish today?
• Listen
• Inform
• Plan for the future
NC3A Identity Management Test Campaign
IdM Concept Validation
Purpose:
• Identify NATO IdM requirements based on IdM use cases
• Verify architectures and solutions for the identified IdM use cases
Scope:
• Validation focused on federated scenarios within the NATO Alliance
Test Facility:
• Classification: NATO Unclassified
• NNEC CES Testbed as the investigation platform on the NATO side
• National Testbeds
Procedure:
• VPN Joining Instruction
• IdM Joining Instructions (based on ACP145 and ARH forms)
• Agreed test scope (use cases) and schedule
NNEC CES Testbed Layout
IdM Use Cases
IdM use cases defined in the NIdM Strawman Paper:
• Access to C2 Data/Services in NATO SECRET Domain
• Single Sign On in Cross-Domain Federation Scenario
• Use of certificates bound to the identity
• NATO Pass System
• Use of national military ID-Card
Technology/Solution specific IdM use cases for testing:
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications
• Others …
IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping
Matrix of Strawman Paper use cases (columns) against technology/solution driven use cases (rows); the relevance marks in the cells are not captured in the transcript.
Strawman Paper use cases:
• Access to C2 Data and Services
• SSO in Federation
• Use of certificates
• NATO Pass System
• Use of national military ID-Card
Technology/Solution driven use cases:
• Group Management
• Security Token based authentication
• Portal Access
• Collaboration Tools
• Access to Legacy Systems
• ???
IdM Use Case Validation Environment
Service Components
Information Exchange Gateway scenario B (IEG B)
NATO Enterprise Directory Service (NEDS)
Allied Replication Hub (ARH)
Border Directory Services
NATO Public Key Infrastructure (NPKI) Certificate Authority
Security Token Service (STS)
Policy Enforcement Point (PEP)
Policy Decision Point (PDP)
Web servers/portals and clients
Web Proxy
Web Concentrator
Collaboration tool servers and clients
Identity Data Sources
Use Cases
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications
Group Management Use Case
Foundation for the other use cases
Foundation for a formal access control mechanism implementation. Access control models being considered:
• role based access control (RBAC), currently used in many C2 systems
• attribute based access control (ABAC), anticipated to be exploited more in future service-oriented systems
Potential areas of usage (examples):
• cross-domain group management delegation
• cross-domain group mapping
Status:
• directory components installed
• meta-tools installed, configured, jobs implemented
• initial testing completed
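To make cross-domain group mapping and the RBAC/ABAC distinction concrete, the following is an added illustration in Python; it is not code from the NC3A test campaign. The national domain names, group DNs, role names, clearance labels, attribute names and policy rules are all constructed. The point it demonstrates is that a national group only grants a NATO-side role through an explicit mapping keyed on the asserting domain (so a group DN from one nation presented by another nation's directory maps to nothing), and that an ABAC rule then combines the mapped role with subject and resource attributes, denying by default.

```python
"""Cross-domain group mapping feeding an RBAC and an ABAC decision.

Added illustration, not NC3A test-campaign code. The domain names, group
DNs, role names, clearance labels and policy rules are constructed.
"""
from dataclasses import dataclass

# Constructed: explicit (asserting domain, national group DN) -> NATO-side role.
# The asserting domain is part of the key, so a group DN from one nation
# presented by another nation's directory maps to nothing.
GROUP_MAP = {
    ("mod.nl", "cn=J3-Ops,ou=Groups,dc=mod,dc=nl"): "C2_OPERATOR",
    ("mod.nl", "cn=J6-CIS,ou=Groups,dc=mod,dc=nl"): "CIS_ADMIN",
    ("bw.de", "cn=OpsPlanning,ou=Groups,dc=bw,dc=de"): "C2_OPERATOR",
}

# Constructed RBAC table in the style of existing C2 systems.
ROLE_PERMISSIONS = {
    "C2_OPERATOR": {"c2:read", "c2:write"},
    "CIS_ADMIN": {"c2:read", "dir:admin"},
}

# Ordering of classification labels used by the ABAC rule (constructed).
CLEARANCE_RANK = {"NU": 0, "NR": 1, "NC": 2, "NS": 3}


@dataclass(frozen=True)
class Subject:
    uid: str
    domain: str               # national domain that asserted the identity
    groups: frozenset         # group DNs asserted by the national directory
    clearance: str            # NU / NR / NC / NS
    nationality: str          # ISO 3166 alpha-3


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str       # NU / NR / NC / NS
    releasable_to: frozenset  # nations the owner has released it to


def map_roles(subject):
    """Cross-domain group mapping: national groups -> NATO-side roles."""
    roles = set()
    for group in subject.groups:
        role = GROUP_MAP.get((subject.domain, group))
        if role is not None:
            roles.add(role)
    return roles


def rbac_permit(subject, permission):
    """Pure RBAC: granted if any mapped role carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in map_roles(subject))


def abac_permit(subject, action, resource):
    """ABAC: combine the mapped role with clearance and releasability.

    Deny by default; each failing check returns the reason so the PDP can
    log why access was refused.
    """
    if CLEARANCE_RANK.get(subject.clearance, -1) < CLEARANCE_RANK[resource.classification]:
        return False, "clearance below resource classification"
    if subject.nationality not in resource.releasable_to:
        return False, "resource not releasable to subject's nation"
    needed = {"read": "c2:read", "write": "c2:write"}.get(action)
    if needed is None:
        return False, "unknown action"
    if not rbac_permit(subject, needed):
        return False, "no mapped role carries " + needed
    return True, "permit"


if __name__ == "__main__":
    nl_ops = Subject("jdoe", "mod.nl",
                     frozenset({"cn=J3-Ops,ou=Groups,dc=mod,dc=nl"}), "NS", "NLD")
    oplan = Resource("OPLAN-1", "NS", frozenset({"NLD", "DEU"}))
    print(map_roles(nl_ops), abac_permit(nl_ops, "write", oplan))
```

The mapping table is the delegation boundary: the national directory decides who is in J3-Ops, the NATO side decides what J3-Ops membership means, and neither side can silently widen the other's decision.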
IdM in Group Management
NNEC Hints
“Network of networks” is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
Community of Interest (CoI) is a driver for access control in NNEC
Sharing of identity information between these different networks is crucial for providing access control
Service Oriented Architecture (SOA) based on Web services is a candidate technology to realize the NNEC vision, in which services can be (dynamically) discovered and called by different clients
Security Token Based Access Use Case
Simple services can be combined into more complex ones (“orchestration”)
Typically users interact with Web services through different kinds of GUIs (web based and form based ones)
Service provider/consumer interoperability:
• standard protocols such as SOAP and HTTP
• Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
Secure SOA-based data/services exchange scenarios in a federated environment are to be demonstrated
Status:
• all components installed
• not all configured yet
• not all tested yet
• not integrated with directory yet
NATO UNCLASSIFIED
17
Secure Token Based Access
NATO UNCLASSIFIED
18
… Integrated
with Directory Services
NATO UNCLASSIFIED
19
Access to Portal
Web portal access handling is one of the most common and
basic information sharing requirements
Access granularity is a desired feature that needs to be
implemented in future NATO portals
Microsoft SharePoint is identified as a future NATO portal
product. The next version to be integrated with Microsoft's
Identity Architecture, and so will be able to act as a relying party
to XML security tokens.
Initially, access from national domain to NATO portals is the
most expected operational scenario
Status:
all components installed
meta-tools installed, configured
jobs implemented
initial testing completed
implemented different
authentication mechanisms for
internal/external users
hashed passwords for external
users populated through ARH
NATO UNCLASSIFIED
20
IdM in Access to Portal
NATO UNCLASSIFIED
21
Collaboration Tools Use Case
XMPP is an open technology for real-time communication, which
powers a wide range of applications, e.g.:
instant messaging,
presence,
multi-party chat,
voice and video calls,
collaboration,
lightweight middleware,
content syndication,
generalized routing of XML data.
XMPP is a mandatory collaboration standard for military usage
in many NATO nations
JChat application, a standard NATO collaboration tool, to be
used on the NATO side
Status: not implemented yet
all components installed
meta-tools installed, configured
jobs implemented
hashed passwords for external
users populated through ARH
NATO UNCLASSIFIED
22
IdM in Collaboration Tools
NATO UNCLASSIFIED
23
Access to Legacy Applications
There are still applications in NATO CIS, which are not PKI
and/or Web services enabled
Authentication/Authorization mechanisms:
implemented as an integral part of the applications (usernames
and passwords stored in a local database), which results in
application specific solutions, or
are not implemented at all
For completeness of the IdM use case validation picture legacy
systems should be included
Status: not implemented yet
NATO UNCLASSIFIED
24
IdM in Legacy Systems
NATO UNCLASSIFIED
25
Summary
The concept of IdM in a federated NATO environment
(NATO plus NATO nations) is in an early stage of
formalization
List of use cases for IdM is open
NC3A CES/NNEC testbed provides an infrastructure
for complex IdM validation to be performed with
Alliance partners
NATO UNCLASSIFIED
26
Why Identity Management matters …
CONTACTING NC3A
NC3A Brussels
NC3A The Hague
Visiting address:
Visiting address:
Bâtiment Z
Avenue du Bourget 140
B-1110 Brussels
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770
Oude Waalsdorperweg 61
2597 AK The Hague
Postal address:
NATO C3 Agency
Boulevard Leopold III
B-1110 Brussels - Belgium
Postal address:
NATO C3 Agency
P.O. Box 174
2501 CD The Hague
The Netherlands
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239
NATO UNCLASSIFIED
28