Identity Management in a Federated Environment

US-NATO TEM 6
1-3 December 2009
Alan Murdock
Dr. Robert Malewicz
Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail: [email protected]
NATO IdM Initiatives
• SC/4-SC/5 NATO IdM Workshop (2008/09)
  • output: NATO IdM Strawman Paper
  • directory services oriented view
  • focused on alliance aspect of NATO IdM
  • identifies IdM use cases in NATO
• SC/4 Service Management Infrastructure AHWG (2008/09)
  • output: SMI Technical Services Definitions working paper
  • Security Management architecture view
  • requirements/standards/technology agnostic approach
  • identifies interfaces with other security management services
NATO UNCLASSIFIED
2
Terminology
• Identity Management is ambiguous!
• Identity Management includes:
  • Identity Assurance
  • Identity Employment or Utilization
  • Identity Services
• What is an “Identity”?
  • … a PKI certificate?
  • … a set of attributes?
  • … the same for every entity in the enterprise?
Different view on IdM
• NATO has a two-dimensional challenge:
  • IdM in the NATO Alliance: the 28 NATO nations and partners constitute a federation
  • IdM in the NATO Organization: NATO HQs and NATO agencies constitute an enterprise (?)
Challenges
• The concept of NATO IdM is in a very early stage of formalization
• Requirements for NATO IdM need to be defined
• The two dimensions of NATO IdM have the potential to cause conflicts for IdM
• Emerging technologies (Identity 2.0) are not reflected in either the NATO IdM Strawman Paper or the SMI working paper
• Policy document for NATO IdM
• Interoperability at all levels
Way forward
• What can we accomplish today?
  • Listen
  • Inform
  • Plan for the future

NC3A Identity Management Test Campaign

IdM Concept Validation
• Purpose:
  • Identify NATO IdM requirements based on IdM use cases
  • Verify architectures and solutions for identified IdM use cases
• Scope
  • Validation focused on federated scenarios within NATO Alliance
• Test Facility
  • Classification: NATO Unclassified
  • NNEC CES Testbed as an investigation platform on the NATO side
  • National Testbeds
• Procedure
  • VPN Joining Instruction
  • IdM Joining Instructions (based on ACP145 and ARH forms)
  • agreed test scope (use cases) and schedule
NNEC CES Testbed Layout
IdM Use Cases
• IdM use cases defined in NIdM Strawman Paper
  • Access to C2 Data/Services in NATO SECRET Domain
  • Single Sign On in Cross-Domain Federation Scenario
  • Use of certificates bound to the identity
  • NATO Pass System
  • Use of national military ID-Card
• Technology/Solution specific IdM use cases for testing
  • Cross-domain group management
  • Security token based authentication for Web Services
  • Portal access (based on SharePoint Server)
  • Collaboration tools (based on JChat application)
  • Access to legacy applications
  • Others …
IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping

Rows: technology/solution driven use cases. Columns: Strawman Paper use cases. (The relevance marks in the cells are not recoverable from this transcript.)

Technology/Solution                 | Access to C2 Data and Services | SSO in Federation | Use of certificates | NATO Pass System | Use of national military ID-Card
Group Management                    |                                |                   |                     |                  |
Security Token based authentication |                                |                   |                     |                  |
Portal Access                       |                                |                   |                     |                  |
Collaboration Tools                 |                                |                   |                     |                  |
Access to Legacy Systems            |                                |                   |                     |                  |
???                                 |                                |                   |                     |                  |
IdM Use Case Validation Environment
Service Components
• Information Exchange Gateway scenario B (IEG B)
• NATO Enterprise Directory Service (NEDS)
• Allied Replication Hub (ARH)
• Border Directory Services
• NATO Public Key Infrastructure (NPKI) Certificate Authority
• Security Token Service (STS)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
• Web servers/portals and clients
• Web Proxy
• Web Concentrator
• Collaboration tool servers and clients
• Identity Data Sources
Use Cases
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications
Group Management Use Case
• Foundation for other use cases
• Foundation for a formal access control mechanism implementation. Access control models being considered:
  • role based access control (RBAC), currently used in many C2 systems
  • attribute based access control (ABAC), expected to be used more widely in future service-oriented systems
• Potential areas of usage (examples)
  • cross-domain group management delegation
  • cross-domain group mapping
• Status
  • directory components installed
  • meta-tools installed, configured, jobs implemented
  • initial testing completed
IdM in Group Management
NNEC Hints
• “Network of networks” is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
• Community of Interest (CoI) is a driver for access control in NNEC
• Sharing of identity information between these different networks is crucial for providing access control
• Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients
Security Token Based Access Use Case
• Simple services can be combined into more complex ones (“orchestration”)
• Typically users interact with web services using different kinds of GUIs (web and form based ones).
• Service provider/consumer interoperability
  • standard protocols like SOAP, HTTP
  • Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
• Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated
• Status:
  • all components installed
  • not all configured yet
  • not all tested yet
  • not integrated with directory yet
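The group management and security-token use cases above describe a chain of components (STS, PEP, PDP) and a cross-domain group mapping, but the slides do not show how a decision flows through them. The following is an added illustration written for this page; it is not NC3A's testbed code. It models one exchange: a national user obtains a token from an STS, which maps the user's national directory groups onto NATO groups; a PEP in front of a NATO web service checks the token's signature and expiry; a PDP then applies an attribute-based (ABAC) policy over the mapped groups and the user's clearance. The token format (an HMAC over JSON claims rather than a WS-Trust/SAML token), the shared key, the group names, the clearance levels and the policy rules are all constructed assumptions for the example.

```python
"""Added example: STS -> PEP -> PDP flow with cross-domain group mapping
and an ABAC decision. All names, keys and policy rules are constructed
for illustration and are not NATO's."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared key between STS and PEP. A production STS would sign
# a SAML/WS-Trust token with an NPKI-issued certificate instead.
STS_KEY = b"constructed-demo-key-not-a-real-secret"

# Cross-domain group mapping: national directory groups -> NATO groups.
# Constructed values standing in for the group management use case.
GROUP_MAP = {
    "NLD:J3-OPS": "NATO:C2-OPERATIONS",
    "NLD:J6-CIS": "NATO:CIS-ADMIN",
}

# Constructed ABAC policy: a subject is permitted on a resource if any
# rule's group and minimum clearance are both satisfied by the claims.
POLICY = {
    "c2-track-feed": [
        {"group": "NATO:C2-OPERATIONS", "min_clearance": "SECRET"},
    ],
    "portal-home": [
        {"group": "NATO:C2-OPERATIONS", "min_clearance": "UNCLASSIFIED"},
        {"group": "NATO:CIS-ADMIN", "min_clearance": "UNCLASSIFIED"},
    ],
}
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue(subject, national_groups, clearance, ttl=300, now=None):
    """STS: translate national groups to NATO groups, then sign the claims.
    Unknown national groups are dropped rather than passed through."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,
        "groups": sorted(GROUP_MAP[g] for g in national_groups if g in GROUP_MAP),
        "clearance": clearance,
        "exp": now + ttl,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(STS_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)


def pep_validate(token, now=None):
    """PEP: verify the signature and expiry; return the claims or None.
    Any malformed token is treated as unauthenticated."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = unb64(body_b64)
        expected = hmac.new(STS_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig_b64)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def pdp_decide(claims, resource):
    """PDP: Permit if any policy rule for the resource matches the claims."""
    level = LEVELS.get(claims.get("clearance"), -1)
    for rule in POLICY.get(resource, []):
        if rule["group"] in claims.get("groups", []) and level >= LEVELS[rule["min_clearance"]]:
            return "Permit"
    return "Deny"


def access(token, resource, now=None):
    """PEP entry point: validate the token, then consult the PDP."""
    claims = pep_validate(token, now)
    if claims is None:
        return "Deny"  # unauthenticated requests never reach the PDP
    return pdp_decide(claims, resource)


if __name__ == "__main__":
    tok = sts_issue("jan.jansen@example.nl", ["NLD:J3-OPS"], "SECRET", now=1000)
    print(access(tok, "c2-track-feed", now=1100))  # Permit
    print(access(tok, "c2-track-feed", now=2000))  # Deny: token expired
```

The split of duties mirrors the deck's service components: only the STS knows the national-to-NATO group mapping, the PEP never makes a policy decision of its own, and the PDP reasons purely over attributes, so the same policy works whether the subject came from a national domain or the NATO enterprise.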
Secure Token Based Access
… Integrated with Directory Services
Access to Portal
• Web portal access handling is one of the most common and basic information sharing requirements
• Access granularity is a desired feature that needs to be implemented in future NATO portals
• Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's Identity Architecture, and so will be able to act as a relying party for XML security tokens.
• Initially, access from a national domain to NATO portals is the most expected operational scenario
• Status:
  • all components installed
  • meta-tools installed, configured, jobs implemented
  • initial testing completed
  • implemented different authentication mechanisms for internal/external users
  • hashed passwords for external users populated through ARH
IdM in Access to Portal
Collaboration Tools Use Case
• XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:
  • instant messaging,
  • presence,
  • multi-party chat,
  • voice and video calls,
  • collaboration,
  • lightweight middleware,
  • content syndication,
  • generalized routing of XML data.
• XMPP is a mandatory collaboration standard for military usage in many NATO nations
• JChat application, a standard NATO collaboration tool, to be used on the NATO side
• Status: not implemented yet
  • all components installed
  • meta-tools installed, configured, jobs implemented
  • hashed passwords for external users populated through ARH
IdM in Collaboration Tools
Access to Legacy Applications
• There are still applications in NATO CIS which are not PKI- and/or Web-services-enabled
• Authentication/Authorization mechanisms:
  • are implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application-specific solutions, or
  • are not implemented at all
• For completeness of the IdM use case validation picture, legacy systems should be included
• Status: not implemented yet
IdM in Legacy Systems
Summary
• The concept of IdM in a federated NATO environment (NATO plus NATO nations) is in an early stage of formalization
• List of use cases for IdM is open
• NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners
Why Identity Management matters …
CONTACTING NC3A

NC3A Brussels
Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels - Belgium
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770

NC3A The Hague
Visiting address: Oude Waalsdorperweg 61, 2597 AK The Hague
Postal address: NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239