Dan Houser, MBA, CISSP, CCP Security Architect Nationwide [email protected] Web Single Sign-On: Federated Identity

Mar 29, 2015

Transcript
Page 1: Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Houserd1@nationwide.com Web Single Sign-On: Federated Identity.

Dan Houser, MBA, CISSP, CCP

Security Architect

Nationwide

[email protected]

Web Single Sign-On: Federated Identity

Page 2:

Nationwide

Fortune 500 company

A leading US financial company & insurer:
• Life Insurance
• Automobile Insurance
• Property & Casualty Insurance
• Liability Insurance
• Annuities
• Retirement Products
• Investment Services
• Mortgages

Page 3:

Objectives

• How a Fortune 500 company implemented SAML for cross-company authentication (CCA)
• Under the covers: how artifact and signed SAML authentication works between business partners
• Building an extensible, enterprise architecture implementation with alpha and beta tools
• Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties
• Identity, cryptography, and assertions, oh my!
• Web services authentication and authorization challenges

Page 4:

Web services

Phenomenal business acceleration since 1990

Transformation of business:
• From business at the club to EDI brokering
• From book binding to e-books to books on demand
• Supply chain management

Rapid changes in business and trust models:
• Outsourcing, resourcing, insourcing
• Hosting, co-location, managed services, ASPs
• Intense, cyclical acquisition & divestiture activity
• Global markets & economies

Page 5:

Web services (2)

Generations of the Internet:
• 1st Gen: Isolation - Research
• 2nd Gen: Information - Storefront
• 3rd Gen: Transaction - eCommerce
• 4th Gen: Integration - Web Services

Page 6:

Quick Web services primer

Web Services
• Uses open, lightweight protocols: HTTP, XML, SOAP, WSDL, UDDI
• Provides a direct connection to business logic and core objects through Internet protocols
• Instead of COM, DCOM and RPC, now invoke a Web service over HTTP

Page 7:

Federated identity

What is federated identity?
• The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§

Cross-company authentication (CCA)
• Authentication & authorization between organizations and companies.

Essentially, the same thing under the covers.

§ Source: RSA Security, http://www.rsasecurity.com/go/google/fed_id/redirect.html

Page 8:

Federated identity. Use case 1: Travel model

• A conducts business with B on behalf of end user
• Traditional back-office functions, but in real time

Reference model: Travelocity®

Diagram: end user (B2B, B2C, B2E) reaches A's Web page over HTTP via the Internet/intranet; A calls B, a 3rd-party Web services provider, over HTTP/XML/SOAP via the Internet/intranet to reach B's business logic.

Page 9:

Federated identity. Use case 2: Portal model

• B provides service or collaborative content for A
• Transparent to the end user.

Reference model: MapQuest® in Yahoo!® portal

Diagram: end user (B2B, B2C, B2E) reaches A's Web page over HTTP via the Internet/intranet; content from B, a 3rd-party Web services provider, is pulled from B's business logic into A's page over HTTP/XML/SOAP via the Internet/intranet.

Page 10:

Federated identity. Use case 3: Single sign-on model

• A redirects user to B
• B trusts A’s authentication
• “Single sign-on” (a.k.a. cross-company authentication, federated identity.)

Reference model: Private label banking

Diagram: end user (B2B, B2C, B2E) comes to A's Web page via the Internet/intranet and is redirected to B, a 3rd-party Web services provider; the flow is shown as steps 1–4, with HTTP/XML/SOAP/SAML on each hop.

Page 11:

Web services implications

Extensible access portals for legacy business logic and processes

Ability to react to the market very quickly

Changes to core business applications are immediately available to trading partners, vendors, customers and regulators

Business velocity without roadblocks of building extensive GUI presentation layers

Page 12:

Web services introduces cross-company authentication

For selected interfaces:
• Other business partners trust your authentications, and…
• Your organization trusts the authentications provided by others.

Page 13:

SAML provides a framework for cross-company authentication

SAML: Security Assertion Markup Language
• Lightweight protocol to exchange security assertions & artifacts
• Can be signed for a self-validating assertion
• Permits partners to exchange assertions about authentication and authorization of users

Page 14:

SAML

SAML has 4 major components:
1. Assertions
   • Authentication assertions
   • Attribute assertions
   • Authorization decision assertions
2. Request / response protocol – SOAP over HTTP
3. Bindings – how SAML requests map to transport protocols (such as SOAP)
4. Profiles – how SAML assertions are embedded or transported between parties

Page 15:

SAML (2)

POST /SamlService HTTP/1.1
Host: www.example.com
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:Request xmlns:samlp="…" xmlns:saml="…" xmlns:ds="…">
      <ds:Signature> … </ds:Signature>
      <samlp:AuthenticationQuery>
      </samlp:AuthenticationQuery>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Source: OASIS - http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-00.doc
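As an added example (not from the slides and not Nationwide's implementation), the Python below shows the checks a relying party still has to make on a signed SAML 1.x authentication assertion of the kind described on pages 13 and 14 once the XML-DSig signature itself has been verified by a suitable library: the issuer is a trusted partner, the assertion is addressed to this relying party, the NotBefore/NotOnOrAfter window holds within a small clock-drift tolerance, and the AssertionID has not been presented before. The issuer, audience, identifier and timestamps in the sample assertion are constructed.

```python
"""Relying-party acceptance checks for a SAML 1.x authentication assertion.

Standard library only; the assertion below is constructed for this example
and is not taken from the slides. Verifying the XML-DSig <ds:Signature>
itself needs a dedicated library and is treated here as a prior step: these
are the checks a relying party must still make on a signature-verified
assertion before trusting the asserting party's authentication.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed sample: issuer, audience and id values are hypothetical.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-0001"
    Issuer="https://idp.example-a.test" IssueInstant="2003-01-15T14:00:00Z">
  <saml:Conditions NotBefore="2003-01-15T14:00:00Z"
                   NotOnOrAfter="2003-01-15T14:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example-b.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-01-15T13:59:58Z">
    <saml:Subject><saml:NameIdentifier>user123</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""


def parse_instant(value):
    """SAML instants are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers, my_audience, seen_ids,
                       skew=timedelta(seconds=30)):
    """Return the list of reasons to reject; an empty list means accept.

    `seen_ids` is the relying party's replay cache; an accepted AssertionID
    is recorded so the same assertion cannot be presented twice.
    """
    reasons = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["not a SAML 1.x Assertion"]

    # Only assertions from partners we have a trust agreement with count.
    if root.get("Issuer") not in trusted_issuers:
        reasons.append(f"untrusted issuer {root.get('Issuer')!r}")

    # An unsigned assertion cannot be self-validating; reject it.
    if root.find("ds:Signature", NS) is None:
        reasons.append("assertion is not signed")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        # Validity window, with tolerance for clock drift between the
        # asserting and relying parties.
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            reasons.append("assertion not yet valid (check clock sync)")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            reasons.append("assertion expired (check clock sync)")
        # An assertion addressed to another relying party must not be honoured.
        audiences = [a.text for a in cond.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and my_audience not in audiences:
            reasons.append("assertion not addressed to this relying party")

    if root.find("saml:AuthenticationStatement", NS) is None:
        reasons.append("no AuthenticationStatement")

    assertion_id = root.get("AssertionID")
    if assertion_id in seen_ids:
        reasons.append("replayed AssertionID")
    elif not reasons:
        seen_ids.add(assertion_id)
    return reasons


if __name__ == "__main__":
    cache = set()
    now = parse_instant("2003-01-15T14:01:00Z")
    trusted = {"https://idp.example-a.test"}
    print(validate_assertion(SAMPLE_ASSERTION, now, trusted,
                             "https://sp.example-b.test", cache))  # []
    print(validate_assertion(SAMPLE_ASSERTION, now, trusted,
                             "https://sp.example-b.test", cache))  # ['replayed AssertionID']
```

The function returns every reason for rejection rather than stopping at the first, which is what a helpdesk working with only its own half of the transaction needs in the log; the two time-window reasons carry a "check clock sync" hint because, as the deck notes later, clock drift between partners is a common root cause.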

Page 16:

SAML provides transaction trust

Layer                      Protocols providing trust
Enterprise                 No existing protocol
Line of business           No existing protocol
Business function          No existing protocol
Session                    SSL / TLS / IPsec / Kerberos
Messages / Transactions    SAML / WS-Security / XML-DSig / Passport

Page 17:

Nationwide & CCA timeline

2000-2001
• Implemented several federated identity solutions
• Used proprietary artifacts & communication session solutions
• Worked well, but….
  - Unique “one-off” solutions
  - Lacked standards for standard implementation, extensive re-work

Page 18:

Nationwide & CCA timeline (2)

2002
• Resolved to adopt a standards-based federated identity solution
• Investigated several federated identity standards
• SAML selected as best SSO authentication solution at the time
• Joined Liberty Alliance as Associate Member

Page 19:

Nationwide & CCA timeline (3)

2002
• Determined three viable directions:
  - Web Access Mgmt (WAM) middleware
  - Adding SAML parsing to existing application(s)
  - Building own assertion generator & parser
• Investigated the market for the vendor best suited to deliver a SAML-based solution
• Established contract with WAM vendor
• Built first SAML implementation for SSO

Page 20:

Nationwide: First SAML cross-company SSO

• Launched January, 2003
• First commercial use of SAML for SSO
• Three business partners
• Nationwide provides portal, authentication & authorization for both other partners

Diagram: end user (B2B, B2C, B2E) over the Internet/intranet; Nationwide (AuthN, AuthZ) in the middle, redirecting to a Financial Aggregator and, via a link, to a Financial Services Company; steps numbered 1–4.

Page 21:

Nationwide: First SAML cross-company SSO

• Launched January, 2003
• First commercial use of SAML for SSO
• Three business partners
• Nationwide provides portal, authentication & authorization for both other partners.

Diagram: end user (B2B, B2C, B2E) over the Internet/intranet; Nationwide (AuthN, AuthZ), Financial Aggregator and Financial Services Company, connected by redirects and a link; steps numbered 1–6.

Page 22:

Challenges

Complexity

Business issues

Federation

Weakest link

Business trust models

Page 23:

Complexity

Corporate 3-tier Web architectures are already complex

Federated SSO adds significant complexity in coupling:
• Existing infrastructure
• Web Access Mgmt (WAM) middleware
• Web services interfaces
• New infrastructure
• Cross-company functionality

Page 24:

Complexity (2)

Complexity requires technical sophistication on both sides of the relationship

Developers need to understand:
• SAML
• Web services
• WAM
• Encryption

Architects need to understand:
• Identity Management
• Authentication/authorization models

Page 25:

Complexity (3)

Complexity extends to privacy and identity issues
• Privacy policy aggregation, demarcation
• Need to involve CPO, General Counsel
• Identity management issues
• Legal contract & business agreement:
  - Roles & responsibilities
  - Vendor management
  - Procedures for validating trust

Page 26:

Business issues

The technology is moderately complex.
Trust & policies are harder.
Closer to a wedding than a business relationship

Nationwide’s solution:
• Certification & accreditation process
• Reference Architecture
• Strong 3-tier infrastructure architecture
• Forward-looking standards for trust governance

Page 27:

Federation

Interoperability of identity frameworks

Tough to do between existing corporate legacy applications

Even tougher between disparate organizations

Deep dive on assumptions, standards, vetting

Must scale and scope to business context

Page 28:

Weakest link

Security posture differences must be determined & governed.
• Alignment of reference architecture
• Policy & standards matrix comparison
• Establishment of CCA standards

SLA & performance weakest link
• If your SLA is 7x24, and your partner’s SLA is 5x10, how will you provide 7x24?

Page 29:

SAML provides transaction trust (slide repeated from Page 16)

Layer                      Protocols providing trust
Enterprise                 No existing protocol
Line of business           No existing protocol
Business function          No existing protocol
Session                    SSL / TLS / IPsec / Kerberos
Messages / Transactions    SAML / WS-Security / XML-DSig / Passport

Page 30:

Web services introduces cross-company authentication (slide repeated from Page 12)

For selected interfaces:
• Other business partners trust your authentications, and…
• Your organization trusts the authentications provided by others.

Page 31:

What now?

The Interconnectedness of all things…

Page 32:

Business trust models

Recognized needs:
• Ongoing contractual compliance
• Continual determination of trustworthiness
• Legal implications of trust model

Result:
• CCA standards
• Development of XotaSM protocol

XotaSM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

Page 33:

XotaSM

• Combination of protocol & methodology
• Permits determination of trustworthiness in real time between business partners
• Trust governance at the transaction level
• Continuous assessment of contractual and regulatory compliance
• Nationwide is establishing a consortium

XotaSM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

Page 34:

Surprises

Troubleshooting with ½ the data

Missing standards & solutions

Interoperability

Human factors

Page 35:

Troubleshooting

SAML consists of HALF transactions: asserting party / relying party
Troubleshooting with only half the data!

• Complexity and cross-disciplinary issues
• Coordinated helpdesk an issue
• Log sharing, aggregation
• Time synchronization an issue
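The half-transaction problem is, in practice, a log-correlation problem. As an added example that is not part of the deck, the Python below joins a constructed asserting-party log with a constructed relying-party log on the assertion id and reports assertions that were issued but never consumed, assertions consumed that the asserting party never issued, and consumptions whose timestamps show the two partners' clocks disagree (the time-synchronization issue named on the slide). The log format, identifiers, subjects and times are all constructed for the example.

```python
"""Correlating asserting-party and relying-party SAML logs.

Added example, not from the slides. Each side of a SAML exchange logs only
its half; joining the two logs on the assertion identifier shows which
assertions were issued but never consumed, which were consumed but never
issued, and where the two parties' clocks disagree. Log formats and values
below are constructed for this example.
"""
import re
from datetime import datetime, timezone

# Constructed asserting-party log (the side that issues assertions).
ASSERTING_PARTY_LOG = """
2003-01-15T14:00:00Z ISSUE id=_a1 subject=user123 audience=sp.partner.test
2003-01-15T14:00:05Z ISSUE id=_a2 subject=user456 audience=sp.partner.test
2003-01-15T14:00:09Z ISSUE id=_a3 subject=user789 audience=sp.partner.test
""".strip().splitlines()

# Constructed relying-party log (the side that consumes assertions).
RELYING_PARTY_LOG = """
2003-01-15T14:00:02Z CONSUME id=_a1 result=accepted
2003-01-15T13:59:50Z CONSUME id=_a2 result=rejected reason=NotBefore
2003-01-15T14:00:20Z CONSUME id=_zz result=rejected reason=unknown-id
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>ISSUE|CONSUME) (?P<kv>.*)$")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(lines):
    """Turn 'timestamp EVENT k=v k=v' lines into dicts; skip anything else."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        records.append({"ts": parse_ts(m["ts"]), "event": m["event"], **fields})
    return records


def correlate(ap_lines, rp_lines):
    """Join the two half-transactions on assertion id and flag anomalies.

    Returns a dict with:
      matched: (id, result, seconds from issue to consume) for ids in both logs
      never_consumed: issued ids the relying party never saw
      unknown_at_relying_party: consumed ids the asserting party never issued
      suspected_clock_skew: ids consumed 'before' they were issued, or rejected
                            on the NotBefore/NotOnOrAfter window
    """
    issued = {r["id"]: r for r in parse_log(ap_lines) if r["event"] == "ISSUE"}
    consumed = {r["id"]: r for r in parse_log(rp_lines) if r["event"] == "CONSUME"}
    report = {"matched": [], "never_consumed": [],
              "unknown_at_relying_party": [], "suspected_clock_skew": []}
    for aid, iss in issued.items():
        con = consumed.get(aid)
        if con is None:
            report["never_consumed"].append(aid)
            continue
        delta = (con["ts"] - iss["ts"]).total_seconds()
        report["matched"].append((aid, con.get("result"), delta))
        if delta < 0 or con.get("reason") in {"NotBefore", "NotOnOrAfter"}:
            report["suspected_clock_skew"].append((aid, delta))
    for cid in consumed:
        if cid not in issued:
            report["unknown_at_relying_party"].append(cid)
    return report


if __name__ == "__main__":
    for key, value in correlate(ASSERTING_PARTY_LOG, RELYING_PARTY_LOG).items():
        print(f"{key}: {value}")
```

In the constructed data, `_a2` is consumed fifteen seconds before it was issued and rejected on NotBefore, which is the signature of a relying-party clock running behind the asserting party's; `_zz` was never issued and deserves a closer look on the relying-party side. A report like this only exists if both partners agree up front to share logs in a common format, which is the "log sharing, aggregation" point on the slide.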

Page 36:

Missing standards & solutions

SAML has some gaps:
• No SAML session management
• No support for timeout, logoff “rollup”
• Had to develop own session management and session timeout protocol

Middleware gaps:
• No signed SAML support in middleware
• Lack of 3-tier architecture support

Page 37:

Session management issues

Diagram (same as the first SAML cross-company SSO diagram): end user (B2B, B2C, B2E) over the Internet/intranet; Nationwide (AuthN, AuthZ), Financial Aggregator and Financial Services Company, connected by redirects and a link; steps numbered 1–6.

• Cookie forces session timeout – user must re-authenticate
• User is redirected back to Nationwide, gets SAML assertion
• Goes through SAML authentication process again

Page 38:

Interoperability

• Authentication & authorization required for both the business partners and users
• SAML provides user authentication
• No protocol support for partner connection authentication, authorization
• Each partner connection model unique
• Bleeding-edge implementation preceded Web services protocol standards

Page 39:

Human factors

Communications issues
Users unaware of SSO implementation:
• Sensitive to performance lag
• Multiple resubmits
• Question lack of sign-on – “Is security broken?”

Deep bookmarking
• Users will bookmark relying party sites
• Persistent cookie that identifies user as CCA user?
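Pages 36 and 37 describe the session-timeout protocol Nationwide had to build because SAML gave them none, and the deep-bookmark question above asks whether a persistent cookie should mark the browser as a CCA user. As an added example (not Nationwide's protocol and not from the deck), the Python below shows how a relying party can put those together: its own cookie-backed session with idle and absolute timeouts; on timeout, a redirect back to the asserting party for a fresh assertion rather than to a local login page; and, for a request with no session at all, a routing decision driven by the persistent CCA marker so a bookmarked deep link still lands the user where they meant to go. Timeout values, URLs and the cookie semantics are constructed.

```python
"""Relying-party session handling when the SSO protocol has no session layer.

Added example, not the deck's own code. The relying party keeps its own
server-side session keyed by a cookie; when that session times out, or a
user arrives via a deep bookmark with no session, the user is sent back to
the asserting party to obtain a fresh SAML assertion instead of to a local
login page. Timeouts, URLs and the persistent "CCA user" marker cookie are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

IDLE_TIMEOUT = timedelta(minutes=15)      # constructed policy values
ABSOLUTE_TIMEOUT = timedelta(hours=8)
ASSERTING_PARTY_SSO = "https://idp.example-a.test/sso"   # hypothetical
LOCAL_LOGIN = "https://sp.example-b.test/login"          # hypothetical


@dataclass
class RpSession:
    """Session state the relying party stores server-side, keyed by its cookie."""
    subject: str
    created: datetime
    last_seen: datetime


def sso_redirect(target_path):
    """Send the user back to the asserting party, remembering where they wanted to go."""
    return ("redirect", f"{ASSERTING_PARTY_SSO}?target={quote(target_path, safe='')}")


def handle_request(path, session, now, cca_marker_cookie=False):
    """Decide how to serve a request.

    Returns ('serve', path) or ('redirect', url). `session` is the RpSession
    looked up from the session cookie, or None when there is none (deep
    bookmark, expired or cleared cookie). `cca_marker_cookie` is the
    persistent cookie saying this browser previously arrived through
    cross-company authentication.
    """
    if session is None:
        # No session: a marked CCA user goes to the asserting party so SSO stays
        # transparent; anyone else gets the relying party's own login page.
        return sso_redirect(path) if cca_marker_cookie else ("redirect", LOCAL_LOGIN)

    if (now - session.created >= ABSOLUTE_TIMEOUT
            or now - session.last_seen >= IDLE_TIMEOUT):
        # Cookie-driven timeout: the user must re-authenticate at the asserting
        # party and return with a new assertion, i.e. the SSO steps run again.
        return sso_redirect(path)

    session.last_seen = now
    return ("serve", path)


def demo():
    """Run four scenarios and return their decisions: active session, idle
    timeout, deep bookmark with CCA marker, deep bookmark without marker."""
    t0 = datetime(2003, 1, 15, 14, 0, tzinfo=timezone.utc)
    s = RpSession("user123", created=t0, last_seen=t0)
    return (
        handle_request("/accounts", s, t0 + timedelta(minutes=5)),
        handle_request("/accounts", s, t0 + timedelta(minutes=30)),
        handle_request("/accounts", None, t0, cca_marker_cookie=True),
        handle_request("/accounts", None, t0),
    )


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The marker cookie carries no identity and grants nothing by itself; it only chooses which login path the user is sent down, so it is safe to make persistent in a way the session cookie is not. The second scenario in `demo()` is the loop from page 37: the session has idled out, so the user is redirected to the asserting party, comes back with a new assertion, and the relying party creates a fresh session.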

Page 40:

Lessons learned

• Have a good partner relationship with WAM vendor(s)
• Business issues as significant as technology issues
• Lightweight implementation toolkit required for smaller partners
• Trust modeling an important consideration

Page 41:

Benefits achieved

• Federated identity provides flexible, adaptable solutions for SSO
• Ability to use infrastructure for affiliates, other contexts
• If you build it, they will come
• Federated identity works reliably
• Use of standards, such as SAML, pays off in 2nd, 3rd implementations

Page 42:

Q&A

Questions?

Page 43:

Further information

Contact information:
Dan Houser, MBA, CISSP, CCP
Security Architect
Nationwide
(614) 249-6639
[email protected]

Best resources:
• OASIS http://xml.coverpages.org/saml.html
• Liberty Alliance http://projectliberty.org

Page 44:

Thank you.

Questions, comments?

Mr. Houser will not be available to answer questions at the Ask-the-Experts booth in the Exhibit Hall. Please send questions to [email protected].