
Current State of Federated Identity Standards and Implementations


Page 1: Current State of Federated Identity Standards and Implementations

All Contents © 2008 Burton Group. All rights reserved.

Current State of Federated Identity

OASIS Open Standards Forum 2008
Friday, 3 October 2008

Gerry Gebel
VP & Service Director – IdPS
ggebel@burtongroup.com
www.burtongroup.com

Page 2: Current State of Federated Identity Standards and Implementations

A Few Points to Ponder

State of federation is strong – but the game is changing

Business models are driving up demand for federation technology – and forcing still other changes

Federation and SSO services – an emerging trend to watch


Page 3: Current State of Federated Identity Standards and Implementations

After this presentation, you will…

… stop federating
• Because business people don’t know what you are talking about

… realize that protocols do not equal a business process
• You need services and capabilities, in addition to protocols and technologies

… discover that the Internet doesn’t need an identity layer
• Rather, it needs a relationship layer!

Page 4: Current State of Federated Identity Standards and Implementations

Business Trends Drive IT Trends

Same as it ever was

• Global economy, cost-effective communications driving fundamental change to the business environment

• The more global things get, the more pressure to decompose big orgs
• Need to integrate business process across many boundaries
• Must interoperate, connect with security and low friction

Page 5: Current State of Federated Identity Standards and Implementations

Business Trends Drive IT Trends

What a difference a year (and a financial crisis) makes

• Do more with less, or do less with less
• Plate tectonics: business transformation and IT transformation collide
• SaaS gaining favor . . . the times they are a-changing
• Outsource, offshore, buy it as a service

Page 6: Current State of Federated Identity Standards and Implementations

Current Technologies and Methodologies

The Expanding Identity Universe

Dynamics are driving requirements where CIOs have no control

[Figure: three-axis diagram of the identity universe. Scale: Small, Large, Massive. Control: Centralized, Distributed. Focus: Business, Individual. Labels placed across the diagram: SMB, SaaS; Consumers, Social Networks; Deperimeterization, Outsourcing; Compliance, Privacy; The CIO and the budget.]

Page 7: Current State of Federated Identity Standards and Implementations

Where does federation fit in here?

Page 8: Current State of Federated Identity Standards and Implementations

Federation and Distributed Control

Page 9: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: internal applications

[Figure: the SSO landscape used through slides 9 to 15. Users: Employees, Contractors, Partners. Targets: Applications, SaaS, Partner. SSO infrastructure: AD/Kerberos, WAM/Federation. Highlighted here: Employees reaching internal Applications.]

Page 10: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: hosted applications

[Figure: same landscape (Employees, Contractors, Partners; Applications, SaaS, Partner; AD/Kerberos, WAM/Federation). Highlighted here: Employees reaching hosted SaaS and Partner applications, annotated with question marks: WAM/Federation?]

Page 11: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: external users

[Figure: same landscape. Highlighted here: Contractors and Partners reaching internal Applications, annotated with a question mark: AD/Kerberos?]

Page 12: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: external users

[Figure: same landscape. Highlighted here: Contractors and Partners reaching internal Applications, annotated with a question mark: Federation?]

Page 13: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: employee off site

[Figure: same landscape. Highlighted here: off-site Employees reaching internal Applications, annotated with a question mark: AD/Kerberos?]

Page 14: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: employee off site, hosted applications

[Figure: same landscape. Highlighted here: off-site Employees reaching hosted SaaS and Partner applications, annotated with a question mark: Federation?]

Page 15: Current State of Federated Identity Standards and Implementations

Examine the Problem

SSO: new options

[Figure: same landscape (Employees, Contractors, Partners; Applications, SaaS, Partner; AD/Kerberos, WAM/Federation) with a new element added: Federation service.]

Page 16: Current State of Federated Identity Standards and Implementations

Examine the Problem

Why don’t we have SSO?

• Architecture limitations don’t accommodate new application types: Software as a Service
• Product and technology selection process failure
  • Used RFP checklist instead of usage scenario analysis
• Vendor implementations limit your options
  • Kerberos exhibits its weakness when external users are involved
  • Microsoft Office products do not handle HTTP redirects
• New products or technologies may be required
  • Hosted SSO/federation service is one possibility
• New approaches may be required
  • Identity intermediaries can limit inherent friction

Page 17: Current State of Federated Identity Standards and Implementations

Examine the Problem

[Figure: the enterprise SSO and federation estate: Enterprise AD forest, LDAP directory services, XML gateways, Federation servers, WAM servers, App servers, Applications, Partner sites, ESSO, SSL VPN, Bulk feed.]

Maybe it is time to look at the business problem, instead of the technology possibilities

Page 18: Current State of Federated Identity Standards and Implementations

Too Much Science, Not Enough Art

The “science project”: connectivity is rarely straightforward

[Figure: a ten-step (1 to 10) connection between an enterprise and a collaborator. Components: Enterprise AD forest, ADFS, ADFS agent, SharePoint 2003, SAML-enabled proxy, Federation product, LDAP directory, Web SSO server, Collaborator (home authentication). Artifacts exchanged along the way: SID attribute and group memberships, mapping info and claims, WS-Federation, SAML assertion, Web SSO token.]
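The exchange in the diagram, reduced to its two halves (home authentication issuing a signed assertion with mapped claims; the collaborator verifying it and mapping the claims to local permissions), as an added example in Go. This is not code from the original deck or from any vendor product it names. The token format is a JSON stand-in for a SAML assertion, and the group DNs, issuer and audience URLs and both mapping tables are assumptions; a real deployment would use SAML 2.0 or WS-Federation with XML signatures.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is an assumed, simplified stand-in for a SAML assertion: the elements an SP checks
// (Issuer, Subject, AudienceRestriction, NotBefore/NotOnOrAfter, AttributeStatement) as JSON.
type Assertion struct {
	Issuer       string              `json:"issuer"`
	Subject      string              `json:"subject"`
	Audience     string              `json:"audience"`
	NotBefore    int64               `json:"nbf"`
	NotOnOrAfter int64               `json:"exp"`
	Attributes   map[string][]string `json:"attrs"`
}

// SignedAssertion is what travels from IdP to SP (by browser POST in a real profile).
type SignedAssertion struct{ Payload, Signature []byte }

// groupToRole is the IdP-side mapping agreed with the partner (directory group -> "role" claim); DNs are made up.
var groupToRole = map[string]string{
	"CN=Sales-Managers,OU=Groups,DC=corp,DC=example": "manager",
	"CN=Sales-Staff,OU=Groups,DC=corp,DC=example":    "staff",
}

// Issue is the home-authentication (IdP) side: map groups to claims, bind to one audience and a 5-minute lifetime, sign.
func Issue(key *rsa.PrivateKey, issuer, subject, audience string, groups []string, now time.Time) (SignedAssertion, error) {
	a := Assertion{Issuer: issuer, Subject: subject, Audience: audience, NotBefore: now.Unix(),
		NotOnOrAfter: now.Add(5 * time.Minute).Unix(), Attributes: map[string][]string{}}
	for _, g := range groups {
		if role, ok := groupToRole[g]; ok { // unmapped groups are never leaked to the partner
			a.Attributes["role"] = append(a.Attributes["role"], role)
		}
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedAssertion{Payload: payload, Signature: sig}, err
}

// Verifier holds what the SP pins out of band: the IdP public key, the IdP issuer name, the SP's own audience ID.
type Verifier struct {
	IdPKey           *rsa.PublicKey
	Issuer, Audience string
}

// Verify checks the signature before parsing anything, then issuer, audience and validity window (30 s skew).
func (v Verifier) Verify(sa SignedAssertion, now time.Time) (Assertion, error) {
	digest := sha256.Sum256(sa.Payload)
	if err := rsa.VerifyPKCS1v15(v.IdPKey, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return Assertion{}, fmt.Errorf("assertion signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	if a.Issuer != v.Issuer {
		return Assertion{}, fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Audience != v.Audience { // an assertion minted for one partner must not work at another
		return Assertion{}, fmt.Errorf("assertion is for audience %q, not us", a.Audience)
	}
	if t := now.Unix(); t < a.NotBefore-30 || t >= a.NotOnOrAfter+30 {
		return Assertion{}, fmt.Errorf("assertion outside its validity window")
	}
	return a, nil
}

// LocalPermissions is the SP-side half of the claims mapping: partner-agreed roles -> this application's permissions.
func LocalPermissions(a Assertion) []string {
	perms := []string{"read-catalog"} // every federated user gets this
	for _, r := range a.Attributes["role"] {
		if r == "manager" {
			perms = append(perms, "approve-orders")
		}
	}
	return perms
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only; a real IdP loads its persisted signing key
	sa, err := Issue(key, "https://idp.corp.example", "alice@corp.example", "https://saas.partner.example",
		[]string{"CN=Sales-Managers,OU=Groups,DC=corp,DC=example"}, time.Now())
	if err != nil {
		panic(err)
	}
	a, err := Verifier{IdPKey: &key.PublicKey, Issuer: "https://idp.corp.example", Audience: "https://saas.partner.example"}.Verify(sa, time.Now())
	fmt.Println("accepted:", err == nil, "permissions:", LocalPermissions(a))
}
```

The slide's point survives the simplification: the protocol half (sign, verify, check audience and lifetime) is the easy part and is the same for every connection; the two mapping tables are the business agreement, and they are what each new connection forces the parties to negotiate and maintain.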

Page 19: Current State of Federated Identity Standards and Implementations

Growth Rates for Federation

Has anyone spotted the elephant in the federation room? “How long has THAT been there?”

• > 1,000 connections @ 24 connections / year = 42 years!!
• All right, but what if deployment rate increases?
  • Assume enterprises can deploy 500 connections per year
  • One customer has 34,000 point-of-sale operations: 34,000 @ 500 / year = 68 years!!
• And that’s just for SSO
  • No authorization
  • Not hub-to-hub

Page 20: Current State of Federated Identity Standards and Implementations

The Aesthetics of Ubiquity

Your technology might be mediocre if:

• Adding a connection requires a project manager
• Adding a connection requires lab time
• Each connection requires a custom contract
• You have to coordinate your deployment with others
• The solution only works for the latest-and-greatest infrastructure
• Upgrading a server has ripple effects from end-to-end
• It seems reasonable to measure “connections per year”

Page 21: Current State of Federated Identity Standards and Implementations

What about that glass ceiling?

Page 22: Current State of Federated Identity Standards and Implementations

Interoperability

What if there was a similar program for XACML? Just asking…

Page 23: Current State of Federated Identity Standards and Implementations

Federation Marketplace

Products: BMC, CA, Entrust, Evidian, IBM, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs

Edge Federation: Cisco, Forum Sys, IBM, Layer 7, Vordel

Fed Services: Covisint, FuGen Solutions, Symplified, TriCipher, EduServ

Page 24: Current State of Federated Identity Standards and Implementations

Open Source Options

Page 25: Current State of Federated Identity Standards and Implementations

Working on that scalability problem…

Page 26: Current State of Federated Identity Standards and Implementations

Expanding Federations

Page 27: Current State of Federated Identity Standards and Implementations

Federating Federations

Page 28: Current State of Federated Identity Standards and Implementations

SaaS Federations

Page 29: Current State of Federated Identity Standards and Implementations

SSO+ as a Service

Page 30: Current State of Federated Identity Standards and Implementations

Identity Aggregators

Single point of integration for all Nordic e-ID systems

Expanding into other regions…

Page 31: Current State of Federated Identity Standards and Implementations

Looking Ahead

What is the impact of:

• User centric identity approaches
  • Of course, this is in name only
  • User centric becomes a reality when business models support it
• OpenID
  • First party identity systems are not very interesting from a business perspective…
• Information Cards
  • Unlike OpenID, info cards have a real security model
  • But the market is not responding
• OSIS, Information Card Foundation, Identity Commons, Higgins, Identity Metasystem Interop TC, etc
  • Can someone please explain this to me?

Page 32: Current State of Federated Identity Standards and Implementations

In Review

State of federation is strong – but the game is changing

Business models are driving up demand for federation technology – and forcing still other changes

Federation and SSO services – an emerging trend to watch


Page 33: Current State of Federated Identity Standards and Implementations

Current State of Federated Identity

References

• Burton Group’s Identity and Privacy Strategies
• In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID
• Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity
• Business and Legal Issues in Federations
• Information Card Landscape
• A Relationship Layer for the Web… and Enterprises, Too