Tivoli Federated Identity Manager

Tivoli Federated Identity Manager
Sven-Erik Vestergaard
Certified IT Specialist
Security architect
SWG Nordic
svest@dk.ibm.com
IBM Software Day Vilnius 2009
IBM Software group
Agenda
• IBM strategy on IAA
• What is a federation from a business perspective
• How does it work
• Web services severity identity propagation
• Customer cases
2
IBM Software group
Identity and Access Assurance
Tivoli Capabilities
• User provisioning & role
management
• Unified single-sign-on
• Privileged user activity audit &
reporting
• Directory and integration
services
• Log Management
• Self-service password reset
• Identity Assurance / Strong
authentication management
3
Benefits:





Reduce help desk operating
expenses
Comply with regulations
Improve user productivity
Reduce risk from privileged
insiders
Respond quickly to business
initiatives (e.g. new
applications, M&A,
restructuring)
IBM Software group
Getting started with Identity and Access Assurance
Identity
change
(add/del/mod)
Access
policy
evaluated
Approvals
gathered
Accounts
updated
User Provisioning / Role Management
Detect and correct local privilege settings
Single Sign
On
Accounts on 70 different
Accounts on 70 different
types of systems managed.
types of systems managed.
Plus, In-House Systems &
Plus, In-House Systems &
portals
portals
Tivoli Identity Manager
& Password
Management
Databases
Operating
Systems
HR Systems/
Identity
Stores
ID stores
Access Attestation
(Human Resources,
Customer Master, etc.)
Accounts
TIM Trusted
Identity
Store
4
2
John C. Doe
Recertification
Request
5
4
Sarah K. Smith
Access
Revalidated and
Audited
jcd0895
jdoe03
Sarah_s4
Business
Applications
nbody
3
Sarah’s Manager
Networks &
Physical Access
Security log management & reporting
1
Authoritative
Identity Source
Applications
ackerh05
doej
smiths17
Cisco
Secure
ACS
IBM Software group
Agenda
• What is a federation from a business perspective
5
IBM Software group
Key Business Models Driving Federation
 Mergers and Acquisitions
 Success of a merger is often related to how quickly disparate systems
can be integrated to meet the needs of the business.
 Collaboration between autonomous Business Units
 Many companies maintain separate autonomous business units for
political, competitive, and regulatory reasons but still require cross-unit
access for management and customers.
 Collaborative development with Partners
 Some organizations are working more with partners on new strategic
developments, thereby increasing the need for federated access to
partner systems.
 Employee access to Outsourced Services
 Costs of building and maintaining point-to-point solutions for access to
6
outsourced solutions can dilute benefits of outsourcing.
IBM Software group
Key Business Models Driving Federation (cont)
 Service Provider Automation
 Service providers can incur significant costs in managing user accounts
across their customer base – federated technologies can dramatically
reduce these costs.
 Government collaboration
 Government security based initiatives to gain access to law enforcement
and a wide range of other personal data in a secure, efficient manner.
 Improved Corporate Governance
 Key issue with audit/compliance is management of external access to
systems.
7
IBM Software group
Federated Identity Management
Federation
Identity Provider
IdP
business agreem ents
,
technical agreem ents
, and
policy agreem ents
Service Provider
Service Provider
SP
Service Provider
SP
SP
End to end user lifecycle management

Objectives
Lower Identity Management costs
 Improve user experience
 Provide end-to-end security and trust foundation for inter-organization application integration


Leverages concept of a portable identity

8
Identity is “asserted” from a trusted third-party
 Passport
 Credit / ATM Card
 Drivers License
IBM Software group
What does IBM Tivoli Federated Identity Manager
(TFIM) bring to table?
 Ability to handle identity/attribute transformation as part of token
handling
 Ability to exchange token types as part of validation of request at edge
 Enables advanced “intermediary” type functionality
 Ability to do authorization decisions at abstract WSDL level
 Independent of WSDL binding
 Integrates with TAM Authorization
 Access allowed? (Yes/No)
 Protected Object Policies (e.g. Time of Day)
 Authorization Rules (authorization policies based on client attributes)
 Audit
 All of this in a standards-based manner!
9
IBM Software group
Agenda
• How does it work
10
IBM Software group
TFIM Architecture Overview
Federated Single Sign -On
Secure user interaction
Federated Web Services
Secure application interaction
Portal
Web Portal
App
Web Portal
App
App
ESB
Web Application
Gateway
Federated Provisioning
Provisioning System
Provisioning
System
Database
Trust infrastructure
Business
agreements
Transport :
S SL/TLS,
WS -S ec
Message :
sign/
encrypt
Tokens :
sign /encrypt
Technical implementation
11
Legal
agreements
O
p
e
n
S
t
a
n
d
a
r
d
s
IBM Software group
Identity Federation – SSO with OOB Acct Linking (cont)
Mapping between identities is not
defined by the specification.
 SAML 1.x use-case

Source Web Site
www.ibm.com
svest|…
Identity Provider
ate
c
i
t
n
the
u
A
ntity
1.
e
d
I
ert
s
s
2. A
Assertion
svest
….
Destination Web Site
my.travel.com
3. A
cces
s Re
sou
rc e
?
Service Provider
Sven_Erik|…
12
IBM Software group
Identity Federation – Attribute Federation
Identity mapping based on some
shared attribute
 SAML 1.x use-case

Source Web Site
www.ibm.com
svest|svest@ibm.com|…
Identity Provider
te
ica
t
n
e
uth
A
tity
.
n
1
e
Id
ert
s
s
2. A
Assertion
Destination Web Site
my.travel.com
3. A
cces
s Re
sou
rc e
svest
svest@ibm.co
m
Service Provider
Sven_Erik|svest@ibm.com|…
13
IBM Software group
A Quick, Practical Example — Partner Case
Myportal.com
HRservices.com
HRservices.com
1
HTTPS
3
Access Manager
End User
1. User logs on MyHR.com
- TAMeb authenticates user, creates session
2
Trust Broker / Trust Service
Kerberos,
SAML,
X.509v3
SSO Service
Custom
Tokens
User
Provisioning
Service
User x
- TAMeb controls user access & session mgmt.
Federated Identity Management
Identity Broker
Security Token Service
4
Myrecord
Partner
Key
Mgmt
2. User clicks on third-party link Options.com
- Link configured for Liberty, WS-Fed, or SAML
TAM consults FIM
3. FIM initiates SSO with 3rd party site
- FIM creates SSO Token user session
SSO
 SAML
 Liberty
 WS-Federation
14
4. Options.com maps token to local identity
*** User has transparent SSO to third-party ***
IBM Software group
Agenda
• Web services severity identity propagation
15
IBM Software group
Use Case – Services Integration
 Propagate identity: Cross domain/realm identity mapping
and token transformation
 Reflect business relationships: Trust Management (for
data, identity, etc)
 Protect business information
 Governance, Risk & Compliance
Service
Requesto
r
Business
Service
Enterprise Service Bus
Service
Requesto
r
Service
Requesto
r
16
Application
Service
 Identity & Authentication
 Authorization & Privacy
 Confidentiality & Integrity
Infrastructur
e Service
Partner
Service
IBM Software group
TFIM Components for Web Services Security Management
WebSphere
Web Services Requests
W ebSphere
W eb Services
Handler
Client App
WS App
Key Encryption
Signing Service
TFIM W eb Services
Trust Handler
ISC
TFIM
Console
Trust
Service
Trust
STS
Service
Auth Service
Access Manager
Policy Server
& Authorization Server
17
LDAP User
Registry
IBM Software group
TFIM WSSM – Generic Design Overview
Web Service Server/Gateway
Security
Token
Application
Admin
TAM Admin
SOAP Request
SOAP Request
Security
Token
/itfim-wssm
token

WS-Trust
token
FIM Admin
/Container
TFIM Runtime
18
module
module
module
TFIM Trust Service
on
i
t
a
riz
o
th
u
A
/Service-1
/PortType
/operation
TAM Protected
Object Space
Web
Services
Security
WSSM
Token
Module
Processing
/Container
Loc
al C
rede
ntia
l
User Directory/Datastore
IBM Software group
Web Service Security Management : Solution Architecture
Company A
User
local ID
Token
•Identity Mapping
•Attribute Mapping
•Token Management
•Authorization Control
19
Token
Invoke
Application
local ID
Token
SOAP
Request
Web Security
Server
local ID
•Identity Mapping
•Attribute Mapping
•Token Management
•Authorization Control
Web Service
Application
Internet
•Web Service
•Firewall
•Gateway
SOAP
Request
IBM Software group
IBM Tivoli Federated Identity Manager
 Federated Single Sign-On
 Integration with IBM Tivoli Access Manager
 Supported Protocols:
 SAML 1.0 / 1.1 / 2.0
 WS-Federation
 Liberty 1.1 / 1.2
 Federated Web Services
 WS-Trust based integration with Enterprise Service Buses, XML Gateways
 Integration with WebSphere Application Server
 SOAP, JCA and JDBC integration
 SAML modules to allow WAS to generate/consume SAML assertions in WS-
Security headers of SOAP message
 Evolving into Identity Propagation in SOA
 Federated Provisioning
20
 Provides linking of local provisioning systems
 Supported Protocol:
 WS-Provisioning
IBM Software group
Agenda
• Customer cases
21
IBM Software group
SP
Single Sign-On
(tomgreat)
TFIM/SAML1.1
Single Sign-On Links
UID
/U
s er
User
Tom Bear
Co
(tb de/Pw
ear
) dL
ogi
n
Single Sign-On
SAML1.1
(tombear)
Customized
n
application
rtio
se
s
A
SAML1.1 est,
u
q
Customized
Re
Single Sign-On
application
(beartom)
User Registry
SSO Module
Member Life Insurance
B2C Portal
n
e rtio
SAML1.1
t, Ass
es
qu
Customized
Re
application
IdP
SAML1.1
Single Sign-On
Customized
Re ques
t, As(tom_bear)
application
s er tion
IN TER N ET
SP
User Registry
Member Bank
My Bank
SSO Module
IN TER N ET
SSO Module
Financial Services
Company
RichPortal
User Registry
TFIM/SAML1.1
Re
qu
Single Sign-On
e st
, A (bear123)
sse
rtio
n
SP
SSO Module
q
Re
n
r tio
se
As
st,
ue
User Registry
Member Securities
My Securities
SP
User Registry
Member Futures
My Futures
SSO Module
SP
User Registry
SSO Architecture
22
SSO Module
Member Securities Investment Trust
MySIT
IBM Software group
Internet Logon – TFIM Solution
TDS
Mgmt Zone
TFIM
SPS
TFIM
STS
SAML 2.0
4
1
Internet User
5
WebSeal
3
2
6
KBS
MOSS
KBS
WEB AD
Internet DMZ
SAML 2.0
Internet Zone
SIGNICAT
Web Server Zone
1.
User accesses protected page – no session defined
2.
Reroute to Signincat
3.
Signicat authenticates user and sends SAML 2.0 encrypted assertion through browser picked up by
WebSeal
4.
Single Protocol Service - TFIM called to create HTTP HDR based on SAML 2.0 assertions
5.
Single Token Service – WS-Trust used to create KBS token
23 6.
Request sent to Moss with correct KBS token
IBM Software group
SOA Security Overview
TAM Policy
Server
TFIM
Server
TDS
Custom ers (Mas ter)
Em ployees
Management Zone
Internet User
Partner
Application
Reverse Proxy
Web Services
Security
Gateway
Internet DMZ
Intranet User
(employee
or Agent)
MOSS
2007
portal
framework
Other
Clients
e.g.
Z/OS
Intranet
AD
Z/OS
Z/OS
Z/OS
Intranet Zone
Web Server Zone
24
Em ployees (Mas ter)
Custom ers
Em ployees
Business
Service
WebSeal
Reverse Proxy
WEB
AD
Integration layer
Internet Zone
WebSeal
Service Zone
..
.
.
Backend Zone
IBM Software group
Does This Also Help with Compliance?
You bet.
One of the hardest compliance issues to solve is:
“Prove to me that your external users still need access to the
current system, including all their current privileges.”
25
Questions ?
IBM Software group
27
IBM Software group
Trust Service Composed of Module Chains
module
3
module
module chain-1
module
Select Chain based on:
2
1. properties of STS
message
2. trust service configuration
module
module
Which
Chain?
STS message
module
module chain-2
1
web service
interface
<RequestType>, <Issuer>,
<AppliesTo>, <TokenType>
= module instance
28
module
module
RequestSecurityToken
elements:
module
module chain-3