
The State of California

Federated Identity Management: The Blueprint


October 29, 2007

Draft
California Enterprise Architecture Program

The Future is Here


Offer new business services on the web
Move from a silo application environment to an SOA environment
Business services implemented as web services
Shared services across the public and private sectors
Web services require a new security model
Federal Guide to Web Services Security (NIST 800-65), August 2007
http://csrc.nist.gov/publications/nistpubs/800-65/SP-800-65-Final.pdf

California Enterprise Architecture Program California Enterprise Architecture


WS Security Standards Model

Federal Guide to Securing Web Services (NIST 800-65, August 2007)


Web Services Security

Key elements according to the Federal Guide to Securing Web Services (NIST 800-65, August 2007):
Confidentiality of Web service messages using XML Encryption (W3C standard)
Integrity of Web service messages using XML Signature (W3C) and X.509 certificates (IETF)
Web service authentication and authorization: SAML, XACML (OASIS standards)
Web Services Security (OASIS standard): end-to-end SOAP messaging security
Security for Universal Description, Discovery, and Integration (UDDI) (OASIS standard)

SOA Reference Architecture (diagram)

Users and channels: PC browsers, PDA, cell phone, iPhone, voice/IVR
User interface: user interactions; portals / websites; web applications (ASP, JSP, HTML, CSS, Voice/XML)
Business process: messaging, management, authentication, composite data access, federated business logic/rules; orchestrated web services
Security, operations, and governance: policy, process, monitoring, reporting, usage tracking
Access points and service management: Enterprise Service Bus, Service Registry, service discovery, service transformations; service mediation, routing, logging, auditing
Identity: policy enforcement, single sign-on
Web services platform: atomic web services on mainframe, UNIX, Windows, .NET, Java/J2EE, COBOL, CICS
Network: firewalls, routers, XML accelerators, proxy servers, TCP/IP
System administration; network administration


SOA Identity Management Key Areas

Conceptual architecture
Levels of authentication
Authentication attributes
Identity Providers
ESB and Service Registry
Security Policy Service
Service Providers
Web applications
Virtual Directory Service
Identity Resolution Service
Provisioning users
Single Sign-On (SSO)
Example scenarios
Governance

Note: Scenario examples are illustrated at the end of the presentation.


Identity Management & SOA (diagram)

Users: state employee, individual, business partner, county employee, etc., reaching the State through the call center / phone, voice portal, web portal, smart clients, and web services
Security infrastructure: authentication, authorization, provisioning, auditing, Virtual Directory Service, Enterprise Security Policy Service
Enterprise SOA infrastructure: web service management, web service monitoring and reporting
Identity Providers: basic (web); individuals; state employees; business partners; web service security attributes
Service Providers: FTB, DHCS, DMH, OSHPD, DOT, DMV, CDCR, LA County, business partner, EDD, CalRHIO, DCA
Example web services: Verify SSN, Meds Eligibility, Address Change, Professional License Verification, Vital Statistics


Assumptions

Different models for some user classes: one size does not fit all
Both local and enterprise environments
Multi-vendor environments
May need identity resolution if there is no single truth for identity information
May need a virtual directory service if identity information is not in a single repository
Degree of opt-in TBD for individuals; this drives the identity architecture for this user class (CardSpace, self registration, rules for sharing identity information, SAML 2.0, etc.)


State Employee IDM Model (diagram: SOA Identity Management, State Employees)

Employee: login page collecting UserId, Pwd and PIN at the Web App (local roles Role 1, Role 2)
Web App to State Employee Identity Service, over the Enterprise ESB: SOAP/SAML assertion (UiD, Pwd, PIN)
State Employee Identity Service, with Token Service and Audit Service, backed by the State Employee Authentication Repository: returns a SAML token (Succ/Fail, Emp ID)
Local ESB with Local Authorization: SOAP/SAML carrying Emp ID, Success, Role 1, Role 2 to shared and internal web services
Local Service Registry and Enterprise Service Registry: Register Service; SOA Governance (Security Policies)
Service Providers behind a Policy Enforcement Point: shared web services called with SOAP/SAML (Emp ID, Success, Role 1, Role 2)

Note: Counties could be local, enterprise, or a combination.
Note: Enterprise environments at each major data center.


Business Partner IDM Model (diagram: SOA Identity Management, Business Partners)

Business Partner 1: login page at the Business Partner Web App; SOAP/SAML token (Successful, Business ID, User ID, Role 1) over the Enterprise ESB
Business Partner Identity Service, with Token Service (optional), Virtual Directory Service and Audit Service
Business Partner 2: own Identity Provider Service and Token Service, presenting (User ID, Business ID, Role 1)
Enterprise Service Registry under SOA Governance (Security Policies): Register Service
Service Providers behind a Policy Enforcement Point, with local authentication and authorization, exposing shared web services

Note: Business Partners could provide their own identity service, group together and share an identity service, or the State could provide identity services for certain classes of business users.


Individual IDM Model (diagram: SOA Identity Management, Individuals)

Citizen: login page at the Web App or State Portal (UID, PWD); SOAP/SAML assertion (UiD, Pwd, PIN, other attributes) over the Enterprise ESB
Individual Identity Service, with Token Service (optional), Identity Resolution (optional), Audit Service and Virtual Directory Service: returns a SAML token (Succ/Fail, other attributes)
State Portal: Basic Identity Service and Token Service
Enterprise Service Registry under SOA Governance (Security Policies): Register Service
Service Providers behind a Policy Enforcement Point, exposing shared web services (Emp ID, Success, Role 1, Role 2)

Note: Optional, do basic authentication at the State Portal?
Note: Need to accommodate both CardSpace and SAML 2.0. Degree of user opt-in TBD.
Note: Identity Resolution needed if there is no single truth for identity information.
Note: Virtual Directory Service needed if identity information is in multiple locations.


Authentication Levels

Level 1 Basic: UserId and Password, challenge-response protocol
Level 2 Single Factor: shared secrets, Identity Provider, SAML
Level 3 Multi-factor: Identity Provider, SAML, X.509 certificates; software tokens (digitally signed and encrypted); hardware tokens (smart cards, etc.); one-time passwords
Level 4 Hardware (physical) tokens only: typically biometric (fingerprint, voice recognition, etc.)

Federal Electronic Authentication Guideline (NIST 800-63)
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf


Authentication Attributes

Attributes that identify me: name, address, DOB, gender, fingerprint, birth certificate, etc.
Shared secrets: mother's maiden name, favorite dog's name, etc.
Identifiers assigned to me: UserId, Pwd, PIN, driver's license, SSN, EmployeeId, account number, TaxpayerId, MedsId, etc.
Identifiers assigned to my employer: EmployerId, FEIN, etc.
Attributes may be combined into authentication profiles: Individual, State Employee, County Employee, Incorporated Business, Professional Business, etc.

Identity Providers

Performs authentication for a class of users based on the security policy: Individual, State Employee, Business Partner, County Employee, etc.
SAML 2.0 (OASIS standard) is the preferred protocol and token
Only Identity Providers can access the Security Policy Service, so minimize the number of Identity Providers
Responsible for creating the SAML token (credential)
Trust relationship with Service Providers


ESB & Service Registry

Provides service transparency and flexibility
Only the Service Registry knows where the services are actually located
All client web applications point to the ESB
ESB provides message routing, transformation, mediation, logging, connectivity to other system components, and optionally, rules-based routing
Only authorized users can create or modify information in the Service Registry
If UDDI v3 compliant, users looking up a service can also be restricted

Security Policy Service

Single (logical) repository for security policies for all shared services (highly available and scalable)
Often included in SOA Governance products, which may be bundled with the service registry
Could include: authentication type (Individual, State Employee, etc.); authentication level (1, 2, 3, or 4); required attributes (UId, Pwd, driver's license, etc.); attribute encryption
Optional? Only administrators located in the Service Certification Environment can create/modify policies in the repository; they act as proxies for the Service Providers

Service Providers

Implement business services as web services
Can be shared externally, internally, or private
Set the security policy for the service
Publish service information to the Service Registry, and security information to the Security Policy Service
May be written in any language that complies with web service standards (.NET, Java, CICS, etc.)
Can be part of an orchestration of web services, or call other web services
Are usually protected by a Policy Enforcement Point (proxy server, XML gateway, etc.)
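The check a Policy Enforcement Point performs before forwarding a request, combining the Authentication Levels, Identity Providers and Security Policy Service slides, as an added Python example that is not part of the blueprint. It parses a constructed SAML 2.0 assertion, derives the blueprint's authentication level from the assertion's AuthnContext class (that mapping is an assumption; the blueprint defines levels but no SAML mapping), and evaluates a hypothetical Security Policy Service entry for the Address Web Service of the scenario slides. The issuer trust list, the policy entry and the XML are all constructed, and the XML Signature over the assertion is assumed to have been verified against the Identity Provider's X.509 certificate by an XML-DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Assumed mapping from standard SAML 2.0 AuthnContext classes to the blueprint's
# levels 1-4. Level 4 (physical/biometric tokens) has no standard class and is
# left to a deployment-specific class reference.
AUTHN_CONTEXT_LEVEL = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
}

# Hypothetical Circle of Trust: which Identity Provider (SAML issuer) is trusted
# to authenticate which class of user.
TRUSTED_ISSUERS = {
    "https://idp.example.ca.gov/individual": "Individual",
    "https://idp.example.ca.gov/state-employee": "State Employee",
}

# Hypothetical Security Policy Service entry for the Address Web Service.
ADDRESS_SERVICE_POLICY = {
    "service": "urn:example:address-web-service",
    "auth_type": "Individual",
    "min_level": 2,
    "required_attributes": ["UserId", "PIN"],
}

# Constructed assertion for the example (not a real token; signature omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_c0ffee" IssueInstant="2007-10-29T10:00:00Z">
  <saml:Issuer>https://idp.example.ca.gov/individual</saml:Issuer>
  <saml:Subject><saml:NameID>jlanders</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-10-29T09:55:00Z" NotOnOrAfter="2007-10-29T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:address-web-service</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-10-29T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserId"><saml:AttributeValue>jlanders</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="PIN"><saml:AttributeValue>verified</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamp form used in this example's assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the fields the enforcement point needs. Assumes the XML Signature
    has already been verified against the Identity Provider's certificate."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "level": AUTHN_CONTEXT_LEVEL.get(ctx.text if ctx is not None else "", 0),
        "attributes": attrs,
    }


def enforce(policy, assertion, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return (allowed, reason). Each check corresponds to one policy element:
    trusted issuer, user class, validity window, audience, level, attributes."""
    if assertion["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    if trusted_issuers[assertion["issuer"]] != policy["auth_type"]:
        return False, "issuer authenticates the wrong class of user"
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False, "assertion outside its validity window"
    if policy["service"] not in assertion["audiences"]:
        return False, "assertion not issued for this service"
    if assertion["level"] < policy["min_level"]:
        return False, f"authentication level {assertion['level']} below required {policy['min_level']}"
    missing = [a for a in policy["required_attributes"] if a not in assertion["attributes"]]
    if missing:
        return False, "missing required attributes: " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(enforce(ADDRESS_SERVICE_POLICY, parsed, _ts("2007-10-29T10:00:00Z")))
```

The order of the checks matters for a deployment: issuer trust and the user-class check come first because the Security Policy Service is reachable only through Identity Providers, so an assertion from an unknown issuer should be rejected before any policy data is consulted; the audience check is what stops a token issued for one shared service being replayed against another.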

Web Applications

Responsible for the user session and interface (web pages)
Determine if security is required for a given interaction
Ask the user for attribute information via a login form (based on the request from an Identity Provider), for example UserId, Pwd, driver's license number, etc.
Create the SAML assertion or manage the CardSpace card

Virtual Directory Service

Needed if identity information is stored in more than one location
Accommodates data federation
Can connect to different formats (LDAP, Active Directory, Tivoli, SQL database, etc.)
Some products can map attributes to a profile


Identity Resolution Service (optional)

Diagram: agency records for one person, resolved by the Identity Resolution Service into master profiles.

DMV; master profiles (two columns: Master Person Profile / Master State Employee Profile):
Name: John Landers / Johnny Landers
Addr: 1234 Simeron Dr. / 1234 Massachusetts
City: Sacramento / Sacramento
DOB: 10/19/1970 / 10/19/1970
Gender: M / M
Drivers License: M123456 / M123456
Fingerprint: Y / Y
Consumers: Individual Identity Service, State Employee Id Service

DOJ: Name: Jonathan Landers; Addr: 1234 Cimarron Dr.; City: Sacramento; DOB: 10/19/1970; Passport: 12345678

DHCS: Name: John E. Landers; Addr: 1324 Cimarron Dr.; City: Sacramento; DOB: 10/19/1970; SSN: 512-00-1234; MedsId: X3984P; Birth Certificate: Y

State Portal: Name: John Landers; Addr: 1234 Cimarron Dr.; City: Sacramento; DOB: 10/19/1970; UserId: jlanders; Pwd: xxxx

Master Person Profile attributes: Name, Addr, City, State, Zip, DOB, Gender, DL, SSN, Passport, Fingerprint, Birth Certificate, MedsId, UserId, Pwd, PIN

Note: Minimal changes to existing databases and provisioning systems.
Note: Could enhance fraud detection.
Note: Could be anonymous. That is, the identity providers don't need to know the source of the attribute information.
Note: Access to the Identity Resolution Service limited to Identity Providers in a Circle of Trust. Could further limit at the attribute level.
Example: Individual ID Service could only access Master Person Profile, or FEIN attribute is excluded.
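Identity resolution over the agency records on this slide, together with the attribute-level restriction and the "could be anonymous" note, as an added Python example that is not part of the blueprint; it also covers the attribute-to-profile mapping the Virtual Directory Service slide mentions. The records are the slide's constructed John Landers data (the "1234 Simeron Dr." profile is attributed to DMV here) plus one unrelated constructed record so that the matching is visibly selective. The linkage rule (same DOB, surname and city, and an address that agrees on either house number or street name) and the per-provider attribute allow-lists are assumptions for illustration; a production service would use a scored matcher and a policy store.

```python
import re
from collections import defaultdict

# Constructed records, one per source system, taken from the slide; "Y" flags
# are kept as the slide shows them. Maria Landers is an added unrelated record.
RECORDS = [
    {"source": "DMV", "Name": "John Landers", "Addr": "1234 Simeron Dr.", "City": "Sacramento",
     "DOB": "10/19/1970", "Gender": "M", "DL": "M123456", "Fingerprint": "Y"},
    {"source": "DOJ", "Name": "Jonathan Landers", "Addr": "1234 Cimarron Dr.", "City": "Sacramento",
     "DOB": "10/19/1970", "Passport": "12345678"},
    {"source": "DHCS", "Name": "John E. Landers", "Addr": "1324 Cimarron Dr.", "City": "Sacramento",
     "DOB": "10/19/1970", "SSN": "512-00-1234", "MedsId": "X3984P", "Birth Certificate": "Y"},
    {"source": "State Portal", "Name": "John Landers", "Addr": "1234 Cimarron Dr.", "City": "Sacramento",
     "DOB": "10/19/1970", "UserId": "jlanders"},
    {"source": "DMV", "Name": "Maria Landers", "Addr": "77 Elm St.", "City": "Sacramento",
     "DOB": "03/02/1985", "Gender": "F", "DL": "M654321"},
]

# Assumed Circle-of-Trust policy: which Identity Provider may read which
# master-profile attributes. SSN, MedsId and the document flags are withheld
# from the individual service, in the spirit of the slide's FEIN example.
ATTRIBUTE_ACCESS = {
    "Individual Identity Service": {"Name", "Addr", "City", "DOB", "Gender", "DL", "Passport", "UserId"},
    "State Employee Id Service": {"Name", "DOB", "UserId"},
}


def _surname(name):
    return name.split()[-1].lower()


def _street(addr):
    """Split '1234 Cimarron Dr.' into ('1234', 'cimarron'); suffix and case dropped."""
    m = re.match(r"\s*(\d+)\s+(.+?)\.?\s*$", addr)
    number, name = m.group(1), m.group(2).lower()
    return number, re.sub(r"\s+(dr|st|ave|rd|blvd)$", "", name)


def same_person(a, b):
    """Assumed linkage rule: identical DOB, surname and city, plus an address that
    agrees on house number or street name. This tolerates the slide's
    'Simeron'/'Cimarron' spelling and the '1234'/'1324' digit transposition."""
    if (a["DOB"], _surname(a["Name"]), a["City"]) != (b["DOB"], _surname(b["Name"]), b["City"]):
        return False
    num_a, street_a = _street(a["Addr"])
    num_b, street_b = _street(b["Addr"])
    return num_a == num_b or street_a == street_b


def resolve(records):
    """Cluster records into persons: transitive closure of same_person via union-find,
    so DMV and DHCS link through DOJ even though they do not match each other directly."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            if same_person(records[i], records[j]):
                parent[find(i)] = find(j)
    clusters = defaultdict(list)
    for i, r in enumerate(records):
        clusters[find(i)].append(r)
    return list(clusters.values())


def master_profile(cluster):
    """Merge one cluster into a master profile. Agreeing values collapse to a
    scalar; conflicting values keep every variant. The source system is dropped,
    so consumers cannot tell which agency supplied an attribute."""
    merged = defaultdict(list)
    for r in cluster:
        for k, v in r.items():
            if k != "source" and v not in merged[k]:
                merged[k].append(v)
    return {k: v[0] if len(v) == 1 else v for k, v in merged.items()}


def view_for(provider, profile):
    """Attribute-level access for an Identity Provider in the Circle of Trust."""
    allowed = ATTRIBUTE_ACCESS.get(provider)
    if allowed is None:
        raise PermissionError(f"{provider} is not in the Circle of Trust")
    return {k: v for k, v in profile.items() if k in allowed}


if __name__ == "__main__":
    for cluster in resolve(RECORDS):
        profile = master_profile(cluster)
        print(len(cluster), "records ->", view_for("Individual Identity Service", profile))
```

Keeping every conflicting variant rather than picking a winner is deliberate: the address and name discrepancies are exactly the signal the slide's "could enhance fraud detection" note refers to, and the Identity Provider, not the resolution service, is the place to decide which variant the user must confirm.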


Provisioning Users

Depends on the following policies:
Will there be a single truth for a given user?
Will all user attributes be in one location?
Will the State Portal handle some level of authentication?
Level of user opt-in
Trust model


Web Single Sign-On (SSO)

Circle of Trusts
Small number of Identity Providers
Based on SAML
Depends on security policies: additional attributes might be required; higher level authentication might be required
Reduced sign-on is probably achievable


Example Scenario: Individual User, State Portal (diagram)

Individual user wants to update an address.
Login page at the State Portal web app: UserId, Pwd, PIN (Level 1 or 2: UiD, Pwd, PIN)
State Portal passes the SAML assertion to the Basic Identity Service, which gets the policy (UserId, Pwd, PIN) from the Security Policy Service, checks the Authentication Repository, retrieves additional attributes from the Virtual Directory Service, and returns a SAML token via the Token Service
Web app looks up the Address Web Service in the Service Registry (UDDI V3, authenticate=yes; description, location, WSDL) and invokes it through the ESB (SOAP/SAML)
Service Provider is protected by a Policy Enforcement Point; the Service Certification Process publishes policies to the Security Policy Service; Provisioning

Only administrators in the Service Certification environment are allowed to insert/update/delete service policies. They act as proxies for the Web Service Providers. This limits the number of connections into the Security Policy Service.

Must be standards based. Vendor neutral, but supported by major vendors.


Example Scenario: Individual User, All Levels (diagram)

Individual user wants to update an address.
Login page at the State Portal web app: UserId, Pwd, PIN
Web app sends an authentication request (SOAP/SAML) to the Individual Identity Service, which gets the policy (UId, Pwd, PIN; auth type, level, attributes required) from the Security Policy Service, checks the Authentication Repository, retrieves additional attributes from the Virtual Directory Service, and returns a token from the Token Service
Web app looks up the Address Web Service in the Service Registry (UDDI V3, authenticate=yes; description, location, WSDL) and invokes it through the ESB (SOAP/SAML) via the Policy Enforcement Point
Address Web Service triggers the Address Changed Notification Service; Provisioning

Address Changed Notification Service would be a good candidate for a BPEL process.

Must be standards based. Vendor neutral, but supported by major vendors.


Example Scenario: Business Partner (diagram)

Business Partner wants to check Medi-Cal eligibility.
Login page at the Business Partner web app
Web app looks up the service in the State Enterprise Environment's Service Registry (UDDI V3; description, location, WSDL) and invokes it through the ESB (SOAP/SAML)
Policy Enforcement Point in front of the Service Provider (DHCS Meds Eligibility Web Service) consults the Identity Service, which gets the policy (BusID, EmpID, Meds Elig Role, Encrypted, Signed; auth type, level, attributes required) from the Security Policy Service; additional attributes are retrieved from the Virtual Directory Service; Meds data is returned

Note: Must be a trusted relationship between Identity Service, Security Policy Service, and Meds Eligibility Web Service.

Must be standards based. Vendor neutral, but supported by major vendors.


Governance Matrix


Roadmap (Q3 07 through Q4 08)

SOA & IdM vision
SOA Governance Group: adopt vision
Enterprise SOA & IdM roadmap
State CIO sets SOA & IdM policy
Enterprise SOA infrastructure
Enterprise identity management infrastructure
Individual Identity Service
State Employee Identity Service
County Employee Identity Service
Business Partner Identity Services
Provide interoperability standards
Establish service certification process
Make PKI decision
Recommendations for sustaining enterprise SOA
Publish standard SOA & IdM language

Timeline: Q3 07, Q4 07, Q1 08, Q2 08, Q3 08, Q4 08


Questions

Lee.Macklin@ceap.ca.gov 916-739-7637

