Tivoli Federated Identity Manager
Transcription
Tivoli Federated Identity Manager
Tivoli Federated Identity Manager Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic [email protected] IBM Software Day Vilnius 2009 IBM Software group Agenda • IBM strategy on IAA • What is a federation from a business perspective • How does it work • Web services severity identity propagation • Customer cases 2 IBM Software group Identity and Access Assurance Tivoli Capabilities • User provisioning & role management • Unified single-sign-on • Privileged user activity audit & reporting • Directory and integration services • Log Management • Self-service password reset • Identity Assurance / Strong authentication management 3 Benefits: Reduce help desk operating expenses Comply with regulations Improve user productivity Reduce risk from privileged insiders Respond quickly to business initiatives (e.g. new applications, M&A, restructuring) IBM Software group Getting started with Identity and Access Assurance Identity change (add/del/mod) Access policy evaluated Approvals gathered Accounts updated User Provisioning / Role Management Detect and correct local privilege settings Single Sign On Accounts on 70 different Accounts on 70 different types of systems managed. types of systems managed. Plus, In-House Systems & Plus, In-House Systems & portals portals Tivoli Identity Manager & Password Management Databases Operating Systems HR Systems/ Identity Stores ID stores Access Attestation (Human Resources, Customer Master, etc.) Accounts TIM Trusted Identity Store 4 2 John C. Doe Recertification Request 5 4 Sarah K. Smith Access Revalidated and Audited jcd0895 jdoe03 Sarah_s4 Business Applications nbody 3 Sarah’s Manager Networks & Physical Access Security log management & reporting 1 Authoritative Identity Source Applications ackerh05 doej smiths17 Cisco Secure ACS IBM Software group Agenda • What is a federation from a business perspective 5 IBM Software group Key Business Models Driving Federation Mergers and Acquisitions Success of a merger is often related to how quickly disparate systems can be integrated to meet the needs of the business. Collaboration between autonomous Business Units Many companies maintain separate autonomous business units for political, competitive, and regulatory reasons but still require cross-unit access for management and customers. Collaborative development with Partners Some organizations are working more with partners on new strategic developments, thereby increasing the need for federated access to partner systems. Employee access to Outsourced Services Costs of building and maintaining point-to-point solutions for access to 6 outsourced solutions can dilute benefits of outsourcing. IBM Software group Key Business Models Driving Federation (cont) Service Provider Automation Service providers can incur significant costs in managing user accounts across their customer base – federated technologies can dramatically reduce these costs. Government collaboration Government security based initiatives to gain access to law enforcement and a wide range of other personal data in a secure, efficient manner. Improved Corporate Governance Key issue with audit/compliance is management of external access to systems. 7 IBM Software group Federated Identity Management Federation Identity Provider IdP business agreem ents , technical agreem ents , and policy agreem ents Service Provider Service Provider SP Service Provider SP SP End to end user lifecycle management Objectives Lower Identity Management costs Improve user experience Provide end-to-end security and trust foundation for inter-organization application integration Leverages concept of a portable identity 8 Identity is “asserted” from a trusted third-party Passport Credit / ATM Card Drivers License IBM Software group What does IBM Tivoli Federated Identity Manager (TFIM) bring to table? Ability to handle identity/attribute transformation as part of token handling Ability to exchange token types as part of validation of request at edge Enables advanced “intermediary” type functionality Ability to do authorization decisions at abstract WSDL level Independent of WSDL binding Integrates with TAM Authorization Access allowed? (Yes/No) Protected Object Policies (e.g. Time of Day) Authorization Rules (authorization policies based on client attributes) Audit All of this in a standards-based manner! 9 IBM Software group Agenda • How does it work 10 IBM Software group TFIM Architecture Overview Federated Single Sign -On Secure user interaction Federated Web Services Secure application interaction Portal Web Portal App Web Portal App App ESB Web Application Gateway Federated Provisioning Provisioning System Provisioning System Database Trust infrastructure Business agreements Transport : S SL/TLS, WS -S ec Message : sign/ encrypt Tokens : sign /encrypt Technical implementation 11 Legal agreements O p e n S t a n d a r d s IBM Software group Identity Federation – SSO with OOB Acct Linking (cont) Mapping between identities is not defined by the specification. SAML 1.x use-case Source Web Site www.ibm.com svest|… Identity Provider ate c i t n the u A ntity 1. e d I ert s s 2. A Assertion svest …. Destination Web Site my.travel.com 3. A cces s Re sou rc e ? Service Provider Sven_Erik|… 12 IBM Software group Identity Federation – Attribute Federation Identity mapping based on some shared attribute SAML 1.x use-case Source Web Site www.ibm.com svest|[email protected]|… Identity Provider te ica t n e uth A tity . n 1 e Id ert s s 2. A Assertion Destination Web Site my.travel.com 3. A cces s Re sou rc e svest [email protected] m Service Provider Sven_Erik|[email protected]|… 13 IBM Software group A Quick, Practical Example — Partner Case Myportal.com HRservices.com HRservices.com 1 HTTPS 3 Access Manager End User 1. User logs on MyHR.com - TAMeb authenticates user, creates session 2 Trust Broker / Trust Service Kerberos, SAML, X.509v3 SSO Service Custom Tokens User Provisioning Service User x - TAMeb controls user access & session mgmt. Federated Identity Management Identity Broker Security Token Service 4 Myrecord Partner Key Mgmt 2. User clicks on third-party link Options.com - Link configured for Liberty, WS-Fed, or SAML TAM consults FIM 3. FIM initiates SSO with 3rd party site - FIM creates SSO Token user session SSO SAML Liberty WS-Federation 14 4. Options.com maps token to local identity *** User has transparent SSO to third-party *** IBM Software group Agenda • Web services severity identity propagation 15 IBM Software group Use Case – Services Integration Propagate identity: Cross domain/realm identity mapping and token transformation Reflect business relationships: Trust Management (for data, identity, etc) Protect business information Governance, Risk & Compliance Service Requesto r Business Service Enterprise Service Bus Service Requesto r Service Requesto r 16 Application Service Identity & Authentication Authorization & Privacy Confidentiality & Integrity Infrastructur e Service Partner Service IBM Software group TFIM Components for Web Services Security Management WebSphere Web Services Requests W ebSphere W eb Services Handler Client App WS App Key Encryption Signing Service TFIM W eb Services Trust Handler ISC TFIM Console Trust Service Trust STS Service Auth Service Access Manager Policy Server & Authorization Server 17 LDAP User Registry IBM Software group TFIM WSSM – Generic Design Overview Web Service Server/Gateway Security Token Application Admin TAM Admin SOAP Request SOAP Request Security Token /itfim-wssm token WS-Trust token FIM Admin /Container TFIM Runtime 18 module module module TFIM Trust Service on i t a riz o th u A /Service-1 /PortType /operation TAM Protected Object Space Web Services Security WSSM Token Module Processing /Container Loc al C rede ntia l User Directory/Datastore IBM Software group Web Service Security Management : Solution Architecture Company A User local ID Token •Identity Mapping •Attribute Mapping •Token Management •Authorization Control 19 Token Invoke Application local ID Token SOAP Request Web Security Server local ID •Identity Mapping •Attribute Mapping •Token Management •Authorization Control Web Service Application Internet •Web Service •Firewall •Gateway SOAP Request IBM Software group IBM Tivoli Federated Identity Manager Federated Single Sign-On Integration with IBM Tivoli Access Manager Supported Protocols: SAML 1.0 / 1.1 / 2.0 WS-Federation Liberty 1.1 / 1.2 Federated Web Services WS-Trust based integration with Enterprise Service Buses, XML Gateways Integration with WebSphere Application Server SOAP, JCA and JDBC integration SAML modules to allow WAS to generate/consume SAML assertions in WS- Security headers of SOAP message Evolving into Identity Propagation in SOA Federated Provisioning 20 Provides linking of local provisioning systems Supported Protocol: WS-Provisioning IBM Software group Agenda • Customer cases 21 IBM Software group SP Single Sign-On (tomgreat) TFIM/SAML1.1 Single Sign-On Links UID /U s er User Tom Bear Co (tb de/Pw ear ) dL ogi n Single Sign-On SAML1.1 (tombear) Customized n application rtio se s A SAML1.1 est, u q Customized Re Single Sign-On application (beartom) User Registry SSO Module Member Life Insurance B2C Portal n e rtio SAML1.1 t, Ass es qu Customized Re application IdP SAML1.1 Single Sign-On Customized Re ques t, As(tom_bear) application s er tion IN TER N ET SP User Registry Member Bank My Bank SSO Module IN TER N ET SSO Module Financial Services Company RichPortal User Registry TFIM/SAML1.1 Re qu Single Sign-On e st , A (bear123) sse rtio n SP SSO Module q Re n r tio se As st, ue User Registry Member Securities My Securities SP User Registry Member Futures My Futures SSO Module SP User Registry SSO Architecture 22 SSO Module Member Securities Investment Trust MySIT IBM Software group Internet Logon – TFIM Solution TDS Mgmt Zone TFIM SPS TFIM STS SAML 2.0 4 1 Internet User 5 WebSeal 3 2 6 KBS MOSS KBS WEB AD Internet DMZ SAML 2.0 Internet Zone SIGNICAT Web Server Zone 1. User accesses protected page – no session defined 2. Reroute to Signincat 3. Signicat authenticates user and sends SAML 2.0 encrypted assertion through browser picked up by WebSeal 4. Single Protocol Service - TFIM called to create HTTP HDR based on SAML 2.0 assertions 5. Single Token Service – WS-Trust used to create KBS token 23 6. Request sent to Moss with correct KBS token IBM Software group SOA Security Overview TAM Policy Server TFIM Server TDS Custom ers (Mas ter) Em ployees Management Zone Internet User Partner Application Reverse Proxy Web Services Security Gateway Internet DMZ Intranet User (employee or Agent) MOSS 2007 portal framework Other Clients e.g. Z/OS Intranet AD Z/OS Z/OS Z/OS Intranet Zone Web Server Zone 24 Em ployees (Mas ter) Custom ers Em ployees Business Service WebSeal Reverse Proxy WEB AD Integration layer Internet Zone WebSeal Service Zone .. . . Backend Zone IBM Software group Does This Also Help with Compliance? You bet. One of the hardest compliance issues to solve is: “Prove to me that your external users still need access to the current system, including all their current privileges.” 25 Questions ? IBM Software group 27 IBM Software group Trust Service Composed of Module Chains module 3 module module chain-1 module Select Chain based on: 2 1. properties of STS message 2. trust service configuration module module Which Chain? STS message module module chain-2 1 web service interface <RequestType>, <Issuer>, <AppliesTo>, <TokenType> = module instance 28 module module RequestSecurityToken elements: module module chain-3