Deutsche Telekom's SOA Reference Model for Identity & Access Management (Das SOA-Referenzmodell Identity & Access Management der Deutschen Telekom)

Deutsche Telekom Laboratories / T-Systems Enterprise Services GmbH

Bitkom: SOA & Security, 12.03.2008


March 12th, 2008

Dietmar Krüger / Dr. Bert Klöppel

Agenda.

1 Introduction
2 AAA & IdM Reference Architecture
2.1 Essentials
2.2 Digest of Concepts
3 Characteristic SOA Security Questions
4 AAA & IdM Reference Architecture based Answers
5 Conclusions


Introduction – SOA and Security. The T-Systems Approach.

A secure SOA solution combines general SOA architecture/governance rules, security and project demands. Our approach: a generally independent process model for SOA and security, with project-specific fusion.

[Figure: the T-Systems SOA Process Model (Analysis, Conception, Transformation, Retire, with Governance and Security as cross-cutting concerns), combined with Project Demands and the AAA & IdM Reference Architecture, yields a Secure SOA Solution]


AAA & IdM Reference Architecture – Essentials. Challenges. Identity silos with poor interoperability.

[Figure: Service Provider Domains A and B (mobile applications/digital content with SIM card authentication; web applications/digital content with ISP network access) and Network Access Provider Domains A and B (ISP access, 3G access, roaming, streaming). Each silo keeps its own contracts, privacy settings, roles, cost control, identities, preferences, access rights and credentials.]

AAA & IdM Reference Architecture – Essentials. Challenges from the user perspective. Identity fragmentation, plethora of passwords and identity theft.

[Figure: courtesy of Francis Shanahan (http://www.francisshanahan.com/detail.aspx?cid=641)]

AAA & IdM Reference Architecture – Essentials. Challenge from the business perspective. Mergers & acquisitions, reorganizations and changing business alliances.

[Figure: domain-centric Identity Management (separate corporations, no interoperability) versus Federated Identity Management (corporations in a Circle of Trust (CoT) sharing SSO, SLO and attributes)]

AAA & IdM Reference Architecture – Essentials. Mission: provide guidance and blueprints for seamless and overarching AAA & IdM functionalities by means of defining an AAA & IdM Reference Architecture.

[Figure: the AAA & IdM Reference Architecture spans Service Provider Domains A/B and Network Access Provider Domains A/B (mobile applications/digital content, SIM card authentication, web applications/digital content, ISP network access) and provides Federation, Single Sign On/Off, Identity Management, Privacy, Attribute Exchange, Authentication, Accounting/Charging and Authorization across them]

AAA & IdM Reference Architecture – Essentials. Reference Model & Reference Architecture. Terminology.

[Figure: from Guidance to Realization: one Reference Model (conceptual guidance) → several Reference Architectures (domain specific derivations) → Software Architectures (technology specific derivations) → System Implementations]

Reference Model: abstract framework with a minimal set of unifying concepts, axioms and relationships. Independent of standards, technologies, implementations and details (acc. to OASIS).

Reference Architecture: generalized architecture of several end systems that share one or more commonalities. Defines infrastructure, components, interfaces and proposes technologies and standards (acc. to Carnegie Mellon University, Software Engineering Institute).

Software Architecture: structure of systems, which comprise software elements, the externally visible properties of those elements and the relationship among them (acc. to Carnegie Mellon University, Software Engineering Institute).

AAA & IdM Reference Architecture – Essentials. Reference Model: AAA & IdM Ecosystem.

[Figure: functions of the ecosystem: Authentication, Authorization, Identity Management, Identity Provisioning, Identity Auditing, Accounting and Charging. Roles: Principal, Relying Party, Identity Provider, Attribute Provider, Authentication Authority, Authorization Authority, Accounting Provider, Charging Provider, Identity Provisioning Provider, Identity Auditing Provider]


AAA & IdM Reference Architecture – Concepts. Simplified version.

[Figure: the User Agent (Principal) accesses a Relying Party, which performs Authentication Enforcement and Authorization Enforcement. The AAA & IdM Infrastructure behind it comprises the Identity Provider (Authentication Validation), Authorization Decision, Accounting Provider, Charging Provider, Identity Provisioning, Identity Auditing and Attribute Provider]

AAA & IdM Reference Architecture – Concepts. Some selected concepts with regard to Service oriented Architectures.

[Figure: the same simplified architecture diagram (User Agent (Principal), Relying Party with Authentication/Authorization Enforcement, AAA & IdM Infrastructure with Identity Provider, Authentication Validation, Authorization Decision, Accounting Provider, Charging Provider, Identity Provisioning, Identity Auditing, Attribute Provider)]

AAA & IdM Reference Architecture – Concepts. Trust: Security Tokens, Claims & Assertions.

The security token, carrying information about someone together with its issuer, is the basic building block of an IdM & AAA infrastructure. It can be distributed over any fixed or mobile network and interchanged between network and service layer without further requirement on security; the receiving party performs trust validation of the issuer. Technologies: X.509/PKI, Kerberos, SAML, WS-Trust (Security Token Service).

[Figure: the simplified architecture diagram with the Security Token Service, Trust Validation and a Security Token (Issuer, Information about someone) overlaid]

AAA & IdM Reference Architecture – Concepts. Delegated authorization based on attributes.

The AuthZ Decision is taken based on an AuthZ Policy and on user attributes (user session, user AuthN context, user entitlements), resource attributes and context attributes. The decision is packaged as a security token (AuthZ Decision) and can be distributed to other parties, which rely on it as an AuthZ delegation token. Standards: OASIS XACML & SAML, other policy languages, WS-Trust.

[Figure: the simplified architecture diagram with the AuthZ Policy and its attribute inputs feeding the Authorization Decision, and the resulting Security Token (AuthZ Decision) handed to the Relying Party as an AuthZ delegation token]

AAA & IdM Reference Architecture – Concepts. Access control requires consistent and accurate identity data.

Identity Provisioning supplies accurate and up-to-date identity information according to a provisioning policy (OASIS SPML): identities, personas and profiles, identity attributes, AuthN credentials, entitlements, and AuthN, AuthZ and privacy policies. Federation & SSO reuse this identity information by means of security tokens (with identity information), which in turn feed the delegated AuthZ Decision (Security Token (AuthZ Decision)).

[Figure: the simplified architecture diagram with Identity Provisioning (Provisioning Policy, OASIS SPML) feeding the Identity Provider, Attribute Provider and Authorization Decision, and security tokens carrying identity information to the Relying Party]


A typical SOA Architecture and Security. A collaborative SOA approach, based on a typical large scale architecture.

Complex and structured enterprise architecture for a global business partner. SOA access from various independent external partners via the internet. Possible multi-location service delivery.

[Figure: one service location with Portal, Reverse Proxy, WS Gateway and local ESB, attached to the global ESB]

SOA and Security – Questions (1). Details inside one global service location.

[Figure: zones of one service location: Internet → DMZ (Reverse Proxy, WS Gateway) → Portal zone (Portal, BPEE, App. 1, App. 2) → ESB zone (ESB, e.g. MQ; BAM; Repository with Transformation (e.g. XSLT), Functional Descr., Non-Func. Descr. and Security Rules; Wrapper) → Application zone (with its own Security Rules), Database zone (DWH, Client DB) and Legacy zone (Legacy Systems); Security Service zone with Directory Service, Authentication Service, Token Service and Policy Server. Callouts: 1. security information within the repository, 2. repository and security directory, 3. security questions within the app-zone]

1. Which security information is required within the service repository and how should this information be structured?

2. How should security information be shared between the security directory and the service repository? Which system should be the leading one?

3. Which security is necessary within the service providers? Do we need some additional security architecture structures there? (see question #3 and the following scenario)

A typical SOA Architecture and Security. A collaborative SOA approach, based on a typical large scale architecture.

[Figure: two service locations, each with Portal, Reverse Proxy, WS Gateway and local ESB, connected through the global ESB]

SOA and Security – Questions (2). Questions about global multi domain service delivery.

4. Security between global domains: which security rules should be applied between different regional locations (domains) of one global service provider?

5. Security and global service finding: which security rules should be applied during the global service discovery? How should this task be distributed between the global ESB modules (e.g. repositories, content based security, service implementation)?

6. Replication of security repository: which distribution policy and rules should be applied for the global security information (within the repositories and the security dictionaries)?


SOA and Security – Answers. Based on the AAA & IdM Reference Architecture.

[Figure: the zone diagram of one service location (Internet, DMZ with Reverse Proxy and WS Gateway, Portal zone, ESB zone with Repository, Application zone, Database zone, Legacy zone, Security Service zone with Directory Service, Authentication Service, Token Service and Policy Server)]

SOA and Security – Answers. Usage of security tokens.

The security token (issuer, information about someone) is the basic building block of an IdM & AAA infrastructure: it can be distributed over any fixed or mobile network and interchanged between network and service layer without further requirement on security.

[Figure: the zone diagram with the Security Token Service, Identity Provider, Authentication Authority and Attribute Provider overlaid on the Security Service zone, the Principal (User Agent) on the internet side, and the Security Token (Issuer, Information about someone) passed between them]

SOA and Security – Answers. Authorization based on policies and security tokens.

Flexible and scalable access control for all kinds of resources (e.g. portal, WS gateway, applications, engines), based on authorization policies and security tokens.

[Figure: the zone diagram with three Relying Party / Authorization Enforcement points, one Authorization Decision point with its Authorization Policies, and the Security Token (Issuer, Information about someone) carrying the decision to the enforcement points]
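The delegated AuthZ decision of the concepts section and the policy-and-token based access control shown here, as an added example that is not part of the deck: a hypothetical authorization authority evaluates a simplified attribute-based policy (a stand-in for the XACML the slides name, not XACML itself) over user, resource and context attributes, packages the decision as an HMAC-signed security token, and a relying party's enforcement point validates issuer, signature, expiry and action/resource binding before honouring it. Issuer name, key, policy rules and attribute values are constructed for the example; the shared HMAC key stands in for the X.509/PKI signatures the deck lists.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical issuer playing the deck's "Authorization Decision" role;
# relying parties only perform "Authorization Enforcement".
ISSUER = "authz-authority.example"                       # constructed name
ISSUER_KEY = b"constructed-demo-key-not-for-production"  # constructed secret

# Constructed attribute-based policy, a simplified stand-in for XACML: a rule
# permits an action when all listed user, resource and context attributes match.
POLICY = [
    {"action": "read", "user": {"role": "analyst"},
     "resource": {"zone": "application"}, "context": {"channel": "intranet"}},
    {"action": "write", "user": {"role": "admin"},
     "resource": {"zone": "application"}, "context": {}},
]

def _matches(required, actual):
    return all(actual.get(k) == v for k, v in required.items())

def decide(action, user, resource, context):
    """Authorization decision: Permit if any rule's conditions all hold, else Deny."""
    for rule in POLICY:
        if (rule["action"] == action and _matches(rule["user"], user)
                and _matches(rule["resource"], resource)
                and _matches(rule["context"], context)):
            return "Permit"
    return "Deny"  # deny by default

def issue_decision_token(subject, action, resource_id, decision, ttl=300, now=None):
    """Package a decision as a signed security token bound to one action/resource."""
    now = time.time() if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "act": action, "res": resource_id,
              "decision": decision, "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def enforce(token, action, resource_id, trusted_issuers, now=None):
    """Authorization enforcement at a relying party: trust validation first,
    then honour the delegated decision only for the action/resource it names."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):  # reject before parsing claims
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed token (split, base64 or JSON failure)
        return False
    if claims.get("iss") not in trusted_issuers or claims.get("exp", 0) <= now:
        return False
    if claims.get("act") != action or claims.get("res") != resource_id:
        return False  # a token for one resource must not be replayed against another
    return claims.get("decision") == "Permit"
```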

SOA and Security – Answers. Provisioning of accurate and consistent security data.

Accurate & up-to-date provisioning of identity information and security policies enables secure service delivery based on reliable security tokens.

[Figure: the zone diagram with Identity Provisioning feeding Authorization Policies, Entitlements, Authentication Policies, Identities, Profiles, Identity Attributes and Authentication Credentials to the Security Token Service, Identity Provider, Authentication Authority, Attribute Provider and Authorization Decision, which issue the Security Token (Issuer, Information about someone)]

SOA and Security – Answers. Put it all together ...

[Figure: the zone diagram with all overlays combined: the Principal (User Agent); Relying Party / Authorization Enforcement points; Authorization Decision with Authorization Policies; Security Token Service, Identity Provider, Authentication Authority and Attribute Provider issuing the Security Token (Issuer, Information about someone); Identity Provisioning of Authentication Policies, Authentication Credentials, Identities, Profiles, Identity Attributes, Authorization Policies and Entitlements]

… and you are close to an Enterprise Identity Bus supporting IdM and AAA as a Service.

SOA and Security – Answers. The good news is, it works in global multi domain service delivery too ...

[Figure: Identity Provisioning, the Security Token (Issuer, Information about someone) and Relying Party / Authorization Enforcement across several domains]

… due to the characteristics of the security token.



Conclusions.

A well designed security architecture within the enterprise’s SOA application zone eases transition into global scale ESB implementations (e.g. due to reorganizations, changing business alliances, mergers and acquisitions).

The security architecture must be flexible and scalable due to SOA’s characteristics of fine-grained services with a multiplicity of interfaces.

SOA requires an “Enterprise Identity Bus” approach supporting identity management, authentication and authorization as services (IdM & AAA as a Service).

Originally, the AAA & IdM reference architecture was developed independently of SOA in order to be applicable in almost every context (e.g. Telco, Web 2.0). However, SOA and the AAA & IdM reference architecture match perfectly.


Contacts.

Dietmar Krüger, T-Systems Enterprise Services, [email protected], +49 30 3497 3108

Dr. Bert Klöppel, T-Systems Enterprise Services, [email protected], +49 561 5893 430

Jörg Heuer, Deutsche Telekom, [email protected], +49 30 83535 8422