ECS401: Cryptography and Network Security: Module 5: Authentication Protocols

This lecture discusses identity management and authentication protocols. It covers federal identity management, identity management principles like single sign-on, and identity federation across multiple enterprises. Identity management aims to define identities, associate attributes, and enforce authentication. Key elements are authentication, authorization, provisioning, and attribute services. Identity federation allows identities and attributes to be securely shared across separate security domains through interoperable standards and trust relationships.

Uploaded by: Shabnam Smile

ECS401: Cryptography and Network Security
Module 5: Authentication Protocols

Lecture 46
Outline of the lecture
• Federal Identity Management
• Identity Management
• Identity Federation
• Standards
• Example 1
• Example 2
• Example 3


Federal Identity Management

Federated identity management is a relatively new concept dealing with the use of a common identity management scheme across multiple enterprises and numerous applications and supporting many thousands, even millions, of users.

Identity Management

Identity management is a centralized, automated approach to provide enterprisewide access to resources by employees and other authorized individuals.

The focus of identity management is defining an identity for each user (human or process), associating attributes with the identity, and enforcing a means by which a user can verify identity.

The central concept of an identity management system is the use of single sign-on (SSO). SSO enables a user to access all network resources after a single authentication.
Identity Management

Principal elements of an identity management system are as follows:

• Authentication: Confirmation that a user corresponds to the user name provided.
• Authorization: Granting access to specific services and/or resources based on the authentication.
• Accounting: A process for logging access and authorization.
• Provisioning: The enrollment of users in the system.
• Workflow automation: Movement of data in a business process.
• Delegated administration: The use of role-based access control to grant permissions.
• Password synchronization: Creating a process for single sign-on (SSO) or reduced sign-on (RSO). Single sign-on enables a user to access all network resources after a single authentication. RSO may involve multiple sign-ons but requires less user effort than if each resource and service maintained its own authentication facility.
• Self-service password reset: Enables the user to modify his or her password.
• Federation: A process where authentication and permission will be passed on from one system to another—usually across multiple enterprises, thereby reducing the number of authentications needed by the user.
Identity Management

Figure 1 illustrates entities and data flows in a generic identity management architecture. A principal is an identity holder. Typically, this is a human user that seeks access to resources and services on the network. User devices, agent processes, and server systems may also function as principals.

Principals authenticate themselves to an identity provider. The identity provider associates authentication information with a principal, as well as attributes and one or more identifiers.

Increasingly, digital identities incorporate attributes other than simply an identifier and authentication information (such as passwords and biometric information).

Figure 1: Generic Identity Management Architecture
Identity Management

An attribute service manages the creation and maintenance of such attributes (passwords and biometric information). For example, a user needs to provide a shipping address each time an order is placed at a new Web merchant, and this information needs to be revised when the user moves. Identity management enables the user to provide this information once, so that it is maintained in a single place and released to data consumers in accordance with authorization and privacy policies. Users may create some of the attributes to be associated with their digital identity, such as an address.

Administrators may also assign attributes to users, such as roles, access permissions, and employee information.

Data consumers are entities that obtain and employ data maintained and provided by identity and attribute providers, which are often used to support authorization decisions and to collect audit information. For example, a database server or file server is a data consumer that needs a client’s credentials so as to know what access to provide to that client.
Identity Federation

Identity federation is, in essence, an extension of identity management to multiple security domains. Such domains include autonomous internal business units, external business partners, and other third-party applications and services.

The goal is to provide the sharing of digital identities so that a user can be authenticated a single time and then access applications and resources across multiple domains.

Because these domains are relatively autonomous or independent, no centralized control is possible. Rather, the cooperating organizations must form a federation based on agreed standards and mutual levels of trust to securely share digital identities.
Identity Federation

Federated identity management refers to the agreements, standards, and technologies that enable the portability of identities, identity attributes, and entitlements across multiple enterprises and numerous applications and supporting many thousands, even millions, of users.

When multiple organizations implement interoperable federated identity schemes, an employee in one organization can use a single sign-on to access services across the federation with trust relationships associated with the identity.

For example, an employee may log onto her corporate intranet and be authenticated to perform authorized functions and access authorized services on that intranet. The employee could then access their health benefits from an outside health-care provider without having to reauthenticate.
Identity Federation

Beyond SSO, federated identity management provides other capabilities.

One is a standardized means of representing attributes. Increasingly, digital identities incorporate attributes other than simply an identifier and authentication information (such as passwords and biometric information). Examples of attributes include account numbers, organizational roles, physical location, and file ownership.

A user may have multiple identifiers; for example, each identifier may be associated with a unique role with its own access permissions.
Identity Federation

Another key function of federated identity management is identity mapping. Different security domains may represent identities and attributes differently. Further, the amount of information associated with an individual in one domain may be more than is necessary in another domain. The federated identity management protocols map identities and attributes of a user in one domain to the requirements of another domain.

Figure 2 illustrates entities and data flows in a generic federated identity management architecture.

Figure 2: Federated Identity Operation
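The two mechanisms just described, an attribute service that releases attributes to data consumers only "in accordance with authorization and privacy policies" (slide 8) and identity mapping that translates a user's identity and attributes into what another domain actually requires, can be shown in code. The following Python block is an added example written for this page; it is not code from the lecture or from any product. The Workplace.com identity record, the partner domain names, the release policies and the pairwise secret are all constructed for illustration. It maps one rich local identity to the minimal attribute set each partner is entitled to, renames attributes and translates value vocabularies into the partner's terms, and derives a pairwise pseudonymous identifier per partner so that two partners cannot correlate the same user by comparing the identifiers they receive.

```python
import hashlib
import hmac

# Constructed sample: the full record Workplace.com holds for one employee.
# Every name and value here is invented for this example.
WORKPLACE_IDENTITY = {
    "employee_id": "E-10447",
    "name": "Alice Example",
    "email": "alice@workplace.example",
    "department": "Engineering",
    "job_code": "ENG-2",
    "salary_band": "B4",
    "home_address": "1 Example Street, Springfield",
    "benefits_plan": "PLAN-GOLD",
}

# Hypothetical per-partner release policy: which local attributes a partner domain is
# entitled to, the attribute name it expects, and how local values translate into the
# partner's vocabulary. Anything not listed is never released to that partner.
PARTNER_POLICIES = {
    "health.example": {
        "required": {"name": "displayName", "benefits_plan": "plan"},
        "optional": {"home_address": "mailingAddress"},
        "value_maps": {"plan": {"PLAN-GOLD": "G", "PLAN-SILVER": "S"}},
    },
    "partssupplier.example": {
        "required": {"job_code": "role"},
        "optional": {},
        "value_maps": {"role": {"ENG-1": "engineer", "ENG-2": "engineer", "PUR-1": "purchaser"}},
    },
}

# Constructed secret held only by the identity provider; used to derive pairwise identifiers.
PAIRWISE_SECRET = b"workplace-pairwise-secret-for-demo"


def pairwise_identifier(local_id: str, partner: str) -> str:
    """Identifier that is stable for one (user, partner) pair but differs between partners,
    so two partners cannot link the same user by comparing the identifiers they receive."""
    mac = hmac.new(PAIRWISE_SECRET, f"{partner}\0{local_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def map_identity(identity: dict, partner: str) -> dict:
    """Translate a local identity record into exactly what `partner` is entitled to receive."""
    if partner not in PARTNER_POLICIES:
        raise PermissionError(f"no release policy for {partner}; nothing is released")
    policy = PARTNER_POLICIES[partner]
    mapped = {"subject": pairwise_identifier(identity["employee_id"], partner)}
    for src, dst in policy["required"].items():
        if src not in identity:
            raise KeyError(f"attribute {src!r} required by {partner} is missing locally")
        mapped[dst] = identity[src]
    for src, dst in policy["optional"].items():
        if src in identity:
            mapped[dst] = identity[src]
    # Translate local value vocabularies (e.g. internal job codes) into the partner's terms;
    # a value with no partner equivalent is an error rather than something passed through.
    for attr, table in policy["value_maps"].items():
        if attr in mapped:
            if mapped[attr] not in table:
                raise ValueError(f"no {partner} equivalent for {attr}={mapped[attr]!r}")
            mapped[attr] = table[mapped[attr]]
    return mapped


if __name__ == "__main__":
    for partner in PARTNER_POLICIES:
        print(partner, map_identity(WORKPLACE_IDENTITY, partner))
```

Note that the salary band, department and e-mail never leave Workplace.com under either policy, and that an unknown partner or an untranslatable value is refused rather than released: the default is to release nothing.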
Identity Federation

• The identity provider acquires attribute information through dialogue and protocol exchanges with users and administrators.
• For example, a user needs to provide a shipping address each time an order is placed at a new Web merchant, and this information needs to be revised when the user moves.
• Identity management enables the user to provide this information once, so that it is maintained in a single place and released to data consumers in accordance with authorization and privacy policies.
• Service providers are entities that obtain and employ data maintained and provided by identity providers, often to support authorization decisions and to collect audit information.
• For example, a database server or file server is a data consumer that needs a client’s credentials so as to know what access to provide to that client.
• A service provider can be in the same domain as the user and the identity provider. The power of this approach is for federated identity management, in which the service provider is in a different domain (e.g., a vendor or supplier network).
Standards

Federated identity management uses a number of standards as the building blocks for secure identity exchange across different domains or heterogeneous systems. In essence, organizations issue some form of security tickets for their users that can be processed by cooperating partners.

Identity federation standards are thus concerned with defining these tickets, in terms of content and format, providing protocols for exchanging tickets and performing a number of management tasks. These tasks include configuring systems to perform attribute transfers and identity mapping, and performing logging and auditing functions.

The principal underlying standard for federated identity is the Security Assertion Markup Language (SAML), which defines the exchange of security information between online business partners. SAML conveys authentication information in the form of assertions about subjects. Assertions are statements about the subject issued by an authoritative entity.

SAML is part of a broader collection of standards being issued by OASIS (Organization for the Advancement of Structured Information Standards) for federated identity management. For example, WS-Federation enables browser-based federation; it relies on a security token service to broker trust of identities, attributes, and authentication between participating Web services.

The challenge with federated identity management is to integrate multiple technologies, standards, and services to provide a secure, user-friendly utility. The key, as in most areas of security and networking, is the reliance on a few mature standards widely accepted by industry. Federated identity management seems to have reached this level of maturity.
Example 1

To get some feel for the functionality of identity federation, we look at three scenarios:

In the first scenario (Figure 3(a)), Workplace.com contracts with Health.com to provide employee health benefits.

An employee uses a Web interface to sign on to Workplace.com and goes through an authentication procedure there. This enables the employee to access authorized services and resources at Workplace.com.

The two organizations are part of a federation that cooperatively exchanges user identifiers. Health.com maintains user identities for every employee at Workplace.com and associates with each identity health benefits information and access rights.

When the employee clicks on a link to access health benefits, her browser is redirected to Health.com. At the same time, the Workplace.com user software passes the user’s identifier to Health.com in a secure manner.

In this example, the linkage between the two companies is based on account information and user participation is browser based.

Figure 3 (a): Federation based on account linking
Example 2 (Federated Identity Scenarios)

Figure 3(b) shows a second type of browser-based scheme. PartsSupplier.com is a regular supplier of parts to Workplace.com. In this case, a role-based access control (RBAC) scheme is used for access to information.

An engineer of Workplace.com authenticates at the employee portal at Workplace.com and clicks on a link to access information at PartsSupplier.com. Because the user is authenticated in the role of an engineer, he is taken to the technical documentation and troubleshooting portion of PartsSupplier.com’s Web site without having to sign on.

Similarly, an employee in a purchasing role signs on at Workplace.com and is authorized, in that role, to place purchases at PartsSupplier.com without having to authenticate to PartsSupplier.com.

For this scenario, PartsSupplier.com does not have identity information for individual employees at Workplace.com. Rather, the linkage between the two federated partners is in terms of roles.

Figure 3 (b): Federation based on roles
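The Standards slide describes the security ticket an authoritative entity issues about a subject and a partner processes, and the scenario above describes a partner that holds no per-user identities and decides purely on the asserted role. The Python block below is an added example, not code from the lecture, and it joins the two: an identity provider issues a signed, role-bearing assertion scoped to one audience and a short validity window, and the service provider runs every check a relying party has to make before opening a session from it. The organization names, the role-to-resource policy and the key are constructed; a key shared pairwise between the two partners stands in here for the XML signature a real SAML assertion carries, which the service provider would verify against the issuer's certificate obtained out of band.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed: one key per (identity provider, service provider) federation pair. It stands
# in for the signing key behind a SAML assertion's XML signature; a real IdP signs with its
# private key and the SP verifies against the IdP's certificate obtained out of band.
FEDERATION_KEYS = {
    ("workplace.example", "partssupplier.example"): b"demo-key-workplace-to-partssupplier",
}

# Hypothetical PartsSupplier.com policy: what each role may reach. There is no per-user
# identity store here, only roles, which is the point of the Figure 3(b) scenario.
ROLE_PERMISSIONS = {
    "engineer": {"technical-docs", "troubleshooting"},
    "purchaser": {"place-order", "order-status"},
}


def _sign(key: bytes, claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, audience: str, role: str, now=None, lifetime=300) -> dict:
    """Identity provider side: assert that a user authenticated at `issuer` holds `role`.
    The assertion is bound to one audience and one short validity window and carries a
    unique id so the service provider can refuse to accept it a second time."""
    now = int(time.time() if now is None else now)
    claims = {
        "id": secrets.token_hex(8),
        "issuer": issuer,
        "audience": audience,
        "role": role,
        "issued_at": now,
        "expires_at": now + lifetime,
    }
    return {"claims": claims, "signature": _sign(FEDERATION_KEYS[(issuer, audience)], claims)}


class ServiceProvider:
    def __init__(self, name: str):
        self.name = name
        self.consumed_ids = set()  # assertion ids already used to open a session

    def verify(self, assertion: dict, now=None) -> dict:
        """Every check a relying party must make before trusting a ticket from a partner."""
        now = time.time() if now is None else now
        claims = assertion["claims"]
        key = FEDERATION_KEYS.get((claims.get("issuer"), self.name))
        if key is None:
            raise PermissionError("issuer is not a federation partner of this provider")
        if not hmac.compare_digest(_sign(key, claims), assertion["signature"]):
            raise PermissionError("signature does not match the claims")
        if claims["audience"] != self.name:
            raise PermissionError("assertion was issued for a different audience")
        if not claims["issued_at"] <= now < claims["expires_at"]:
            raise PermissionError("assertion expired or not yet valid")
        if claims["id"] in self.consumed_ids:
            raise PermissionError("assertion already consumed (replay)")
        self.consumed_ids.add(claims["id"])
        return claims

    def establish_session(self, assertion: dict, now=None) -> set:
        """Consume the assertion once and return the resources the asserted role may use."""
        claims = self.verify(assertion, now)
        return set(ROLE_PERMISSIONS.get(claims["role"], ()))


if __name__ == "__main__":
    sp = ServiceProvider("partssupplier.example")
    ticket = issue_assertion("workplace.example", "partssupplier.example", "engineer")
    print(sorted(sp.establish_session(ticket)))
```

The order of the checks matters: issuer trust and signature come first so that no unauthenticated field (audience, times, role) is ever acted on, and the assertion id is recorded only after everything else passes, so a rejected assertion does not poison the replay cache.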
Example 3

The scenario illustrated in Figure 3 (c) can be referred to as document based rather than browser based.

In this third example, Workplace.com has a purchasing agreement with PinSupplies.com, and PinSupplies.com has a business relationship with E-Ship.com.

An employee of WorkPlace.com signs on and is authenticated to make purchases. The employee goes to a procurement application that provides a list of WorkPlace.com’s suppliers and the parts that can be ordered.

The user clicks on the PinSupplies button and is presented with a purchase order Web page (HTML page). The employee fills out the form and clicks the submit button.
Example 3

The procurement application generates an XML/SOAP document that it inserts into the envelope body of an XML-based message. The procurement application then inserts the user’s credentials in the envelope header of the message, together with Workplace.com’s organizational identity.

The procurement application posts the message to PinSupplies.com’s purchasing Web service. This service authenticates the incoming message and processes the request.

The purchasing Web service then sends a SOAP message to its shipping partner to fulfill the order. The message includes a PinSupplies.com security token in the envelope header and the list of items to be shipped as well as the end user’s shipping information in the envelope body.

The shipping Web service authenticates the request and processes the shipment order.

Figure 3 (c): Chained Web services
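The chain of messages above, as an added example in Python that is not part of the lecture: each hop builds a SOAP 1.1 style envelope with the business document in the Body and the credentials in the Header, and each receiving service authenticates the message before acting on it. The three organization names, the purchase order fields and the per-hop keys are constructed; an HMAC keyed per business relationship stands in for the WS-Security signature a deployment would use. The token in the Header covers the sender's organizational identity and a digest of the Body, so a valid token cannot be reused over a different document. The second hop shows what chaining means in practice: PinSupplies.com authenticates Workplace.com's order and then issues its own message under its own token, forwarding only the shipping data, so the end user's credentials never reach E-Ship.com.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ET.register_namespace("soap", SOAP_NS)

# Constructed: one shared key per hop of the chain. These back the Workplace.com
# credentials in the first header and the PinSupplies.com security token in the second;
# a deployment would use WS-Security signatures keyed by X.509 certificates instead.
HOP_KEYS = {
    ("workplace.example", "pinsupplies.example"): b"demo-key-workplace-to-pinsupplies",
    ("pinsupplies.example", "eship.example"): b"demo-key-pinsupplies-to-eship",
}


def _soap(local: str) -> str:
    return f"{{{SOAP_NS}}}{local}"


def _body_digest(document: ET.Element) -> str:
    # Canonical form of the business document: element name and text, in document order.
    canonical = "\n".join(f"{child.tag}={child.text}" for child in document)
    return hashlib.sha256(canonical.encode()).hexdigest()


def _token(key: bytes, org: str, subject: str, digest: str) -> str:
    return hmac.new(key, f"{org}|{subject}|{digest}".encode(), hashlib.sha256).hexdigest()


def build_message(sender: str, receiver: str, subject: str, fields: dict) -> bytes:
    """Business document in the Body, credentials in the Header. The token covers the
    sender's organizational identity, the subject and a digest of the Body."""
    envelope = ET.Element(_soap("Envelope"))
    header = ET.SubElement(envelope, _soap("Header"))
    body = ET.SubElement(envelope, _soap("Body"))
    document = ET.SubElement(body, "Document")
    for name, value in fields.items():
        ET.SubElement(document, name).text = value
    digest = _body_digest(document)
    security = ET.SubElement(header, "Security")
    ET.SubElement(security, "Organization").text = sender
    ET.SubElement(security, "Subject").text = subject
    ET.SubElement(security, "BodyDigest").text = digest
    ET.SubElement(security, "Token").text = _token(HOP_KEYS[(sender, receiver)], sender, subject, digest)
    return ET.tostring(envelope)


def receive_message(receiver: str, raw: bytes):
    """Authenticate an incoming envelope at `receiver`; return (sender, subject, fields)."""
    envelope = ET.fromstring(raw)
    security = envelope.find(f"{_soap('Header')}/Security")
    document = envelope.find(f"{_soap('Body')}/Document")
    if security is None or document is None:
        raise PermissionError("envelope lacks a Security header or a Document body")
    sender = security.findtext("Organization")
    subject = security.findtext("Subject")
    key = HOP_KEYS.get((sender, receiver))
    if key is None:
        raise PermissionError(f"{sender!r} has no business relationship with {receiver}")
    digest = _body_digest(document)
    if digest != security.findtext("BodyDigest"):
        raise PermissionError("Body does not match the digest the token was issued over")
    expected = _token(key, sender, subject, digest)
    if not hmac.compare_digest(expected, security.findtext("Token") or ""):
        raise PermissionError("security token is not valid for this sender")
    return sender, subject, {child.tag: child.text for child in document}


def purchasing_service(raw: bytes) -> bytes:
    """PinSupplies.com: authenticate Workplace.com's order, then send its own message to
    E-Ship.com. Only shipping data goes onward; the end user's credentials and the
    Workplace.com token stay at PinSupplies.com."""
    _sender, _subject, order = receive_message("pinsupplies.example", raw)
    shipment = {"Items": order["Items"], "ShipTo": order["ShipTo"]}
    return build_message("pinsupplies.example", "eship.example", "purchasing-service", shipment)


def shipping_service(raw: bytes) -> dict:
    """E-Ship.com: accept shipment orders only from PinSupplies.com."""
    _sender, _subject, shipment = receive_message("eship.example", raw)
    return shipment


if __name__ == "__main__":
    # Constructed purchase order submitted by the procurement application at Workplace.com.
    order_msg = build_message("workplace.example", "pinsupplies.example", "alice",
                              {"Items": "100 x 4mm pin", "ShipTo": "1 Example Street",
                               "CostCenter": "ENG-2"})
    print(shipping_service(purchasing_service(order_msg)))
```

Two properties worth noticing when running it: E-Ship.com rejects the original Workplace.com message outright, because it has a relationship only with PinSupplies.com, and a message whose Body has been altered after the Header was written fails the digest check before any order is processed.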
