www.oasis-open.org
OASIS Identity in the Cloud (IDCloud)
Towards standardizing Cloud Identity
Anil Saldhana (Red Hat), Co-Chair
Gershon Janssen, Secretary
Cloud Identity Management
• TC works to address Identity Management challenges related to Cloud Computing
• Cloud Identity Management is considered a top security concern
• Identity Management is not completely solved at Enterprise level
• Standards are evolving
• Cloud is a new paradigm, so the same problems appear in new packaging
Before we start
• How many of you have Facebook, Google, LinkedIn or any similar Cloud Service accounts?
• Imagine a company uses a public cloud for its documents. An employee leaves the company. The employee is decommissioned. What happened to the documents?
• A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year. The employees work in workshops/units and do not use computers regularly at work. The majority of them have Facebook accounts. Do you think they will remember their Benefits system password as much as their Facebook password? Should we use Facebook Connect for the Benefits system?
What is it we do?
3 Main objectives:
• Identifying detailed Use Cases
  – Identity deployment, provisioning and management in a cloud context
• Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud
  – Based on Use Cases and Interoperability Profiles
  – Feed analysis back to the WG responsible for a standard
• Define Interoperability Profiles for Identity in the Cloud
  – Profiles will be based on use and combinations of existing standards, protocols and formats
What is it we do?
• Other objectives:
  – Glossary on Cloud Identity
    – Harmonized set of definitions, terminologies and vocabulary on Identity in the context of Cloud
  – Do not re-invent the wheel
    – Build on existing standards and specifications
  – Strong liaison relationships with other international working groups
    – ITU-T, DMTF
How serious are we about this?
• Our Technical Committee chairs are:
  – Anil Saldhana (Red Hat)
  – Tony Nadalin (Microsoft)
• Amongst the members of the Technical Committee are:
  – Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, EBay, Novell, Ping Identity, Safe Net, Symantec, Boeing Corp, US DOD, Verisign, Akamai, Alfresco, Citrix, Cap Gemini, Google, Rackspace, Axciom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals, NZ Govt ...
Current Status
• Three stages:
  – Formalization of Use Cases [Finished]
    → OASIS Identity In The Cloud Use Case Document v1.0
  – Gap Analysis of existing IDM standards using the Use Cases [In progress]
  – Defining Profiles for Identity In The Cloud [Scheduled]
Use Cases
• Received 35 Use Cases of Identity Management in the Cloud (finally, 29 Use Cases are formalized)
• Structure of Use Cases:
  – Description / user story
  – Goal / Desired outcome
  – Categories covered
  – Applicable Deployment Models
  – Actors
  – Systems
  – Notable Services
  – Dependencies
  – Assumptions
  – Process Flow
Use Cases
• Categorizations:
  – Authentication
  – Single Sign On (SSO)
  – Multi factor Authentication
  – Infrastructure Identity Establishment
  – General Identity Management
  – Infrastructure IdM
  – Federated IdM
  – Authorization
  – Account & Attribute Management
  – Account & Attribute Provisioning
  – Security Tokens
  – Audit & Compliance
Use Cases
• Applicable Deployment and Service Models:
  – Deployment Models: Private, Public, Community, Hybrid
  – Service Models: SaaS, PaaS, IaaS, Other
Use Cases
• High Ranked Use Cases:
  – Managing Identities at all levels in the Cloud
  – Need for Federated Single Sign On across multiple environments
  – Enterprise to Cloud SSO
  – Auditing
  – Multi-factor Authentication for Privileged User Access
  – Mobile Identity authentication using Cloud Provider
Use Cases
• Mobile Identity Authentication
  – Submitted by Bank of America
  – Use case affects Mobile Banking
  – First step is to do automatic mobile device registration
  – Cloud based IAM solutions provide identity proofing, credential management, SSO and Provisioning capabilities.
Use Cases
• Government Provisioning of Cloud Services
  – Submitted by Govt. of New Zealand (Colin Walis)
  – Government employee or contractor logs into a web site where he can configure an environment that utilizes one or more cloud services.
  – Identity proofing and authentication, along with billing, auditing, etc., are provided.
Analysis
GAP Analysis
• Analysis of Identity Management Use Cases in a Cloud context
Main Question: “Can the desired goal or outcome be achieved using existing standards?”
(Diagram labels: GAPS, Profile)
How do we approach the Analysis
• Analyzing how a Use Case can be implemented: What is required?
(Diagram: USE CASE broken down into Goal / Outcome, User Story, Process Flow, Actors, Systems, Services, Assumptions and Dependencies)
Scope of analysis
• Focus on the technological challenge: how to get a user story
working.
• Not looking at legal, policy or economic perspectives
How do we approach the Analysis
•
Step by step / phased drill-down into more detail
•
First pass: identify relevant standards
– Not reinvent the wheel; we have a broad scope and look at all relevant
standards, specifications, recommendations, notes and ‘work in progress’, from
both SDOs and non-SDOs
RESULT: List is standards
•
Second pass: coarse analysis
– Find out where the standards fall short or what we perceive as missing
– Identify Management commonalities and reusable elements
RESULT: Identified big / obvious gaps
17
Example of a Use Case
USE CASE: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
Goal: A user is able to access multiple SaaS applications using a single identity
User Story:
For services offered in the cloud, identity management and authentication should be decoupled from the cloud services themselves. Users subscribing to cloud services expect and need to have an interoperable identity that would be used to obtain different services from different providers.
Process Flow:
1. User accesses SaaS application
2. Login using external IdP
3. IdP transforms & maps identity to SaaS provider format
4. Access to SaaS application established
Actors:
- Subscriber SaaS Application User
- Subscriber SaaS Provider Administrator
Systems:
- Cloud Identity Mgmt. System
- External Identity Provider
Services:
- Cloud Provider Identity Federation Service
- Cloud Provider Attribute Management Service (identity transform)
Assumptions and Dependencies:
- The federated trust relationship between the SaaS application and the identity provider was previously set by the Cloud tenant Administrator.
- The user accessing the service is already registered and enrolled with the Identity Provider of choice.
Example Analysis of Use Case
• First pass: Identified relevant standards:
  – SAML
  – OpenID
  – OAuth
  – SPML
  – SCIM
  – WS-Federation
  – IMI
• Second pass: Identified big / obvious gaps
  – Configuration and association with an IdP is not standardized
  – No standards or rules for mapping or transforming attributes between different (cloud) domains.
  – No profiles or standard roles and related attributes
  – No standards for attributes
  – No audit standards for IDM systems
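The use case's process flow (steps 2 to 4) and the two gaps just listed, IdP association and attribute mapping, as an added example in Python; this is not OASIS IDCloud code. The SaaS side checks an external IdP's assertion against the trust configuration the tenant administrator set up beforehand and maps the IdP's attributes into its own format. The assertion layout, the HMAC tag standing in for the IdP's signature, and every issuer, key and attribute value are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Trust relationship and IdP-to-SaaS attribute map set up beforehand by the
# tenant administrator (the use case's assumption). Constructed sample values;
# the map is tenant-specific, the mapping gap the analysis points out.
TRUSTED_IDPS = {
    "https://idp.example-tenant.test": {
        "key": b"constructed-shared-secret",
        "attr_map": {"mail": "email", "displayName": "name", "memberOf": "groups"},
        "required": ["email", "name"],
    }
}

def assertion_tag(key, claims):
    """HMAC over the canonical claims; stands in for the IdP's signature."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sample_assertion(issuer="https://idp.example-tenant.test",
                     key=b"constructed-shared-secret", expires=1000):
    """Constructed IdP assertion, as handed to the SaaS application in step 2."""
    claims = {"issuer": issuer, "subject": "u123", "audience": "saas-app",
              "expires": expires,
              "attributes": {"mail": "alice@example-tenant.test",
                             "displayName": "Alice", "memberOf": ["staff"]}}
    return {"claims": claims, "tag": assertion_tag(key, claims)}

def login_with_external_idp(assertion, now):
    """Steps 2-4: validate the assertion against the tenant's trust
    configuration, map attributes to the SaaS format, return the identity."""
    claims, tag = assertion["claims"], assertion["tag"]
    cfg = TRUSTED_IDPS.get(claims.get("issuer"))
    if cfg is None:
        raise PermissionError("issuer not in the tenant's trust configuration")
    if not hmac.compare_digest(assertion_tag(cfg["key"], claims), tag):
        raise PermissionError("assertion integrity check failed")
    if claims.get("audience") != "saas-app" or claims.get("expires", 0) <= now:
        raise PermissionError("assertion not for this application or expired")
    # Step 3: transform the IdP identity into the provider's own format.
    identity = {"subject": f'{claims["issuer"]}#{claims["subject"]}'}
    for idp_name, local_name in cfg["attr_map"].items():
        if idp_name in claims.get("attributes", {}):
            identity[local_name] = claims["attributes"][idp_name]
    missing = [a for a in cfg["required"] if a not in identity]
    if missing:
        raise PermissionError(f"IdP did not supply required attributes: {missing}")
    return identity  # Step 4: access to the SaaS application is established
```

The issuer lookup, the integrity check and the attribute map are all per-tenant configuration here, which is what the second-pass gaps mean by "not standardized".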
‘Early’ profiles start to surface
• Interoperability profiles (combinations of standards and protocols) become visible as identity management patterns surface
• E.g. the pattern of how we nowadays think about the identity ecosystem (IdP, RP, AP, etc.)
Conclusions and next steps
• Produced in-depth work providing good understanding of Identity Management in a Cloud context with respect to technical standards-based feasibility
• Unsure how to deal with implicit details of use cases: e.g. trust space, attribute space, privacy space
• Suggest future work to fill the gaps
Resources
• OASIS IDCloud Technical Committee Homepage
http://www.oasis-open.org/committees/id-cloud/
• OASIS Technical Committee Wiki
http://wiki.oasis-open.org/id-cloud/FrontPage
Anil.Saldhana@redhat.com
Gershon.Janssen@gmail.com