Federated identity management – challenges of implementation; Danish libraries case, ultimo 2006

Globalisation means more cooperation, a single global market, and bundling of offers and services. For IT systems it means more common, open standards, protocols and trust relations, and more distributed, real-time applications and web services. Technology plays an important role in enabling this cooperation, on an enterprise level, but also in collaboration with suppliers, partners and customers/external users. Traditional Identity Management (IM) is becoming an obstacle to business development, slowing down the pace of interconnectivity; therefore we are going to see rapid development in this area. Identity management is on an evolution path from the enclosed, perimeter-defence “silo” system paradigm towards an open, federated identity systems architecture where users are not administered within each enterprise separately. A common infrastructure will soon be in place.

Users want to access information/content through web services. For the user it doesn’t matter whether the information is stored in a database, on an LDAP server, or in a file at a remote site. Organisations must adapt to user requirements and provide web services that satisfy users, or simply die. All the technological issues are solvable. This project aims to show what steps, from a technical point of view, a number of independent, “silo” type organisations need to undergo in order to come under the same Federated Identity Management (FIM) umbrella. The author has tried to explain this process following the example of the implementation of the new paradigm in Danish libraries. A group of Danish libraries are connected in certain areas, but their employees and users are still bound to smaller or bigger perimeters. They are currently (ultimo 2006) running a project in the area of digital services, and the FIM issue plays a central role there.

In order to make my research more empirical I have been in touch with a team of IT professionals from Lenio (lenio.dk). Lenio is the leading Danish company in the area of identity management. In the project period I will take part in the preparation for the implementation of Single Sign-On (SSO) and the FIM solution for Danish libraries. The implementation is based on PingFederate, a product developed by the American company Ping Identity[1]. The product seems to be OK, but does it address all the issues the library environment is craving for? In the conclusion of this project a clear answer to this question is given.

The project’s scope covers mostly technological issues. Each library partner who is planning to join the federation must make technical preparations so that its IT systems are ready for the future federated IM. Besides technical preparation, establishing trust relationships with partners requires putting in place a number of procedural arrangements, legal agreements etc. These important challenges have not been addressed in this project, as its scope is limited to technological issues.


[1] http://www.pingidentity.com
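As an added illustration of the federation step the post is about (example code written for this page, not the report’s, Lenio’s or Ping Identity’s own), here is a toy model of how a user stops being bound to one perimeter: the home library’s identity provider (IdP) authenticates the user and issues a signed assertion, and a partner service provider (SP) accepts it only if the issuer is a federation member, the assertion is addressed to that SP, it has not expired, and it has not been tampered with. The library names, the secrets, the HMAC-based token format and the per-IdP shared secret are all assumptions; real deployments such as the PingFederate/SAML setup mentioned above use XML assertions and public-key signatures, which this example simplifies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed federation registry (assumption): each home library's IdP is
# identified by an issuer name and a secret the SP received out of band.
# This stands in for the signed federation metadata real SAML deployments use.
FEDERATION_KEYS = {
    "idp.library-a.example": b"constructed-secret-for-library-a",
    "idp.library-b.example": b"constructed-secret-for-library-b",
}
SP_ID = "sp.digital-services.example"  # the partner service's own identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(claims: dict) -> bytes:
    # Canonical serialization so IdP and SP sign/verify the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject, audience, attributes, now, ttl=300):
    """IdP side: after authenticating the user locally, emit a signed assertion.

    The user is administered only here; partner services never see a password.
    """
    claims = {
        "iss": issuer,          # who vouches for the user
        "sub": subject,         # the user's identifier at the home library
        "aud": audience,        # which service the assertion is meant for
        "iat": now,
        "exp": now + ttl,       # short lifetime limits replay
        "attrs": attributes,    # e.g. role used for access control at the SP
    }
    body = _serialize(claims)
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, now, trusted=FEDERATION_KEYS, audience=SP_ID):
    """SP side: returns (claims, "ok") or (None, reason) for a rejected token."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        claims = json.loads(body)
    except ValueError:  # bad split, bad base64 or bad JSON
        return None, "malformed"
    # Only federation members are trusted; an unknown issuer has no key here.
    key = trusted.get(claims.get("iss"))
    if key is None:
        return None, "untrusted issuer"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None, "bad signature"
    # An assertion issued for another service must not be accepted here.
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None, "expired"
    return claims, "ok"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_assertion("idp.library-a.example",
                            FEDERATION_KEYS["idp.library-a.example"],
                            "reader42", SP_ID, {"role": "patron"}, now)
    print(verify_assertion(token, now))
```

The ordering of the checks matters: the issuer is resolved first because without a trusted key no signature can be verified, the signature is checked before any claim is acted on, and audience and lifetime are checked last so that a valid assertion for one library service cannot be replayed against another.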

The project

How to implement Single-Sign-On and the Federated Identity Management in Danish Libraries

is defended at IT-University primo 2007.

If you find these subjects interesting, you can download the complete ca. 40-page report as

Dr. John Gøtze has published Amir’s thesis at his site – gotze.eu

John writes:

Digital Identity Management – Challenges and Benefits

Amir Hadziahmetovic has published his MSc in IT thesis, which he wrote under my supervision. It is in English and is called Digital Identity Management – Challenges and Benefits (Download PDF). Besides giving a nice introduction to and analysis of Identity Management, Amir makes some interesting observations about the identity management situation in Denmark. I recommend that everyone read this good thesis.

I’ve extracted a few central paragraphs introducing the project:

The main research problem is how to find the optimal model that will solve Digital Identity (DI) management and data interchange for electronic business in the new network economy. The problem lies in the unknown path of how to make choices for interoperable DI, and how to find the optimal strategy to implement the chosen model. The research will commence with exploring the area of general Digital Identity Management, continue with analyzing a platform for interoperable management and exchange of DIs, including implementation challenges, and end with listing the benefits of having such a platform implemented.

Imagine the sewerage management of a bigger city where each building block has a container for waste water instead of a city-wide sewerage system. Without drain pipes connecting the containers, every now and then a container would fill up, and pump trucks would be needed to empty it. They would pump out the content of a container and spill it out at some depot outside the town. This would be a very complex system of containers and trucks, difficult to control and manage. Some of the containers would certainly get overfilled, causing flooding and bad smells. With the growth of the city, the system would get even more unreliable. Therefore the majority of today’s cities have an extensive sewerage system which connects the depots, automating the disposal of waste water.

Modern business has a similar problem with today’s DI management: identity data sits in containers, filling up quickly; the systems are unable to exchange data with other systems; it is difficult to maintain and to automate the flow of data. To enable the development of electronic business, a more reliable system for DI management is required.

Business trends today push organizations toward strengthening cooperation and linking business processes between them. Many companies and governments are tending to expand their activities by integrating online services and systems, and letting external users access internal data. Individual users want a comfortable Web experience, and minimal effort in getting tailor-made products and services. The inability of today’s IT systems to match these trends is choking the present development of business. Strengthening cooperation and linking business processes is putting pressure on IT systems and the associated infrastructure, requiring that Digital Identity data is created in a unified fashion, and safely exchanged between organizations.

Digital Identity Management (IM) is a fundamental part of integrated company systems and online services. It defines who has access to what in some cases, and identifies customers and users of the services in other cases. Today’s IM architecture has to evolve from a predominantly silo architecture to a common, interoperable architecture based on open standards. This kind of architecture is the foundation for Federated IM, where identities are safely exchanged.

This project will try to look at Digital Identity Management, technology and architecture in relation to business goals and strategies. The main concepts of Digital Identity Management will be addressed, including concepts like Federated Identity, Single Sign-On (SSO), and Open Standards. The report will present a study of the business and technical implications of federating identity, where identity management is the central issue.

An analysis of the practical as well as the architectural aspects of Federated Identity will be covered. An analysis of open standards for interoperability will be covered, especially those advised by the Danish National IT and Telecom Agency and their Reference Model for Identity. The report will focus on standards from the Model such as Role-Based Access Control (RBAC), Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP) and Public Certificates for Electronic Services – OCES Digital Signature, but will also discuss alternatives. Finally, privacy issues will be considered.

The fundamental objective of any enterprise IT system must be full support for business flexibility and agility in an ever-changing business environment. The ultimate goal of this project is to perceive the challenges of the IM evolution path, and to show how Identity Management supports the connection between systems and processes, providing users with a better web experience.

Method: The project will list general theoretical issues, comparing different views on these issues, and presenting the author’s own reasoning.

The obstacles in relation to acceptance of the Reference Model for Identity will be analyzed. The analysis will be based on empirical research including feedback from the involved organizations, interviews with individuals from selected organizations, conferences, and forums.

Again: Download Amir’s thesis (PDF).

Welcome to Identity blog of Amir Hadziahmetovic

Welcome to my Identity blog. I have just (June 2006) defended my master thesis “Digital Identity Management – Challenges and Benefits”. The evaluators think that my thesis is rather good (I got a very high grade for it – 10 :)


My supervisor was the famous Dane Dr. John Gøtze. Here follow some of the thesis’ chapter titles:

Identity and its digital representation
What is identity?
Two aspects of Identity
Three tiers of identity
Identity proof and chain of trust
Digital identity today
Challenges of DI management
Identity and security
Identity and business
Identity and privacy
Identity and technology
General motivation and Scope of Digital Identity Management

Concepts of Digital Identity
Digital Identity and Identity Management
Trust
Policy
Privacy
Digital Identity Lifecycle
Integrity, Non-repudiation and Confidentiality
Cryptography
Message Digests (Hashes)
Digital Signatures
Digital Certificates and PKI
Certificate Authorities
Identity Management processes

Authentication
Cookies
ID and Password
Challenge-Response Systems
Digital Certificates
Biometric Devices
Smart cards

Authorization
Abstract Authorization Architectures

Access Control
Responsibility for resources
The Principle of Least Privilege
Accountability versus Enforcement
Access Control Types
Mandatory and Discretionary Access Control
User-based permission systems
Access control matrix
Access-Control Lists
Digital Certificates and Access control
Role Based Access Control – RBAC
Attribute Based Access Control – ABAC
Digital Rights Management
Access Control and Service Oriented Architecture

Names and Directories

Interoperability Standards
Security Assertion Markup Language – SAML
Service Provisioning Markup Language – SPML
eXtensible Access Control Markup Language – XACML

Federated Identity

Architecture for Digital Identity
Identity Management Architecture vs. Information Security Planning
Governance and Business modeling of enterprise architecture
Identity Maturity Models and Process Architectures
Identity Data Architectures
Interoperability Frameworks for Identity
Identity Policies
Identity Management Reference Architecture
Building an Identity Management Architecture

IM situation in Denmark
Current development of Identity Framework in Denmark
The Reference Model
Administration and management
Issuing of credentials
Storing
Authentication
Authorization
Logging and control
More about the elements and other issues related to IM in Denmark

Cross-case conclusions
1. About the model
2. Authentication
3. Access control and rights administration
4. Standards, Interoperability and SSO
5. Logging and control

Putting IM into perspective

If you find these subjects interesting, you can download the complete ca. hundred-page thesis as