Implementing B2B and B2C Using Novell Affiliate Connector

Presentation transcript:

Novell BrainShare 2002
IO124—Implementing B2B and B2C Using Novell Affiliate Connector
Kevin Ward, Engineering Manager, Affiliate Connector, Novell, Inc., kward@novell.com
Loren Russon, Product Management, Access and Security, lrusson@novell.com

Agenda
- Customer Challenges and Business Problems
- The Security Assertion Markup Language (SAML)
- Novell Affiliate Connector 1
- Summary
- Question and Answer

Vision…one Net
Vision: A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.

Novell Vision and Security
- The Novell “one Net” vision provides the basis for “best practice” deployment of Identity Management, Access Management and Trusted eBusiness communities
- The one Net approach provides eBusiness solutions for Business-to-Consumer (B2C), Business-to-Business (B2B), and Enterprise web (B2E) applications
- Secure “digital identity” framework for trusted relationships
- Platform-independent solutions

Customer Challenges and Business Problems

Today’s Typical Environment
[Diagram: employees on the intranet, customers on the Internet and partners on the extranet pass through a firewall to separate web servers and applications (security, e-mail, ERP, CRM). Each system keeps its own identifier and credential for the same person, shown as pairs such as GabeW - xxx, WatG - yyy, 7366 - zzz; KenS - xxx, SmithK - yyy, 7748 - zzz; ScottB - xxx, BellS - yyy, 2298 - zzz.]

Further Complicated when Affiliates are Added for B2x Environments
[Diagram: the same environment with the affiliate sites Company.com and Travel.com added. Each affiliate runs its own security infrastructure, so every employee, customer and partner accumulates yet another set of per-site identifiers and credentials.]

Web Servers and Applications with Novell iChain®
[Diagram: employees, customers and partners (e.g., ScottB - xxx, KenS - xxx, GabeW - xxx) reach the web servers and applications (e-mail, ERP, CRM) through the firewall and Novell iChain on one Net, with eDirectory™ as the security infrastructure.]
iChain provides:
1. Authentication
2. Access Control
3. Single Sign-On
4. OLAC (Personalization)
5. Data Confidentiality

Novell iChain with Affiliate Connector
[Diagram: the same one Net security infrastructure (eDirectory) now serves both intra-domain access by Company.com employees and customers and cross-domain access to the partner site Travel.com.]
The same five services apply across domains:
1. Authentication
2. Access Control
3. Single Sign-On
4. OLAC (Personalization)
5. Data Confidentiality

Technical and Operational Challenges
- Integrate heterogeneous environments
- Integrate with business partners
- Leverage existing IT investments
- Reduce development time to market
- Build on open standards

Security Assertion Markup Language (SAML)

What Is SAML?
- SAML—the Security Assertion Markup Language—is a standard which is being developed by the Security Services technical committee of the OASIS standards organization (www.oasis-open.org)
- The goal of SAML is to define an XML-based security standard for exchanging authentication and authorization information
- SAML defines:
  - XML-encoded security “assertions”
  - An XML-encoded request/response protocol
  - Rules on using assertions with standard transport and messaging frameworks

SAML Assertions
- An assertion is a statement of fact about a subject (e.g., a user or a service), according to the assertion issuer
- SAML defines three assertion types:
  - Authentication
  - Attribute
  - Authorization decision
- You can extend SAML to make your own kinds of assertions
- Assertions can be digitally signed using the XML digital signature standard

Authentication Assertion
- An authentication assertion demonstrates that an authority has authenticated a subject
- SAML does not control the authentication itself, but rather makes statements about an authentication that occurred previously
- For example, an issuing authority asserts that subject Bob authenticated to Company.com at 8:30 on July 3, 2002 using the password method

Attribute Assertion
- An attribute assertion binds a subject with attributes
- Typically attribute values are pulled from a data repository of user information (e.g., LDAP)
- For example, an issuing authority asserts that subject Bob in Company.com is a member of a department called Engineering

Authorization Decision Assertion
- An authorization decision assertion declares that a subject is authorized to access a resource
- For example, a Policy Decision Point decides whether to grant the request: Can Bob in Company.com have execute privileges on http://Travel.com/ReserveHotel.html?
- The response is in the form of Yes/No
- The Policy Enforcement Point allows or denies access based on the response
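The three assertion types from the preceding slides, built as SAML 1.0 XML and read back the way a relying party would. This is an added example written for this transcript, not Novell code or part of the original presentation; it uses only the Python standard library. Bob, Company.com, Engineering, the ReserveHotel.html resource and the 8:30 July 3, 2002 instant are the slides' own values; the slide's Yes/No becomes the SAML 1.0 Permit/Deny decision. The ATTR_NS URI and the five-minute validity window are assumptions.

```python
"""The three SAML 1.0 assertion types from the slides, built and read back with
the standard library (added example, not Novell code). Names, domains and the
resource URL are the slides' own; ATTR_NS and the five-minute window are assumed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
PASSWORD_METHOD = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAML 1.0 identifier for password authentication
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"       # Read/Write/Execute/Delete/Control action set
ATTR_NS = "urn:example:company-attributes"                   # assumed AttributeNamespace
SLIDE_INSTANT = datetime(2002, 7, 3, 8, 30, tzinfo=timezone.utc)  # "8:30 on July 3, 2002"
ET.register_namespace("saml", SAML_NS)


def _tag(local):
    return f"{{{SAML_NS}}}{local}"


def _stamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _assertion(issuer, issued_at, ttl=timedelta(minutes=5)):
    """Common envelope: version, unique id, issuer and a validity window."""
    root = ET.Element(_tag("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "0", "AssertionID": uuid.uuid4().hex,
        "Issuer": issuer, "IssueInstant": _stamp(issued_at)})
    ET.SubElement(root, _tag("Conditions"),
                  {"NotBefore": _stamp(issued_at), "NotOnOrAfter": _stamp(issued_at + ttl)})
    return root


def _subject(statement, name, domain):
    subject = ET.SubElement(statement, _tag("Subject"))
    ET.SubElement(subject, _tag("NameIdentifier"), {"NameQualifier": domain}).text = name


def authentication_assertion(name, domain, issued_at=SLIDE_INSTANT):
    """'Bob authenticated to Company.com at 8:30 on July 3, 2002 using the password method'."""
    root = _assertion(domain, issued_at)
    stmt = ET.SubElement(root, _tag("AuthenticationStatement"),
                         {"AuthenticationMethod": PASSWORD_METHOD,
                          "AuthenticationInstant": _stamp(issued_at)})
    _subject(stmt, name, domain)
    return ET.tostring(root, encoding="unicode")


def attribute_assertion(name, domain, attributes, issued_at=SLIDE_INSTANT):
    """'Bob in Company.com is a member of a department called Engineering'."""
    root = _assertion(domain, issued_at)
    stmt = ET.SubElement(root, _tag("AttributeStatement"))
    _subject(stmt, name, domain)
    for attr_name, value in attributes.items():
        attr = ET.SubElement(stmt, _tag("Attribute"),
                             {"AttributeName": attr_name, "AttributeNamespace": ATTR_NS})
        ET.SubElement(attr, _tag("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def authorization_decision_assertion(name, domain, resource, actions, decision,
                                     issued_at=SLIDE_INSTANT):
    """The PDP's answer to 'Can Bob in Company.com execute .../ReserveHotel.html?'."""
    if decision not in ("Permit", "Deny", "Indeterminate"):
        raise ValueError("SAML 1.0 Decision must be Permit, Deny or Indeterminate")
    root = _assertion(domain, issued_at)
    stmt = ET.SubElement(root, _tag("AuthorizationDecisionStatement"),
                         {"Resource": resource, "Decision": decision})
    _subject(stmt, name, domain)
    for action in actions:
        ET.SubElement(stmt, _tag("Action"), {"Namespace": ACTION_NS}).text = action
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Parse an assertion back into a dict, as a relying party would before acting on it."""
    root = ET.fromstring(xml_text)
    stmt = next(child for child in root if child.tag.endswith("Statement"))
    kind = stmt.tag.split("}")[1]
    info = {"issuer": root.get("Issuer"), "statement": kind,
            "subject": stmt.findtext(f"{_tag('Subject')}/{_tag('NameIdentifier')}"),
            "not_on_or_after": root.find(_tag("Conditions")).get("NotOnOrAfter")}
    if kind == "AuthenticationStatement":
        info["method"] = stmt.get("AuthenticationMethod")
    elif kind == "AttributeStatement":
        info["attributes"] = {a.get("AttributeName"): a.findtext(_tag("AttributeValue"))
                              for a in stmt.findall(_tag("Attribute"))}
    else:
        info.update(resource=stmt.get("Resource"), decision=stmt.get("Decision"),
                    actions=[a.text for a in stmt.findall(_tag("Action"))])
    return info
```

Every assertion carries an Issuer and a Conditions window, so a relying party can refuse statements from unknown authorities or outside their validity period before it looks at the statement itself; the signature the slides mention would wrap this XML and is not shown here.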

SAML Request/Response Protocol
- An XML-based protocol used to ask for and obtain SAML assertions
  - A relying party (requester) makes a request for an assertion
  - An asserting party (responder) issues a response containing the assertion
- Some environments may need to use their own protocol
  - They can use assertions without the rest of the request/response structure
- The full benefit of SAML is realized when parties with no direct knowledge of each other can interact
  - Via a “third-party introduction”

SAML Protocol Bindings
- A binding is a way to transport SAML requests and responses over a messaging protocol
- SOAP-over-HTTP binding is mandatory
- Other bindings to follow, e.g., raw HTTP
- SAML 1.0 is secured through the transport binding

SAML Profiles
- A profile describes how SAML assertions are embedded into and extracted from a protocol, e.g., how SAML can be used to solve real business problems
- Web browser profile for SSO (push and pull models)
- SOAP profile for securing SOAP payloads

Web Browser Profile
- This profile assumes:
  - A standard commercial browser and HTTP(S)
  - User has authenticated to a local source site
  - Assertion’s subject refers implicitly to the user
- When a user accesses a target site:
  - An authentication assertion reference travels with the request so the real assertion can be de-referenced
  - Or the real assertion is passed through an HTTP POST
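The pull model from the protocol, binding and browser-profile slides, as an added example that is not part of the original presentation or Novell's software: the browser carries only an assertion reference (artifact) to the affiliate site, which dereferences it with a SAML 1.0 Request inside a SOAP envelope, and the source site answers with a Response whose StatusCode says whether an assertion came back. Standard library only. The artifact format, the single-use rule for artifacts, the SAMPLE_ASSERTION stub and the omission of the actual HTTP POST are all constructed for illustration.

```python
"""Pull model: a SAML 1.0 request/response exchange over the SOAP binding,
triggered by an assertion reference (artifact) that travelled through the
browser. Added example, not Novell code; standard library only. The artifact
format, single-use policy and SAMPLE_ASSERTION are constructed for illustration;
the HTTP POST that would carry the SOAP message is left out."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
for prefix, uri in (("samlp", SAMLP_NS), ("saml", SAML_NS), ("SOAP-ENV", SOAP_NS)):
    ET.register_namespace(prefix, uri)

# Constructed stand-in for an assertion the source site issued earlier.
SAMPLE_ASSERTION = (f'<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="0" '
                    'AssertionID="constructed-id-1" Issuer="Company.com" IssueInstant="2002-07-03T08:30:00Z"/>')


def _p(local):
    return f"{{{SAMLP_NS}}}{local}"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _soap(child):
    """Wrap a SAML protocol message in a SOAP 1.1 envelope body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(child)
    return ET.tostring(env, encoding="unicode")


def _unsoap(xml_text):
    return ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")[0]


class SourceSite:
    """Asserting party (responder): keeps issued assertions and resolves each artifact once."""

    def __init__(self):
        self._pending = {}

    def issue_artifact(self, assertion_xml):
        artifact = secrets.token_urlsafe(20)   # opaque handle; carries no user data
        self._pending[artifact] = assertion_xml
        return artifact

    def handle_request(self, soap_request):
        req = _unsoap(soap_request)
        resp = ET.Element(_p("Response"), {
            "ResponseID": secrets.token_hex(16), "InResponseTo": req.get("RequestID", ""),
            "MajorVersion": "1", "MinorVersion": "0", "IssueInstant": _now()})
        status = ET.SubElement(resp, _p("Status"))
        code = ET.SubElement(status, _p("StatusCode"))
        found = [self._pending.pop(a.text, None) for a in req.findall(_p("AssertionArtifact"))]
        found = [f for f in found if f is not None]   # pop(): a replayed artifact resolves to nothing
        if found:
            code.set("Value", "samlp:Success")
            for assertion_xml in found:
                resp.append(ET.fromstring(assertion_xml))
        else:
            code.set("Value", "samlp:Requester")
            ET.SubElement(status, _p("StatusMessage")).text = "unknown or already used artifact"
        return _soap(resp)


class AffiliateSite:
    """Relying party (requester): dereferences the artifact it received from the browser."""

    def build_request(self, artifact):
        req = ET.Element(_p("Request"), {"RequestID": secrets.token_hex(16), "MajorVersion": "1",
                                         "MinorVersion": "0", "IssueInstant": _now()})
        ET.SubElement(req, _p("AssertionArtifact")).text = artifact
        return req.get("RequestID"), _soap(req)

    def read_response(self, request_id, soap_response):
        resp = _unsoap(soap_response)
        if resp.get("InResponseTo") != request_id:
            raise ValueError("response is not for the request we sent")
        status = resp.find(f"{_p('Status')}/{_p('StatusCode')}").get("Value")
        assertions = [c for c in resp if c.tag == f"{{{SAML_NS}}}Assertion"]
        return status, assertions


def dereference(source, affiliate, artifact):
    """One full exchange; in production the request goes to the source site by HTTP POST."""
    request_id, soap_req = affiliate.build_request(artifact)
    status, assertions = affiliate.read_response(request_id, source.handle_request(soap_req))
    return status, len(assertions)
```

Two details matter for a relying party: it checks InResponseTo against the RequestID it generated, so a stray or replayed response cannot be matched to its request, and the source site forgets an artifact once it is resolved, so a second presentation of the same reference yields only a samlp:Requester status.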

Novell Affiliate Connector 1

Novell Affiliate Connector’s Use of SAML
- Novell Affiliate Connector 1 implements a multi-domain SSO push model
- Creates authentication and attribute assertions
- Attribute values are typically retrieved from an LDAP directory or other database
- Assertions can be digitally signed
- Assertions are HTTP POSTed and travel as a payload through the browser
- Requires the use of SSL for securing assertions during transport

General Setup
[Diagram: the source site (Directory or Database, Novell SAML Agent API, Custom Logic), the user’s Browser, and the affiliate site (iChain® 2.1 in front of the Web Servers).]

Step 1
- User connects to the source site, and authenticates, registers or otherwise identifies himself—this process is defined by the source site and is not part of SAML

Step 2
- User clicks on a link to get to the affiliate site—the web server calls the Custom Logic layer and passes identification information about the user
- The Custom Logic layer consults policy information and optionally retrieves additional information about the user that will be used to build the assertion(s)
- The Custom Logic layer is developed by the source site and represents its custom business policies and practice

Step 3
- The Custom Logic layer passes information about the user to the Novell SAML Agent API, which then formats the information into one or more SAML assertions
- The assertions are returned to the Custom Logic layer, which then places the assertions into an HTML FORM document that is returned to the browser

Step 4
- If the browser has JavaScript enabled, the HTML form containing the assertion(s) is automatically posted into the HTML header during the redirect to the affiliate site
- If the client does not have JavaScript enabled, the user must submit the form by pressing the submit button

Step 5
- The Affiliate Connector engine running on iChain reads the assertion from the incoming request and consults policy information to validate it
- Once validated, the engine uses its policy to map the user to an identity at the affiliate site
- The user is authenticated at the affiliate site

Step 6
- The Affiliate Connector engine recognizes the session to be affiliate-based
- According to policy, if any OLAC data is required for the session it is pulled from the user’s assertions
- Any other required OLAC data not found in the user’s assertions is retrieved from LDAP (eDirectory) for the mapped user

Step 7
- When a web application is accessed, the complete OLAC parameter string is sent along with the user request for the web server resource
- Web single sign-on has been achieved
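Steps 1 through 7 end to end, as an added example written for this transcript; it is not Novell's SAML Agent API or the iChain Affiliate Connector engine. The source side shows custom logic consulting a release policy, an attribute assertion being signed for one affiliate and embedded in an auto-submitting HTML form with a noscript submit button; the affiliate side validates issuer, signature and validity window, maps the subject to a local identity from policy, and fills the required OLAC parameters from the assertion first and a stand-in LDAP lookup second. The slides call for XML Signature with exchanged certificates; the Python standard library has no RSA, so an HMAC over the assertion bytes with a key shared per partner pair stands in for that check. Field names (SAMLAssertion, Signature, TARGET), all policy tables, the LDAP stub and the fixed clock NOW are constructed.

```python
"""Push model used by Affiliate Connector 1, steps 1 to 7. Added example, not
Novell's SAML Agent API or the iChain engine; standard library only. An HMAC
with a per-partner key stands in for the XML Signature the slides describe.
Field names, policy tables and the LDAP lookup are constructed."""
import base64, hashlib, hmac, html, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2002, 7, 3, 8, 30, tzinfo=timezone.utc)   # fixed clock so the run is reproducible

# Constructed attribute-assertion template (a real source site would call its SAML agent API).
ASSERTION = ('<saml:Assertion xmlns:saml="{ns}" MajorVersion="1" MinorVersion="0" AssertionID="{id}" '
             'Issuer="{issuer}" IssueInstant="{issued}"><saml:Conditions NotBefore="{issued}" '
             'NotOnOrAfter="{expires}"/><saml:AttributeStatement><saml:Subject><saml:NameIdentifier>'
             '{user}</saml:NameIdentifier></saml:Subject>{attrs}</saml:AttributeStatement></saml:Assertion>')
ATTRIBUTE = ('<saml:Attribute AttributeName="{k}" AttributeNamespace="urn:example:attrs">'
             '<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>')

# Source-site policy (steps 2-3): attributes each affiliate may receive, and the per-partner key.
RELEASE_POLICY = {"Travel.com": ["department"]}
PARTNER_KEYS = {("Company.com", "Travel.com"): b"constructed-key-exchanged-out-of-band"}
# Affiliate-site policy (steps 5-6): trusted issuers, identity mapping, OLAC needs, LDAP stand-in.
TRUSTED_ISSUERS = {"Company.com"}
IDENTITY_MAP = {("Company.com", "Bob"): "cn=bob-partner,ou=affiliates,o=travel"}
OLAC_REQUIRED = ["department", "mail"]
LDAP_STUB = {"cn=bob-partner,ou=affiliates,o=travel": {"mail": "bob@company.com"}}


class AssertionRejected(Exception):
    pass


def custom_logic(user_record, affiliate):
    """Step 2: release only the attributes policy allows for this affiliate."""
    return {k: user_record[k] for k in RELEASE_POLICY.get(affiliate, []) if k in user_record}


def build_signed_assertion(issuer, affiliate, user, attrs, now):
    """Step 3: format the assertion and sign it for this affiliate."""
    xml_text = ASSERTION.format(
        ns=SAML_NS, id=secrets.token_hex(16), issuer=issuer, issued=now.strftime(FMT),
        expires=(now + timedelta(minutes=5)).strftime(FMT), user=html.escape(user),
        attrs="".join(ATTRIBUTE.format(k=html.escape(k), v=html.escape(v)) for k, v in attrs.items()))
    sig = hmac.new(PARTNER_KEYS[(issuer, affiliate)], xml_text.encode(), hashlib.sha256).hexdigest()
    return xml_text, sig


def post_form(xml_text, sig, action_url, target):
    """Step 4: auto-submitting form; the noscript button covers browsers without JavaScript."""
    fields = {"SAMLAssertion": base64.b64encode(xml_text.encode()).decode(), "Signature": sig, "TARGET": target}
    inputs = "".join(f'<input type="hidden" name="{k}" value="{html.escape(v)}">' for k, v in fields.items())
    page = (f'<html><body onload="document.forms[0].submit()"><form method="POST" action="{html.escape(action_url)}">'
            f'{inputs}<noscript><input type="submit" value="Continue"></noscript></form></body></html>')
    return page, fields


def affiliate_engine(fields, affiliate, now):
    """Steps 5-7: validate the POSTed assertion, map the user, build the OLAC parameter string."""
    xml_text = base64.b64decode(fields["SAMLAssertion"]).decode()
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer")
    if issuer not in TRUSTED_ISSUERS or (issuer, affiliate) not in PARTNER_KEYS:
        raise AssertionRejected(f"no trust relationship with issuer {issuer!r}")
    expected = hmac.new(PARTNER_KEYS[(issuer, affiliate)], xml_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["Signature"]):
        raise AssertionRejected("signature does not match assertion")
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not not_before <= now < not_on_or_after:
        raise AssertionRejected("assertion outside its validity window")
    user = root.findtext(f".//{{{SAML_NS}}}NameIdentifier")
    local_dn = IDENTITY_MAP.get((issuer, user))
    if local_dn is None:
        raise AssertionRejected(f"policy maps no local identity for {user!r}@{issuer}")
    asserted = {a.get("AttributeName"): a.findtext(f"{{{SAML_NS}}}AttributeValue")
                for a in root.iter(f"{{{SAML_NS}}}Attribute")}
    # Step 6: OLAC values come from the assertion first, then from LDAP for the mapped user.
    olac = {n: asserted.get(n) or LDAP_STUB.get(local_dn, {}).get(n, "") for n in OLAC_REQUIRED}
    return {"user": local_dn, "olac": urlencode(olac), "target": fields["TARGET"]}


def demo():
    """Happy path plus the two failures the engine must catch: tampering and an expired assertion."""
    attrs = custom_logic({"department": "Engineering", "password_hash": "not-released"}, "Travel.com")
    xml_text, sig = build_signed_assertion("Company.com", "Travel.com", "Bob", attrs, NOW)
    _, fields = post_form(xml_text, sig, "https://travel.com/affiliate/login", "/ReserveHotel.html")
    result = {"session": affiliate_engine(fields, "Travel.com", NOW)}
    _, tampered = post_form(xml_text.replace(">Bob<", ">Alice<"), sig, "https://travel.com/affiliate/login", "/")
    for label, f, when in (("tampered", tampered, NOW), ("expired", fields, NOW + timedelta(minutes=10))):
        try:
            affiliate_engine(f, "Travel.com", when)
            result[label] = "accepted"
        except AssertionRejected as exc:
            result[label] = str(exc)
    return result
```

Run demo() to see the mapped session with its OLAC string, the rejection of a subject edited after signing, and the rejection of an assertion presented after NotOnOrAfter. The release policy is what keeps the password hash out of the assertion, and the transport the slides require (SSL between browser and both sites) is assumed rather than shown.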

Novell Affiliate Connector 1 Requirements
Source site
- Novell SAML Agent API requires one of the following:
  - Solaris 2.7 or 2.8 with Apache web server
  - Microsoft Windows NT or Windows 2000 with Microsoft IIS
- Novell SAML Agent API must be installed and configured on every web server where a user can be redirected to the affiliate site
- iChain can be installed, but Novell Affiliate Connector doesn’t take advantage of it
Affiliate site
- Requires iChain 2.1
Configuration
- The source site and the affiliate site must agree on policy
- The source site and the affiliate site each generate a key pair and certificate, and exchange public key certificates with the other site

Summary

Affiliate Connector Messages
Strategy
- Leverage the strengths of the iChain architecture and install base to deliver an easy-to-use access and security infrastructure for building B2x web services
Value Propositions
- Provide a security infrastructure for all B2x web-based applications
- Simplify identity management between disparate organizations
- Extend the value of iChain and other SAML-compliant access and identity management services
- Reduce password-related help desk costs to create a lower cost of ownership and administration
- Enable authentication and single sign-on across affiliate partner sites
- Provide common authentication services for web services deployments
Key Messages
- Affiliate Connector extends the value of iChain across all of your affiliate partner sites
- Affiliate Connector is extensible and customizable, taking full advantage of standard SAML implementations
- Affiliate Connector deploys faster and is easier to manage than other competitive products

Important Efforts Related to SAML
IETF/W3C XML Signature
- Built into SAML for digitally signing assertions
- www.w3.org/Signature
W3C XML Encryption
- Robust encryption capabilities for XML documents
- Intended to be used for encrypting SAML traffic
- Posted for Last Call in October 2001
- www.w3.org/Encryption/2001
XKMS
- An XML-based mechanism for utilizing PKI services
- Intended to simplify the integration of PKI into XML environments
- SAML traffic might be secured by XKMS-based PKI, by other PKI, or by other means entirely
- www.w3.org/TR/xkms

Important Efforts Related to Security and Identity
OASIS XACML
- An XML-based format for expressing access control policy information
- Intent is to be used in conjunction with SAML when processing assertions, especially Authorization Decision Assertions
- www.oasis-open.org/committees/xacml
OASIS Provisioning
- XML-based framework for user, resource, and service provisioning
- www.oasis-open.org/committees/provision
Liberty Alliance
- Identity solution for SSO of consumers and businesses
- Still too early to tell if Liberty will utilize SAML
- www.projectliberty.org

What about Microsoft?
- Didn’t participate in early SAML work, but received some “encouragement” later
- Has contributed design ideas, mostly about Kerberos support
  - Subcommittee formed to pursue this further
- Latest .NET/Passport story addresses “federated” functions, based on Kerberos
- No commitment to SAML, but at the table
- Introduced WS Security—Microsoft’s Web Services security

Conclusion
- SAML meets important interoperability requirements
- The right players are involved
- The specification is moving along; final submission to OASIS is expected by March
- Software vendors are just starting to integrate SAML
- Product thrust for the next few years will be SSO
- Early SAML-based software won’t offer turn-key solutions
- SAML will be an important technology for enabling authentication and conveying authorization
- Other IETF and W3C efforts will extend and collaborate with SAML