Addressing Interoperability Challenges
June 12 & 13, 2007
Gerry Gebel, VP & Service Director, Burton Group
All Contents © 2007 Burton Group. All rights reserved.

2 Addressing Interoperability Challenges
Agenda
- Introduction
- User-centric identity
- XACML policy
- Q&A

4 Introduction
Why host interoperability demonstrations?
- Catalyst is a neutral forum for vendors and other technology providers to collaborate on interoperability
- It’s great to see competitors working toward common goals
- Interoperability demonstrations provide an indication of technology maturity
  - Not as robust as formal interoperability and testing programs
- Expose differences in interpretation of specifications
- Challenge providers to address requirements of realistic scenarios

5 Introduction
Interop demonstrations for Catalyst 2007
- User-centric identity - June :30pm
  - Information cards, OpenID, etc.
  - Johannes Ernst, NetMesh; Mike Jones, Microsoft; Paul Trevithick, Social Physics
- XACML - June :30pm
  - Extensible Access Control Markup Language, managed by OASIS
  - Hal Lockhart, BEA; Rich Levinson, Oracle
- WS-I - June :30pm
  - Web services security profiles
  - Not discussed on the call today

7 User-Centric Identity
Addressing some key questions
- Why is user-centric identity important?
- Why is interoperability important for user-centric identity?
- What impact does the Catalyst interoperability event have on the industry?

8 User-Centric Identity
The Big Idea: Identity “Self-Service” by the User
- Good for businesses:
  - Reduced cost
  - More business through reduced friction with customer
  - Single view of the customer
- Good for the individual:
  - Perception of increased control (e.g. privacy)
  - Less hassle (one root credential for many sites)
  - Higher-value products / services

9 User-Centric Identity
Identifiers / URLs
- Example:
- Key standards:
- How it works
  - Users sign up with an OpenID provider
  - Issued URL becomes universal account name
  - Diffie-Hellman-based
Information Cards
- Example:
- Key standards: WS-Trust
- How it works
  - User obtains card from business or provider
  - “Identity Agent” installed on PC (e.g. Vista CardSpace) or hosted (e.g. Higgins H1)

10 User-Centric Identity
Participants and process
- A combination of vendors, open source projects, and individual contributors
  - Microsoft, IBM, CA, BMC Software, Oracle, VeriSign, Ping Identity, Higgins, Bandit, NetMesh, WSO2, PamelaWare, XMLDAP.org, Internet2 Shibboleth Project, and Ian Brown
  - OSIS Project (“Open-Source Identity System”)
- Process
  - Weekly conference calls
  - Face to face testing at recent IIW conference
  - Wiki used to collaborate and host documentation

11 User-Centric Identity
Expected Interop Outcomes
- Many vendors participating in interop
- Demonstrated multi-vendor interoperability
- Multiple protocols
- Interop scenarios
Why it matters
- User-Centric Identity is here to stay
- User-centric identity can be expected to work
- No more protocol fights
- Glimpse of disruptive business potential

13 XACML Policy
XACML 2.0 overview
- XML language for fine-grained access control
- Extremely powerful evaluation logic
- Ability to use any available information
- Superset of permissions, ACLs, RBAC
- Scales from Internet to PDA
- Federated policy administration
- OASIS and ITU-T Standard

14 XACML Policy
Burton Catalyst Conference, San Francisco, June 28, 2007, 6-9:30 pm
- Tentative participants: BEA, CA, IBM, Jericho Systems, Oracle, Redhat, Securent, and Symlabs
- Approach under discussion
  - Two use cases (Policy Exchange, Decision)
  - Four stock trading scenarios
  - Weekly concalls

15 XACML Policy
Policy exchange scenario (diagram showing Policy moving between a PAP, a Repository and a PDP)

16 XACML Policy
Decision request scenario (diagram showing a PEP and a PDP)

17 XACML Policy
Interop challenges
- Minimize extraneous components
- Agree on items unspecified by XACML
- Motivating business cases
- Present understandable demo
- Repeatable scenarios
- Human error
- Opportunity for ad hoc variants

18 XACML Policy
Use cases overview
- Use cases spec available through OASIS XACML TC Public Home Page
- Authorization logic externalized from applications
  - Enables centralization of critical business rules in XACML Policy Decision Point (PDP)
- Vendor interoperability achieved through:
  - Common policy specification language
  - Use of common application-specific vocabulary
  - Common request and response for policy execution

19 XACML Policy
Use cases interop document
- Describes planning process for the Interop demo application and test framework
- Describes architectural approach and implementation options for building demo infrastructure
- Contains detailed description of use cases and scenarios at data element and processing level
- Shows XACML usage models at a depth that goes beyond the xacml-core specs and in total application context
- Can be used as a sample for doing analysis for new applications

20 XACML Policy
Use case 1: Authorization Request - overview
- Hypothetical customer high-value stock account application
  - Account is “managed” by professional investment advisor
  - Customer can make trades within portfolio guidelines
  - If customer attempts trade outside programmed guidelines of trade size and credit limits, automatic request for approval is generated for the account manager to review and approve
- Shows how XACML can be used to extract authorization logic from application using a custom vocabulary
- Shows how fine grained authorization can be centrally managed for uniform control of enterprise business policies

21 XACML Policy
Use case 1: Authorization Request - technical
- Shows how one vendor’s Policy Enforcement Point (PEP) can use another vendor’s PDP
- Demo has application acting as PEP that sends a XACMLAuthzDecisionQuery Request to PDP
  - XACML SAML 2.0 profile for PEP/PDP request/response
- Shows variety of policy execution paths in PDP within Policy hierarchy
- Shows how Obligations can be used to direct subsequent steps taken by PEP and application to initiate approval processes
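The flow described on the two Use case 1 slides (a PEP sends an authorization request carrying a custom trade vocabulary, the PDP answers with a decision and, for an out-of-guideline trade, an Obligation that tells the PEP to start the approval process), as an added illustration that is not code from the interop or from any participating vendor: a toy Python PDP that parses a XACML 2.0 request context and applies the trade-size and credit guideline. The urn:example attribute and obligation ids, the role/amount/limit vocabulary and the sample request are constructed assumptions; the SAML 2.0 transport wrapper is left out.

```python
import xml.etree.ElementTree as ET

# Real XACML 2.0 request-context namespace; urn:example ids are a hypothetical custom vocabulary.
NS = {"x": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
XS = "http://www.w3.org/2001/XMLSchema#"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
REQUEST_APPROVAL = "urn:example:obligation:request-approval"  # hypothetical

def parse_request(xml_text):
    """Flatten the attributes of a XACML 2.0 <Request> into {AttributeId: value}."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for cat in ("Subject", "Resource", "Action", "Environment"):
        for el in root.findall(f"x:{cat}/x:Attribute", NS):
            val = el.find("x:AttributeValue", NS)
            attrs[el.get("AttributeId")] = (val.text or "").strip() if val is not None else ""
    return attrs

def evaluate(attrs):
    """Hypothetical PDP rule for the stock-account use case: a customer may trade
    within the account's trade-size and credit limits; a larger trade is denied
    and an Obligation tells the PEP to open an approval request for the manager."""
    if attrs.get(ACTION_ID) != "trade" or attrs.get("urn:example:subject:role") != "customer":
        return {"Decision": "NotApplicable", "Obligations": []}
    amount = float(attrs.get("urn:example:trade:amount", "0"))
    size_limit = float(attrs.get("urn:example:account:trade-size-limit", "0"))
    credit = float(attrs.get("urn:example:account:available-credit", "0"))
    if amount <= size_limit and amount <= credit:
        return {"Decision": "Permit", "Obligations": []}
    return {"Decision": "Deny", "Obligations": [
        {"ObligationId": REQUEST_APPROVAL, "FulfillOn": "Deny", "amount": amount}]}

def decide(xml_text):
    # What the PEP gets back: the Decision plus any Obligations it must act on.
    return evaluate(parse_request(xml_text))

# Constructed sample request: a customer attempts a 25,000 trade; the guideline allows 10,000.
SAMPLE_REQUEST = f"""<Request xmlns="{NS['x']}">
  <Subject>
    <Attribute AttributeId="urn:example:subject:role" DataType="{XS}string"><AttributeValue>customer</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:example:account:trade-size-limit" DataType="{XS}double"><AttributeValue>10000</AttributeValue></Attribute>
    <Attribute AttributeId="urn:example:account:available-credit" DataType="{XS}double"><AttributeValue>50000</AttributeValue></Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}" DataType="{XS}string"><AttributeValue>trade</AttributeValue></Attribute>
    <Attribute AttributeId="urn:example:trade:amount" DataType="{XS}double"><AttributeValue>25000</AttributeValue></Attribute>
  </Action>
</Request>"""
```

A real PDP would evaluate a policy document rather than hard-coded rules, but the shape of the exchange (attributes in, Decision plus Obligations out) is what the interop relies on for vendor-neutral PEP/PDP pairing.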

22 XACML Policy
Use case 2: Policy Exchange
- Department administrators at vendor-specific Policy Administration Point (PAP) create or modify Policies using custom tools
- Policy can then be published into a centralized PDP and enforced by PEPs throughout the enterprise
- Shows how Policy from one vendor’s PAP (or PDP) can be used by another vendor’s PDP (or PAP)
  - Create Policy at one vendor’s PAP and add to another vendor’s repository (or export Policy from PDP and add to repository)
  - Import other vendor’s policy from repository to PDP for execution (or to PAP for editing)

24 Addressing Interoperability Challenges