What is valuable about a single identity, why is that something people want and how achievable is it? As people work across multiple systems they encounter an equal number of barriers where they must authenticate or otherwise prove their identity in order to gain access. Ideally we always want to be showing the same information about ourselves regardless of where someone searches or how we are found. In this session we’ll discuss the issues behind both creating a single identity and simplifying authentication. We’ll also review the risks you need to be aware of, the technologies available to you and the importance of good and current personal information.
This is an updated presentation that includes some speaker notes for clarity
Benefits and Risks of a Single Identity - IBM Connect 2017
1. February 2017
Benefits and Risks of a Single Identity
Gabriella Davis
Technical Director - IBM Lifetime Champion
The Turtle Partnership
DEV-1078
IBM Connect 2017 Conference
3. Roadmap For This Session
✤ What is single identity and why would I care?
✤ What technologies are available to me?
✤ What needs to be in place for single identity to work well
✤ The risks of single identity in an IOT and online world
4. What Do We Mean By Single Identity?
• Identity Management
• I am an individual but one that is part of this group
• I take my individuality into different systems
• I take information about me across different systems
• This is the difference between federation and single sign on
5. Things have gotten a bit more complicated than that..
Multiple systems and standards including SAML, OpenID, OAuth, Facebook Login
Users require logins across personal, consumer, and enterprise systems
6. Individual Identities Across Systems
Attributes Within Systems
An individual will have separate identities across different systems, where some attributes are shared such as email or name and others might be system specific. As the user moves between systems their individual identity remains the same.
7. Why Is Having A Single Identity Valuable?
✤ Preferences: how I use the system, how I prefer to work with it, what parts of it I prefer to see / engage with
✤ Behaviour & History: what I do, what I have interacted with in the past, what I reuse or repeat
✤ Patterns: spotting ways in which I reuse or repeat in order to present information to me that I might not be aware of, or highlight information that the pattern says I should be interested in
✤ Being Present: just because I’m using system A doesn’t mean someone in system B can’t find and interact with me. I have one identity if signed onto multiple systems.
9. Authentication
Authentication is critical to ensure Gab Davis in System A is the same as Gab Davis in System B and the information that goes with that ‘Gab Davis’ is correct
10. Trust
✤ Hello - have you met my friend?
✤ Is trust transferable?
Once you create a way in you are establishing a security level as that of the lowest entry point
11. Attributes
✤ Access rights
✤ Identity data such as name or email
✤ System specific attributes such as your favourite drink
(Illustration: wine glass types - Sparkling Wine Flute, White Wine Glass, Standard Wine Glass, Light Red Wine Glass, Bold Red Wine Glass)
13. Password Synchronisation
This ISN’T Single Identity
Synchronising passwords across different systems
(Diagram: Password Synchronisation Tool - Sametime LDAP, Connections LDAP, Traveler Authentication)
You’re not the same person, you’re just using the same password
14. Single LDAP Source
This Kind-Of Is - At Its Most Basic
Authenticating against a single password in a single place
(Diagram: Sametime, Network Login, Connections and Mail all authenticating against one LDAP Password)
Technically you are the same person as you authenticate using the same identity but that’s it, there is no other information being held or exchanged.
15. This Is Closer - but not quite
IWA/Kerberos/SPNEGO
✤ The single authentication to Windows has granted access to other systems using the same identity
Steps:
Step 1: User logs into Windows
Step 2: Active Directory generates token
Step 3: User tries to access a website
Step 4: Browser sends IWA token to the web server along with user name
Step 5: The web server contacts Active Directory to validate token and retrieve the user’s name
16. Federated Login Is Single Identity
Security Assertion Markup Language
✤ Simple SAML Steps
Step 1: User attempts to log in to a website
Step 2: User is redirected to identity provider
Step 3: Identity provider requests authentication or (if user is logged in) returns credentials
Step 4: User is redirected back to original site with SAML assertion attached
Step 5: Original site uses its SAML service provider to confirm SAML assertion and grant access
17. SAML - Federated Single Identity
✤ IdP - Identity Provider (SSO)
  ✤ ADFS (Active Directory Federation Services)
    ✤ can be combined with IWA
  ✤ TFIM (Tivoli Federated Identity Manager)
✤ SP - Service Provider
  ✤ IBM Domino (web federated login)
  ✤ IBM SmartCloud
  ✤ IBM Notes (requires ID Vault) (notes federated login)
18. SAML Behaviour
✤ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions
✤ Assertions have three roles
  ✤ Authentication
  ✤ Authorisation
  ✤ Retrieving Attributes
✤ Many kinds of authentication methods are supported depending on your chosen IdP
✤ Once initially federated no subsequent password or credentials are passed
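The five SAML steps from slide 16 and the behaviour on this slide (assertions carrying authentication and attributes, no credentials re-sent once the IdP session exists) as an added Python simulation. This is not the deck's or IBM's code: the entity IDs, signing key, user, attributes and lifetime are all constructed, and an HMAC over canonical JSON stands in for the XML signature (with the IdP's X.509 key) that real SAML uses. The service provider checks signature, issuer, audience, request binding and validity window before granting anything, and a second login from the same browser succeeds without a password being passed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed identifiers for the two parties and the shared verification key.
IDP_ENTITY_ID = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://connections.example.test/saml"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
ASSERTION_LIFETIME = 300  # seconds; the "token expiration" policy the deck asks for


def sign(key, body):
    """Stand-in for XML-DSig: HMAC over a canonical serialisation of the assertion."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """ADFS/TFIM stand-in: owns the password check and the browser session."""

    def __init__(self, key, users):
        self.key = key
        self.users = users      # username -> (password, attributes)
        self.sessions = {}      # browser session id -> username

    def authenticate(self, session, username=None, password=None):
        # Step 3: an existing IdP session means no credentials are asked for again.
        if session in self.sessions:
            return True
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user[0], password or ""):
            return False
        self.sessions[session] = username
        return True

    def issue_assertion(self, session, request_id, audience, now=None):
        """Step 4: build and sign an assertion bound to one request and one SP."""
        if session not in self.sessions:
            return None
        username = self.sessions[session]
        now = int(time.time()) if now is None else now
        body = {
            "issuer": IDP_ENTITY_ID, "subject": username, "audience": audience,
            "in_response_to": request_id, "not_before": now - 30,
            "not_on_or_after": now + ASSERTION_LIFETIME,
            "attributes": self.users[username][1],
        }
        return {"body": body, "signature": sign(self.key, body)}


class ServiceProvider:
    """Domino/Connections stand-in: never sees a password, only assertions."""

    def __init__(self, key):
        self.key = key
        self.pending = set()    # AuthnRequest ids we issued and have not consumed

    def start_login(self):
        # Steps 1-2: user hits the site; SP redirects to the IdP with a request id.
        request_id = "_" + secrets.token_hex(8)
        self.pending.add(request_id)
        return request_id

    def consume(self, assertion, now=None):
        """Step 5: verify the assertion and only then grant access."""
        now = int(time.time()) if now is None else now
        body = assertion["body"]
        if not hmac.compare_digest(sign(self.key, body), assertion["signature"]):
            return False, "signature check failed"
        if body["issuer"] != IDP_ENTITY_ID:
            return False, "unknown issuer"
        if body["audience"] != SP_ENTITY_ID:
            return False, "assertion issued for a different service provider"
        if body["in_response_to"] not in self.pending:
            return False, "unsolicited or replayed assertion"
        if not body["not_before"] <= now < body["not_on_or_after"]:
            return False, "assertion outside its validity window"
        self.pending.discard(body["in_response_to"])   # one response per request
        return True, body["subject"]


def federated_login(idp, sp, browser, username=None, password=None):
    """Run the five steps once and report whether the SP granted access."""
    request_id = sp.start_login()
    if not idp.authenticate(browser, username, password):
        return False, "IdP rejected credentials"
    assertion = idp.issue_assertion(browser, request_id, SP_ENTITY_ID)
    return sp.consume(assertion)


if __name__ == "__main__":
    idp = IdentityProvider(IDP_SIGNING_KEY,
                           {"gab": ("correct-horse", {"mail": "gab@example.test"})})
    sp = ServiceProvider(IDP_SIGNING_KEY)
    print(federated_login(idp, sp, "browser-1", "gab", "correct-horse"))  # first login
    print(federated_login(idp, sp, "browser-1"))  # same browser: no password re-sent
```

The `in_response_to` check is what stops a captured assertion being presented twice, and the audience check is what stops an assertion meant for one service provider being accepted by another; both are part of the "confirm SAML assertion" step rather than optional extras.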
19. Federation For Social Systems
OAuth / OpenID / Facebook Login!
OpenID is identity federation
OAuth is authorisation
OpenID is built on OAuth
20. Simplified OAuth Process
Steps:
Step 1: User asks Facebook (the consumer) to post on their activity stream
Step 2: Facebook goes to Connections (the service provider) and asks for permission to post
Step 3: The service provider gives the consumer a secret key to give to the user and a URL for the user to click on
Step 4: The user clicks on the URL and authenticates with the service provider
Step 5: The service provider, satisfied the secret key is good, will now allow the consumer access to its services
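The five steps above as an added Python simulation, with the deck's cast: Facebook is the consumer that wants to post, Connections is the service provider that holds the activity stream. This is not the deck's, IBM's or Facebook's code. The consumer id, secret, callback URL, user, password and code lifetime are constructed, and the "secret key" of step 3 is modelled as a one-time grant code that the consumer later exchanges, together with its own registered secret, for a scoped access token. It goes a little beyond the slide in that the user may approve fewer rights than the consumer asked for and the callback URL must match the registration exactly; both are the service provider's controls against the excessive-access and redirect-interception risks the deck raises later.

```python
import secrets
import time

# Constructed registration details for the consumer (the deck's "Facebook").
CONSUMER_ID = "facebook-app"
CONSUMER_SECRET = "constructed-consumer-secret"
CONSUMER_CALLBACK = "https://facebook.example.test/oauth/callback"
CODE_LIFETIME = 120   # seconds the one-time grant code stays valid


class ServiceProvider:
    """Connections stand-in: holds the user's data and issues scoped access."""

    def __init__(self, users):
        self.users = users          # username -> password (constructed)
        self.consumers = {}         # consumer id -> (secret, registered callback)
        self.grants = {}            # one-time code -> grant details
        self.tokens = {}            # access token -> (user, scopes)

    def register_consumer(self, cid, secret, callback):
        self.consumers[cid] = (secret, callback)

    def request_permission(self, cid, callback, scopes, now=None):
        """Steps 2-3: the consumer asks for permission; the SP answers with a
        one-time code and the URL the user must visit. The callback has to match
        the registered one exactly, so the code cannot be sent somewhere else."""
        if cid not in self.consumers or self.consumers[cid][1] != callback:
            return None
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)
        self.grants[code] = {"consumer": cid, "scopes": list(scopes),
                             "user": None, "expires": now + CODE_LIFETIME}
        url = "https://connections.example.test/authorize?code=" + code
        return code, url

    def user_approves(self, code, username, password, approved_scopes):
        """Step 4: the user follows the URL, authenticates with the SP and
        consents, possibly to fewer rights than the consumer requested."""
        grant = self.grants.get(code)
        if grant is None or self.users.get(username) != password:
            return False
        grant["user"] = username
        grant["scopes"] = [s for s in grant["scopes"] if s in approved_scopes]
        return True

    def exchange_code(self, cid, secret, code, now=None):
        """Step 5: the SP checks the consumer's secret and the code, then issues
        an access token carrying only the approved scopes."""
        now = time.time() if now is None else now
        grant = self.grants.pop(code, None)    # single use: a replayed code is gone
        if grant is None or grant["consumer"] != cid:
            return None
        if not secrets.compare_digest(self.consumers[cid][0], secret):
            return None
        if grant["user"] is None or now > grant["expires"]:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (grant["user"], grant["scopes"])
        return token

    def act(self, token, action):
        """Resource access: every call is checked against the scopes granted."""
        entry = self.tokens.get(token)
        return entry is not None and action in entry[1]


def consumer_posts_on_behalf(sp, username, password, requested, approved):
    """Drive all five steps in the deck's order and report what the consumer got."""
    sp.register_consumer(CONSUMER_ID, CONSUMER_SECRET, CONSUMER_CALLBACK)
    result = sp.request_permission(CONSUMER_ID, CONSUMER_CALLBACK, requested)
    if result is None:
        return {"token": None, "can_post": False, "can_read": False}
    code, url = result                      # url is what the user would click
    sp.user_approves(code, username, password, approved)
    token = sp.exchange_code(CONSUMER_ID, CONSUMER_SECRET, code)
    return {"token": token,
            "can_post": sp.act(token, "post"),
            "can_read": sp.act(token, "read")}


if __name__ == "__main__":
    sp = ServiceProvider({"gab": "constructed-password"})
    print(consumer_posts_on_behalf(sp, "gab", "constructed-password",
                                   ["post", "read"], ["post"]))
```

The user's password is only ever typed at the service provider (step 4); the consumer holds a token limited to what was approved, which is the "puts the user in control" property the deck credits OAuth with.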
21. IBM Products As SAML Service Providers
✤ Verse on premises and cloud
✤ Domino
✤ Notes - both on premises and Smartcloud
✤ Connections
✤ WebSphere
29. Personas
✤ Do you want to tie everything together?
✤ Do you have the same persona everywhere?
✤ Is the language you use, your opinions, your political views common everywhere
  ✤ and something you want to share?
30. Federation
✤ Once all systems are integrated all systems are vulnerable
✤ You are only as protected as your least secure password / authentication model
✤ Understand what services or service providers you have authorised, what information they hold, what their privacy policies are and what their security policies are
✤ Make sure users understand they have to logout
31. OAuth/OpenID
✤ Theft of credentials
✤ Excessive access and data rights
✤ Theft of data
✤ Brute force guessing of credentials
✤ URL redirects or interceptions through incomplete URL requests
✤ Token interceptions
✤ Puts the user in control - this is not a bad thing
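One consequence of slides 30 and 31 for the people running the systems: when every system accepts the same identity, a guessing attempt against an account on one system is an attempt against all of them, so login failures have to be looked at across systems rather than per product. As an added example (not the deck's or IBM's code), the following Python reads a constructed, merged authentication log in an assumed one-line-per-attempt format and flags three things: repeated failures for one account from one source, one source failing against many accounts, and a success from a source that had just failed repeatedly. The log format, system names, timestamps, users and addresses are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample log: one line per authentication attempt, merged from the
# deck's example systems. Timestamps, users and addresses are all made up.
SAMPLE_LOG = [
    "2017-02-14T09:00:01 sametime auth=ok user=gab src=192.0.2.10",
    "2017-02-14T09:10:00 traveler auth=fail user=gab src=203.0.113.9",
    "2017-02-14T09:10:20 traveler auth=fail user=gab src=203.0.113.9",
    "2017-02-14T09:10:40 connections auth=fail user=gab src=203.0.113.9",
    "2017-02-14T09:11:00 connections auth=fail user=gab src=203.0.113.9",
    "2017-02-14T09:11:20 traveler auth=fail user=gab src=203.0.113.9",
    "2017-02-14T09:11:40 sametime auth=ok user=gab src=203.0.113.9",
    "this line is malformed and must be skipped",
    "2017-02-14T09:30:00 connections auth=fail user=alice src=198.51.100.7",
    "2017-02-14T09:30:05 connections auth=fail user=bob src=198.51.100.7",
    "2017-02-14T09:30:10 connections auth=fail user=carol src=198.51.100.7",
    "2017-02-14T09:30:15 connections auth=fail user=dave src=198.51.100.7",
    "2017-02-14T09:45:00 traveler auth=fail user=erin src=192.0.2.22",
]

LINE_RE = re.compile(r"^(\S+) (\S+) auth=(ok|fail) user=(\S+) src=(\S+)$")


class Event(NamedTuple):
    ts: datetime
    system: str
    result: str
    user: str
    src: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one line of the assumed format; anything else is skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, system, result, user, src = m.groups()
    return Event(datetime.fromisoformat(ts), system, result, user, src)


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Return (kind, user, src, time) alerts. Systems are deliberately ignored:
    with a single identity the count that matters is per account, not per product."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    fails = defaultdict(deque)          # (user, src) -> recent failure times
    users_by_src = defaultdict(dict)    # src -> {user: last failure time}
    alerts = []
    for e in events:
        recent = fails[(e.user, e.src)]
        while recent and e.ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if e.result == "fail":
            recent.append(e.ts)
            if len(recent) == fail_threshold:         # fire once, when the threshold is hit
                alerts.append(("guessing", e.user, e.src, e.ts))
            seen = users_by_src[e.src]
            seen[e.user] = e.ts
            active = [u for u, t in seen.items() if e.ts - t <= window]
            if len(active) == spray_threshold:
                alerts.append(("spray", None, e.src, e.ts))
        else:
            if len(recent) >= fail_threshold:         # the guess may have landed
                alerts.append(("success-after-failures", e.user, e.src, e.ts))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the five failures for `gab` are spread over Traveler and Connections, so no single product would see the threshold; the merged view does, and the Sametime success that follows from the same address is the line worth acting on.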
33. Internet Of Things
✤ A physical device with embedded internet connectivity and “always on” status
✤ The beauty of IOT devices is that they are integrated into your life
  ✤ there’s no individual authentication
✤ They know everything they need to know simply because of their placement or setup
✤ Their true value is in learning about those things we discussed earlier, preferences, behaviour, patterns
34. Risks With IOT
✤ Physical devices may now come with built in connectivity as an added feature
✤ Companies who didn’t deploy them for that feature may also not have security policies in place to disable or limit it
✤ Risk assessment happens too late
37. Prepare
✤ Have a good directory and define security policies such as token expiration
✤ Protect At Every Point Of Entry
✤ You don’t put a value on the information but someone else will
✤ Your identity has value
✤ Train users to log out, clean caches and understand what multi system access means
✤ Include risk assessment for IoT in any hardware purchasing and deployment
38. Lots of Good
✤ More passwords and stronger passwords don’t lead to better security
✤ Avoiding passwords entirely but authenticating based on existing information can be more secure
✤ Users are more likely to engage with systems that have fewer barriers to entry
✤ The more systems know about us, how we work and what we need the better they can serve us
✤ There are enormous volumes of data being produced across systems that can be used to save time, cost and effort
41. Notices and disclaimers continued
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.