Agenda

This talk will explore the impact of Internet scale on federated identity and access management, analyze the first few waves of solutions that strive to put users in control, and propose requirements for a more complete answer. It will conclude with a review of the work under way on User-Managed Access (UMA), which attempts to solve these requirements.

• Challenge: internal users, external users and broker users acting with a power of attorney
• Login process functionality with selection of user context
• Programmatic authorization within the application – entitlements to user profiles with restrictions (customers, portfolios, line-of-businesses)
• Embedded user- and entitlement administration within IF Login Nordic
• Integration to centralized IdM through IF specific IdM web services

Using current SIM card technology, Near Field Communication and identity frameworks, mobile phones have the power to turn into the user-centric identity management device of the future. The concept of Deutsche Telekom Laboratories allows credit cards, loyalty cards, access cards, membership cards, tickets and tokens to live in co-existence on a device that combines SmartCard security with SmartPhone convenience.

First implementations prove feasibility for use at registers, ticketing, access control etc. using NFC at the POS or premises, but also leading the way towards a card-based identity framework that covers Internet use on the SmartPhone, or even a PC. Existing standards are employed to guarantee the openness required for a wide acceptance across issuers, relying parties, and users alike.

The steadily growing demand to use internet services also "on the move" pushes the market penetration of mobile devices (such as iPhone, Nexus One) as well as of mobile applications.

All service offerings require a user identifcation to be offered in personalized form. A main success factor for the mobile usage is the usability, as the user just wants to use the services "on the move" without special login effort and without any additional registration need. In many cases, new mobile service offerings are also a result of the clever combination of various services from different providers (= mash-ups) to create new, functional applications. Therefore also the option of obtaining services from other providers on behalf of the customer is required.

There are many possibilites to provide personalized services and mash-ups "on the move". But what are the pros and what are the cons of either using existing or arising technologies.

Digital Identity has grown separately in IMS and Internet. While the one offers walled garden services the other is focused on openness and third party integration. However, for future Telco-business an inter-working of IMS and Internet is needed. A methodology where real use cases are used shows the benefits for operators, SPs and end-users by bridging these two worlds. These use cases cover the exposure of IMS authentication to Web services, exposure of Web federations to IMS networks and exposure of IMS resources to Web 3rd parties. In an IMS domain, for SSO, SAML assertions are conveyed in SIP messages. In a multi-domain world, the SSO solution is based on a GAA/GBA solution. For attribute sharing, LAP ID-WSF messages are used. When a Web Service Provider (WSP) exposes user data being retrieved from the IMS a resolution of the mapping between the SAML identifier and the IMPU is needed. The working assumption is that the user experience should be seamless while keeping attention to security and privacy. The main findings and conclusions is that no new technologies are needed. It is enough for IMS and DigId technologies to complement each other.

In the ever evolving virtual world it is a challenge to define "identity", leave apart managing identities. I will start with the most accepted definition "Identity management is a broad or rather evolving administrative area that deals with identifying individuals in a system (such as a country, a network or an organization) and controlling the access to the resources in that system by placing restrictions on the established identities". Coming from the private wealth business needless to say identity management process must be watertight. The identity management paradigm of pure identity, user access and service must be complemented with additional dimensions of need to know principle, cost overhead, user productivity and multi eyes approval process.

There is no easy way if this problem is looked in isolation. What can we do? Create a process that takes into account the entire lifecycle of an identity across all systems. This is a good starting point to look at the best practices which I am going to discuss...

• Use of Enterprise roles for SAP and non-SAP applications
• User provisioning and role assignment via the Identity Management System – connected to Active Directory
• Identity management Framework for the reduction of management effort for user creation and role assignment

Application roles from SAP and in-house developed non-SAP systems can be consolidated within the scope of an Identity management Framework to generate Enterprise roles. The effort involved in provisioning of users and the assignment of Enterprise roles to these users can be significantly reduced using an Identity management system. The users can then log on via the portal using Single Sign On and can access their applications based on the assigned Roles.

The FC² project is a French cross-sector initiative formed by private companies (Gemalto, Atos, EADS, Orange…), government and academic actors. The purpose is to implement a comprehensive platform that allows new secure electronic services based on transparent and interoperable Identity Management. During this session, we will share our vision on how digital identity management technologies can boost high value online services for a thriving digital economy and administration.

Several use cases have been selected and developed with business partners. They cover a broad range of cross-domain online services such as financial services subscription and payment, full mobile phone subscription dematerialization, e-commerce in general, enrolment in the administrative roll, child care centre or judicial inquiry. These scenarios involve the management of digital identities issued by national or local authorities, banks, telcos.

Through the implementation of these use cases, the goals of the project are the following:

• to define and implement an interoperable identity architecture
• to implement a dedicated infrastructure for service providers,
• to provide strong authentication means and privacy respectful services for end users.

The target services propose a simple and consistent usage of identity through several original concepts such as brokered authentication and SSO, multiple card selection in InfoCard, dynamic claims, integration of eID cards and other identification tokens for authentication, signature and attributes sharing. These innovations should radically change registration processes and thus propose a whole new enhanced user experience.

Based on an extensive collaboration with the open source project (Higgins), we have developed innovative software that we will demonstrate during the session: Java InfoCard Smart Selector, Windows mobile identity selector, online and USIM based InfoCard wallet, SEPA secured payment with InfoCard, hybrid Liberty / InfoCard identity provider.

The pilot experiments that will be managed through these use cases will be a first step towards large deployment in France. The project also investigates innovative business and operational models, acceptable by all players of the value chain.