All the hip new Enterprise architectures feature phrases like “claims based distributed federated identity authorization and trust with single sign on” (or some permutation thereof) on their PowerPoint slides. If you find yourself firing up MSDN or Wikipedia to understand what any of this stuff means, you may be better off just looking in your wallet or purse first. For within, you carry everything you need to understand the concepts behind the techno speak. Just take a look at your driver’s license. The ways in which you use your drivers license in the real world is an analog (and precursor) to a lot of this technology. Old wine in new bottles.
Federated Identity Management
Consider what happens when you try to catch a flight at the airport.
To board a flight (access a service), you must pass an authorization check. FAA security policy mandates that you can board the aircraft only if you are a member of specific security group – the set of passengers who have purchased seats on the flight.
To perform the authorization check, the airport staff demands two security tokens from you:
- Your identity token – your photo ID
- Your boarding pass – or ticket.
Whoa dude, roar the security experts. But that photo ID is sooo easy to fake! Heck, did it themselves in their misspent youth – creating IDs issued to McLovin and using them to procure restricted beverages.
Fortunately, the airport chaps are security veterans, and don’t accept any old photo identity token. They only accept tokens issued by specific trusted identity management entities, such as:
- The Dept. of Motor Vehicles of the 50 US states and territories – which issue driver’s license identity tokens.
- The Governments of the world’s sovereign nations – which issue passport identity tokens
The agency that issues your identity token is a security token service (STS). Airport security trusts the STS because it knows (hopes) that the STS has worked hard to verify:
- Your true identity – your name, your address, your weight (probably a lie)
- Your membership in the trust domain the STS is responsible for, such as:
- Residents of the State of Washington
- Citizens of the United States
To coax a drivers license out of a trustworthy STS, you submit credentials issued by a trusted third party – your birth certificate, your social security card, your citizenship naturalization certificate.
Airport security accepts identity tokens issued by an entire planet’s worth of distributed security token services, each responsible for its own trust domain. This cross domain trust is called federation. When the airport federates with those trusted Motor Vehicle STSes, it becomes a relying party in the trust model. Which means that if you produce a driver’s license issued to Cosmo Kramer (or McLovin)- well, you must be Cosmo Kramer – cause it says so on the card, and airport security is relying on it. Welcome on board the flight!
Like all security tokens, your license has a Unique ID and an expiration date. The license also bears the signature of the issuer – WASHINGTON – and other marks that are hard to duplicate (for a while). Modern licenses also include a hologram or some device visible only under ultra-violet or black light. The issuer encloses the license in a tamper proof container and may include serial numbers and barcodes.
You’ve seen airport staff validate your license. They shine a black light source on it or peer at it closely with a magnifying eye piece. Beware, McLovin, for they mean business.
Claims & Assertions
Your drivers license contains several claims or assertions about you. These claims are made by the license issuer – the Dept. of Motor Vehicles. Your license contains several types of claims. For example:
- Your name
- Your picture
- Your address
- Your physical signature
- Organ Donor
- Your birthday
- Your Sex
- Eye Color
Claims Based Authorization
To be allowed onto your flight, you must satisfy the FAA’s claims based authorization security policy.
Airport security enforces your access to the airplane, by executing claims based access check rules.
- The first rule uses a sophisticated human vision algorithm & advanced biological neural nets to match the Photo identity claim on your license to your lovely face.
- The second rule compares the Name identity claim on your license to the name printed on your boarding pass.
license.Claim[“Name”] == boardingPass.Name
If you don’t satisfy these rules, you shall not pass!
Federated Single Sign On
Your driver’s license is quite a remarkable security token. You can use the same driver’s license to board an airplane at any airport in the country!
The same security token even helps you to get that drink at the airport bar. The bartender, Stella, also uses claims based authorization to restrict access to her fine Guinness. The bar’s security policy dictates that you must be over 21 to be served. Therefore, Stella executes the following access check rule on the Birthday Claim in your license:
Years(Today’sDate – license.Claim[“Birthday”]) >= 21
And the wonders don’t cease. When you leave the airport, you find that you can use the same driver’s license to use another service – the rental car agency!
This magic is called single sign on. All you have to do is go to the local Motor Vehicle Bureau once, present your identity credentials and get your identity token. Armed with this one token, you can gain access to any service that federates with the State Motor Vehicle STS – i.e. accepts a driver’s license issued by the state. And each of these services can use the claims and assertions in your license to then enforce rule based access control and security policy.
Driver’s licenses are one of the real world’s means for delegated, distributed, federated claims based authorization and single sign on. With this concept well understood, you can now safely fire all your software engineers and replace them with the good folks from the Dept. of Motor Vehicles. Or at least be able read the literature on WS-Federation, SAML and related technologies without getting an immediate stroke.