Platform Identity Management Nederland (PIMN)

PIMN voor beter identity management

Cook Book for Massively Scalable Telco IdM Systems

Grote plannen volgens de notulen van http://kantarainitiative.org/confluence/display/telcoid/Home

The objective of the meeting was to come up with an idea for the scope of the study so that a preliminary ToC could be produced

1. Cook Book for Massively Scalable Telco IdM Systems

The work philosophy is to see what the functional requirements are for such massively scalable IdM implementation. This will lead to constraints and a possible technical solutions to address those constrains. Final document should be detailed and illustrated in a way that someone should be able to implement it as a 'Reference Architecture'. Potential target candidate for implementation could come from industry [eg: ForgeRock, Lasso, Ericsson, ...] or University/ Research [eg: Fraunhofer, ...].

The working assumption for requirements/implementation time frame is ~36 months. Architecture will be declined in three classes going from large to extra/extra-large.

Size [Millions users]
Target
L
5-10
regional operators
governments
bank
XL
50-100 national operators [ex: SwissCom, Telenor, ...]
XXL
250-500 global operators [Orange, Vodafone, T-Mobile, ...]
huge countries [China, India]
global web-2.0 services

5 areas were identified, namely: Authentication, Attribute sharing, network, scaling and O&M. These areas came out from discussions on what functionality our system should have:

  • Authentication, Multi-level authentication (weak -> strong)
  • profiling information
  • session management
  • Multi-pass access (SSO, mail, MSISDN , chat (?))
  • Attribute sharing
  • Network
  • Scaling
  • 3rd party

These items were later group to the 5 mentioned beforehand:

  • Authentication:
    • Assurance FW (Basic to Strong)
    • House-hold network authentication
    • MSISDN (2G/3G network authentication)
    • One-time token by SMS
    • Strong authentication leveraging SIM toolkit
    • GAA/GBA (proper GAA authentication)
    • user/passwd
    • 3rd party authentication: SAML, OpenID, InfoCard.
  • Attribute sharing
    • Authorisation:
      • OAuth: -- or ++ 'versions'
      • SAML AX ? (in scope?)
      • OpenID AX ? (in scope?)
      • horizon 36 months -> no proprietary protocols/APIs, like today
      • Which attributes do you really need and where are they stored? Service Profile, Personal Profile, Billing (on-bill, off-bill (credit card)), Social Network (APIs)
        • Today, the model is to have a local copy of the data. This is difficult to sustain for the future. Today, discovery is not needed as a local copy is stored.
      • What is our vision on how AS will be done in the future?
      • DST (XPATH (SQL-like way to query attributes stored as XML) is not the value in ID-WSF.
      • ID-WSF -> ITU-T, SOAP-binding, discovery, Sech. Mech.) Use this in our Cook Book?!
      • Privacy, minimal disclosure, right to forget.
      • Assurance FW (for attributes, e.g., postal address, nationality)
      • Leverage Geolocation, presence (delivery -> agree (SMS if not)), messaging (call-back).
      • IPTV:
        • who is watching?
        • multi-device SSO
        • old people (if not watch TV every day or during certain hours -> alert relative
        • children (advertise Mickey Mouse, etc.)
  • Network
    • Multiple IdP implementation
    • Global DNS distribution
    • Break SSL at Fire Wall => use HW accelerator -> security mechanisms implementation
    • Load balancing
    • Fail-over in network
  • Scaling
    • Model
    • Distribution of users depending on:
      • subscription (gold, heavy user, etc.)
      • new DB or removal of DB in system
      • multi-country, consolidation might not be possible
        • problems (legal, performance, fail-over) => broker (or proxy), attached to the IdP?
    • Load model
    • Numbers:
      • #sessions
      • how to store sessions
      • #auth/s
      • #acticveSessions
      • life cycle of sessions in general
      • back-end repository
        • read-write/s, provisioning
        • which information shall be stored in the IdP repository vs. attribute sharing
        • make back-end repository as small as possible, 'as small as possible' needs to be defined
        • define relation between IdP repository and attribute (PP, EP, Geolocation, Presence, etc.) repository
  • O&M
    • User Management, provisioning
    • User migration
    • Adding a new service, adding a new authentication method, adding a 3rd party for something.
2. Next Steps

It was decided that Fulup [Oracle] will start leading the work. The ideas will be presented to the KI TI WG for comments. Later on, the work will be presented to other key people in KI and to the KI e-gov WG, probably during the next KI conference in Paris in October [Orange Labs]

Weergaven: 28

Opmerking

Je moet lid zijn van Platform Identity Management Nederland (PIMN) om reacties te kunnen toevoegen!

Wordt lid van Platform Identity Management Nederland (PIMN)

Doe mee op LinkedIn

Vaker een update en goede mogelijkheid om zichtbaar te zijn.

© 2018   Gemaakt door Jaap Kuipers.   Verzorgd door

Banners  |  Een probleem rapporteren?  |  Algemene voorwaarden