
Federation—the enabler for electronic business

HP OpenView Federated Identity Management puts control in the hands of the business user

Category: Authentication

Date: , 14:00

Company: HP

Traditionally, identity management has been a core component of security infrastructures, where it is used to maintain account information that allows users to log in to a system or a limited set of applications. An administrator issues accounts so that resource access can be restricted and monitored. Control has been the primary focus for identity management. More recently, however, identity management has exploded out of the sole purview of information security professionals and has become a key enabler for electronic business through a technological innovation called federation. This innovation was not a revolution but an evolution, one that came about as a result of the increasing number and complexity of online distributed systems that both house and manage some portion of our identity.

Federation is the combination of business and technology practices to enable identities to span systems, networks and domains in a secure and trustworthy fashion. This is analogous to how passports are used to assert our identity as we travel between countries.

Table of contents

- Introduction
- Drivers for federation
- Federation concepts
- Technological components
- Standards and initiatives
- Business benefits
- Conclusion: The HP OpenView solution
- About HP

Introduction
As the richness of our electronic lives mirrors our physical world experience, as activities such as shopping, discussion, entertainment and business collaboration are conducted as readily in the cyber world as in person, we begin to expect more convenience from online distributed systems. We expect our personal preferences and profile to be readily available so that, for example, when we visit an electronic merchant we needn't tediously enter home delivery information. We expect that when participating in a discussion, we can check the reputation of other participants; when accessing music or videos, we first see the work of our favorite artists; and when conducting business, we know that our partners are authorized to make decisions. Today, federated identity management systems are fundamental to underpinning accountability in business relationships, providing customization of the user experience, protecting privacy and adhering to regulatory controls.

Since the advent of the Internet, more and more e-business transactions have been taking place online (B2B, B2C, B2E). These online transactions typically reach throughout and beyond an enterprise, requiring users to move across networks, applications and security domains. Enterprises are continually extending their business processes outside their traditional boundaries to conduct electronic business with partners and suppliers. To be effective, this movement must be transparent to the user, secure and privacy-friendly. Because customer service and satisfaction remain priorities, employees, business partners and consumers need to have things made as easy as possible when accessing targeted online services. This means, among other things, that they should not be burdened with multiple username/password combinations.

Consider what's involved in this kind of convenience: a single identity with one registration process and one log-in procedure. This can actually be quite complex when you take into account the expanding number of users needing access and the expanding number of online applications, many of which are not within the span of control of the enterprise.

For these reasons, a single organization cannot effectively manage or control an e-business initiative from beginning to end, especially when multiple organizations are involved. Even within the enterprise, different business units often manage distinct sets of users and resources. Federation makes it possible for an authenticated identity to be recognized and take part in personalized services across multiple domains. By implementing federation technologies, a business can gain greater efficiency with IT expenditures, realize new revenue opportunities with its business partners, and expand its product and service offerings to its customers. That's why organizations are turning to federated identity management to address their e-business challenges.

Figure 1. Multiple views of identity (the aggregate "me" as seen by myself, a credit bureau, Foo.com, the government and an employer)

Drivers for federation

To best understand the business and technical aspects of federation, one must first examine the various industry drivers that have brought it about. Several trends have combined to drive the need for federated identity systems. Consumers, e-businesses, enterprises and governments all see value in the emergence of mature identity management systems. Often the requirements of these communities are complementary, but in some cases conflicting needs raise new issues.

Consumer trends

With each new website a user discovers, consumers find themselves creating a new digital identity. This proliferation of accounts is tedious both in the work needed to keep information correct and in the need to remember unique account name/password combinations. Often this leads to security vulnerabilities, such as when consumers choose poor, easy-to-remember passwords or use the same password at a collection of independent sites, so that one site's breach exposes the others. Consumers are interested in web and non-web based single sign-on that allows easy access to a variety of sites.

The emergence of information aggregators for financial services in the late 1990s is evidence that consumers are driven to the convenience of easy access even at the expense of disclosing some sensitive information to a third party. These aggregators provided a portal that extracted information from the consumer's financial service providers. To access this information, consumers needed to disclose account information and access passwords to the independent aggregator service.

Consumers, however, have demonstrated resistance to the notion of a single universally usable digital identity. The selective disclosure inherent in managing independent identities allows users to maintain different personas for different interaction environments. This is consistent with how people interact in the physical world and is illustrated in Figure 1. As a result, consumers are looking for identity management systems that support some degree of anonymity or pseudonymity.

e-Business trends

Electronic businesses are motivated to please their customers and therefore to deploy the ease-of-use aspects enabled by identity management systems. Perhaps more importantly, they are also looking to extract direct value from the system. For large conglomerates, a federated identity management system allows e-businesses to consolidate their relationships with customers: it allows the organization to present a single face to the consumer.
Personalization systems allow the business to learn about the consumer and then target advertisements and special offers based on individual history and stated preferences.

Enterprise trends

User account and password management has long been a major expense for enterprise IT organizations. Network operating systems and environments have provided some relief by allowing a single account and password to work on a collection of machines, but this has failed to provide true single sign-on for heterogeneous environments. As enterprises are driven to greater degrees of collaboration with business partners, and as they integrate supply chains, the number and diversity of systems and applications increases. Enterprises are driven toward federated identity management solutions that will address heterogeneity issues and allow them to integrate with their business partners. They need systems that provide for independent administration, provide strong accountability for business transactions, and represent a reusable architecture that can be applied to the next business partner to come online.

Figure 2. Business-to-employee scenario (company portal federated with 401k and travel service providers)

Figure 2 represents an enterprise example of federation in a simple business-to-employee scenario. Here the company's goals are to provide timely access to external employee resources, reduce administrative overhead, and quickly form new service relationships as the need arises with little IT investment. The solution is to use federation to allow for the sharing of identity information between the company and its employee service providers (e.g., 401k and travel). Employees authenticate with the corporate portal, and when they navigate to the service provider site they will not need to re-authenticate. The employee service provider, via a trust relationship and a shared security assertion, will grant access to its site and provide a personalized experience based upon the attributes that are exchanged (e.g., employee ID, state of residence).

Government trends

With the evolution of e-government initiatives, governments share many of the concerns motivating e-businesses. Scale, however, is more of a concern for government organizations: few businesses have a customer base the size of a government's citizenry.

Governments do have some other concerns, most of which revolve around compliance with various industry- or country-specific regulations that focus on privacy and the storage/transmission of personally identifiable information. These regulations establish requirements for the privacy policy control component of a federated identity management system, and impose constraints on how businesses exploit identity information. The following is a small sampling of these regulations:

Anti-terrorism
- Foreign Corrupt Practices Act
- Homeland Security Act
- Patriot Act

IT compliance
- SEC 17A-4
- Calif. SB 1386

Financial compliance
- Basel II
- Sarbanes-Oxley
- Gramm-Leach-Bliley
- CoCo

Manufacturing compliance
- DOT mandates
- MSDS
- OSHA mandates
- FDA 21 CFR Part 11

Health records
- HIPAA

General data privacy
- European Data Protection Directive
- Canadian Personal Information Protection and Electronic Documents Act

Figure 3. Account linking (a user with accounts at both a credit union and a bookseller)

Federation concepts

There are several concepts related to federation that drive a federated identity solution's value when correctly implemented. This section explores the key concepts of single sign-on, account linking, attribute sharing and privacy.

Single sign-on

Single sign-on allows a user to perform primary authentication once and then access the set of applications and systems that are part of the identity management environment.
Single sign-on in the context of federation means that authentication can take place seamlessly across multiple, heterogeneous security domains, both within and between businesses.

Account linking

Account linking allows a user with multiple service and/or application accounts to link these accounts for future authentication and sign-in at those sites. Essentially, a mapping of distributed account information is taking place. As an example (refer to Figure 3), Jane has an account (Jane123) with her credit union where she performs online banking operations. She also has an account at an online bookseller (JaneTheBookLover). In order for the online bookseller to accept authentication assertions from Jane's credit union, and for the bookseller to make payment requests to the credit union, the two organizations must agree on a mapping between their account identifiers, so that an assertion about Jane's credit union account is recognized as referring to JaneTheBookLover, and vice versa. For security and privacy reasons, most distributed account mappings are done using a pseudonym (an opaque alias agreed between the two providers) instead of the actual account names: each side maps the pseudonym to its own local account, and neither side needs to learn the other's identifier. Because the pseudonym is specific to each pair of providers, this also helps prevent collusion between multiple service providers, which cannot correlate Jane's accounts by comparing the identifiers they receive.

Attribute sharing

Federation is more than just single sign-on. It also includes the secure sharing of identity attributes for the purposes of personalization, making fine-grained access control decisions or completing a transaction. Consider the earlier example of Jane's credit union and the online bookseller: attribute sharing could be used to allow the bookseller to retrieve Jane's credit card number from the credit union to complete an online purchase, without the need for Jane to supply it for each transaction or for the bookseller to store it locally. Personalization allows an organization to tailor the user experience for a given individual, leading to a streamlined interface for the user and the ability to target information dissemination for a business.

Privacy

In a federated environment where accounts can be linked and attributes shared, it is vital to protect personally identifiable information. Besides employing strong security measures at the protocol and transport layers of the interactions, processes around end-user consent and control, anonymity and pseudonymity need to be employed. Account linking should only occur with prior user consent. What attributes are shared, and with whom, should be based upon the policies designated by the end user. Additionally, there needs to be the capability to share pertinent attribute information in an anonymous fashion. It is not always pertinent to a service provider who the end user is, so why share that information needlessly? For example, a weather service provider only needs to know your location (e.g., ZIP code); the fact that your name is John Doe need not be revealed in order to provide the local forecast.

Technological components

Because federation is a core element of robust identity management solutions, it is important to understand the technological underpinnings of such solutions (Figure 4).

Data repository components

Directory services and meta-directories deal with the representation, storage and management of identity and profile information and provide standard APIs and protocols for their access. Data repositories are often implemented as an LDAP-accessible directory, meta-directory or virtual directory, or a database. Policy information governing access to and use of information in the repository is generally stored here as well.

Security components

- Authentication providers. The authentication provider, sometimes referred to as the identity provider, is responsible for performing primary authentication of an individual, which links them to a given identity. The authentication provider produces an authenticator, a token that allows other components to recognize that primary authentication has been performed. Primary authentication techniques include mechanisms such as password verification, proximity token verification, smart-card verification, biometric scans, or even X.509 PKI certificate verification. Each identity may be associated with more than one authentication provider. The mechanisms employed by each provider may be of different strengths, and some application contexts may require a minimum strength to accept the claim to a given identity.

- Authorization providers. An authorization provider enforces access control when an entity accesses an IT resource. Authorization providers allow applications to make authorization and other policy decisions based on privilege and policy information stored in the repository. An authorization provider can support simple access control management at the OS level, more sophisticated role-based access control (RBAC), and up to flexible, distributed, policy-driven authorization at the application and service levels.

- Auditing providers. Secure auditing provides the mechanism to track how information in the repository is created, modified and used. This is an essential enabler for forensic analysis, which is used to determine how and by whom policy controls were circumvented. Auditing is a fundamental technology required for demonstrating adherence to most regulations.
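The account linking, attribute sharing and privacy concepts above, together with the authenticator issued by the authentication provider, can be seen working together in the following added example, which is not code from the white paper or from HP's product. It models Jane's credit union as the identity provider and the bookseller and a weather site as relying parties: the credit union issues a signed assertion whose subject is a pairwise pseudonym (different for each relying party, so the two sites cannot correlate her accounts), releases only the attributes Jane has consented to for that party, and each relying party verifies the assertion before mapping the pseudonym to its own linked account and records the outcome for audit. All names, keys, attribute values and the JSON token format are constructed for the illustration; real deployments exchange XML assertions (SAML, Liberty ID-FF) signed with XML-DSig and X.509 keys rather than JSON signed with a shared HMAC key, and Jane's primary authentication at the credit union is assumed to have already happened.

```python
# Added example, not code from the white paper or HP's product: a toy federated
# SSO exchange; names, keys and the JSON token format are constructed.
import hashlib
import hmac
import json
import time

IDP_ID = "creditunion.example"  # constructed identity provider name
# Federation management: one key per trust relationship, shared out of band.
SP_KEYS = {
    "bookseller.example": b"constructed-key-shared-with-bookseller",
    "weather.example": b"constructed-key-shared-with-weather",
}
PSEUDONYM_SECRET = b"constructed-idp-secret-for-pseudonyms"
ASSERTION_LIFETIME = 300  # seconds

def sign(key, body):
    """HMAC over a canonical serialization so both sides sign the same bytes."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class IdentityProvider:
    """Authentication provider: issues an assertion for one relying party
    after primary authentication (assumed to have already happened)."""

    def __init__(self):
        # Data repository: attributes plus the per-relying-party release
        # policy the user consented to; nothing is released by default.
        self.accounts = {"Jane123": {
            "attributes": {"name": "Jane Doe", "zip": "94304",
                           "card_number": "4111111111111111"},  # constructed
            "consent": {"bookseller.example": {"card_number"},
                        "weather.example": {"zip"}},
        }}
        self.audit = []

    def pseudonym(self, user, sp_id):
        """Stable per (user, relying party) but different for each relying
        party, so two sites cannot correlate Jane by comparing subjects."""
        msg = f"{user}|{sp_id}".encode()
        return hmac.new(PSEUDONYM_SECRET, msg, hashlib.sha256).hexdigest()[:24]

    def issue_assertion(self, user, sp_id, requested, now=None):
        acct = self.accounts[user]
        now = int(time.time()) if now is None else now
        allowed = acct["consent"].get(sp_id, set())
        # Attribute sharing filtered by the user's policy: unconsented omitted.
        attrs = {a: acct["attributes"][a] for a in requested if a in allowed}
        body = {"issuer": IDP_ID, "audience": sp_id,
                "subject": self.pseudonym(user, sp_id),
                "issued_at": now, "expires": now + ASSERTION_LIFETIME,
                "attributes": attrs}
        self.audit.append(("assertion_issued", user, sp_id, sorted(attrs)))
        return {"body": body, "signature": sign(SP_KEYS[sp_id], body)}

class ServiceProvider:
    """Relying party: verifies assertions from the trusted identity provider
    and maps the pseudonym to its own local account."""

    def __init__(self, sp_id):
        self.sp_id = sp_id
        self.idp_key = SP_KEYS[sp_id]
        self.links = {}  # pseudonym -> local account (account linking)
        self.audit = []

    def link_account(self, pseudonym, local_account):
        """Opt-in linking: done only after the user, logged in locally, consents."""
        self.links[pseudonym] = local_account
        self.audit.append(("account_linked", local_account))

    def consume_assertion(self, assertion, now=None):
        body, sig = assertion["body"], assertion["signature"]
        now = int(time.time()) if now is None else now
        # Signature first: no field is trusted before the message is authenticated.
        if not hmac.compare_digest(sig, sign(self.idp_key, body)):
            return self._reject("bad_signature")
        if body["issuer"] != IDP_ID or body["audience"] != self.sp_id:
            return self._reject("wrong_issuer_or_audience")
        if not body["issued_at"] <= now < body["expires"]:
            return self._reject("expired")
        local = self.links.get(body["subject"])
        if local is None:  # never linked: refuse rather than auto-provision
            return self._reject("unlinked_subject")
        self.audit.append(("sso_accepted", local, sorted(body["attributes"])))
        return "ok", {"account": local, "attributes": body["attributes"]}

    def _reject(self, reason):
        self.audit.append(("sso_rejected", reason))
        return reason, None

if __name__ == "__main__":
    idp, books = IdentityProvider(), ServiceProvider("bookseller.example")
    books.link_account(idp.pseudonym("Jane123", "bookseller.example"),
                       "JaneTheBookLover")
    token = idp.issue_assertion("Jane123", "bookseller.example",
                                ["card_number", "name"])
    print(books.consume_assertion(token))  # card_number released, name withheld
```

Note the order of checks in consume_assertion: the signature is verified before any field is read, an assertion naming another issuer or audience or one that has expired is rejected, and a subject that has never been linked is refused rather than auto-provisioned, which keeps account linking the explicit, consented step the privacy section calls for. The weather site, to which Jane has only consented to release her ZIP code, receives an assertion with no name and no card number, which is the anonymous attribute sharing described above; and because its pseudonym for Jane differs from the bookseller's, the two sites cannot correlate her accounts even if they compare notes.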
Lifecycle components

- Provisioning. Provisioning is the automation of all the procedures and tools to manage the lifecycle of an identity: creation of the identifier for the identity; linkage to the authentication providers; setting and changing attributes and privileges; and decommissioning the identity. In large systems, these tools generally allow some form of self-service for the creation and ongoing maintenance of an identity, and frequently use a workflow or transactional system to verify data with an appropriate authority and to propagate data to affiliated systems that may not directly consume the repository. To manage these lifecycle processes, robust workflow and change management are required capabilities of the provisioning component.

Figure 4. Technological components of federated identity management: security components (authentication, authorization, auditing); data repository components (directories, meta-directories, virtual directories, databases); lifecycle components (provisioning, longevity); management components (user management, access management, compliance/privacy management, federation management)

- Longevity. Longevity tools create the historical record of an identity. These tools allow the examination of the evolution of an identity over time. Longevity is linked to the concept of attestation, the ability to attest which actors had access to which resources in which timeframe (irrespective of whether they exercised that access, which is a matter of auditing).

Management components

- User management. Provides an infrastructure for managing user profile and preference information. User management enables organizations to decrease overall IT costs by providing user self-service capabilities, and also enhances the value of their existing IT investments through directory optimization and profile synchronization capabilities.

- Access control management. Provides IT with an infrastructure for managing user authentication and authorization. The flexible management of access control increases security, reduces complexity, and lowers overall IT costs by automating access policies for employees, customers and partners.

- Compliance/privacy management. Ensures that privacy and data protection policies (as defined by the company, by industry or governmental regulations, and by the end user) are respected in federated identity management solutions.

- Federation management. Enables the establishment of trusted relationships between distributed identity and service providers. Often this involves sharing things like web service endpoints, X.509 certificates and supported/desired authentication mechanisms. It provides the infrastructure necessary to issue and request identity-related assertions.

Standards and initiatives

Standards play an important role in federation by providing the common set of protocols, semantics and processing rules that allow the various parties and their identity infrastructures to interoperate. The following diagram depicts some of the relevant standards associated with federation and how they are interconnected.

Figure 5. Federation protocol landscape, from the top layer down: identity services (personal profile, employee profile, ...; Liberty ID-WSF 1.0); federation (Liberty ID-FF 1.2, Shibboleth 1.2, OASIS SAML 1.1); XML and security (XML, WSDL, WS-Security, XML DSig, WS-*, etc.); binding, network and transport (SOAP, SSL/TLS, HTTP, HTML, WAP, etc.). Liberty ID-WSF: Identity-based Web Services Framework; Liberty ID-FF: Identity Federation Framework; OASIS SAML: Security Assertion Markup Language; WS-Federation: Web Services Federation.

Looking at the federation protocol landscape diagram (Figure 5), there are several things to note.

First, there is a dependency among the layers of the protocol landscape. For example, each of the protocols in the federation layer relies on well-known and industry-tested standards at the transport, network, binding and XML layers. In many cases this dependency is mandated for interoperability, and in other cases it is optional (e.g., digital signatures, SSL).

Second, there is a dependency between some of the federation protocols themselves. This is a result of the evolutionary nature of the standards. As business needs changed or became more complex, new standards emerged to meet those needs. Those new federation standards leveraged and extended concepts of earlier standards. Here you can see that the Security Assertion Markup Language (SAML), created in OASIS, has formed the basis for both the Liberty Identity Federation Framework (ID-FF) and Shibboleth.

The third item to note is a new layer in the federation stack called identity services. Identity services are distributed network services that act on behalf of an identity, with prior consent and according to policy, to share specific identity information or attributes with a relying party so that intelligent decisions can be made. This enables such things as personalization of services and intelligent transactions based on identity information.

SAML

The OASIS Security Assertion Markup Language (SAML) was the first successful standardized mechanism to allow for the exchange of security assertions. Much of its success was due to the fact that a majority of the SAML technical committee's membership was made up of access management companies. With a large portion of access management companies participating in the development and adoption of this standard, the path to interoperability was well at hand. And after all, interoperability among security providers for the purpose of single sign-on was one of the main founding principles of this standard.
In addition to single sign-on, SAML also provides a means for querying for attributes and authorization decisions. Most deployments to date have been primarily focused on business-to-business relationships. The main business drivers for its usage are providing a seamless end-user experience, reducing administrative and ongoing management tasks, and providing partners with secure access to company resources.

With SAML 1.1 you get an implementation that has less overhead than other protocols. The protocol is clean, simple and focused. However, this same simplified focus and ease of implementation also makes it difficult to use for other deployment relationships like business-to-consumer and business-to-employee. This is mainly due to its lack of the additional functionality around privacy, security and support for mobile clients required by these more complex relationships.

Liberty ID-FF

The Liberty Identity Federation Framework (ID-FF 1.2 and its predecessor 1.1) was created by a large consortium composed of both vendors and customers. It builds upon, and extends, SAML for more complex deployment scenarios. Its functionality includes, but is not limited to:

- Opt-in account linking (the protocol takes user consent to federation into account, making it privacy friendly)
- Enhanced single sign-on for linked accounts (single sign-on across federations)
- Support for pseudonymity and anonymity
- Affiliations (allows for account linking across an entire affiliation of sites)
- Authentication context (provides information not only on the authentication mechanism employed, but on the whole context around authentication, such as the registration process used and the entropy of passwords)
- Global log-out
- Liberty Alliance smart client feature
- Multiple client support
- Metadata exchange

Liberty is well suited not only to enterprise and business-to-business scenarios (because of its SAML base), but also to business-to-employee and business-to-consumer scenarios. Its added facilities that make it privacy friendly (e.g., pseudonymity and anonymity) are a large factor for consideration, as is its support for multiple client types.

Lastly, because the Liberty Alliance has a conformance program to certify interoperability, consumers can rest assured that their vendor's product has undergone the rigors of interoperability testing with other vendors.

Shibboleth

Like Liberty, Shibboleth also builds upon SAML. It is an Internet2 project that is developing architectures, policy structures, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. The Shibboleth system provides a standards-based link between existing campus authentication systems and resource providers of all kinds. There are currently about 50 higher education sites piloting the software. To date, there are no deployments outside higher education.

Shibboleth supports attribute exchange more fully than the single sign-on profiles of SAML alone dictate, by including policy support on both ends for filtering the release and acceptance of information. It also includes XML-based metadata and trust policy allowing agreements to scale beyond small groups of partners, and can dynamically select credentials and authorities at runtime to limit exposure if you have multiple partners with different trust paths.

Figure 6. Federation protocol deployment timeline (axes: ROI and timeframe; implementation complexity). Deployment stages shown: reverse proxy, enterprise SSO, SSO (two domains), SSO (multiple domains), circle of trust, federated services. Protocols shown: SAML 1.1, Liberty ID-FF 1.1, Liberty ID-FF 1.2, SAML 2.0, WS-Federation, Liberty ID-WSF 1.0, Liberty ID-WSF x.x.

WS-Federation

Microsoft, IBM and VeriSign are working on a set of specifications referred to as the WS-Security roadmap, or WS-*, for their next-generation web services platforms. One of the specifications in this roadmap is WS-Federation, which defines a model for federating trust and identity-related functions. Initial analysis indicates that there is overlap with many of the features and functions of SAML, Liberty ID-FF and Shibboleth.

WS-Federation appears targeted at the enterprise, business-to-business and business-to-employee scenarios. In its current incarnation, it does not appear to be particularly well suited for business-to-consumer environments, because its privacy features are optional and it lacks multi-client support. It is important to note that because this specification is relatively new, it has not been subjected to the same rigors of testing and deployment as the other protocols. That certainly does not mean this specification should be ignored, but rather that a wait-and-see approach would be appropriate. If Microsoft decides to include WS-Federation functionality as a standard part of the platform, this specification could really take off.

Liberty ID-WSF

At the highest point of the landscape stack resides the Liberty Identity-based Web Services Framework. ID-WSF is all about identity service discovery and invocation, with the intent of sharing identity attributes based upon the policies of the end user.
Features of ID-WSF include:

- Permission-based attribute sharing (the end user dictates what attributes can be released and to whom)
- Identity service discovery (how service providers learn where they need to go to retrieve identity information)
- Interaction service (allows service providers and identity providers to interact with the end user in real time to obtain permissions and consent)
- Extended client support (gives client devices the option to host their own identity service or act as an identity provider)
- Identity service templates (a reusable mechanism for building new identity services that leverage the web services framework)
- Usage directives (a means for including privacy directives in the attribute exchange)

ID-WSF is well suited for business-to-business and business-to-consumer deployments where the sharing of attribute information in a privacy-oriented manner is crucial for online transactions. Relying parties in the transaction will be able to search and discover identity information from distributed identity services that the end user has registered. Policies related to attribute release can be defined ahead of time or on the fly via an interaction service that can communicate with the end user to obtain permissions.

Like the Liberty Federation Framework, Liberty ID-WSF has conformance testing and certification available.

Convergence

The federation protocol landscape continues to morph. The good thing is that it is changing for the better: further convergence and consolidation are on the horizon. The OASIS Security Services TC is currently finalizing SAML 2.0. This new specification will represent the convergence of SAML 1.1, Liberty ID-FF 1.2 and Shibboleth, taking the best from each specification set and merging them into a single, cohesive federation framework. Additionally, it should be expected that following closely on the heels of SAML 2.0 will be a new Liberty ID-WSF release that relies on the SAML 2.0 federation standard as the basis for its identity-based web services framework. There will also likely be several additional identity service specifications available (such as geolocation, presence, gaming and calendar).

This continued consolidation of federation standards will certainly make it simpler for everyone to determine what protocol to deploy for future federation projects.

Deployment timeline

Businesses have an evolutionary need for federated identity that grows as their organizational needs and goals change and as implementation complexity increases. The federation standards discussed in this paper will help organizations get the most ROI out of their identity investments, and achieve greater and greater benefit over time as their identity needs become more complex.

The chart in Figure 6 shows both the observed and anticipated deployment periods of federation standards. Today we are in the midst of SAML 1.1 and Liberty ID-FF 1.1/1.2 deployments. These deployments are expected to continue until 2006, at which time SAML 2.0, followed by WS-Federation, deployments will begin to emerge. For federated identity services, there is already evidence of Liberty ID-WSF 1.0 deployments (e.g., AOL Radio), and one should expect to see these deployments continue to grow over the next year.

Enterprises looking to deploy federation solutions should look to vendors such as Hewlett-Packard that are platform and federation standards neutral. This supports interoperability with federation partners without dictating any one federation standard.

Business benefits

There are numerous business benefits directly associated with federation that can be realized by an enterprise.
A solid federated identity management infrastructure can bring substantial cost savings, operational efficiencies, revenue growth through development of strategic offerings, and increased security and risk management. The benefits of deploying a federated identity management infrastructure are summarized below:

• Regulatory compliance: Provides key capabilities for achieving and maintaining compliance with privacy and information integrity regulations.
• Business agility and reach: Enables the business to more quickly respond to change. Promotes extension of information resources to external organizations. Systems can be deployed quickly and easily since the components of the solution are based on commonly accepted standards and interfaces, eliminating the need to develop to a myriad of integration points.
• Cost reduction and revenue enhancement: Provides multiple, measurable avenues to cost reduction. Decreases time to productivity for employees, partners and customers. Enables the business infrastructure required for the development of bundled customer offerings with strategic partners.
• User self-sufficiency: Enables users to manage their own identities. Provides the tools for business managers to manage the access needs of their employees, partners and customers.
• IT efficiency: Enables IT to do more with less by reducing user administration burden and deflecting calls to the help desk. Enables integration of legacy systems without re-engineering their authentication and authorization modules.
• Increased security: Provides systematic and auditable control over user accounts, entitlements and access rights. Provides context-sensitive, gradient levels of authentication and risk management.
• Risk management: Decentralizes data management. Identity information is not centrally aggregated in a federated solution, but rather managed in place by the data owners.
This decentralization of data management lessens the risk for any one enterprise by delegating a portion of the risk to partners that manage that distributed information.
• User experience and productivity: Provides a unified method for users to request and self-manage their accounts, access rights and passwords. Provides for a seamless experience through single sign-on and personalization.

"By 2005, the help desk costs associated with end-user password resets will be reduced by 70 percent through the implementation of self-service password reset solutions (0.8 probability)." Justify Identity Management Investment With Metrics (Page 1), Gartner, February 2004

Conclusion: The HP OpenView solution

To address the inefficiencies and complications of network identity management for businesses and consumers in today's world, there is a strong need for a federated network identity infrastructure that allows users to link elements of their identity between accounts, data stores, and service providers without centrally storing all of their personal information.

HP OpenView is providing a holistic solution to federated identity management that focuses on the way that business processes are defined, executed and managed. Such an approach led HP to Business Driven Service Oriented Identity Management, a solution that is founded on the principles of a service-oriented architecture. This allows the enterprise to manage its federated identity needs in the same way it manages its existing business processes.

HP OpenView Federated Identity Management puts control in the hands of the business user with a suite of secure, scalable applications focused on ease of use, expedited deployment, and the ability to embrace change. Additionally, the HP solution is not just technology based, but also includes world-class services, support, hardware and partners, all in an effort to help your business realize faster returns on investment.
The primary technological components of the HP OpenView solution are Select Federation, Select Access, and Select Identity. Today, these technologies are providing business with the federation capabilities required to succeed.

HP OpenView Select Federation

Select Federation effectively enables extranet identity management, web single sign-on and cross-domain identity management without requiring a centralized data repository or synchronization between repositories. Using Select Federation, you easily achieve single sign-on and federated session management while leveraging your existing identity management deployments. Select Federation is designed to work with HP OpenView Identity Management products, as well as integrate for use with other vendors' systems.

Select Federation is protocol-agnostic. It allows federation to be achieved via SAML (1.0/1.1), Liberty ID-FF (1.1/1.2), and Liberty ID-WSF (1.0) protocols. Additionally, Liberty Personal Profile, Liberty Employee Profile and the LECP (Liberty Enabled Client Proxy) services are provided. Select Federation includes extensive administrative features that allow for management of all circle-of-trust relationships, as well as privacy preferences.

[Figure 7. Business-driven federated identity management. Diagram showing Select Federation, Select Identity and Select Access positioned across directories, web, applications, services and non-digital resources, serving IT admins, employees, mobile employees, partners, outsourced admins and customers. Capability groupings: access control (single sign-on, authorization); provisioning and synchronization; external user provisioning (self-enrollment, self-management, delegated admin); federation (account linking, attribute exchange, session management, Liberty and SAML); HP C&I (business process consulting, technical deployment).]

To learn more about HP's offering, visit www.hp.com.

© 2004 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 5982-9986EN, 11/2004

HP OpenView Select Access

Based on its intuitive user interface, automated management capabilities and XML-based architecture, HP OpenView Select Access is the easiest-to-use and quickest-to-deploy access management product for companies seeking to maximize their return on investment. HP OpenView Select Access provides a unified approach to defining authorization policies and securely managing role-based access to online resources, greatly reducing administration costs and complexity in a federated environment. And it enables businesses to capitalize on the potential of extranets, intranets and portals by providing web-based single sign-on for a seamless user experience. HP OpenView Select Access includes leading-edge Select Federation server capabilities as part of the standard offering, supporting single sign-on in both single and multiple domain environments. Select Access provides users complete access to an entire federation of related websites, services and applications using the SAML (1.0/1.1), Liberty ID-FF (1.1/1.2) and WS-Security standards.

HP OpenView Select Identity

Providing industry-leading identity lifecycle management functionality, HP OpenView Select Identity provides a robust and well-integrated framework based upon a pure J2EE implementation for managing your distributed identity environment. Unlike the traditional roles/rules-based approaches to identity management, HP OpenView Select Identity is based on the concept of Service Oriented Identity Management.
This vital architectural distinction allows Select Identity to mirror your IT/business services structure, tightly integrating the myriad of business processes associated with federated identity management. Using the unique context-based approach, Select Identity automates change management in your business processes and needs. Its 100 percent web-based functions and open standards-based architecture allow for the extreme delegation of administration functionality to your partners, user organizations and customers that are part of your federated deployment.

Services

Federated identity management requires more than just implementing technology. Good implementations require an understanding of the business processes, business requirements, the risks, and the alternatives to properly manage those risks. HP's Global Services has the knowledge and experience from hundreds of successful federated identity management deployments, spanning both industries and geographies, that can be called upon to assist in your federated identity implementation.

About HP

HP is a technology solutions provider to consumers, businesses and institutions globally. The company's offerings span IT infrastructure, personal computing and access devices, global services and imaging and printing. For the four fiscal quarters ended July 31, 2004, HP revenue totaled $78.4 billion. More information about HP (NYSE, Nasdaq: HPQ) is available at www.hp.com.
