IBM Delivers ID Management as a Service with Tivoli FIM
July 22, 2008 Alex Woodie
IBM recently delivered a new product called Tivoli Federated Identity Manager, or FIM, that acts as an identity and authentication hub for the multitude of platforms and authentication methods used in the field, including WS-Trust, SAML, Kerberos, and RACF. What’s more, because Tivoli FIM can be called as a Web service, the software is ideal for use in new service oriented architectures (SOAs) and Web 2.0 applications, including those running on i.
While SOAs bring many benefits to developers, such as re-use of code and simplified application integration, user access security is not an area that necessarily benefits from SOA. In some cases, SOAs can bring higher security risks compared to how users access applications and data in traditional mainframe applications, says Nataraj Nagaratnam, chief architect for identity management at IBM and an IBM Distinguished Engineer.
“What they thought they had under control and trusted is expanding [within an SOA]. Their trust boundary is expanding,” Nagaratnam says. “Identity is no longer within an organization. It could be across different organizations, within a company, or it could be different partners. And when you’re expanding that trust and control, you’re opening vulnerability points along the way.”
For example, consider an SOA that includes a Java-based CRM system running on WebSphere Application Server, a C#-based e-commerce application running on Microsoft’s Windows-based middleware stack, and a CICS system running on z/OS. It’s entirely possible that users will log in and access the WebSphere application using a Security Assertion Markup Language (SAML) token, use Microsoft’s CardSpace tokens to access the Windows machine, and use a RACF ticket when they need something from the mainframe.
In such an SOA, how do you tell who’s who when users traverse applications, and how do you gauge their access rights? IBM’s Tivoli Federated Identity Manager version 6.2, which became available on June 20, is IBM’s answer for how to strike a balance between enabling access and preventing unauthorized access.
Tivoli FIM mediates the identities of users as they traverse distributed applications or SOAs, thereby providing the user-access repository of record for organizations. The software can handle the various user and application credentials found today, including RACF, Kerberos, SAML, and WS-Security tokens and passtickets, as well as the platform-specific credentials used by Microsoft .NET, WebSphere, SAP NetWeaver, Oracle, and CA. The software works with most major identity management technologies and single sign-on (SSO) frameworks, including the free and open source OpenID framework, Microsoft Windows CardSpace (sometimes called InfoCard), and the Higgins Identity Framework from Eclipse.
Instead of requiring developers to write to one or all of these types of authentication tokens or identity frameworks, IBM is abstracting the authentication process and making it a callable Web service with Tivoli FIM. “It’s an abstraction layer that they can use to integrate multiple tokens or identity frameworks,” Nagaratnam says. “So given a SAML ticket, you get back a Kerberos token. Or you get given an IBM token to get back a RACF passticket. So the tokens can be transformed using this service.”
The key technology underlying Tivoli FIM is WS-Trust, the WS-Security authentication mechanism adopted as a standard by OASIS in March 2007. With so many different identity mechanisms and protocols to choose from, was it necessary to introduce one more that purports to be the end-all, be-all of user authentication in an SOA-based world? Yes, Nagaratnam says. “This is one of the key underpinning standards, WS-Trust, to build that,” he says. “WS-Trust is a way to help mediate the tokens and is a meta layer to help do the transformation.”
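The token transformation described in the two preceding paragraphs (a SAML assertion presented to the STS, a Kerberos-type token issued back, carried over WS-Trust) is illustrated below as an added, constructed example; it is not Tivoli FIM code, and the trusted-issuer list, the unsigned sample assertion and the opaque placeholder standing in for a real Kerberos AP-REQ are all assumptions. Both sides of the exchange are shown: the requester builds a WS-Trust 1.3 RequestSecurityToken, the toy STS validates the presented assertion (issuer and lifetime only; a real STS also verifies the XML signature) and either issues a RequestSecurityTokenResponse or returns a WS-Trust fault.

```python
# Toy WS-Trust 1.3 exchange (constructed example, not TFIM code): SAML 2.0 assertion in, Kerberos-style token out.
import base64
import datetime as dt
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
KRB = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"
NS = {"s": SOAP, "wsse": WSSE, "wst": WST, "saml": SAML2}
TRUSTED_ISSUERS = {"https://idp.example.com"}  # assumption: the STS trust list

def parse_utc(stamp):
    return dt.datetime.fromisoformat(stamp.replace("Z", "+00:00"))
def build_rst(saml_xml):  # requester: ask the STS to swap the presented assertion for a Kerberos token
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Header><wsse:Security xmlns:wsse="{WSSE}">{saml_xml}'
            f'</wsse:Security></s:Header><s:Body><wst:RequestSecurityToken xmlns:wst="{WST}">'
            f'<wst:RequestType>{WST}/Issue</wst:RequestType><wst:TokenType>{KRB}</wst:TokenType>'
            f'</wst:RequestSecurityToken></s:Body></s:Envelope>')
def fault(code):  # SOAP 1.2 fault carrying a WS-Trust fault subcode
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value>'
            f'<s:Subcode><s:Value>wst:{code}</s:Value></s:Subcode></s:Code></s:Fault></s:Body></s:Envelope>')
def sts_issue(rst_xml, now):  # STS: validate the presented assertion, then issue or fault
    env = ET.fromstring(rst_xml)
    rst = env.find("s:Body/wst:RequestSecurityToken", NS)
    assertion = env.find("s:Header/wsse:Security/saml:Assertion", NS)
    if rst is None or assertion is None or rst.findtext("wst:RequestType", namespaces=NS) != f"{WST}/Issue" \
            or rst.findtext("wst:TokenType", namespaces=NS) != KRB:
        return fault("InvalidRequest")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    expiry = parse_utc(assertion.find("saml:Conditions", NS).get("NotOnOrAfter"))
    # A real STS verifies the XML signature here; this toy only checks issuer and lifetime.
    if issuer not in TRUSTED_ISSUERS or now >= expiry:
        return fault("FailedAuthentication")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    blob = base64.b64encode(f"AP-REQ-for:{subject}".encode()).decode()  # placeholder, not a real AP-REQ
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><wst:RequestSecurityTokenResponse xmlns:wst="{WST}">'
            f'<wst:TokenType>{KRB}</wst:TokenType><wst:RequestedSecurityToken>'
            f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" ValueType="{KRB}">{blob}</wsse:BinarySecurityToken>'
            f'</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></s:Body></s:Envelope>')
def issued_subject(rstr_xml):  # relying party: subject of the issued token, or None on a fault
    tok = ET.fromstring(rstr_xml).find(".//wsse:BinarySecurityToken", NS)
    return base64.b64decode(tok.text).decode().split(":", 1)[1] if tok is not None else None
def sample_assertion(issuer, not_on_or_after):  # constructed, unsigned SAML 2.0 assertion
    return (f'<saml:Assertion xmlns:saml="{SAML2}"><saml:Issuer>{issuer}</saml:Issuer>'
            '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"/></saml:Assertion>')
```

An expired assertion or one from an issuer outside the trust list yields a wst:FailedAuthentication fault rather than a token, which is the check an STS deployment must never skip.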
Different identity mechanisms and tokens are needed for different types of applications, Nagaratnam says. “For low assurance scenarios, where you want to identify users of wikis and blogs, the target resource isn’t that critical from a risk viewpoint, so a lower security protocol like OpenID is sufficient,” he says. “Whereas when you want to access mission-critical data, and interoperability between vendors comes into play, or a RACF mainframe passticket could come into play, SAML would be used. So depending on the level of assurance and the boundaries, ultimately we believe there will be few of these token types, and WS-Trust is a key standard to help mediate them and act as a broker.”
The other thing that makes Tivoli FIM 6.2 significant, besides its capability to mediate among different authentication types, is that it functions as a Web service, called directly over the HTTP and HTTPS protocols. “We have taken the approach to render the security capability as a service itself, so as people are building business services, we are providing infrastructure capabilities as a service,” Nagaratnam says. “We have provided the capability to externalize the security logic out of the application as well as this middleware stack, and this is based on open standards, mainly WS-Trust.”
Tivoli FIM consists of Tivoli FIM Business Gateway and Tivoli FIM on z/OS, in addition to the Tivoli FIM software itself. The software runs on Windows, Linux, AIX, Solaris, HP-UX, and z/OS. While it doesn’t run on i5/OS (or i as IBM now calls it), it does support the i OS environment through support for the Kerberos identity mechanism, Nagaratnam says.
Licenses for the Tivoli FIM server cost $3,720, while each user access license costs $52. For more information, visit www-306.ibm.com/software/tivoli/products/federated-identity-mgr.