The Bandit User-centric Enterprise Demo

or

Intro to Onramp to Identity Services Demo


Overview

Much of the interest in Bandit's public demos has come from the emerging user-centric identity systems. The DigitalMe Identity Selector and the Bandit Cards Identity Provider show how open source implementations of such systems can be useful for working out interoperability issues and proof-of-concept deployments. This demo shows how an information card system supports appropriate control of corporate identity data while clearly separating user privacy, with increased security for both.

But the Bandit project isn't only about information card systems. Many of the components in the Identity Provider are being developed as a set of flexible identity services. Some of these components are in the Bandit Identity Provider and were also used in the HTNG reference implementation. These components are being developed into a complete identity services interface layer -- the Bandit Onramp To Identity Service (OTIS).


Themes and Key Messages

Bandit Brochure pdf

Depending on the needs of the audience, this demo can focus more on:

  • User-centric systems are here now and appropriate for use in the enterprise -- audience is users, identerati, corporate IT
  • The Bandit Onramp to Identity Services will make identity services more flexible, powerful, and easy to use for corporate applications and systems integrators -- audience is corporate developers, systems integrators

Main messages:

  • Information card systems support appropriate control and auditing of corporate identity data, while clearly separating user privacy, with increased security for both.
  • Open Source implementations of identity services are useful to work out interoperability issues and proof-of-concept deployments.
  • Moving from LDAP to identity... the Bandit identity services interface layer is coming and will allow developers to use identity services in more powerful, agile applications.



Online Sites to Support the Demo

Bandit Cards IdP

This is an instance of the Bandit Identity Provider. It is the repository of user account information, and (for purposes of this demo) represents a corporate identity source. It issues a number of types of information cards:

  • An Employee Card. This card could be used to access information that should only be used at corporate-approved sites, therefore Employee cards are issued in auditing mode. Every use of the card (each time a token is retrieved) is audited and the destination site for the token is recorded. If an attempt is made to use the card at an unapproved site, no token is issued.
  • A Member Card. This card is not used to access sensitive corporate identity data; it can be used to get member discounts at various sites. It essentially conveys a token which states that the bearer is a member.


Identerati Paparazzi IdP

This is an instance of the Bandit Identity Provider. It is the repository of user account information, and (for purposes of this demo) represents a hobby community that has no association with the Bandit Cards IdP. It issues a card that indicates that the user is a member of the community ... the Identerati Paparazzi.

The Paparazzi card is issued in privacy mode: the Paparazzi IdP does not learn where the token is sent, so use of the card cannot be audited by the IdP.
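The two issuing modes described above (and the relying-party restriction mentioned later under Corporate Administrator Perspective) can be modelled as a token-issuance policy at the IdP's security token service. The Python below is an added example written for this page, not Bandit's own code: the names CardPolicy, SecurityTokenService, site_matches and run_demo, the user name, and the photo-site URL are constructed for the illustration; the WordPress URL is the one the page lists as the approved relying party. The rule that an audit-mode card with no disclosed destination receives no token is also an assumption of the model, as is the path-boundary matching used for the allow-list.

```python
"""Toy model of audit-mode vs privacy-mode card issuance.

Added example, not Bandit's implementation. Class/function names,
the user name and the photo-site URL are assumptions; only the
WordPress URL comes from the page.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit
import secrets


def site_matches(relying_party: str, approved: str) -> bool:
    """True when relying_party is the approved site or a page beneath it.

    Scheme and host must match (case-insensitively). The path must equal the
    approved path or extend it at a '/' boundary, so an allow-list entry for
    '/~wordpress' does not also pass '/~wordpress-evil' on the same host.
    """
    rp, ok = urlsplit(relying_party), urlsplit(approved)
    if rp.scheme.lower() != ok.scheme.lower():
        return False
    if rp.netloc.lower() != ok.netloc.lower():
        return False
    rp_path = rp.path.rstrip("/") or "/"
    ok_path = ok.path.rstrip("/") or "/"
    if ok_path == "/":
        return True
    return rp_path == ok_path or rp_path.startswith(ok_path + "/")


@dataclass(frozen=True)
class CardPolicy:
    name: str
    mode: str                                 # "audit" or "privacy"
    approved_sites: frozenset = frozenset()   # consulted only in audit mode


@dataclass
class AuditEntry:
    card: str
    user: str
    relying_party: str
    issued: bool
    when: datetime


class SecurityTokenService:
    """Decides whether to mint a token and, in audit mode, records the attempt."""

    def __init__(self, policies):
        self.policies = {}
        for p in policies:
            if p.mode not in ("audit", "privacy"):
                raise ValueError(f"unknown card mode: {p.mode}")
            self.policies[p.name] = p
        self.audit_log = []

    def issue_token(self, card_name: str, user: str,
                    relying_party: Optional[str]) -> Optional[str]:
        policy = self.policies[card_name]
        if policy.mode == "privacy":
            # Privacy mode: the selector does not disclose the destination,
            # so nothing about where the token goes is recorded here.
            return self._mint(card_name, user, audience=None)
        # Audit mode: the destination must be disclosed (model assumption)
        # and must be on the approved list; every attempt is logged.
        if relying_party is None:
            return None
        allowed = any(site_matches(relying_party, s) for s in policy.approved_sites)
        self.audit_log.append(AuditEntry(card_name, user, relying_party, allowed,
                                         datetime.now(timezone.utc)))
        if not allowed:
            return None
        return self._mint(card_name, user, audience=relying_party)

    @staticmethod
    def _mint(card: str, user: str, audience: Optional[str]) -> str:
        # Stand-in for a signed token: a structured string with a fresh nonce.
        return f"token:{card}:{user}:{audience or '-'}:{secrets.token_hex(8)}"


def run_demo():
    """Replays the three demo scenarios; returns (results, audit_log)."""
    sts = SecurityTokenService([
        CardPolicy("Employee Card", "audit",
                   frozenset({"https://cards.bandit-project.org/~wordpress"})),
        CardPolicy("Identerati Paparazzi Card", "privacy"),
    ])
    # "alice" and the expose URL are constructed sample values.
    results = {
        "employee_at_blog": sts.issue_token(
            "Employee Card", "alice",
            "https://cards.bandit-project.org/~wordpress/wp-admin/"),
        "employee_at_expose": sts.issue_token(
            "Employee Card", "alice", "https://expose.example.invalid/upload"),
        "paparazzi_at_expose": sts.issue_token(
            "Identerati Paparazzi Card", "alice", None),
    }
    return results, sts.audit_log


if __name__ == "__main__":
    res, log = run_demo()
    for k, v in res.items():
        print(f"{k}: {'token issued' if v else 'refused'}")
    for e in log:
        print(f"audit: {e.card} {e.user} -> {e.relying_party} issued={e.issued}")
```

The audit log in this model holds exactly the two Employee-card attempts (one accepted, one refused) and nothing for the Paparazzi card, which is the observable difference between the two modes the page describes. The allow-list check compares scheme, host and path boundary rather than doing a plain string-prefix test, which is the detail most easily got wrong when an administrator restricts "sites where issued cards can be used".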


Applications

Applications used to access the various services and sites in the demo:


Bandit Cards Blog

A WordPress blog that can only be updated with an Employee card.


Identerati Expose

A photo sharing site

Attempted access with the Bandit Employee card is rejected by the IdP.

Access with the Paparazzi card is accepted.


Bandit Cards Audit Console

Web-accessible view of the audit log for the Bandit Employee card.




User Perspective

There are three types of cards a user may request:

  • Employee Card

This card is issued from the Bandit Cards site. Log in and request an "Employee Card", NOT the "Bandit Card" or the "Member Card".

This type of card may only be used at the following relying party sites:

https://cards.bandit-project.org/~wordpress

If you attempt to use this type of card at other relying parties, you should get an error in the selector. DigitalMe will display the error, whereas CardSpace will log the error to the Windows application event log.

  • Member Card

This card is issued from the Bandit Cards site. Log in and request a "Member Card", NOT the "Bandit Card" or the "Employee Card".

  • Identerati Paparazzi Card

This card is issued from the Identerati Paparazzi site. Log in and request the "Identerati Paparazzi Card".

What the user sees as different sites are accessed:

Employee card is accepted at the Bandit Blog.

Employee card is rejected by the STS when presented at the photo expose site.




Corporate Administrator Perspective

Administer the Bandit Identity Provider through a web interface.

Administrator can easily control many aspects of identity information handling, including restricting sites where issued cards can be used.

View audit log on cards, wag or woof.




Developer Perspective

All open source software, with community support. Start here!

Components of the Identity Provider and the HTNG Proof of Concept system are building towards the Bandit Onramp to Identity Service. See the evolution and roadmap here.
