The Internet of Things is not predicated on mobile or fixed-line operators. It is predicated on the value derived from the interplay between different sensors and actuators. In the history of mobile telecommunications it was the mobile network operators who provided the service that brought together radio spectrum and handset manufacturers. The success of mobile telecommunications has led to a 93.5% global saturation rate (source: Informa), with the conglomerate operators China Mobile, Vodafone, Airtel, Verizon and others being the big winners.
This blog is part of a series comparing the implementation of identity management patterns in SAML and OpenID Connect:
- Identity Broker Service in OpenID Connect
- Identity Broker Service in SAML
- OpenID Connect AuthN & AuthZ
- Comparison of OpenID Connect with OAuth2.0 & SAML2.0
- Cross Domain Identity Patterns: Chained Federation & Service Broker
Future of Identity Federation is OpenID Connect
Identity management is an enabler for networked services, whether web browser, mobile or smart-TV applications or the Internet of Things. The increase in services will create an increase in passwords unless there is a mechanism for sharing and trusting identities. eGovernment services require a higher level of identity verification than the social authentication offered by Twitter and Facebook Connect. The future of eGovernment identity is an interoperable authentication and authorisation capability that can support higher levels of identity verification.
The importance of interoperability amongst identity solutions is that it enables individuals to choose between and manage multiple interoperable credentials. Furthermore, service providers will be able to accept a variety of credential and identification media types. “Identity Solutions will be Interoperable” is a guiding principle of the US National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative for both the public and private sectors to improve the privacy, security and convenience of online transactions.
SAML is insufficiently interoperable to be the future standard for identity federation. Its browser-mediated, XML-based bindings and signature processing make it a poor fit for native mobile and smart-TV applications, and supporting multi-service-provider and multi-IdP use cases requires the implementation of a complex broker service.
OpenID Connect will most likely supersede SAML for all eGovernment externalised identity management. OpenID Connect is a lightweight identity layer built on top of modern web standards (OAuth 2.0, REST and JSON) and supersedes OpenID 2.0. It allows a service provider (the Relying Party) to select between a variety of registered or discovered identity providers, and can satisfy all of the SAML use cases with a simpler, JSON/REST-based protocol.
People who know me know that I am equally bad at both golf and tennis.
Because I’m keen on gadgets (and excuse all purchases as research into the Internet of Things), I had to purchase the new Zepp Golf sensor. The golf sensor attaches to the back of my golf glove and tracks my slow slices and off-tempo hooks. I then purchased the tennis adapter, which fits to the bottom of my tennis racket to track my off-tempo serves and my slow sliced backhands.
What I find most interesting is how the sensor can be used for multiple sports. According to Zepp’s own documentation it is simple to swap between sports:
Your sensor will work with all 3 Zepp Sports Apps: Baseball, Tennis, and Golf. Simply download the mobile app of choice and attach the sensor to the appropriate racket, bat, or golf mount. To use the sensor for a different sport, connect your sensor to your mobile device and open the sport app of your choice. The app will ask you if you wish to change the sensor to the new sport mode. Select OK to begin the change process.
I really like this simplicity. Just download the app for the sport you’re going to play to the device or devices you use. I could imagine other firms over-engineering their mobile applications so that they all linked to a single user account and a single self-service operation provisioned each individual sport.
Zepp’s model works well because the user just downloads what they need and can then work on cranking up the power of their forehands. Just wish mine would sometimes go in.
Some M2M devices will always connect to the internet over a fixed network connection or Wi-Fi, and others will always connect over a mobile network using an eUICC, but some will offer both Wi-Fi and mobile connectivity. It is these devices that will need to support Wi-Fi offloading where possible, and it is for these devices that providing a standard API gateway and AuthN & AuthZ capability will be most complex.
For example, my oven is always positioned in my kitchen and connects to the Wi-Fi network so that I can view inside it via a mobile app and don’t have to open the oven door during the fifteen minutes a soufflé takes to rise, which would change the temperature and cause my soufflé to collapse. This way I can inspect and control the temperature remotely. It also means I have an excuse to check my phone during boring dinner parties. Only my app is paired to the oven, so only I am authenticated and authorised to remotely check on my soufflé; thus there is no risk that a malicious guest could access my oven app and destroy the soufflé by changing the temperature.
The majority of my home M2M devices will be static devices (I rarely travel with my oven) and in most cases will be Wi-Fi enabled. Unfortunately I cannot guarantee Wi-Fi coverage throughout my architect’s ivory tower, so some mobile internet devices will need to connect over 3G/4G (for example the BBQ in the lower field). The problem for my oven and BBQ manufacturers is that they would need to support both Wi-Fi and the GSMA embedded SIM (eUICC) specification for M2M and smart devices. It would then be the responsibility of the M2M device to support Wi-Fi offload where available.
Authorisation may be necessary when the function of the device is shared amongst a group, with one or more people acting as the super administrator. If I sell my oven, all of my authentication and authorisation permissions have to be removed from the M2M device, but as I will likely buy a new oven with more soufflé capacity I would like to keep my existing settings. Furthermore, if my soufflé skills improved I might take a job in Paris and would need to re-register my oven’s eUICC or Wi-Fi connection. In this case I would definitely want to keep all of my authorisation permissions and maybe grant further permissions for all the extra soufflés I’d be baking.
Device resale and device portability are supported by the eUICC specification, as they are necessary for widespread adoption of M2M devices. What is less well supported is a common standard for AuthN & AuthZ that would allow me to keep my device preferences when I either move with my devices or sell them and replace them with newer ones.
This is where OpenID Connect may be useful, as it layers identity and profile information on top of the authorisation model provided by OAuth 2.0. OpenID Connect 1.0 extends OAuth 2.0 so that the client can verify claims about the identity of the end user, obtain profile information about the end user, and log the user out at the end of the session. OpenID Connect also makes it possible to discover the provider for an end user, and to register client applications dynamically. OpenID Connect services are built on OAuth 2.0, JSON Web Token (JWT), WebFinger and well-known URIs.
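The Relying Party side of what the two OpenID Connect paragraphs above describe (selecting among several registered providers by issuer, then verifying the claims in the ID token) comes down to a handful of checks from OpenID Connect Core 3.1.3.7. The following is an added example, not code from the original post or from any OpenID Connect library: it builds a sample ID token with a constructed provider registry and then validates it. It assumes HS256 tokens keyed on the client_secret, which Core 10.1 permits for confidential clients; the issuers, client_id and secrets are made up, and in a real deployment the issuer and key material come from each provider's /.well-known/openid-configuration document and from client registration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registry of the providers this Relying Party has registered with,
# keyed by issuer. In practice each entry is populated from the provider's
# /.well-known/openid-configuration document and from client registration;
# these issuers, client_id and secrets are assumptions for the example.
PROVIDERS = {
    "https://idp.example.gov": {
        "client_id": "egov-rp",
        "client_secret": b"gov-secret-assumed-32-bytes-long!!",
    },
    "https://login.example.org": {
        "client_id": "egov-rp",
        "client_secret": b"org-secret-assumed-32-bytes-long!!",
    },
}


class IDTokenError(ValueError):
    """Raised when an ID token fails one of the OIDC Core 3.1.3.7 checks."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(issuer, subject, nonce, client_secret, client_id, now, lifetime=300):
    """Issue an HS256 ID token the way a provider would for a confidential client
    (OIDC Core 10.1: the client_secret is the HMAC key). Used to build sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "exp": now + lifetime, "iat": now, "nonce": nonce}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, expected_nonce, providers=PROVIDERS, now=None):
    """Validate an ID token and return its claims, or raise IDTokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(body_b64))

    # The iss claim selects which registered provider's key and client_id apply;
    # an issuer the RP never registered with is rejected before any crypto.
    provider = providers.get(claims.get("iss"))
    if provider is None:
        raise IDTokenError("unregistered issuer")

    # Pin the algorithm to what was agreed at registration. Honouring an
    # attacker-chosen "alg" (for example "none") is the classic JWT mistake.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg")
    expected_sig = hmac.new(provider["client_secret"],
                            f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")

    # aud may be a string or a list; our client_id must be in it, and with
    # several audiences azp must name us.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if provider["client_id"] not in audiences:
        raise IDTokenError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != provider["client_id"]:
        raise IDTokenError("azp required with multiple audiences")

    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise IDTokenError("expired")
    # The nonce binds the token to the authentication request this RP issued,
    # defeating replay of a token captured from another session.
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch")
    return claims


def check(token, expected_nonce, now=None):
    """Wrapper returning ("ok", claims) or ("rejected", reason)."""
    try:
        return "ok", validate_id_token(token, expected_nonce, now=now)
    except IDTokenError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    t0 = 1_700_000_000
    gov = PROVIDERS["https://idp.example.gov"]
    token = mint_id_token("https://idp.example.gov", "citizen-42", "n-1",
                          gov["client_secret"], gov["client_id"], t0)
    print(check(token, "n-1", now=t0 + 10))
    print(check(token, "n-1", now=t0 + 600))   # rejected: expired
```

The order of the checks matters: the issuer lookup comes first so that the RP never verifies a signature with a key chosen by the token's own header, and the algorithm is pinned rather than read from the token. Production deployments normally use RS256 with the provider's published JWKS instead of HS256, but the issuer, audience, expiry and nonce checks are identical.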
It remains to be seen whether OpenID Connect will be integrated with the eUICC standards as part of GSMA Mobile Connect. Furthermore, it would need to be supported by Wi-Fi offloading devices (e.g. my BBQ manufacturer’s) as the standard for all M2M AuthN & AuthZ. It seems likely that at first device authorisation, and later home M2M gateways, will implement proprietary technologies and maintain identity in individual walled gardens. My architect’s ivory tower has a few of those too.
Smart M2M devices require authentication and registration with the mobile network. Standardisation of the service layer is proposed by the ETSI M2M Service Capability Layer (SCL), deployed to the M2M device or gateway. Security between the network and the device requires authentication, key agreement and key establishment, enabling the M2M Service Bootstrap, provisioning and M2M Service Connection procedures, all grounded in a clearly defined key hierarchy for the M2M Node.
The European Telecommunications Standards Institute’s M2M Release 1 provides standardised security mechanisms for the mId reference point, the interface between the device/gateway SCL and the network SCL. This architecture is based upon the following principles:
- ETSI M2M adopted a RESTful architecture style with information represented by resources structured as a tree
- ETSI M2M standardises the resource structure residing on each M2M Service Capability Layer (SCL), where the information is kept
- M2M Applications and/or M2M Service Capability Layers exchange information by means of these resources over the defined reference points
- ETSI M2M standardises the procedure for handling the resources
The SCL is deployed to the M2M device or gateway (D/GSCL) and requires authentication and registration with the network SCL (NSCL) over the mId reference point. ETSI M2M provides standardised security mechanisms for mId. Devices and gateways hold the secret keys protecting the connection in a “secured environment” and are provisioned with the M2M Root Key (Kmr).
These procedures run over the mId reference point:
- M2M Service Bootstrap: provisions the M2M Service Provider assigned identity (M2M Node ID) and the M2M Root Key (Kmr)
- M2M Service Connection: mutual authentication of the mId end points (D/GSCL and NSCL) and generation of the M2M Connection Key (Kmc, derived from Kmr)
- (Optional) mId Security: establishment of secure communication over mId based on Kmc (and its sub-keys)
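To make the key hierarchy and the three procedures above concrete, here is an added example (not code from the original post, and not an implementation of the normative procedures in ETSI TS 102 690 / TS 102 921). It simulates both ends of mId: a network SCL that holds the bootstrapped Kmr per node, a device SCL that proves possession of Kmr in a challenge-response exchange, and derivation of Kmc and an application sub-key from it. The HKDF derivation, the D2N/N2D message framing and the nonce-based challenge-response are this example's assumptions; ETSI defines its own bootstrap methods and key derivation. The revoke step ties back to the device resale discussion earlier on the page: once the node's keys are dropped, the device has to bootstrap again before it can connect.

```python
import hashlib
import hmac
import os

# Key hierarchy as on the page: Kmr is provisioned at M2M Service Bootstrap,
# Kmc is derived from Kmr at M2M Service Connection, and application sub-keys
# hang off Kmc. The KDF, framing and challenge-response below are assumptions
# for this example, not the procedures specified by ETSI.


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869), assumed here as the derivation function."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so that different field layouts never collide."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_kmc(kmr: bytes, node_id: bytes, nonce_d: bytes, nonce_n: bytes) -> bytes:
    """Kmc bound to the node and to both parties' fresh nonces."""
    return hkdf_sha256(kmr, nonce_d + nonce_n, b"Kmc" + node_id)


def derive_kma(kmc: bytes, app_id: bytes) -> bytes:
    """Application-level sub-key under Kmc for one M2M application."""
    return hkdf_sha256(kmc, b"", b"Kma" + app_id)


class NetworkSCL:
    """Network Service Capability Layer end of the mId reference point."""

    def __init__(self):
        self.kmr_by_node = {}   # result of M2M Service Bootstrap
        self.kmc_by_node = {}   # result of M2M Service Connection
        self.pending = {}       # node_id -> (nonce_d, nonce_n) awaiting the device's proof

    def bootstrap(self, node_id: bytes, kmr: bytes) -> None:
        self.kmr_by_node[node_id] = kmr

    def revoke(self, node_id: bytes) -> None:
        """Device sold or re-homed: drop all key material tied to the node."""
        for table in (self.kmr_by_node, self.kmc_by_node, self.pending):
            table.pop(node_id, None)

    def challenge(self, node_id: bytes, nonce_d: bytes) -> bytes:
        if node_id not in self.kmr_by_node:
            raise PermissionError("node not bootstrapped")
        nonce_n = os.urandom(16)
        self.pending[node_id] = (nonce_d, nonce_n)
        return nonce_n

    def finish(self, node_id: bytes, proof: bytes) -> bytes:
        # pop() means a proof can only be presented once per challenge (no replay).
        nonce_d, nonce_n = self.pending.pop(node_id)
        kmr = self.kmr_by_node[node_id]
        if not hmac.compare_digest(tag(kmr, b"D2N", node_id, nonce_d, nonce_n), proof):
            raise PermissionError("device authentication failed")
        self.kmc_by_node[node_id] = derive_kmc(kmr, node_id, nonce_d, nonce_n)
        return tag(kmr, b"N2D", node_id, nonce_d, nonce_n)


class DeviceSCL:
    """Device/Gateway Service Capability Layer, holding Kmr in its secured environment."""

    def __init__(self, node_id: bytes, kmr: bytes):
        self.node_id, self.kmr, self.kmc = node_id, kmr, None

    def connect(self, network: NetworkSCL) -> bytes:
        nonce_d = os.urandom(16)
        nonce_n = network.challenge(self.node_id, nonce_d)
        proof = tag(self.kmr, b"D2N", self.node_id, nonce_d, nonce_n)
        reply = network.finish(self.node_id, proof)
        # Mutual authentication: the network must prove it holds Kmr as well.
        if not hmac.compare_digest(tag(self.kmr, b"N2D", self.node_id, nonce_d, nonce_n), reply):
            raise PermissionError("network authentication failed")
        self.kmc = derive_kmc(self.kmr, self.node_id, nonce_d, nonce_n)
        return self.kmc


if __name__ == "__main__":
    network = NetworkSCL()
    kmr = bytes(range(32))   # constructed root key standing in for a bootstrapped Kmr
    network.bootstrap(b"oven-01", kmr)
    oven = DeviceSCL(b"oven-01", kmr)
    print("Kmc agreed:", oven.connect(network) == network.kmc_by_node[b"oven-01"])
```

Two design points carry over to any real service layer: Kmr itself never leaves the secured environment or crosses mId (only proofs and nonces do), and the per-connection Kmc is bound to fresh nonces from both sides, so a captured exchange cannot be replayed to rebuild an old session key.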
The Internet of Things, as distinct from the internet of people, requires communication between devices to enable home automation, telematics and health care monitoring. This intercommunication is dependent upon semantically structured and shared data for enabling functions such as identification, authentication, authorisation, bootstrapping and provisioning. Standardising both the semantically structured data and the enabling functions across M2M applications and devices would reduce the cost and extend the life of M2M devices. Standardisation for the Internet of Things is the aim of a common service layer for M2M.
There is no single agreed definition of the Internet of Things, but to function as a network “Things” must have representation within the Internet. This representation includes structured data (e.g. status, capabilities, location, measurements) which needs to be semantic in order to be shared, processed and acted upon. The sharing and discoverability of information requires governance according to privacy settings and access rights. Because the Internet of Things (IoT) requires M2M application and device communication with minimal or no human involvement, these privacy settings and access rights need to represent the delegated authority of the human user. Therefore M2M devices require bootstrapping of provisioned M2M service credentials (e.g. identities and the M2M Root Key) which can be used for connecting to and registering with different service layers and service authorities.
M2M devices can be active, such as ZigBee sensors, or passive, such as RFID tags. They can be connected to an MNO’s network using an eUICC, or to an IP-extending personal area network (e.g. via a ZigBee gateway). The ETSI principles for M2M and smart device communication are RESTful, resource-oriented APIs that are IP based but interwork with specific IP and non-IP technologies in the M2M area networks. The variance in device communication mechanisms (IP and non-IP) and behaviour (passive vs active) makes defining an embeddable M2M common service layer a challenge.
The oneM2M group aims to develop technical specifications that address the need for a common M2M Service Layer that can be readily embedded within various hardware and software, and relied upon to connect the myriad of devices in the field with M2M application servers worldwide. The common M2M Service Layer should be agnostic to underlying network technology (yet leveraging the unique features of these underlying networks), and it will use network layer services (such as security (encryption and authentication), QoS, policy, provisioning, etc.) through an adaptation layer/APIs.
The challenge for Authentication, Authorisation & Accounting in M2M will be to build trust between the human user and the authority delegated to the M2M device. In order for an embedded common M2M service layer to operate it must support AAA (AuthN, AuthZ & accounting) for smart devices using a mechanism agreeable to multiple device manufacturers and network operators. The Telecommunications Industry Association is defining a functional standard for Authentication, Authorization and Accounting for Smart Devices (AAA-SD) within TIA TR-50 (Functional Architecture for M2M Smart Device Communication), which describes AAA-SD as providing “authentication, authorisation and accounting services to other entities in the network to establish and enforce security policies. The services may include generation of keys, generation and validation of certificates, validation of signatures, etc.” The functions proposed by the oneM2M service layer must align with TIA TR-50.
Most identity management software vendors will rationalise their service enablement capability as follows:
- Identity and access management has traditionally focused on managing user accounts in the form of directory service entries – the traditional IAM/IdM view
- it has seldom involved managing identities, let alone multiple types of identity. The vendor might digress slightly here on the history of Master Data Management, which has had to grow alongside identity management but usually within a single organisation, so it has never been able to support an identity type discovery service.
- Identity and access management (IAM) has traditionally focused on managing user information technology accounts in the enterprise. The rise of different types of accounts and identities such as cloud, mobile and other devices, e-commerce, and social networks has asymmetrically complicated things. – So far so good
- Furthermore, the Internet of Things requires identity management for devices, embedded SIMs and network connections, all of which need tying back to enterprise, family or personal accounts. – Note about licence costs likely at this point
- The increase in user and device accounts will require IAM providers to offer more flexible solutions, but in all likelihood enterprises will continue to confine their IAM capabilities to their directory service. – Product pitch coming here…
Depending on the organisation’s existing IAM capabilities and embedded technologies, the software vendor will generally pitch a service enablement capability that sits on top of legacy directory services. This should be an intelligent Master Data Management capability but is often a lightweight OAuth and SAML cloud-enabling layer plus an upgraded 2FA/3FA service for external authentication and possibly BYOD.
As these are vendor-driven pitches they do not seek to solve the enterprise’s more fundamental issue: how to consolidate all those existing directory services and support multiple identities. A strategic architecture is needed for that first…