UMA: Could I Manage My Own Data. Please?

Agenda
• Business Trends & Technical Solutions
  • Distributed Business (Decentralisation)
  • Mobility & Automation
  • Delegation
• Why UMA?
• Use-cases
• UMA overview
• Current status & more information
• No tokens were harmed during the making of these slides!

Trend 1: Decentralisation

(Diagram: Org A, Org B and further organisations as separate domains)

Examples & Challenges
• Examples
  • Extended organisations: Supply Chain, Distribution Channel, Outsourcing Partners
  • SaaS
• Challenges
  • Identity not resident with apps
  • Secure identity transport
  • Trust

Solution: SAML

(Diagram: the user authenticates at Org A (IdP); the IdP asserts the identity to Org B (SP))

✓ Identity Federation (Cross-domain SSO)
✗ Non-browser clients; Ease of implementation

Honourable mentions
• ID-FF
• Shibboleth
• WS-Federation

Trend 2: Mobility & Automation

(Diagram: Org A and Org B)

Examples & Challenges
• Examples
  • Mobile (devices, “Things”)
  • Data monetization
• Challenges
  • Authorization of ‘Client’
  • Persistence
  • Trust

Solution: OAuth

(Diagram: the client gets a token (AT, optionally with an RT) from Org A (AS) and requests access at Org B (RS), which validates the token)

✓ Client security & identity (Client != User)
✗ Identity Transport

Honourable mentions
• SAML ECP
• WS-Trust

Evolution: OIDC

(Diagram: OIDC layered on OAuth; Org A (OP) performs AuthN/Z and issues token & claims, Org B (RP) receives token & claims and performs validation, optionally calling Userinfo)

Deployments: Side Note

(Diagram: SAML and OIDC deployed side by side across Org A, Org B and Org C)

Trend 3: Delegation

Solution: XACML?

✓ Attribute-based & App-External
✗ Cross-domain? Service Registration?

(Diagram: a central PDP serving a PEP in front of each resource)

New Profiles
• ALFA
• JSON/REST

Meet Alice

Control Access

So What?
• Electronic Healthcare Records
  • Alice grants selective access to GP, Insurance Company, Relatives
• Financial Services
  • Grant limited access to financial records to accountant, loan providers etc.
• Enterprise Applications
  • Centralised control across multiple applications; individuals can control their own data
• IoT
  • Alice grants Bob access to the Garden; Jim access to the House
  • Facilities Management; Industrial & Engineering Applications
• See more examples

Issues Summary
• User control / ownership
• Third party access
• Centralised control for multiple services
• Persistence
• (Security)
• Cross-domain Access Control

Status Summary
• OpenID Connect (practically)
  • Secure identity transport
  • Trust
• XACML (notionally)
  • ABAC
  • Externalised access control

What is UMA
• User Managed Access
• A profile of OAuth
• “UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.”

UMA: Privacy by Design
• I want to share this stuff selectively
  • Among my own apps
  • With family and friends
  • With organizations
• I want to protect this stuff from being seen by everyone in the world
• I want to control access proactively, not just feel forced to consent over and over

UMA Summary
• Standardized APIs for privacy and “selective sharing”
• Outsources protection to a centralized “digital footprint control console”

UMA Flow
1. RS registers resource sets and scopes (ongoing)
2. C requests resource
3. RS registers permission
4. AS returns permission ticket
5. RS error with ticket
6. C requests authz data and RPT with ticket
7. AS gives RPT and authz data (after optional claim flows)
8. C requests resource with RPT
9. RS returns resource representation

(Diagram: the four UMA parties and their interfaces)
• Resource owner (UI): chooses resources to protect and sets policies at the Authorization server, both out of band
• Resource server: its protection client talks to the Authorization server's Protection API using a PAT (steps 1, 3, 4); its RS-specific API serves the client (steps 2, 5, 8, 9)
• Client: its AuthZ client talks to the Authorization server's Authorization API using an AAT (steps 6, 7); its RS-specific client carries the RPT to the Resource server
• Requesting party (UI): operates the client

Token summary
• PAT: Resource server ↔ Authorization server, on behalf of the RO
• AAT: Client ↔ Authorization server, on behalf of the RqP
• RPT: Client → Resource server (checked with the Authorization server), on behalf of the RqP
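The nine steps of the UMA Flow above, applied to Alice's healthcare-record use-case from the "So What?" slide, as an added in-memory simulation written for this page. It is not code from the UMA specification, the Kantara working group, or any of the implementations listed later. The authorization server, resource server and client are plain Python classes calling each other directly instead of over HTTPS; token values are random placeholders, the as_uri value and Alice's policy (her GP may read and write her record, a cousin gets nothing) are assumptions, and the patient record is constructed sample data.

```python
import secrets
import time


class AuthorizationServer:
    def __init__(self):
        self.pats, self.aats = set(), {}              # PATs held by resource servers; AAT -> party claims
        self.resource_sets, self.policies = {}, {}    # rs_id -> {pat, scopes}; rs_id -> {email: scopes}
        self.tickets, self.rpts = {}, {}              # ticket -> pending permission; RPT -> permissions

    def issue_pat(self):  # out of band: the RO authorizes the RS to use the Protection API
        pat = secrets.token_urlsafe(16)
        self.pats.add(pat)
        return pat

    def issue_aat(self, claims):  # out of band: the requesting party's client gets an AAT
        aat = secrets.token_urlsafe(16)
        self.aats[aat] = claims
        return aat

    def register_resource_set(self, pat, scopes):  # step 1 (Protection API, needs a PAT)
        if pat not in self.pats:
            raise PermissionError("invalid_pat")
        rs_id = secrets.token_hex(4)
        self.resource_sets[rs_id] = {"pat": pat, "scopes": set(scopes)}
        return rs_id

    def register_permission(self, pat, rs_id, scopes):  # steps 3-4: RS asks, AS returns a ticket
        owner = self.resource_sets.get(rs_id)
        if pat not in self.pats or owner is None or owner["pat"] != pat:
            raise PermissionError("invalid_resource_set_id")  # only for the RS's own resources
        if not set(scopes) <= owner["scopes"]:
            raise PermissionError("invalid_scope")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"rs_id": rs_id, "scopes": set(scopes), "exp": time.time() + 60}
        return ticket

    def issue_rpt(self, aat, ticket):  # steps 6-7 (Authorization API, needs an AAT)
        if aat not in self.aats:
            raise PermissionError("invalid_aat")
        pending = self.tickets.pop(ticket, None)  # single use: a replayed ticket is rejected
        if pending is None or pending["exp"] < time.time():
            raise PermissionError("invalid_ticket")
        allowed = self.policies.get(pending["rs_id"], {}).get(self.aats[aat].get("email"), set())
        if not pending["scopes"] <= allowed:
            raise PermissionError("not_authorized")  # a real AS may ask for more claims (need_info)
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"exp": time.time() + 300, "permissions": [
            {"resource_set_id": pending["rs_id"], "scopes": sorted(pending["scopes"])}]}
        return rpt

    def introspect(self, pat, rpt):  # RS checks an RPT (RFC 7662 shape plus UMA's 'permissions')
        if pat not in self.pats:
            raise PermissionError("invalid_pat")
        info = self.rpts.get(rpt)
        if info is None or info["exp"] < time.time():
            return {"active": False}
        return {"active": True, "permissions": info["permissions"]}


class ResourceServer:
    def __init__(self, az, pat):
        self.az, self.pat, self.records = az, pat, {}

    def protect(self, data, scopes):  # the RO chose this resource for protection out of band
        rs_id = self.az.register_resource_set(self.pat, scopes)
        self.records[rs_id] = data
        return rs_id

    def get(self, rs_id, rpt=None):  # steps 2, 5, 8, 9: the RS-specific API
        if rpt is not None:
            info = self.az.introspect(self.pat, rpt)
            if info["active"] and any(p["resource_set_id"] == rs_id and "read" in p["scopes"]
                                      for p in info["permissions"]):
                return 200, self.records[rs_id]
        ticket = self.az.register_permission(self.pat, rs_id, ["read"])  # no usable RPT: hand out a ticket
        return 403, {"error": "need_rpt", "ticket": ticket, "as_uri": "https://as.example"}  # as_uri assumed


def client_fetch(rs, az, aat, rs_id):  # client: try, take the ticket to the AS, retry with the RPT
    status, body = rs.get(rs_id)  # step 2, no RPT yet
    if status == 403:
        try:
            rpt = az.issue_rpt(aat, body["ticket"])  # steps 6-7
        except PermissionError as e:
            return 403, str(e)
        status, body = rs.get(rs_id, rpt)  # steps 8-9
    return status, body


def run_scenario():  # Alice's health record: her GP may read it, her cousin may not
    az = AuthorizationServer()
    rs = ResourceServer(az, az.issue_pat())
    ehr = rs.protect({"patient": "Alice", "bp": "120/80"}, ["read", "write"])  # constructed record
    az.policies[ehr] = {"gp@clinic.example": {"read", "write"}}  # assumed policy, set by Alice out of band
    gp = client_fetch(rs, az, az.issue_aat({"email": "gp@clinic.example"}), ehr)
    cousin = client_fetch(rs, az, az.issue_aat({"email": "cousin@example.com"}), ehr)
    return {"gp": gp, "cousin": cousin}
```

Calling run_scenario() returns a 200 with the record for the GP and a 403 with not_authorized for the cousin; the resource server never sees Alice's policy and never decides anything itself. Two checks are worth keeping in any real implementation: the AS accepts a permission registration only from the resource server whose PAT registered that resource set, and a permission ticket is consumed when it is exchanged, so presenting the same ticket a second time (or an expired one) fails with invalid_ticket rather than yielding a second RPT.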

UMA Status
• UMA v0.9 public review
  • Core, Resource Set Registration & Claim Profiles
  • Completed: 06 September 2014
• Interop in progress
• Next steps
  • Core & Resource Reg: H1/15
  • Claim Profiles & Binding Obligations(?): H2/15
  • IETF

Implementations & More Info
• Known implementations
  • Gluu
  • CloudIdentity
  • OpenUMA (ForgeRock)
  • Implementations List (Kantara)
• More info
  • UMA WG Home (Kantara)
  • New Venn of Access Control (Maler)

Thoughts to Leave With
• Standards
  • OAuth, OpenID Connect: start now
• Infrastructure
  • Avoid vendor lock-in – ensure vendors can support upcoming standards quickly
  • Avoid rip & replace – it’s unnecessary. There are good solutions that will overlay what you have to add what you need
  • Do not trust to home-grown implementations; this is too easy to get wrong (and way too important)
• Participate in the WG
• Security is not all about security
  • Security drives improved user experience drives better business

Thank You. Questions?

@andrewhindle
linkedin.com/in/ahindle