Agenda
• Business Trends & Technical Solutions
  • Distributed Business (Decentralisation)
  • Mobility & Automation
  • Delegation
• Why UMA?
• Use-cases
• UMA overview
• Current status & more information
• No tokens were harmed during the making of these slides!
Examples & Challenges
• Examples
  • Extended organisations: supply chain, distribution channel, outsourcing partners
  • SaaS
• Challenges
  • Identity not resident with apps
  • Secure identity transport
  • Trust
Solution: SAML
[Diagram: the user authenticates at Org A (IdP); Org A asserts the identity to Org B (SP)]
✓ Identity Federation (cross-domain SSO)
✗ Non-browser clients; ease of implementation
Honourable mentions: ID-FF, Shibboleth, WS-Federation
Examples & Challenges
• Examples
  • Mobile (devices, “Things”)
  • Data monetization
• Challenges
  • Authorization of ‘Client’
  • Persistence
  • Trust
Solution: OAuth
[Diagram: the client gets a token (AT, optionally with an RT) from Org A (AS), requests access at Org B (RS), and the RS validates the token]
✓ Client security & identity (Client != User)
✗ Identity transport
Honourable mentions: SAML ECP, WS-Trust
Solution: XACML?
[Diagram: several resources, each fronted by its own PEP, all consulting a single PDP]
✓ Attribute-based & app-external
✗ Cross-domain? Service registration?
New profiles: ALFA, JSON/REST
So What?
• Electronic Healthcare Records
  • Alice grants selective access to GP, insurance company, relatives
• Financial Services
  • Grant limited access to financial records to accountant, loan providers etc.
• Enterprise Applications
  • Centralised control across multiple applications; individuals can control their own data
• IoT
  • Alice grants Bob access to the Garden; Jim access to the House
  • Facilities management; industrial & engineering applications
• See more examples
Issues Summary
• User control / ownership
• Third-party access
• Centralised control for multiple services
• Persistence
• (Security)
• Cross-domain access control
Status Summary
• OpenID Connect (practically)
  • Secure identity transport
  • Trust
• XACML (notionally)
  • ABAC
  • Externalised access control
What is UMA
• User Managed Access
• A profile of OAuth
• “UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.”
UMA: Privacy by Design
I want to share this stuff selectively
• Among my own apps
• With family and friends
• With organizations
I want to protect this stuff from being seen by everyone in the world
I want to control access proactively, not just feel forced to consent over and over
UMA Summary
Standardized APIs for privacy and “selective sharing”
Outsources protection to a centralized “digital footprint control console”
UMA Flow (RS = resource server, AS = authorization server, C = client, RPT = requesting party token)
1. RS registers resource sets and scopes with the AS (ongoing, as resources change)
2. C requests a resource from the RS
3. RS registers a permission (the resource set and scopes the client tried to use) with the AS
4. AS returns a permission ticket
5. RS returns an error to C, carrying the ticket
6. C requests authorization data and an RPT from the AS, presenting the ticket
7. AS issues the RPT and authorization data (after optional claim flows to satisfy the owner's policy)
8. C requests the resource again with the RPT
9. RS validates the RPT's permissions and returns the resource representation
[Architecture diagram: five parties (Resource owner, Resource server, Authorization server, Client, Requesting party) and three APIs. The Resource server's protection client calls the Authorization server's Protection API with a PAT (protection API token, issued to the RS on behalf of the resource owner). The Client's AuthZ client calls the Authorization API with an AAT (authorization API token, issued to the client on behalf of the requesting party). The Client's RS-specific client calls the RS-specific API presenting the RPT. The resource owner chooses the resources to protect and sets policies out of band through the RS and AS UIs; the requesting party interacts through the client UI. Steps 1 to 9 of the flow are marked on the arrows.]
[Token diagrams: PAT binds Resource server to Authorization server (for the RO); AAT binds Client to Authorization server (for the RqP); RPT is presented by the Client to the Resource server (for the RqP).]
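The nine-step flow and the three tokens, as an added example that is not from the slides or from any UMA implementation: a self-contained Python simulation in which one authorization server holds Alice's policy, a resource server protects her "garden" and "house" resources through the Protection API (authenticated with a PAT), and clients acting for Bob and Jim obtain RPTs through the Authorization API (authenticated with an AAT) after being bounced with permission tickets. The party and resource names are constructed sample data; claim-gathering flows (the optional part of step 7), token expiry, RPT introspection caching and real HTTP transport are omitted, and tokens are random strings rather than JWTs. The second request Bob makes, for the house with his garden RPT, shows the failure path: the RS registers a fresh permission, answers 403 with a new ticket, and the AS refuses the RPT because Alice's policy does not cover Bob.

```python
# Added example, not from the slides or any UMA product: in-process simulation
# of the UMA 1.0 flow (steps 1-9). Parties and resources are constructed data.
import secrets


class AuthorizationServer:
    """Holds resource-owner policy; issues PATs, AATs, permission tickets and RPTs."""

    def __init__(self):
        self.pats, self.aats = {}, {}      # token -> resource owner / requesting party
        self.resource_sets = {}            # rs_id -> {"owner", "name", "scopes"}
        self.policy = {}                   # (rs_id, requesting party) -> allowed scopes
        self.tickets, self.rpts = {}, {}   # ticket -> (rs_id, scopes); rpt -> permissions

    @staticmethod
    def _mint(store, subject):
        token = secrets.token_urlsafe(16)
        store[token] = subject
        return token

    def issue_pat(self, owner):             # RO authorises the RS to use the Protection API
        return self._mint(self.pats, owner)

    def issue_aat(self, requesting_party):  # RqP authorises the client to use the Authorization API
        return self._mint(self.aats, requesting_party)

    # Protection API: called by the resource server, authenticated with the PAT
    def register_resource_set(self, pat, name, scopes):           # step 1
        rs_id = secrets.token_hex(4)
        self.resource_sets[rs_id] = {"owner": self.pats[pat], "name": name, "scopes": set(scopes)}
        return rs_id

    def register_permission(self, pat, rs_id, scopes):            # steps 3-4: AS returns a ticket
        if self.resource_sets[rs_id]["owner"] != self.pats[pat]:
            raise PermissionError("PAT holder does not protect this resource set")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rs_id, set(scopes))
        return ticket

    def introspect(self, pat, rpt):                                # RS checks an RPT in step 8
        if pat not in self.pats:
            raise PermissionError("unknown PAT")
        return self.rpts.get(rpt, [])                              # unknown or forged RPT -> nothing

    # Out of band: the resource owner sets policy in the AS UI
    def set_policy(self, owner, rs_id, requesting_party, scopes):
        if self.resource_sets[rs_id]["owner"] != owner:
            raise PermissionError("only the owner may set policy")
        self.policy[(rs_id, requesting_party)] = set(scopes)

    # Authorization API: called by the client, authenticated with the AAT
    def request_rpt(self, aat, ticket):                            # steps 6-7
        rqp = self.aats[aat]
        rs_id, wanted = self.tickets.pop(ticket)                   # tickets are single-use
        if not wanted <= self.policy.get((rs_id, rqp), set()):
            return None                                            # not_authorized (claim flows omitted)
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = [(rs_id, wanted)]
        return rpt


class ResourceServer:
    def __init__(self, az, pat):
        self.az, self.pat, self.ids = az, pat, {}                  # resource name -> rs_id

    def protect(self, name, scopes):                               # step 1 (repeated as resources change)
        self.ids[name] = self.az.register_resource_set(self.pat, name, scopes)

    def handle(self, name, scope, rpt=None):                       # steps 2/8 in, 5/9 out
        rs_id = self.ids[name]
        if rpt is not None:
            for granted_rs, scopes in self.az.introspect(self.pat, rpt):
                if granted_rs == rs_id and scope in scopes:
                    return 200, f"<{name}:{scope}>"                # step 9: resource representation
        ticket = self.az.register_permission(self.pat, rs_id, {scope})   # step 3
        return (401 if rpt is None else 403), {"ticket": ticket}   # step 5: error carrying the ticket


class Client:
    def __init__(self, az, rs, aat):
        self.az, self.rs, self.aat, self.rpt = az, rs, aat, None

    def get(self, name, scope):
        status, body = self.rs.handle(name, scope, self.rpt)       # step 2 (or 8 with an earlier RPT)
        if status == 200:
            return body
        rpt = self.az.request_rpt(self.aat, body["ticket"])        # step 6
        if rpt is None:
            return None                                            # requesting party is not authorised
        self.rpt = rpt                                             # step 7
        status, body = self.rs.handle(name, scope, self.rpt)       # step 8
        return body if status == 200 else None


def run_demo():
    az = AuthorizationServer()
    rs = ResourceServer(az, az.issue_pat("alice"))
    rs.protect("garden", {"enter", "water"})
    rs.protect("house", {"enter"})
    az.set_policy("alice", rs.ids["garden"], "bob", {"enter", "water"})
    az.set_policy("alice", rs.ids["house"], "jim", {"enter"})
    bob, jim = Client(az, rs, az.issue_aat("bob")), Client(az, rs, az.issue_aat("jim"))
    return {"bob_garden": bob.get("garden", "enter"), "bob_house": bob.get("house", "enter"),
            "jim_house": jim.get("house", "enter"), "jim_garden": jim.get("garden", "water")}


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing when reading the code: the RS never decides policy itself, it only reports what was attempted (step 3) and asks the AS what an RPT is good for (introspection in step 8), which is what the slide means by "outsourcing protection" to the AS; and the permission ticket is bound to the scope the client actually tried, so an RPT obtained for the garden does not silently extend to the house.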
UMA Status
• UMA v0.9 public review
  • Core, Resource Set Registration & Claim Profiles
  • Completed: 06 September 2014
• Interop in progress
• Next steps
  • Core & Resource Reg: H1/15
  • Claim Profiles & Binding Obligations(?): H2/15
  • IETF
Implementations & More Info
• Known implementations
  • Gluu
  • CloudIdentity
  • OpenUMA (ForgeRock)
  • Implementations List (Kantara)
• More info
  • UMA WG Home (Kantara)
  • New Venn of Access Control (Maler)
Thoughts to Leave With
• Standards
  • OAuth, OpenID Connect: start now
• Infrastructure
  • Avoid vendor lock-in: ensure vendors can support upcoming standards quickly
  • Avoid rip & replace; it is unnecessary. There are good solutions that will overlay what you have to add what you need
  • Do not trust home-grown implementations; this is too easy to get wrong (and way too important)
• Participate in the WG
• Security is not all about security
  • Security drives improved user experience, which drives better business