Identity and Entitlement Management Concepts

Page 1: Identity and Entitlement Management Concepts

Last Updated: Jan. 2014

Tech Lead Chamath Gunawardana

Identity and Entitlement Management – Concepts and Theories

Page 2: Identity and Entitlement Management Concepts

About the Presenter(s)

๏ Chamath Gunawardana

Chamath Gunawardana is a technical lead at WSO2 working for the integration technology group. He is engaged in the development of the WSO2 Identity Server and is also a committer of the WSO2 Identity Server. Chamath is also a SUN certified Java programmer.

Page 3: Identity and Entitlement Management Concepts

About WSO2

๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source

๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments

๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.

๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.

๏ Driven by innovation

  ๏ Launched the first open source API Management solution in 2012

  ๏ Launched App Factory in 2Q 2013

  ๏ Launched Enterprise Store and the first open source Mobile solution in 4Q 2013

Page 4: Identity and Entitlement Management Concepts

What WSO2 delivers

Page 5: Identity and Entitlement Management Concepts

Agenda

๏ Entitlement management

  ๏ Overview

  ๏ Access control concepts

  ๏ XACML

  ๏ Entitlement architecture in Identity Server

๏ Identity management

  ๏ Overview

  ๏ Features of identity management systems

  ๏ A couple of identity management capabilities in Identity Server

๏ Demo

Page 6: Identity and Entitlement Management Concepts

What is Entitlement Management?

๏ Entitlement management is technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements.

๏ Also referred to as “authorizations,” “privileges,” “access rights,” “permissions” and/or “rules”

     - Gartner Glossary

Page 7: Identity and Entitlement Management Concepts

Entitlement Management

๏ It's a broader concept

๏ Types of access control include:

  ๏ Access control lists

  ๏ Role based access control

  ๏ Attribute based access control

  ๏ Policy based access control

Page 8: Identity and Entitlement Management Concepts

Access control lists

๏ Oldest and most basic form of access control

๏ Primarily adopted by operating systems

๏ Maintains, as a mapping, the set of users and the operations each may perform on a resource

๏ Also easy to implement using maps

๏ Not scalable for large user bases

๏ Difficult to manage

Page 9: Identity and Entitlement Management Concepts

Role based access control

๏ The system has users that belong to roles

๏ A role defines which resources are allowed

๏ Reduces the management overhead

๏ Users and roles can be externalized using user stores

๏ The roles themselves need to be managed

๏ A user may belong to multiple roles

Page 10: Identity and Entitlement Management Concepts

Attribute based access control

๏ Authorization based on attributes

๏ Addresses the limitation of the role based approach in defining fine grained access control

๏ Attributes of the user, the environment, as well as the resource itself

๏ More flexible than the role based approach

๏ No need to know the user prior to granting access

Page 11: Identity and Entitlement Management Concepts

Policy based access control

๏ Addresses the requirement for a more uniform access control mechanism

๏ Helps large enterprises have uniform access control among org units

๏ Helps security audits to be carried out

๏ More complex than any other access control system

๏ Specify policies unambiguously with XACML

๏ Use of authorized attribute sources in the enterprise

Page 12: Identity and Entitlement Management Concepts

Advantages

๏ Reduces the development time spent on critical business functions

๏ Easy management of entitlements

๏ Based on industry standard specifications

๏ Supports future development with minimum effort

Page 13: Identity and Entitlement Management Concepts

XACML

๏ XACML is a policy based authorization/entitlement system

๏ De-facto standard for authorization

๏ Has evolved through versions 1.0, 2.0 and 3.0

๏ Externalized

๏ Policy based

๏ Fine grained

๏ Standardized

Page 14: Identity and Entitlement Management Concepts

XACML

๏ Identity Server supports XACML 2.0 and 3.0 versions

๏ Supports multiple PIPs (policy information points)

๏ Policy distribution

๏ UI wizards for defining policies

๏ Try it tool

๏ Decision / attribute caching
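As an added example (not code from the deck or from WSO2 Identity Server), the following toy policy decision point shows what the attribute based access control and XACML slides describe: a constructed XACML 3.0 policy whose rules match on subject, action and resource attributes, evaluated against a request attribute bag under the deny-overrides rule combining algorithm. It supports only the subset the constructed policy uses (string-equal Matches, AnyOf/AllOf Targets, Permit/Deny Rules); the DataType and MustBePresent attributes a real policy carries are left out for brevity.

```python
import xml.etree.ElementTree as ET

# Added example, not WSO2 Identity Server code: a toy PDP for the XACML 3.0 subset used by
# the constructed policy below (string-equal Matches, AnyOf/AllOf Targets, deny-overrides).
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
q = lambda tag: f"{{{NS}}}{tag}"  # namespace-qualified tag for ElementTree lookups

def match(category, attr_id, value):
    # Render one <Match>: string-equal between a literal and a request attribute.
    return (f'<Match MatchId="{STRING_EQUAL}"><AttributeValue>{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}"/></Match>')

# Constructed policy: doctors may read records, but any access to a record
# classified "restricted" is denied; deny-overrides makes the Deny rule win.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="records"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="doctor-read" Effect="Permit"><Target><AnyOf><AllOf>
    {match(SUBJECT, 'role', 'doctor')}{match(ACTION, 'action-id', 'read')}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="restricted-deny" Effect="Deny"><Target><AnyOf><AllOf>
    {match(RESOURCE, 'classification', 'restricted')}
  </AllOf></AnyOf></Target></Rule>
</Policy>"""

def _match_ok(m, request):
    # request: {(category, attribute-id): set(values)}; an absent attribute fails the Match.
    value = m.find(q("AttributeValue")).text
    d = m.find(q("AttributeDesignator"))
    return value in request.get((d.get("Category"), d.get("AttributeId")), set())

def _target_ok(target, request):
    # Every AnyOf needs one AllOf whose Matches all hold; an empty Target matches all.
    return all(any(all(_match_ok(m, request) for m in allof.findall(q("Match")))
                   for allof in anyof.findall(q("AllOf")))
               for anyof in target.findall(q("AnyOf")))

def evaluate(policy_xml, request):
    policy = ET.fromstring(policy_xml)
    if not _target_ok(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall(q("Rule"))
               if _target_ok(r.find(q("Target")), request)}
    if "Deny" in effects:  # deny-overrides: one Deny beats any number of Permits
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

A request is a dict mapping (category, attribute-id) to a set of string values, the attributes a PEP or the PIPs would supply; an attribute that is absent simply fails its Match, so missing data can never produce a Permit.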

Page 15: Identity and Entitlement Management Concepts

XACML

Page 16: Identity and Entitlement Management Concepts

Create policy options

Page 17: Identity and Entitlement Management Concepts

Simple policy editor

Page 18: Identity and Entitlement Management Concepts

Basic policy editor

Page 19: Identity and Entitlement Management Concepts

Try it tool

Page 20: Identity and Entitlement Management Concepts

Try it tool request

Page 21: Identity and Entitlement Management Concepts

Extensions

Page 22: Identity and Entitlement Management Concepts

Identity Management

๏ Managing the identity of users in a system

๏ Control access to resources

๏ Important component in an enterprise

๏ Enterprises depend on the security provided by identity management systems

Page 23: Identity and Entitlement Management Concepts

Why Identity Management

๏ Directly influences the security and productivity of an organization

๏ To enforce consistency in security policies across the organization

๏ To comply with rules and regulations enforced by governments in some critical domains

๏ Provide access to resources to outside parties without compromising security

Page 24: Identity and Entitlement Management Concepts

Why Identity Management (Cont.)

๏ Controlled resource access increases organizational security

๏ Increased auditability of the systems

๏ Automated password reset capabilities

Page 25: Identity and Entitlement Management Concepts

Features of an IDM System

๏ User Stores / Directories

๏ Authentication

๏ Authorization

๏ Single Sign On

๏ Provisioning

๏ Delegation

๏ Password reset

๏ Self registration with locking

Page 26: Identity and Entitlement Management Concepts

User stores / Directories

๏ Grouping of users and roles

๏ Eases the management of authorization decisions

๏ Support for different types of user stores

Page 27: Identity and Entitlement Management Concepts

Authentication

๏ Identifying which entity we are communicating with

๏ The entity can be a user or a system

๏ The most basic form is user name and password

๏ Authentication against a user store

๏ Concept of multi factor authentication

Page 28: Identity and Entitlement Management Concepts

Authorization

๏ What an entity is allowed to access in the system

๏ Entitlement management aspects

๏ Already discussed under entitlement management

Page 29: Identity and Entitlement Management Concepts

Single Sign On

๏ Having multiple applications with login requirements

๏ Once logged in to one application, automatic login to the other applications

๏ Token usage

๏ Identity Federation

๏ Technologies used

  ๏ OpenID

  ๏ SAML

  ๏ Kerberos

  ๏ WS-Federation passive

Page 30: Identity and Entitlement Management Concepts

Provisioning

๏ Concept of adding and removing identities from a user store

๏ Provisioning to external systems

๏ Technologies

  ๏ SPML

  ๏ SCIM

Page 31: Identity and Entitlement Management Concepts

Delegation

๏ Giving responsibility to another entity to carry out tasks on your behalf

๏ Credential sharing systems

๏ Technologies

  ๏ OAuth

Page 32: Identity and Entitlement Management Concepts

Users and roles

๏ Enterprise user stores with users and roles

๏ Managing user stores

๏ Support for multiple user stores

๏ Easy configuration of user stores in the UI

๏ Types of user stores

  ๏ LDAP, Active Directory, JDBC

๏ Support for multi-tenancy

Page 33: Identity and Entitlement Management Concepts

Password reset

๏ Web apps needing end user password reset functionality

๏ Supports:

  ๏ Reset with notification

  ๏ Reset with secret questions

๏ Increased security with multiple keys in the reset flow

๏ UI based configuration of email templates

Page 34: Identity and Entitlement Management Concepts

Self registration with locking

๏ Separate web service for self registration with account lock

๏ Upon registration, a confirmation link is sent to unlock the account

๏ Only users with a valid email address gain access to the system

๏ Configurable email notification template
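An added example (not the Identity Server's implementation) of the lock-until-confirmed flow this slide describes; the same one-time key handling is what the multiple keys in the password reset flow on the previous slide rely on. Assumed details, not from the deck: the confirmation key is an unguessable random token stored only as its SHA-256 hash, it expires after TOKEN_TTL seconds, and it is consumed on first use.

```python
import hashlib
import secrets
import time

# Added example, not WSO2 Identity Server code: a minimal self-registration store in
# which a new account stays locked until the e-mailed confirmation link is used.
TOKEN_TTL = 24 * 3600  # constructed assumption: confirmation links expire after one day


class AccountStore:
    def __init__(self, now=time.time):
        self.accounts = {}   # username -> {"email": ..., "locked": bool}
        self.pending = {}    # sha256(token) -> (username, expiry timestamp)
        self.now = now       # injectable clock so expiry can be tested

    def register(self, username, email):
        """Create a locked account and return the confirmation token to e-mail out."""
        if username in self.accounts:
            raise ValueError("username already taken")
        self.accounts[username] = {"email": email, "locked": True}
        token = secrets.token_urlsafe(32)               # unguessable one-time key
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, self.now() + TOKEN_TTL)  # store only the hash
        return token                                     # goes into the e-mailed link

    def confirm(self, token):
        """Unlock the account for a valid, unexpired token; True on success."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)           # one use only, valid or not
        if entry is None:
            return False                                 # unknown or already used
        username, expiry = entry
        if self.now() > expiry:
            return False                                 # stale link: account stays locked
        self.accounts[username]["locked"] = False
        return True

    def can_login(self, username):
        """A locked (unconfirmed) account is refused even with correct credentials."""
        account = self.accounts.get(username)
        return account is not None and not account["locked"]
```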

Page 35: Identity and Entitlement Management Concepts

Demo

Page 36: Identity and Entitlement Management Concepts

Business Model

Page 37: Identity and Entitlement Management Concepts

More Information!

๏ The slides and webinar will be available soon.

๏ Please refer to the Identity Server documentation - https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation

Page 38: Identity and Entitlement Management Concepts

Contact us!