Last Updated: Jan. 2014
Tech Lead Chamath Gunawardana
Identity and Entitlement Management – Concepts and Theories
2
About the Presenter(s)
๏ Chamath Gunawardana
Chamath Gunawardana is a technical lead at WSO2 working in the integration technology group. He is engaged in the development of the WSO2 Identity Server and is also a committer on the WSO2 Identity Server. Chamath is also a Sun certified Java programmer.
3
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
4
What WSO2 delivers
Agenda
๏ Entitlement management
๏ overview
๏ Access control concepts
๏ XACML
๏ Entitlement architecture in Identity Server
๏ Identity management
๏ overview
๏ Features of identity management systems
๏ A couple of identity management capabilities in Identity Server
๏ Demo
5
What is Entitlement Management
๏ Entitlement management is technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements.
๏ Also referred to as “authorizations,” “privileges,” “access rights,” “permissions” and/or “rules”
- Gartner Glossary
6
Entitlement Management
๏ It’s a broader concept
๏ Types of access control include:
๏ Access control lists
๏ Role based access control
๏ Attribute based access control
๏ Policy based access control
7
Access control lists
๏ Oldest and most basic form of access control
๏ Adopted primarily by operating systems
๏ Maintains, for each resource, a mapping from users to the operations they may perform on it
๏ Also easy to implement using maps
๏ Not scalable for large user bases
๏ Difficult to manage
8
Role based access control
๏ Users in the system belong to roles
๏ A role defines which resources are allowed
๏ Reduces the management overhead
๏ Users and roles can be externalized using user stores
๏ Roles need to be managed
๏ A user may belong to multiple roles
9
Attribute based access control
๏ Authorization based on attributes
๏ Addresses the limitation of the role based approach in defining fine-grained access control
๏ Uses attributes of the user, the environment and the resource itself
๏ More flexible than the role based approach
๏ No need to know the user prior to granting access
10
Policy based access control
๏ Addresses the requirement for a more uniform access control mechanism
๏ Helps large enterprises apply uniform access control across organizational units
๏ Helps security audits to be carried out
๏ More complex than any other access control system
๏ Specifies policies unambiguously with XACML
๏ Uses authorized attribute sources in the enterprise
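The three models on the preceding slides differ in what the decision is keyed on: an ACL is keyed on the user, RBAC on the user's roles, ABAC on attributes of subject, resource and environment. The following added example (not code from the slides or from WSO2 Identity Server) puts the three checks side by side over a constructed set of users, roles and attributes, so that the ABAC point "no need to know the user prior to granting access" and the environment attribute (time of day) can be seen directly. All names and attribute values are constructed for the demo.

```python
"""ACL vs RBAC vs ABAC access checks (added example; all data below is constructed)."""
from datetime import time

# --- Access control list: per-resource mapping user -> permitted operations ---
ACL = {
    "/finance/report.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
}

def acl_allows(user, op, resource):
    # Unknown user or unknown resource simply has no entry, hence no access.
    return op in ACL.get(resource, {}).get(user, set())

# --- Role based: users -> roles, roles -> (resource, operation) permissions ---
USER_ROLES = {"alice": {"finance-manager"}, "bob": {"finance-analyst"}}
ROLE_PERMS = {
    "finance-manager": {("/finance/report.xlsx", "read"), ("/finance/report.xlsx", "write")},
    "finance-analyst": {("/finance/report.xlsx", "read")},
}

def rbac_allows(user, op, resource):
    # A user may hold several roles; any role granting the permission suffices.
    return any((resource, op) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- Attribute based: one rule over subject, resource and environment attributes ---
SUBJECT_ATTRS = {                       # would normally come from a user store / PIP
    "alice": {"department": "finance", "clearance": 3},
    "bob":   {"department": "finance", "clearance": 1},
    "carol": {"department": "finance", "clearance": 1},   # not listed in ACL or RBAC tables
}
RESOURCE_ATTRS = {
    "/finance/report.xlsx": {"owner_department": "finance", "classification": 2},
}

def abac_allows(subject, op, resource, env):
    """Rule: members of the owning department may read during business hours;
    writing additionally requires clearance >= the resource classification."""
    same_dept = subject["department"] == resource["owner_department"]
    business_hours = time(8, 0) <= env["time"] <= time(18, 0)
    if op == "read":
        return same_dept and business_hours
    if op == "write":
        return same_dept and business_hours and subject["clearance"] >= resource["classification"]
    return False

def check_all(user, op, resource="/finance/report.xlsx", at=time(10, 30)):
    """Evaluate the same request under all three models; returns {model: allowed}."""
    return {
        "acl": acl_allows(user, op, resource),
        "rbac": rbac_allows(user, op, resource),
        "abac": abac_allows(SUBJECT_ATTRS[user], op, RESOURCE_ATTRS[resource], {"time": at}),
    }

if __name__ == "__main__":
    # carol was never added to the ACL or given a role, yet ABAC grants read
    # because her attributes match; outside business hours ABAC denies alice a write.
    print(check_all("carol", "read"))
    print(check_all("alice", "write", at=time(20, 0)))
```

Note that the ABAC rule never mentions a user name: adding a new finance employee needs no change to the policy, whereas the ACL needs a new entry per resource and RBAC needs a role assignment.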
11
Advantages
๏ Reduces development time on critical business functions
๏ Easy management of entitlements
๏ Based on industry standard specifications
๏ Supports future development with minimum effort
12
XACML
๏ XACML is a policy based authorization/entitlement system
๏ De-facto standard for authorization
๏ Has evolved through versions 1.0, 2.0 and 3.0
๏ Externalized
๏ Policy based
๏ Fine grained
๏ Standardized
13
XACML
๏ Identity Server supports XACML 2.0 and 3.0
๏ Supports multiple PIPs (Policy Information Points)
๏ Policy distribution
๏ UI wizards for defining policies
๏ Try-it tool
๏ Decision / attribute caching
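To make the XACML vocabulary on these slides concrete (policy, rules with an effect, a combining algorithm, PIPs that supply attributes the request did not carry, and an attribute cache), here is an added example of a minimal policy decision point written in Python. It is not Identity Server code and not a XACML implementation; the request is a plain dict rather than an XACML request document, the combining algorithms are simplified (XACML 3.0's extended Indeterminate values are collapsed into one), and the directory used as a PIP is constructed for the demo.

```python
"""Minimal XACML-style PDP (added example; simplified, not WSO2 code)."""
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    effect: str                         # PERMIT or DENY when the condition holds
    condition: Callable[[dict], bool]   # evaluated over the resolved attribute set
    needs: tuple = ()                   # attribute ids that must be fetched from a PIP

@dataclass
class Policy:
    target: Callable[[dict], bool]      # does this policy apply to the request at all?
    rules: list
    combining: str = "deny-overrides"

class AttributeMissing(KeyError):
    """Raised when neither the request nor any PIP can supply an attribute."""

def combine(results, algorithm):
    """Simplified rule/policy combining: deny-overrides lets any Deny win,
    permit-overrides lets any Permit win; Indeterminate beats the other effect."""
    winner, loser = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if winner in results:
        return winner
    if INDETERMINATE in results:
        return INDETERMINATE
    if loser in results:
        return loser
    return NOT_APPLICABLE

class PDP:
    def __init__(self, policies, pips):
        self.policies = policies
        self.pips = pips      # attribute id -> callable(request) -> value
        self.cache = {}       # (attribute id, subject) -> value  (attribute caching)

    def resolve(self, request, attr_id):
        if attr_id in request:
            return request[attr_id]
        key = (attr_id, request.get("subject-id"))
        if key not in self.cache:
            pip = self.pips.get(attr_id)
            if pip is None:
                raise AttributeMissing(attr_id)
            self.cache[key] = pip(request)   # PIP may itself raise AttributeMissing
        return self.cache[key]

    def evaluate_rule(self, rule, request):
        try:
            attrs = dict(request)
            for attr_id in rule.needs:
                attrs[attr_id] = self.resolve(request, attr_id)
            return rule.effect if rule.condition(attrs) else NOT_APPLICABLE
        except AttributeMissing:
            return INDETERMINATE            # never guess: an unresolvable attribute is not a Permit

    def evaluate_policy(self, policy, request):
        if not policy.target(request):
            return NOT_APPLICABLE
        return combine([self.evaluate_rule(r, request) for r in policy.rules], policy.combining)

    def decide(self, request):
        return combine([self.evaluate_policy(p, request) for p in self.policies], "deny-overrides")

# --- Constructed sample: a directory acting as PIP, and one policy for /finance/ ---
DIRECTORY = {"alice": "finance", "bob": "engineering"}

def department_pip(request):
    subject = request["subject-id"]
    if subject not in DIRECTORY:
        raise AttributeMissing("department")
    return DIRECTORY[subject]

FINANCE_POLICY = Policy(
    target=lambda req: req["resource-id"].startswith("/finance/"),
    rules=[
        Rule(PERMIT, lambda a: a["department"] == "finance" and a["action-id"] == "read",
             needs=("department",)),
        Rule(DENY, lambda a: a["action-id"] == "delete"),
    ],
)

def new_pdp():
    return PDP([FINANCE_POLICY], {"department": department_pip})

def decide(subject, action, resource, pdp=None):
    """What a PEP would call: returns one of the four XACML decisions."""
    pdp = pdp or new_pdp()
    return pdp.decide({"subject-id": subject, "action-id": action, "resource-id": resource})

if __name__ == "__main__":
    for req in [("alice", "read", "/finance/q1.xlsx"), ("bob", "read", "/finance/q1.xlsx"),
                ("alice", "delete", "/finance/q1.xlsx"), ("mallory", "read", "/finance/q1.xlsx")]:
        print(req, "->", decide(*req))
```

The part worth noticing for a deployment is the Indeterminate path: when a PIP cannot resolve an attribute the rule does not silently fall to NotApplicable, and a PEP must treat anything other than Permit as a refusal.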
14
XACML
15
Create policy options
16
Simple policy editor
17
Basic policy editor
18
Try it tool
19
Try it tool request
20
Extensions
21
Identity Management
๏ Managing the identity of users in a system
๏ Controls access to resources
๏ Important component in an enterprise
๏ Enterprises depend on the security provided by identity management systems
22
Why Identity Management
๏ Directly influences the security and productivity of an organization
๏ To enforce consistency in security policies across the organization
๏ To comply with rules and regulations enforced in some critical domains by governments
๏ To provide access to resources to outside parties without compromising security
23
Why Identity Management Cont.
๏ Controlled resource access increases organizational security
๏ Increased auditability of the systems
๏ Automated password reset capabilities
24
Features of IDM System
๏ User Stores / Directories
๏ Authentication
๏ Authorization
๏ Single Sign On
๏ Provisioning
๏ Delegation
๏ Password reset
๏ Self registration with locking
25
User stores / Directories
๏ Grouping of users and roles
๏ Easier management of authorization decisions
๏ Support for different types of user stores
26
Authentication
๏ Identifying which entity we are communicating with
๏ The entity can be a user or a system
๏ Most basic form is user name and password
๏ Authentication against a user store
๏ Concept of multi-factor authentication
27
Authorization
๏ What an entity is allowed to access in the system
๏ Entitlement management aspects
๏ Discussed above
28
Single Sign On
๏ Multiple applications, each with login requirements
๏ Once logged in to one application, automatic login to the other applications
๏ Token usage
๏ Identity Federation
๏ Technologies used
๏ OpenID
๏ SAML
๏ Kerberos
๏ WS-Federation passive
29
Provisioning
๏ Concept of adding and removing identities from a user store
๏ Provisioning to external systems
๏ Technologies
๏ SPML
๏ SCIM
30
Delegation
๏ Giving another entity the responsibility to carry out tasks on your behalf
๏ Credential sharing systems
๏ Technologies
๏ OAuth
31
Users and roles
๏ Enterprise user stores with users and roles
๏ Managing user stores
๏ Support for multiple user stores
๏ Easy configuration of user stores in the UI
๏ Types of user stores
๏ LDAP, Active Directory, JDBC
๏ Support for multi-tenancy
32
Password reset
๏ Web apps needing end user password reset functionality
๏ Supports:
๏ Reset with notification
๏ Reset with secret questions
๏ Increased security with multiple keys in the reset flow
๏ UI based email template configuration
33
Self registration with locking
๏ Separate web service for self registration with account lock
๏ Upon registration, a confirmation link is sent to unlock the account
๏ Only users with a valid email address gain access to the system
๏ Configurable email notification template
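The two preceding slides describe the same mechanism from two angles: a secret delivered out of band (by email) that either unlocks a freshly registered account or authorizes a password change. The following added example (not Identity Server code) shows the core of such a service in Python with an in-memory store constructed for the demo: the account is created locked, a single-use time-limited token is issued, only the token's hash is stored, the account opens only when the token comes back, and a reset token cannot be used to unlock (or vice versa). The 24-hour lifetime and the PBKDF2 parameters are assumed values.

```python
"""Self-registration with account lock and token-based password reset
(added example; in-memory store and timing values are constructed/assumed)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600        # assumed: confirmation / reset links expire after one day
PBKDF2_ROUNDS = 100_000      # assumed work factor for password hashing

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _token_digest(token: str) -> str:
    # Tokens are high-entropy, so a plain SHA-256 is enough to avoid storing them in the clear.
    return hashlib.sha256(token.encode()).hexdigest()

class AccountStore:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.accounts = {}          # username -> {"email", "salt", "pw_hash", "locked"}
        self.pending = {}           # token digest -> (username, purpose, expires_at)

    def _issue(self, username: str, purpose: str) -> str:
        """Create a single-use token; the caller emails it, only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self.pending[_token_digest(token)] = (username, purpose, self.now() + TOKEN_TTL)
        return token

    def _consume(self, token: str, purpose: str):
        """Return the username the token belongs to, or None; valid tokens are deleted."""
        digest = _token_digest(token)
        entry = self.pending.get(digest)
        if entry is None:
            return None
        username, issued_for, expires_at = entry
        if self.now() > expires_at:
            del self.pending[digest]          # stale link: drop it
            return None
        if issued_for != purpose:
            return None                       # a reset link must not unlock, and vice versa
        del self.pending[digest]              # single use
        return username

    def register(self, username: str, email: str, password: str) -> str:
        """Create the account locked and return the confirmation token to be emailed."""
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "email": email,
            "salt": salt,
            "pw_hash": _hash_pw(password, salt),
            "locked": True,                   # nothing works until the email link is used
        }
        return self._issue(username, "confirm")

    def confirm(self, token: str) -> bool:
        username = self._consume(token, "confirm")
        if username is None:
            return False
        self.accounts[username]["locked"] = False
        return True

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct["locked"]:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_pw(password, acct["salt"]))

    def request_reset(self, username: str):
        # Returns None for unknown users; the web layer should answer identically
        # in both cases so the endpoint does not reveal which accounts exist.
        if username not in self.accounts:
            return None
        return self._issue(username, "reset")

    def reset_password(self, token: str, new_password: str) -> bool:
        username = self._consume(token, "reset")
        if username is None:
            return False
        acct = self.accounts[username]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_pw(new_password, acct["salt"])
        return True

if __name__ == "__main__":
    store = AccountStore()
    tok = store.register("dana", "dana@example.test", "first-pass")
    print("login before confirm:", store.login("dana", "first-pass"))
    print("confirm:", store.confirm(tok), "login after:", store.login("dana", "first-pass"))
```

Two properties carry the security of the flow: the token is never stored in recoverable form, so a leaked store does not yield usable links, and every token is bound to one purpose and one use, so a reset link that leaks later cannot be replayed or turned into an account unlock.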
34
Demo
35
36
Business Model
37
More Information!
๏ The slides and webinar will be available soon.
๏ Please refer to the Identity Server documentation - https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation
Contact us!