UMA Trusted Claims

Extending UMA Protocol to support Trusted Claims (tClaims)

Newcastle University

Domenico Catalano and the Smart Team

1 V.313th July, 2011

Wednesday, July 13, 2011

Who I am

• Domenico Catalano

• Senior Sales Consultant @Oracle Italy + Sun

• Identity & Security Architect

• Leadership team member (UX)@Kantara UMA WG

2


Agenda

• UMA Conceptual model

• tClaims Requirements Analysis

• OpenID Connect

• UMA/OpenID Connect Integration approach

• User Interaction

• Trust Model consideration

• Q&A

3


UMA Conceptual Model

4

UMAAM

HOST

Authorizing User

Requester

Requesting Party

Protect

Control

Authorize

policy decisionPoint

ProtectedResource

Access

Manage

UMADomain

ExternalDomain


UMA Trusted Claims

• UMA Trusted Claims approach is designed to support Claims-based Access Control.

• In a Claim-based Access Control, the decision to grant access to a protected resource is made based on Subject’s information, such as name, age, email address, role, location, or credit score, etc.

5

Trusted ClaimsTrusted Claims

usted Claims


tClaims example scenarios

• Enterprise class scenario

‣ Accessing Personal Loan Special Program

• Social/web class scenario

‣ Sharing photo with “[email protected]”

6


mailto:[email protected]


Accessing Personal Loan special programEnterprise Class Scenario

• Bank online service provides an User-Managed Claims access control to restrict and personalize access to special program/service (i.e. personal loan with low interest rate) to users which have determinate employment (i.e. government employee), and have an high credit score.

7


8

Alice atBank sitefor requesting access to a restricted service. An UMA protected resource.

10.0

© copyright 2009 CMInc. All rights reserved.

Bank of Futureonline Banking

Access to Loyalty Program

Personal Loan with low interest rate (2%)

Select your UMA Authorization Manager to provide trusted Claims to grant access to this resource.

Welcome aalice

You have selected a protected resource to access special loyalty program for US Government Employee:

CopMonkey AM


Sharing Photo with “[email protected]/web Class Scenario

• Alice wants share a photo gallery with bob if Bob has an account email “[email protected]” and he is 18 years old.

9




10

Alice definesclaims-based authorization policy, using In-App widget


Requirements Analysis

• Authorizing User (Resource Owner) needs a claims-based access control to restrict access to own resources based on Requesting Party’s Identity attributes.

• Identity attributes must issued by a Trusted Third Party (TTP) and verifiable by a Claims Requester.

• Claims may be logically aggregated to provide a collection of attributes from different Attribute Providers (Claims Host).

11


OpenID Connect

• OpenID Connect provides authentication, authorization, and attribute transmission capability. It allows third party attested claims from distributed sources.

• This specification is largely compliant with OAuth 2.0 draft 15.

12

OpenID Connect Core 1.0 - draft 04


OpenID Connect protocol overview

• OpenID Connect protocol in abstract follows the following steps:

1. The Client sends a request to the Server’s End-User Authorization Endpoint.

2. The Server authenticates the user and obtains appropriate authorization.

3. The Server responds with access_token and a few other variables.

4. The Client sends a request with access_token to the Userinfo Endpoint.

5. Userinfo Endpoint returns the additional user supported by the Server.

13


UMA Conceptual Model

14

UMAAM

HOST

Authorizing User

Requester

Requesting Party

Protect

Control

Authorize


ProtectedResource

Access

Manage

UMADomain

ExternalDomain


UMA Conceptual Modelwith tClaims

15

UMAAM

HOST

Authorizing User

Requester

Requesting Party

OpenIDConnect

AS

Protect

1. Request

Control

Authorize

Protect


ProtectedResource

4. Request Userinfo

Access

UserInfoEndPoint

Manage

SSO

2. AuthNAuthZ

UMADomain

OpenIDDomain

ClaimsClient 3. Access_token

5. Userinfo


UMA/OpenID Connect Integration approach

16

ClaimsClient

UserInfoEndPoint

UMAAuthorization

Manager

Requesting Party

OpenIDIdentity Provider

AuthZServer

AuthN

AuthZ

SSO

Claims Protected Resource

OpenID RP

OpenID Connect

ClaimsProvider


User eXperience

17


Scenario

•Sharing Photo with “[email protected]”

‣ Host In-App Fast Sharing settings.

‣ Requesting Party requests direct access to Protected Resource.

‣ OpenID Connect interaction.

18




19

Alice atHost Site

Protected Resource by CopMonkey AM in-App Fast

AuthZ Settings for sharing


20

Alice definesclaims-based authorization policy, using In-App widget


21

Protected Resource is ready for sharing under authZ policy


22

10.0

© copyright 2009 CMInc. All rights reserved.

Photo4Sharingonline photo Service

Photo View Resource SharingCopMonkey Protected Resource

CopMonkey In-App Claim-based authorization

Home Photo Gallery Places Share Settings Hello Alice

Places> Venice> Bridge Edit

Share

URL photo4sharing.com/AB112FFD

Alice

twitter

Photo4Sharing: Places:Venice:Bridge athttp://photo4sharing.com/AB112FFD

22 hours ago reply

Tweet text goes here.keep it under 140 charactershttp://bit.ly/ds5c6z22 hours ago reply

Never thought I'd say this, but sign out of twitter.com, now! There's a nice new homepage to check out.http://bit.ly/ds5c6z22 hours ago reply

homepage to check out.http://bit.ly/ds5c6z22 hours ago reply

Alice shares the Protected resource through twitter


23

Bob attempts to access to protected resource.

Bob is redirect to AM to convey claims


24

CopMonkey authenticates Bob through OpenID, in order to initialize OpenID Connect protocol


25

Bob is redirect to IdP’s authorization service to grant claims.


26

Bob gets access to the protected resource


Trust Model ConsiderationBootstrapping Trust

27

Subject

AM

Host

Self Registration

Host Introduction

UMA

Self Registration

Subject

AM

Host

Affiliate Registration

Host Introduction

UMA


IdPAuthN

Subject

AM

Host


Host Introduction

UMA


IdPAuthN

TFP

TrustedFramework

LoA Certification

A B CSelf-Registration Affiliate or SSO Affiliate or SSO with

Trusted Framework

ClaimsProvider


Thanks

28


Technology

UMA Trusted Claims