Upload
domenico-catalano
View
2.664
Download
0
Embed Size (px)
Citation preview
Extending UMA Protocol to support Trusted Claims (tClaims)
Newcastle University
Domenico Catalano and the Smart Team
1 V.313th July, 2011
Wednesday, July 13, 2011
Who I am
• Domenico Catalano
• Senior Sales Consultant @Oracle Italy + Sun
• Identity & Security Architect
• Leadership team member (UX)@Kantara UMA WG
2
Wednesday, July 13, 2011
Agenda
• UMA Conceptual model
• tClaims Requirements Analysis
• OpenID Connect
• UMA/OpenID Connect Integration approach
• User Interaction
• Trust Model consideration
• Q&A
3
Wednesday, July 13, 2011
UMA Conceptual Model
4
UMAAM
HOST
Authorizing User
Requester
Requesting Party
Protect
Control
Authorize
policy decisionPoint
ProtectedResource
Access
Manage
UMADomain
ExternalDomain
Wednesday, July 13, 2011
UMA Trusted Claims
• UMA Trusted Claims approach is designed to support Claims-based Access Control.
• In a Claim-based Access Control, the decision to grant access to a protected resource is made based on Subject’s information, such as name, age, email address, role, location, or credit score, etc.
5
Trusted ClaimsTrusted Claims
usted Claims
Wednesday, July 13, 2011
tClaims example scenarios
• Enterprise class scenario
‣ Accessing Personal Loan Special Program
• Social/web class scenario
‣ Sharing photo with “[email protected]”
6
Wednesday, July 13, 2011
Accessing Personal Loan special programEnterprise Class Scenario
• Bank online service provides an User-Managed Claims access control to restrict and personalize access to special program/service (i.e. personal loan with low interest rate) to users which have determinate employment (i.e. government employee), and have an high credit score.
7
Wednesday, July 13, 2011
8
Alice atBank sitefor requesting access to a restricted service. An UMA protected resource.
10.0
© copyright 2009 CMInc. All rights reserved.
Bank of Futureonline Banking
Access to Loyalty Program
Personal Loan with low interest rate (2%)
Select your UMA Authorization Manager to provide trusted Claims to grant access to this resource.
Welcome aalice
You have selected a protected resource to access special loyalty program for US Government Employee:
CopMonkey AM
Wednesday, July 13, 2011
Sharing Photo with “[email protected]/web Class Scenario
• Alice wants share a photo gallery with bob if Bob has an account email “[email protected]” and he is 18 years old.
9
Wednesday, July 13, 2011
10
Alice definesclaims-based authorization policy, using In-App widget
Wednesday, July 13, 2011
Requirements Analysis
• Authorizing User (Resource Owner) needs a claims-based access control to restrict access to own resources based on Requesting Party’s Identity attributes.
• Identity attributes must issued by a Trusted Third Party (TTP) and verifiable by a Claims Requester.
• Claims may be logically aggregated to provide a collection of attributes from different Attribute Providers (Claims Host).
11
Wednesday, July 13, 2011
OpenID Connect
• OpenID Connect provides authentication, authorization, and attribute transmission capability. It allows third party attested claims from distributed sources.
• This specification is largely compliant with OAuth 2.0 draft 15.
12
OpenID Connect Core 1.0 - draft 04
Wednesday, July 13, 2011
OpenID Connect protocol overview
• OpenID Connect protocol in abstract follows the following steps:
1. The Client sends a request to the Server’s End-User Authorization Endpoint.
2. The Server authenticates the user and obtains appropriate authorization.
3. The Server responds with access_token and a few other variables.
4. The Client sends a request with access_token to the Userinfo Endpoint.
5. Userinfo Endpoint returns the additional user supported by the Server.
13
Wednesday, July 13, 2011
UMA Conceptual Model
14
UMAAM
HOST
Authorizing User
Requester
Requesting Party
Protect
Control
Authorize
policy decisionPoint
ProtectedResource
Access
Manage
UMADomain
ExternalDomain
Wednesday, July 13, 2011
UMA Conceptual Modelwith tClaims
15
UMAAM
HOST
Authorizing User
Requester
Requesting Party
OpenIDConnect
AS
Protect
1. Request
Control
Authorize
Protect
policy decisionPoint
ProtectedResource
4. Request Userinfo
Access
UserInfoEndPoint
Manage
SSO
2. AuthNAuthZ
UMADomain
OpenIDDomain
ClaimsClient 3. Access_token
5. Userinfo
Wednesday, July 13, 2011
UMA/OpenID Connect Integration approach
16
ClaimsClient
UserInfoEndPoint
UMAAuthorization
Manager
Requesting Party
OpenIDIdentity Provider
AuthZServer
AuthN
AuthZ
SSO
Claims Protected Resource
OpenID RP
OpenID Connect
ClaimsProvider
Wednesday, July 13, 2011
User eXperience
17
Wednesday, July 13, 2011
Scenario
•Sharing Photo with “[email protected]”
‣ Host In-App Fast Sharing settings.
‣ Requesting Party requests direct access to Protected Resource.
‣ OpenID Connect interaction.
18
Wednesday, July 13, 2011
19
Alice atHost Site
Protected Resource by CopMonkey AM in-App Fast
AuthZ Settings for sharing
Wednesday, July 13, 2011
20
Alice definesclaims-based authorization policy, using In-App widget
Wednesday, July 13, 2011
21
Protected Resource is ready for sharing under authZ policy
Wednesday, July 13, 2011
22
10.0
© copyright 2009 CMInc. All rights reserved.
Photo4Sharingonline photo Service
Photo View Resource SharingCopMonkey Protected Resource
CopMonkey In-App Claim-based authorization
Home Photo Gallery Places Share Settings Hello Alice
Places> Venice> Bridge Edit
Share
URL photo4sharing.com/AB112FFD
Alice
Photo4Sharing: Places:Venice:Bridge athttp://photo4sharing.com/AB112FFD
22 hours ago reply
Tweet text goes here.keep it under 140 charactershttp://bit.ly/ds5c6z22 hours ago reply
Never thought I'd say this, but sign out of twitter.com, now! There's a nice new homepage to check out.http://bit.ly/ds5c6z22 hours ago reply
homepage to check out.http://bit.ly/ds5c6z22 hours ago reply
Alice shares the Protected resource through twitter
Wednesday, July 13, 2011
23
Bob attempts to access to protected resource.
Bob is redirect to AM to convey claims
Wednesday, July 13, 2011
24
CopMonkey authenticates Bob through OpenID, in order to initialize OpenID Connect protocol
Wednesday, July 13, 2011
25
Bob is redirect to IdP’s authorization service to grant claims.
Wednesday, July 13, 2011
26
Bob gets access to the protected resource
Wednesday, July 13, 2011
Trust Model ConsiderationBootstrapping Trust
27
Subject
AM
Host
Self Registration
Host Introduction
UMA
Self Registration
Subject
AM
Host
Affiliate Registration
Host Introduction
UMA
Affiliate Registration
IdPAuthN
Subject
AM
Host
Affiliate Registration
Host Introduction
UMA
Affiliate Registration
IdPAuthN
TFP
TrustedFramework
LoA Certification
A B CSelf-Registration Affiliate or SSO Affiliate or SSO with
Trusted Framework
ClaimsProvider
Wednesday, July 13, 2011
Thanks
28
Wednesday, July 13, 2011