Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.


About Me: Director of Security Architecture at WSO2. Leads WSO2 Identity Server, an open source identity and entitlement management product. Apache Axis2/Rampart committer / PMC. A member of the OASIS Identity Metasystem Interoperability (IMI) TC, the OASIS eXtensible Access Control Markup Language (XACML) TC and the OASIS Security Services (SAML) TC.

Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

With Discretionary Access Control, a user can be the owner of the data and, at their discretion, can transfer the rights to another user.

With Mandatory Access Control, only designated users are allowed to grant rights, and users cannot transfer them.

All WSO2 Carbon based products are based on Mandatory Access Control.

A group is a collection of users, while a role is a collection of permissions.

Authorization Table vs. Access Control Lists vs. Capabilities

An authorization table is a three-column table with subject, action and resource.

With Access Control Lists, each resource is associated with a list, indicating, for each subject, the actions that the subject can exercise on the resource.

With Capabilities, each subject has an associated list, called a capability list, indicating, for each resource, the accesses that the subject is allowed to exercise on the resource.

An Access Control List is resource driven, while capabilities are subject driven.

With policy-based access control, authorization policies can be expressed at a fine granularity.

Capabilities and Access Control Lists can be dynamically derived from policies.
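The three representations above are views of the same data. The following Python example, added here and not part of the slides or of any WSO2 code, starts from a constructed authorization table plus a few constructed role-based policy rules, expands the rules into subject/action/resource triples, and then derives both the resource-driven ACL view and the subject-driven capability view from the combined table. All names and data are hypothetical.

```python
# Added example (not from the slides): deriving Access Control Lists and
# capability lists from one policy-derived authorization table.
from collections import defaultdict

# Constructed authorization table: explicit (subject, action, resource) triples.
AUTHZ_TABLE = [
    ("alice", "read", "/docs/report"),
    ("alice", "write", "/docs/report"),
    ("bob", "read", "/docs/report"),
    ("bob", "read", "/docs/budget"),
]

# Constructed role-based policy: (role, action, resource) rules, and the
# role membership needed to expand them into explicit triples.
ROLE_MEMBERS = {"auditor": ["carol"], "editor": ["alice"]}
POLICY_RULES = [
    ("auditor", "read", "/docs/budget"),
    ("editor", "write", "/docs/budget"),
]


def expand_policy(rules, role_members):
    """Expand role-based rules into explicit (subject, action, resource) triples."""
    triples = []
    for role, action, resource in rules:
        for subject in role_members.get(role, []):
            triples.append((subject, action, resource))
    return triples


def to_acl(table):
    """Resource-driven view: resource -> subject -> sorted list of actions."""
    acl = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        acl[resource][subject].add(action)
    return {r: {s: sorted(a) for s, a in subs.items()} for r, subs in acl.items()}


def to_capabilities(table):
    """Subject-driven view: subject -> resource -> sorted list of actions."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, action, resource in table:
        caps[subject][resource].add(action)
    return {s: {r: sorted(a) for r, a in res.items()} for s, res in caps.items()}


def is_permitted(table, subject, action, resource):
    """Point lookup in the authorization table; anything not listed is denied."""
    return (subject, action, resource) in set(table)


if __name__ == "__main__":
    full_table = AUTHZ_TABLE + expand_policy(POLICY_RULES, ROLE_MEMBERS)
    print("ACL:", to_acl(full_table))
    print("Capabilities:", to_capabilities(full_table))
```

Because both views are regenerated from the table, a change to a policy rule only needs to be made once; the ACL answers "who can touch this resource?" and the capability list answers "what can this subject do?" without either being maintained by hand.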

XACML is the de facto standard for policy based access control.

XACML provides a reference architecture, a request/response protocol and a policy language.

XACML Reference Architecture: Policy Enforcement Point (PEP), Policy Information Point (PIP), Policy Administration Point (PAP), Policy Decision Point (PDP), Policy Store.
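To make the division of labour between the five components concrete, here is a small Python model of the reference architecture. It is an added example, not WSO2 Identity Server code and not the XACML policy language itself: the PAP is the only component that writes to the Policy Store, the PIP resolves the subject's roles (here by mapping constructed IdP group names to application roles), the PDP evaluates rules with deny-overrides combining and a hierarchical resource match in the spirit of the Hierarchical Resource Profile, and the PEP refuses anything that is not an explicit Permit. Every class, policy, user and group name is hypothetical.

```python
# Added example (not WSO2 code): a minimal authorization service shaped like the
# XACML reference architecture. All names and data are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    effect: str      # "Permit" or "Deny"
    roles: set       # rule applies if the subject holds any of these roles
    actions: set     # rule applies if the action is one of these
    resource: str    # hierarchical resource id: "/a/b" also covers "/a/b/c"


@dataclass
class Policy:
    policy_id: str
    rules: list = field(default_factory=list)


class PolicyStore:
    """Policy Store: written only by the PAP, read by the PDP."""
    def __init__(self):
        self.policies = {}


class PAP:
    """Policy Administration Point: the one place policies are created or changed."""
    def __init__(self, store):
        self.store = store

    def publish(self, policy):
        self.store.policies[policy.policy_id] = policy


class PIP:
    """Policy Information Point: supplies attributes the request did not carry.
    Here it maps IdP groups to application roles (constructed mapping)."""
    def __init__(self, user_groups, group_to_role):
        self.user_groups = user_groups
        self.group_to_role = group_to_role

    def roles_of(self, subject):
        groups = self.user_groups.get(subject, [])
        return {self.group_to_role[g] for g in groups if g in self.group_to_role}


def resource_matches(rule_resource, requested):
    """A rule on a node applies to the node itself and to all of its descendants."""
    return requested == rule_resource or requested.startswith(rule_resource.rstrip("/") + "/")


class PDP:
    """Policy Decision Point with deny-overrides combining."""
    def __init__(self, store, pip):
        self.store = store
        self.pip = pip

    def evaluate(self, request):
        roles = self.pip.roles_of(request["subject"])
        decision = "NotApplicable"          # no rule matched at all
        for policy in self.store.policies.values():
            for rule in policy.rules:
                if not resource_matches(rule.resource, request["resource"]):
                    continue
                if request["action"] not in rule.actions or not (roles & rule.roles):
                    continue
                if rule.effect == "Deny":
                    return "Deny"           # deny-overrides: any applicable Deny wins
                decision = "Permit"
        return decision


class PEP:
    """Policy Enforcement Point: builds the request and enforces the answer.
    Deny, NotApplicable and anything unexpected are all treated as refusal."""
    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, subject, action, resource):
        request = {"subject": subject, "action": action, "resource": resource}
        return self.pdp.evaluate(request) == "Permit"


def build_demo():
    """Wire the components together with a constructed policy and user base."""
    store = PolicyStore()
    PAP(store).publish(Policy("orders-policy", [
        Rule("Permit", {"sales"}, {"read"}, "/services/orders"),
        Rule("Permit", {"sales-manager"}, {"read", "write"}, "/services/orders"),
        Rule("Deny", {"sales"}, {"read", "write"}, "/services/orders/pricing"),
    ]))
    pip = PIP(
        user_groups={"alice": ["CN=Sales"], "bob": ["CN=SalesMgmt"], "eve": ["CN=Guests"]},
        group_to_role={"CN=Sales": "sales", "CN=SalesMgmt": "sales-manager"},
    )
    return PEP(PDP(store, pip))


if __name__ == "__main__":
    pep = build_demo()
    print(pep.enforce("alice", "read", "/services/orders/123"))        # True
    print(pep.enforce("alice", "read", "/services/orders/pricing/x"))  # False
```

The point worth noticing is that the PEP never sees the policies and the PDP never talks to the application: swapping the ESB, a servlet filter or an API gateway in as the PEP (as the later slides do) changes nothing in the PDP, and a policy edit through the PAP takes effect for every PEP at once.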

XACML with Capabilities (WS-Trust), Hierarchical Resource Profile. Components: Client Application; WSO2 Identity Server (STS); WSO2 Identity Server (XACML PDP); WSO2 Application Server (SOAP Service). Messages: SAML token request; SAML token with Authentication and Authorization Assertions (Capabilities); SAML token with Authentication and Authorization Assertion + Service Request; XACML Request; XACML Response.

XACML with Capabilities (WS-Trust), Hierarchical Resource Profile, SAML2 web SSO variant. Components: Browser; WSO2 Application Server (Web Application); WSO2 Identity Server (SAML2 IdP); WSO2 Identity Server (XACML PDP). Messages: Unauthenticated Request; Redirect with SAML Request; SAML token with Authentication and Authorization Assertion (Capabilities); XACML Request; XACML Response.

RBAC (Role Based Access Control). Components: Client Application; WSO2 ESB (Policy Enforcement Point); WSO2 Application Server (SOAP Service). Messages: Service Request + Credentials.

WSO2 ESB as the XACML PEP (SOAP and REST). Components: Client Application; WSO2 ESB (Policy Enforcement Point); WSO2 Identity Server (XACML PDP); WSO2 Application Server (SOAP Service). Messages: Service Request + Credentials; XACML Request; XACML Response.

XACML PEP as a Servlet Filter. Components: Client Application; WSO2 Application Server with an XACML Servlet Filter; WSO2 Identity Server (XACML PDP). Messages: Service Request + Credentials; XACML Request; XACML Response.

OAuth + XACML. Components: Client Application; API Gateway; WSO2 Identity Server (OAuth Authorization Server); WSO2 Identity Server (XACML PDP). Messages: Access Token; Validate(); XACML Request; XACML Response.

Authorization with External IdPs (Role Mapping). Components: Browser; WSO2 Application Server (Web Application); External SAML2 IdP (Salesforce); WSO2 Identity Server (maps IdP Groups to Web App roles). Messages: Unauthenticated Request; Redirect with SAML Request; SAML token with Authentication and Attribute Assertions with IdP groups.

XACML Multiple Decisions and Application Specific Roles. Components: Liferay Portal; WSO2 Identity Server (XACML PDP). Messages: Login; XACML Request; XACML Response.
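The portal case above asks the PDP one question per portal resource in a single round trip, which is what the XACML request/response protocol mentioned earlier is for. The following Python example, added here and not code from the slides or from WSO2, builds an XACML 3.0 Request that repeats the resource category once per resource (so the PDP returns one Result each) and parses the Results back into a resource-to-decision map that a portal can use to hide menu items. The Response it parses is constructed inline; no PDP is contacted. Namespace and attribute identifiers are the standard XACML 3.0 ones; the function names and portal paths are hypothetical.

```python
# Added example (not WSO2 code): encoding a multiple-decision XACML 3.0 Request
# and reading the per-resource Results back. Response data is constructed.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
NS = {"x": XACML_NS}

ET.register_namespace("", XACML_NS)


def _attributes(parent, category, attr_id, value, include_in_result):
    """Append one <Attributes> block holding a single string attribute."""
    attrs = ET.SubElement(parent, f"{{{XACML_NS}}}Attributes", Category=category)
    attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute", AttributeId=attr_id,
                         IncludeInResult="true" if include_in_result else "false")
    ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=STRING).text = value


def build_multi_request(subject, action, resources):
    """One Request with a resource <Attributes> block per resource. Marking
    resource-id IncludeInResult lets the PEP tell the Results apart."""
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     CombinedDecision="false", ReturnPolicyIdList="false")
    _attributes(req, SUBJECT_CAT, SUBJECT_ID, subject, False)
    _attributes(req, ACTION_CAT, ACTION_ID, action, False)
    for resource in resources:
        _attributes(req, RESOURCE_CAT, RESOURCE_ID, resource, True)
    return ET.tostring(req, encoding="unicode")


def parse_multi_response(xml_text):
    """Map each echoed resource-id to its Decision string."""
    root = ET.fromstring(xml_text)
    decisions = {}
    for result in root.findall("x:Result", NS):
        decision = result.findtext("x:Decision", default="Indeterminate", namespaces=NS)
        for attr in result.findall("x:Attributes/x:Attribute", NS):
            if attr.get("AttributeId") == RESOURCE_ID:
                decisions[attr.findtext("x:AttributeValue", namespaces=NS)] = decision
    return decisions


def visible_menu(decisions, menu_items):
    """Show only items with an explicit Permit; Deny, NotApplicable,
    Indeterminate and resources absent from the Response are all hidden."""
    return [item for item in menu_items if decisions.get(item) == "Permit"]


def _result(decision, resource):
    return f"""  <Result>
    <Decision>{decision}</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <Attributes Category="{RESOURCE_CAT}">
      <Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="true">
        <AttributeValue DataType="{STRING}">{resource}</AttributeValue>
      </Attribute>
    </Attributes>
  </Result>
"""


# Constructed Response in the shape a PDP would return for three resources.
SAMPLE_RESPONSE = (f'<Response xmlns="{XACML_NS}">\n'
                   + _result("Permit", "/portal/reports")
                   + _result("Deny", "/portal/admin")
                   + _result("NotApplicable", "/portal/billing")
                   + "</Response>")

MENU = ["/portal/reports", "/portal/admin", "/portal/billing", "/portal/help"]

if __name__ == "__main__":
    print(build_multi_request("alice", "view", MENU))
    print(visible_menu(parse_multi_response(SAMPLE_RESPONSE), MENU))
```

Two defensive details are deliberate: the PEP correlates Results by the echoed resource-id rather than by position, so a PDP that reorders or drops a Result cannot cause a menu item to be shown by accident, and only an explicit Permit makes an item visible.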

lean. enterprise. middleware