UMA Could I Manage My Own Data. Please?

Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation Why UMA? Use-cases UMA overview Current status & more information No tokens were harmed during the making of these slides!

ORG BORG AORG Trend 1: Decentralisation

Examples & Challenges Examples Extended organisations Supply Chain Distribution Channel Outsourcing Partners SaaS Challenges Identity not resident with apps Secure identity transport Trust

Solution : SAML Org A (IdP) Org B (SP) ✓ Identity Federation (Cross-domain SSO) ✗ Non-browser clients Ease of implementation ✓ Identity Federation (Cross-domain SSO) ✗ Non-browser clients Ease of implementation Honourable mentions ID-FF Shibboleth WS-Federation Authenticate Assert

ORG BORG A Trend 2: Mobility & Automation

Examples & Challenges Examples Mobile (devices, “Things”) Data monetization Challenges Authorization of ‘Client’ Persistance Trust

Solution - OAuth Org A (AS) Org A (AS) Org B (RS) Org B (RS) Honourable mentions SAML ECP WS-Trust Get Token (AT +/ RT) Request Access Validate Token ✓ Client security & identity (Client != User) ✗ Identity Transport ✓ Client security & identity (Client != User) ✗ Identity Transport

Evolution – OIDC Org A (OP) Org A (OP) Org B (RP) Org B (RP) Token & Claims AuthN/Z Validation +/ Userinfo

OAuth OIDC

Deployments : Side Note SAML OIDC

ORG CORG AORG B Trend 3: Delegation

Solution – XACML? ✓ Attributed-based & App-External ✗ Cross-domain? Service Registration? ✓ Attributed-based & App-External ✗ Cross-domain? Service Registration? Res. PDP PEP Res. PEP Res. PEP Res. PEP New Profiles ALFA JSON/REST Res. PE P Res. PE P Res. PE P Res. PEP

Meet Alice Control Access

So What? Electronic Healthcare Records Alice grants selective access to GP, Insurance Company, Relatives Financial Services Grant limited access to financial records to accountant; loan providers etc. Enterprise Applications Centralised control across multiple applications; individuals can control their own data IoT Alice grants Bob access to the Garden; Jim access to the House Facilities Management; Industrial & Engineering Applications See more examplesmore examples

Issues Summary User control / ownership Third party access Centralised control for multiple services Persistence (Security) Cross-domain Access Control

Status Summary OpenID Connect (practically) Secure identity transport Trust XACML (notionally) ABAC Externalised access control

What is UMA User Managed Access A profile of OAuth “UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.”

UMA

UMA : Privacy by Design I want to share this stuff selectively Among my own apps With family and friends With organizations I want to protect this stuff from being seen by everyone in the world I want to control access proactively, not just feel forced to consent over and over

UMA Summary Standardized APIs for privacy and “selective sharing” Outsources protection to a centralized “digital footprint control console”

UMA Flow 1.RS registers resource sets and scopes (ongoing) 2.C requests resource 3.RS registers permission 4.AS returns permission ticket 5.RS error with ticket 6.C requests authz data and RPT with ticket 7.AS gives RPT and authz data (after optional claim flows) 8.C requests resource with RPT 9.RS returns resource representation Resource owner Resource server Authorization server Client Authorization API UI Requesting party Protection API AuthZ client Protection client RS-specific API RS-specific client RPT PAT 9 9 AAT PAT RPT choose resources to protect – out of band set policies – out of band AAT Resource server Authorization server PAT RO Client Authorization server AAT RqP Resource server Client Authorization server RPT RqP

UMA Status UMA v0.9 public review Core, Resource Set Registration & Claim Profiles Completed: 06 September 2014 Interop in progress Next steps Core & Resource Reg: H1/15 Claim Profiles & Binding Obligations(?): H2/15 IETF

Implementations & More Info Known implementations Gluu CloudIdentity OpenUMA (ForgeRock) Implementations List (Kantara) Implementations List More info UMA WG Home (Kantara) New Venn of Access Control (Maler)

Thoughts to Leave With Standards OAuth, OpenID Connect: start now Infrastructure Avoid vendor lock-in – ensure vendors can support upcoming standards quickly Avoid rip & replace – it’s unnecessary. There are good solutions that will overlay what you have to add what you need Do not trust to home-grown implementations; this is too easy to get wrong (and way too important) Participate in the WG Security is not all about security Security drives improved user experience drives better business

THANK YOU linkedin.com/in/ahindle