Enforcement mechanisms for distributed authorization across domains in UMA – aka “UMA trust” Eve Maler | 22 Aug 2012 draft.

Slides:

Advertisements

Similar presentations

GT 4 Security Goals & Plans Sam Meder

Advertisements

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

UDDI v3.0 (Universal Description, Discovery and Integration)

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug

WSO2 Identity Server Road Map

A View into the Mi$t 1 RL "Bob" Morgan University of Washington Co-chair, InCommon Technical Advisory Committee.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

OASIS Reference Model for Service Oriented Architecture 1.0

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

GFIPM Web Services Implementation Status Update GFIPM Delivery Team Meeting November 2011.

Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Information Sharing Puzzle: Next Steps Chris Rogers California Department of Justice April 28, 2005.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

Protecting “Personal Clouds” with UMA and OpenID #UMApcloud for questions 19 June 2014 tinyurl.com/umawg for slides, recording, and more.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.

SAML Right Here, Right Now Hal Lockhart September 25, 2012.

X-Road – Estonian Interoperability Platform

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

An XML based Security Assertion Markup Language

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

GFIPM FICAM Status Update GFIPM Delivery Team Meeting November 2011.

Distribution and components. 2 What is the problem? Enterprise computing is Large scale & complex: It supports large scale and complex organisations Spanning.

UMA’s relationship to distributed authorization concepts 19 October 2013

Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.

Status Update on Other GFIPM Activity Threads GFIPM Delivery Team Meeting November 2011.

Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.

User-Managed Access Eve Maler, UMA Work Group | tinyurl.com/umawg 9 December

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

© Drexel University Software Engineering Research Group (SERG) 1 The OASIS SOA Reference Model Brian Mitchell.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network.

Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.

Automate Blue Button Initiative Pull Workgroup Meeting December 13, 2012.

WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.

Secure Mobile Development with NetIQ Access Manager

Authorization PDP GE Course (R4) FIWARE Chapter: Security FIWARE GE: Authorization PDP FIWARE GEri: AuthZForce Authorization PDP Owner: Cyril Dangerville,

OpenID Connect Working Group May 10, 2016 Mike Jones Identity Standards Architect – Microsoft.

DOCUMENT #:GSC15-PLEN-27 FOR:Presentation SOURCE:ETSI AGENDA ITEM:PLEN 6.4 CONTACT(S): Amardeo Sarma, ISG INS Chair Identity & Access Management activities.

OpenID Certification June 7, 2016 Michael B. Jones Identity Standards Architect – Microsoft.

Connected Identity & the role of the Identity Bus Prabath Siriwardena Director of Security Architecture WSO2.

Access Policy - Federation March 23, 2016

Law Enforcement Information Sharing Program (LEISP) Federated Identity Management Pilot February 27, 2006.

Azure Active Directory - Business 2 Consumer

Federation made simple

Federation Systems, ADFS, & Shibboleth 2.0

Phil Hunt, Hannes Tschofenig

SAML New Features and Standardization Status

SAP Enterprise Digital Rights Management by NextLabs

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

OpenID Enhanced Authentication Profile (EAP) Working Group

Appropriate Access InCommon Identity Assurance Profiles

Presentation transcript:

Enforcement mechanisms for distributed authorization across domains in UMA – aka “UMA trust” Eve Maler | 22 Aug 2012 draft

Distributing resource protection to third parties is hard Identity federation solutions outsource only authentication, and that’s already hard – And a few attributes, which the “relying party” gets to use in making its own authorization decisions (thank you very much) XACML offers a strict separation of policy decision points and enforcement points – But it’s mostly used within a single enterprise or circle of trust – because the alternative is hard

User-Managed Access (UMA) goes there Why? Primarily to empower individual resource owners to: – Consolidate management of sharing into one place – Set claims-based policies at config time, and then be absent at run time if they like – Share with other people and orgs, not just other apps they themselves use – Solve managed access Internet-style, with radical loose coupling and light weight

What else will need UMA’s abilities? In small part: – OAuth, as it seeks to make resource server/authorization server communication interoperable In large part: – OpenID Connect, as it seeks models for IdPs to broker user-authorized access by other people and orgs, not just other apps, to third-party- asserted attributes

In the “BLT sandwich of trust”, UMA specs provide the B and the T UMA Core Protocol Binding Obligations on UMA Participants Binding Obligations on UMA Participants Web protocol specification Deals in endpoints Operators of software endpoints can declare conformance Contractual framework Deals in Subjects that operate or use endpoints Subjects declaring conformance take on obligations Mutual document cross-references Business Technical

The contractual framework is not a full trust framework It dictates only the lowest-common-denominator responsibilities that anyone “doing UMA” would take on – These are precisely what “doing UMA” entails! – E.g., “If you register a resource to be protected by somebody else, you commit to letting them do it” It is designed to be pulled into higher-order contracts – Both pairwise agreements and trust frameworks – Both sector-specific and “horizontal” use cases

UMA endpoints UMA Subjects Authorizing Party Host Operator AM Operator Requester Operator Requesting Party

The UMA technical-business relationship is subtle FICAM thinking: For flexibility, operational and legal profiles try to remain apart from technical profiles UMA thinking: For enforceability, behavioral obligations are tied to specific protocol interactions – This way, audit trails can support findings of fault that are as unambiguous as possible

Example When the AM issues a “protection API token” to the host… …the Host Operator, AM Operator, and Authorizing Party gain a number of obligations to others Each obligation has a clause ID in the contractual framework (full diagrams for Phase 1 and Phases 2/3) Phase 1Phases 2/3

Example clauses: they have three parts H1. When the AM issues a PAT to a Host, the Host Operator gains an obligation to the Authorizing Party to delegate protection services to the AM Operator for the set of protectable resources for which it represents this capability to the Authorizing Party, and to respect the access constraints represented by RPTs generated by the AM. AP2. When the AM issues a PAT to a Host, the Authorizing Party gains an obligation to the AM Operator to introduce the desired Host to this AM in outsourcing protection of this host's resources.

What is needed to make this a “minimum viable approach”?... Vetting of the contractual framework clauses Vetting of the security and auditing provisions in the UMA core spec Vetting of the spec/contractual connection UMA conformance must have concrete meaning – Interop feature test development is under way A way for operators of UMA endpoints to declare (first-party) or be certified (third-party) as “UMA- conformant” – UMA already has a logo; does it need a Kantara- administered “UMA-conformant” logo?

Thank tinyurl.com/umawg | tinyurl.com/umafaq tinyurl.com/umav1 | tinyurl.com/umatrust tinyurl.com/umaiop