Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.

Slides:

Advertisements

Similar presentations

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May

Advertisements

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug

© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;

Securing Insecure Prabath Siriwardena, WSO2 Twitter

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

WSO2 Identity Server Road Map

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

Protecting “Personal Clouds” with UMA and OpenID #UMApcloud for questions 19 June 2014 tinyurl.com/umawg for slides, recording, and more.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Windows Azure Dave Glover Developer Evangelist Microsoft Australia Tel:

The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Copyright ©2012 Ping Identity Corporation. All rights reserved.1.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”

Enforcement mechanisms for distributed authorization across domains in UMA – aka “UMA trust” Eve Maler | 22 Aug 2012 draft.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

ArcGIS Server for Administrators

Windows Role-Based Access Control Longhorn Update

UMA’s relationship to distributed authorization concepts 19 October 2013

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.

User-Managed Access Eve Maler, UMA Work Group | tinyurl.com/umawg 9 December

XACML Showcase RSA Conference What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation logic n.

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network.

WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.

Slavko Kukrika MVP Connect Windows 10 to the Cloud – Cloud Join.

Secure Mobile Development with NetIQ Access Manager

Prabath Siriwardena, Director of Security, WSO2 Twitter

Enabling the Modern Workstyle with Windows 10 & Azure Active Directory Venkatesh Gopalakrishnan 2016 Redmond Summit | Identity Without Boundaries May 25,

1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney

WSO2 Identity Server. Small company (called company A) had few services deployed on one app server.

UMA and OpenID Connect Plugins for Apache It would be so awesome if we (meaning the citizens of the Internet) had plugins for popular web servers to make.

Application Authentication using Azure AD

Access Policy - Federation March 23, 2016

4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Azure Active Directory - Business 2 Consumer

Consuming OAuth Services in Alfresco Share

Federation made simple

Join the Lean Wave Asanka Abeysinghe

Data and Applications Security Developments and Directions

SaaS Application Deep Dive

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Dominik Pinter, CMS.IO, Authentication Dominik Pinter,

Azure AD Line Of Business Application Integration

Ashish Pandit Louis Zelus

Office 365 Identity Management

Agenda OAuth Concepts Programming OAuth.

Matthew Levy Azure AD B2B vs B2C Matthew Levy

SharePoint Online Authentication Patterns

Microsoft Ignite NZ October 2016 SKYCITY, Auckland.

API Security: OAuth, OpenID Connect & ABAC

Presentation transcript:

Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1

Agenda The realities and challenges of modern access control (CA) “UMA for the Enterprise 101” Enterprise UMA case study and demo (Gluu) What vendors are saying and doing about UMA Q&A 2 Thanks to CA Technologies for sponsoring this webinar! Thanks to Kantara for supporting the UMA work! Thanks to our additional webinar participants!

The realities and challenges of modern access control 3 Further reading: tinyurl.com/umaam20 Further reading: tinyurl.com/umaam20

4 Copyright © 2014 CA. All rights reserved. UMA Continues The Shift In Identity Management That Began With OAuth The Traditional Enterprise The 21 st Century Enterprise This is the secret to achieving scale and agile federation

“UMA for the Enterprise 101” 5 Further reading: tinyurl.com/umafaq Further reading: tinyurl.com/umafaq

OAuth is a three-entity protocol for securing API calls in a user context 6 Source: The OAuth 2.0 Authorization Framework, End-user resource owner gets redirected to AS to log in and consent to access token issuance AS and RS are typically in the same domain and communicate in a proprietary way

UMA’s original goal: apply privacy- by-design to OAuth data sharing 7 Standardized APIs for privacy and “selective sharing” Outsources protection to a centralized “digital footprint control console” The “user” in User-Managed Access (UMA) Some guy not accounted for in OAuth… Further reading: tinyurl.com/umapbd Further reading: tinyurl.com/umapbd

Emergent UMA properties: flexible, modern, claims-based authorization 8 Source: XACMLinfo.org, consumes authz data associated with token admin by human – or org native or a client of offboard source(s), in any language(s) claims gathered through user interaction and/or consuming ID tokens UMA and XACML can coexist nicely

The RS exposes whatever value-add API it wants, protected by an AS 9 App-specific API UMA-enabled client RPT requesting party token

The AS exposes an UMA- standardized protection API to the RS 10 Protection API Protection client PAT protection API token includes resource registration API and token introspection API

The AS exposes an UMA- standardized authorization API to the client 11 Authorization API Authorization client AAT authorization API token supports OpenID Connect-based claims- gathering for authz UMA, SAML, and OpenID Connect can coexist nicely

Key use cases Managing personal data store access E-transcript sharing Patient-centric health data access …and enterprise access management Source: MIT Consortium for Kerberos and Internet Trust,

AM1.0 vs AM2.0 Complex and feature-rich Usually proprietary Mobile/API-unfriendly Brittle deployment architecture Not agnostic to authn method Hard to source distributed policies Usually coarse-grained RESTful and simpler Standard interop baseline Mobile/API-friendly Just call authz endpoints vs. deploying an agent Agnostic to authn method and federation usage Flexible in policy expression and sourcing Leverages API’s “scope- grained authorization” 13

Enterprise UMA case study 14

What vendors are saying and doing about UMA 15 Further reading: tinyurl.com/uma1iop Further reading: tinyurl.com/uma1iop

NuveAM by Cloud Identity UMA-compliant AS: –Access control to Web data –API security and management –Real-time monitoring and audit Use cases: Securing Personal Data Services (PDS) and access management 2.0 (API security) Uses open standards, including UMA, OAuth 2.0, OpenID Connect, and SAML 2.0 Open source frameworks: Java and Python Support for mobile (Android) Integrates with Identity Management and Identity Federation 16

NuveAM by Cloud Identity 17

NuveAM for the enterprises 18 Management of resources, APIs, permissions, and access control policies Access control on demand Detailed audit information Application management: resource servers and clients (with NuveLogin) Integration with identity management Integration with identity federation and SSO

NuveAM for the enterprises 19

NuveAM for the enterprises 20

Next steps 21

Next steps for the WG…and you Get involved! –Become an “UMAnitarian” (it’s free) –Participate in the interop and our implementation discussions –Follow and engage on Twitter Current work: –Technical: claim profiling to allow claim-gathering using SAML, OpenID Connect, LDAP… –Business: Binding Obligations spec to tie “terms of authorization” to multi-party state changes Stay tuned for another webinar in Q2 22 Join at: tinyurl.com/umawg Join at: tinyurl.com/umawg

Questions? Thank #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 23