Presentation is loading. Please wait.

Presentation is loading. Please wait.

UMA’s relationship to distributed authorization concepts 19 October 2013

Published bySuzanna Arline Gregory Modified over 9 years ago

Similar presentations

Presentation on theme: "UMA’s relationship to distributed authorization concepts 19 October 2013"— Presentation transcript:

1 UMA’s relationship to distributed authorization concepts 19 October 2013 tinyurl.com/umawg @UMAWG

2 Basic terms and concepts in UMA AS is capable of being a full PDP Responsible for policy characteristics (thus implicitly a PAP and PIP) AS is capable of being a full PDP Responsible for policy characteristics (thus implicitly a PAP and PIP) RS is capable of being a full PEP Responsible for the “grain” of protected resource access RS is capable of being a full PEP Responsible for the “grain” of protected resource access Interface is standardized in UMA AS and RS are capable of being fully loosely coupled and multitenant Interface is standardized in UMA AS and RS are capable of being fully loosely coupled and multitenant RqP and client together constitute an access requester Require an access decision by some combination of AS and RS RqP and client together constitute an access requester Require an access decision by some combination of AS and RS RO has discretionary access control rights over protected resources Client conveys an access token (requesting party token or RPT) to RS in the OAuth fashion

3 Implications of AS-RS loose coupling and multitenancy AS1 AS2 manage resources protect resources administer policies RS1 RO1 RS2 RO2 (RO1)(RO2)(RO1)(RO2) (RO1)(RO2)(other)(RO2) RO1 uses AS1 to protect resources from more than one RS RO2 uses more than one AS to protect its various resources RS operators and AS operators may all be different parties May need to operate at Internet scale, with mobile and other devices RS operators and AS operators may all be different parties May need to operate at Internet scale, with mobile and other devices

4 Opportunities for distribution of decision-making responsibility in UMA 0% 100% 0% 100% Balance depends on nature of authorization data associated with RPT RS AS

5 Default distribution of decision-making responsibility in UMA 0% 100% 0% 100% Mandatory-to-implement bearer RPT profile gives AS most power because AS and RS operators may differ Conveys current permissions and requires RS to match to access attempt Mandatory-to-implement bearer RPT profile gives AS most power because AS and RS operators may differ Conveys current permissions and requires RS to match to access attempt Many other distribution schemes are possible through RPT profiling Authorization data can be contained in RPT or retrieved by RPT introspection (“bearer” profile requires the latter) Many other distribution schemes are possible through RPT profiling Authorization data can be contained in RPT or retrieved by RPT introspection (“bearer” profile requires the latter) RS AS

6 Some additional options for decision-making responsibility RS AS 0% 100% 0% 100% XACML-like (AS 100%): RPT conveys Permit/Deny decision SSO-like (AS 0%): RPT conveys only claims gathered from the user Sticky policy-like (AS <50%): RPT conveys operative policies in some format

7 Basic elements of policy expression and their authoritative sources subj verb obj RS is exclusively authoritative for protected resource sets (obj) and scopes of operation over them (verb) It registers them with AS through a resource set registration API RS is exclusively authoritative for protected resource sets (obj) and scopes of operation over them (verb) It registers them with AS through a resource set registration API AS is exclusively authoritative for constraints on which access requesters can gain access, binding subj to verb/obj AS and RO together are responsible for administering all relevant policies AS is exclusively authoritative for constraints on which access requesters can gain access, binding subj to verb/obj AS and RO together are responsible for administering all relevant policies Without UMA, OAuth on its own only handles scopes; “resource sets” are implicit (come from API developer documentation)

8 Degree of interoperability of policy expression elements subj verb obj Resource set registration API and format (modular spec called by UMA) enable interop and standardization of resource set types and of scopes Policy expression and evaluation are performed outside UMA AS can serve as a client of other standard or proprietary PDPs, PIPs, and PAPs Policy expression and evaluation are performed outside UMA AS can serve as a client of other standard or proprietary PDPs, PIPs, and PAPs OAuth scopes are specific to the API being protected; their expression is not standardized XACML and several other specifications fully standardize all elements

9 Final observations AS1 AS2 manage resources protect resources administer policies RS1 RO1 RS2 RO2 (RO1)(RO2)(RO1)(RO2) (RO1)(RO2)(other)(RO2) Expression standardized by UMA Each RS operator can define its own resource sets and scopes, or use ones defined by others Expression standardized by UMA Each RS operator can define its own resource sets and scopes, or use ones defined by others Not standardized by UMA UMA can integrate with other solutions (XACML standard, procedural code…) Each AS operator may choose a different solution (impacting multi- AS interop for one RO or RS) Not standardized by UMA UMA can integrate with other solutions (XACML standard, procedural code…) Each AS operator may choose a different solution (impacting multi- AS interop for one RO or RS) Each service has its own proprietary (or standard) API

Download ppt "UMA’s relationship to distributed authorization concepts 19 October 2013"

Similar presentations

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May 2013 1.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug 2013 1.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq 28 Aug
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Technical Architectures

Technical Architectures
OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.

OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.

App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.

Similar presentations

Ads by Google