Published by Wilfrid Richard. Modified over 9 years ago.
Slide 1: Access Management 2.0: UMA for the Enterprise
@UMAWG #UMAam20 for questions
20 March 2014
tinyurl.com/umawg for slides, recording, and more
Slide 2: Agenda
– The realities and challenges of modern access control (CA)
– “UMA for the Enterprise 101”
– Enterprise UMA case study and demo (Gluu)
– What vendors are saying and doing about UMA
– Q&A
Thanks to CA Technologies for sponsoring this webinar! Thanks to Kantara for supporting the UMA work! Thanks to our additional webinar participants!
Slide 3: The realities and challenges of modern access control
Further reading: tinyurl.com/umaam20
Slide 4: UMA Continues The Shift In Identity Management That Began With OAuth
Copyright © 2014 CA. All rights reserved.
The Traditional Enterprise vs. The 21st Century Enterprise
This is the secret to achieving scale and agile federation
Slide 5: “UMA for the Enterprise 101”
Further reading: tinyurl.com/umafaq
Slide 6: OAuth is a three-entity protocol for securing API calls in a user context
Source: The OAuth 2.0 Authorization Framework, http://tools.ietf.org/html/rfc6749
– The end-user resource owner gets redirected to the AS to log in and consent to access token issuance
– The AS and RS are typically in the same domain and communicate in a proprietary way
Slide 7: UMA’s original goal: apply privacy-by-design to OAuth data sharing
– Standardized APIs for privacy and “selective sharing”
– Outsources protection to a centralized “digital footprint control console”
– The “user” in User-Managed Access (UMA): some guy not accounted for in OAuth…
Further reading: tinyurl.com/umapbd
Slide 8: Emergent UMA properties: flexible, modern, claims-based authorization
Source: XACMLinfo.org, http://xacmlinfo.org/2011/10/30/xacml-reference-architecture/
– Consumes authz data associated with the token
– Admin by a human, or by an org
– Native, or a client of offboard source(s), in any language(s)
– Claims gathered through user interaction and/or by consuming ID tokens
– UMA and XACML can coexist nicely
Slide 9: The RS exposes whatever value-add API it wants, protected by an AS
– App-specific API
– UMA-enabled client
– RPT: requesting party token
Slide 10: The AS exposes an UMA-standardized protection API to the RS
– Protection API
– Protection client
– PAT: protection API token
– Includes the resource registration API and the token introspection API
Slide 11: The AS exposes an UMA-standardized authorization API to the client
– Authorization API
– Authorization client
– AAT: authorization API token
– Supports OpenID Connect-based claims-gathering for authz
– UMA, SAML, and OpenID Connect can coexist nicely
Slide 12: Key use cases
– Managing personal data store access
– E-transcript sharing
– Patient-centric health data access
– …and enterprise access management 2.0
Source: MIT Consortium for Kerberos and Internet Trust, https://kit.mit.edu
Slide 13: AM1.0 vs AM2.0
AM1.0:
– Complex and feature-rich
– Usually proprietary
– Mobile/API-unfriendly
– Brittle deployment architecture
– Not agnostic to authn method
– Hard to source distributed policies
– Usually coarse-grained
AM2.0:
– RESTful and simpler
– Standard interop baseline
– Mobile/API-friendly
– Just call authz endpoints vs. deploying an agent
– Agnostic to authn method and federation usage
– Flexible in policy expression and sourcing
– Leverages the API’s “scope-grained authorization”
Slide 14: Enterprise UMA case study
Slide 15: What vendors are saying and doing about UMA
Further reading: tinyurl.com/uma1iop
Slide 16: NuveAM by Cloud Identity
– UMA-compliant AS:
  – Access control to Web data
  – API security and management
  – Real-time monitoring and audit
– Use cases: securing Personal Data Services (PDS) and access management 2.0 (API security)
– Uses open standards, including UMA, OAuth 2.0, OpenID Connect, and SAML 2.0
– Open source frameworks: Java and Python
– Support for mobile (Android)
– Integrates with Identity Management and Identity Federation
http://www.cloudidentity.co.uk/products/nuveam
Slide 17: NuveAM by Cloud Identity
Slide 18: NuveAM for the enterprises
– Management of resources, APIs, permissions, and access control policies
– Access control on demand
– Detailed audit information
– Application management: resource servers and clients (with NuveLogin)
– Integration with identity management
– Integration with identity federation and SSO
Slide 19: NuveAM for the enterprises
Slide 20: NuveAM for the enterprises
Slide 21: Next steps
Slide 22: Next steps for the WG…and you
– Get involved!
  – Become an “UMAnitarian” (it’s free)
  – Participate in the interop and our implementation discussions
  – Follow and engage with @UMAWG on Twitter
– Current work:
  – Technical: claim profiling to allow claim-gathering using SAML, OpenID Connect, LDAP…
  – Business: Binding Obligations spec to tie “terms of authorization” to multi-party state changes
– Stay tuned for another webinar in Q2
Join at: tinyurl.com/umawg
Slide 23: Questions? Thank you!
@UMAWG #UMAam20 for questions
20 March 2014
tinyurl.com/umawg for slides, recording, and more