CIS14: User-Managed Access

Allan Foster, ForgeRock
Eve Maler, ForgeRock

Examination of UMA (User Managed Access) as an emerging standard, presenting both individual and enterprise use cases and showing how UMA could address many of them in an open, lightweight approachable way, while still allowing and interoperating with other technologies.


  1. Authorization: What's Next?
  2. User-Managed Access. FORGEROCK.COM. Allan Foster, VP Technology & Standards (guruallan); Eve Maler, VP Innovation & Emerging Technology (xmlgrrl)
  3. Defining authorization and the authorization V.next landscape
  4. (image slide, no transcript text)
  5. XACML, OAuth, OpenID Connect, ABAC, RBAC, SAML
  6. What is Authorization?
  7. Policy
  8. ACIs and ACLs, RBAC, ABAC
  9. ACIs and ACLs, RBAC, ABAC. Doesn't scale, becomes unmanageable as users and resources grow
  10. ACIs and ACLs, RBAC, ABAC. Doesn't scale, becomes unmanageable as users and resources grow. Doesn't scale, leads to role proliferation and multiplexing
  11. (image slide, no transcript text)
  12. Attributes
  13. OAuth2
  14. Token
  15. (image slide, no transcript text)
  16. UMA 101
  17. The vicissitudes of personal data sharing
      ■ Back-channel
      ■ Typing
      ■ Connecting
      ■ Private URLs
  18. What is, and isn't, UMA?
      ■ It's a draft standard for authorization V.next
      ■ It's a profile and application of OAuth
      ■ It's not a new, disconnected technology
      ■ It's a set of privacy-by-design and consent APIs
      ■ It's not an "XACML killer"
  19. (diagram) Parties: resource owner, requesting party, authorization server, resource server, client. Verbs around the spiral: manage, consent, control, negotiate, protect, authorize, access, manage. *Thanks to UMAnitarian Domenico Catalano for the "marvelous spiral"
  20. The AS exposes a UMA-standardized protection API to the RS. (diagram) Protection API; protection client; PAT (protection API token). Includes the resource registration API and the token introspection API
  21. The AS exposes a UMA-standardized authorization API to the client. (diagram) Authorization API; authorization client; AAT (authorization API token). Supports OpenID Connect-based claims-gathering for authz
  22. The RS exposes whatever value-add API it wants, protected by an AS. (diagram) App-specific API; UMA-enabled client; RPT (requesting party token)
  23. Collecting claims from the requesting party to assess policy. (diagram) Resource owner, resource server, authorization server, client, requesting party, OIDC server (Authenticate); manage, control, protect, authorize, access, negotiate, consent, manage. Client acting as claims conveyor; client redirects the requesting party to the AS
  24. Real-life UMA use cases
  25. Patient-centric health data sharing
      ■ UMA uniquely solves for Consent Directives
      ■ Special requirements:
        – Impeccable security
        – "Context, control, choice, and respect"
        – Wide ecosystem
        – Accounting of Disclosures
        – Meaningful Use
        – (Relationship Locator Service)
  26. (diagram) Patient; AS fronting a consent directive server; FHIR EHR API / lab results / FitBit...; web or native app; care provider / family / Alice herself. Verbs: manage, consent, control, negotiate, protect, authorize, access, manage
  27. Delegated authorization from SaaS to enterprise
      ■ Allow Enterprise business logic as policy
      ■ Easy to define Resources and actions
      ■ Allow Enterprise freedom in evaluation
      ■ Each Enterprise provides its own AS
      ■ Attributes stay in the enterprise
  28. (diagram) Enterprise; enterprise AS; third-party SaaS APIs; web or native app; enterprise employees. Verbs: manage, consent, control, negotiate, protect, authorize, access, manage
  29. Let us sum up
  30. Resource Server
      ■ Concerned with protecting Resources
      ■ Concerned with Clients
      ■ Supplies resource and scope Attributes to AS
      ■ Uses OAuth token for access to protection API
      ■ Redirects Client if its UMA token is insufficient
      ■ Could have multiple AS relationships
  31. Client
      ■ Accesses resources on RS
      ■ Uses OAuth token for access to authorization API
      ■ Receives UMA token from AS
      ■ Asks to add authorization to UMA token for access
      ■ Provides Subject Attributes via Claims or redirects Subject to AS for further claims-gathering
  32. Resource Owner
      ■ Provides Resource Owner attributes to AS
      ■ Can provide Authorization policy to AS
      ■ Manages access settings of protected resources
  33. Authorization Server
      ■ Consumes attributes from all parties
      ■ Evaluates Policy in context of attributes
      ■ Associates entitlements with UMA token so client can access RS
      ■ Leaves RS to judge entitlements against access attempt
  34. Summing up
      ■ OAuth-based framework
      ■ Facilitates Constrained Delegated Authorization
      ■ Policy evaluation agnostic
      ■ Enables humans to control their digital footprint
  35. FORGEROCK.COM. Allan Foster, allan.foster@forgerock.com (guruallan); Eve Maler, eve.maler@forgerock.com (xmlgrrl). Thanks! Questions?
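The role split on slides 20-23 and 30-33 (RS talks to the AS's protection API with a PAT, the client talks to the authorization API with an AAT, the RPT carries the entitlements the AS has associated with it, and the RS still judges each access attempt against those entitlements) is easier to follow as one exchange. The following is an added example, not code from the deck or from ForgeRock: an in-memory Python simulation in which every class, token format and the consent policy for "Alice's" lab results are constructed for illustration. It also assumes a plain 403 response carrying the resource id and scope as the RS's "go to the AS" signal; the UMA 1.0 draft's permission-ticket mechanism is deliberately left out to keep the toy short.

```python
"""Added example (hypothetical, not from the slides or ForgeRock): an in-memory
simulation of the UMA roles and of the three tokens named in the deck --
PAT (protection API token), AAT (authorization API token) and RPT
(requesting party token). No network and no real OAuth grants."""
from dataclasses import dataclass, field
import secrets


def _token(prefix):
    """Opaque bearer token; a random string is enough for the simulation."""
    return f"{prefix}-{secrets.token_hex(8)}"


@dataclass
class AuthorizationServer:
    pats: set = field(default_factory=set)        # PATs issued to resource servers
    aats: set = field(default_factory=set)        # AATs issued to clients
    resources: dict = field(default_factory=dict)  # resource_id -> {name, scopes}
    policies: dict = field(default_factory=dict)   # (resource_id, scope) -> required claims
    rpts: dict = field(default_factory=dict)       # RPT -> set of (resource_id, scope)

    # OAuth-style issuance; the grant that yields these tokens is out of scope here.
    def issue_pat(self):
        pat = _token("pat")
        self.pats.add(pat)
        return pat

    def issue_aat(self):
        aat = _token("aat")
        self.aats.add(aat)
        return aat

    # Protection API, called by the RS with its PAT.
    def register_resource(self, pat, name, scopes):
        """Resource registration: the RS supplies resource and scope attributes."""
        if pat not in self.pats:
            raise PermissionError("invalid PAT")
        rid = _token("rid")
        self.resources[rid] = {"name": name, "scopes": set(scopes)}
        return rid

    def introspect(self, pat, rpt):
        """Token introspection: the entitlements currently bound to an RPT."""
        if pat not in self.pats:
            raise PermissionError("invalid PAT")
        return set(self.rpts.get(rpt, set()))

    # Resource owner side: policy expressed as required claim values.
    def set_policy(self, rid, scope, required_claims):
        self.policies[(rid, scope)] = required_claims

    # Authorization API, called by the client with its AAT.
    def issue_rpt(self, aat):
        if aat not in self.aats:
            raise PermissionError("invalid AAT")
        rpt = _token("rpt")
        self.rpts[rpt] = set()
        return rpt

    def authorize(self, aat, rpt, rid, scope, claims):
        """Client asks the AS to add authorization to its RPT, conveying the
        requesting party's claims; the AS evaluates the owner's policy."""
        if aat not in self.aats or rpt not in self.rpts:
            raise PermissionError("invalid AAT or RPT")
        if rid not in self.resources or scope not in self.resources[rid]["scopes"]:
            return False
        required = self.policies.get((rid, scope))
        if required is None:  # owner has not permitted this scope to anyone
            return False
        if all(claims.get(k) in allowed for k, allowed in required.items()):
            self.rpts[rpt].add((rid, scope))
            return True
        return False


class ResourceServer:
    """RS: exposes its own API and judges entitlements on every access attempt."""
    def __init__(self, az, data):
        self.az, self.data = az, data
        self.pat = az.issue_pat()
        self.rid = az.register_resource(self.pat, "lab-results", ["view", "share"])

    def api(self, rpt, scope):
        if (self.rid, scope) in self.az.introspect(self.pat, rpt):
            return {"status": 200, "body": self.data}
        # Insufficient RPT: point the client at the AS (assumed hint format).
        return {"status": 403, "as_needed": True, "resource_id": self.rid, "scope": scope}


class Client:
    """UMA-enabled client acting as claims conveyor for its requesting party."""
    def __init__(self, az):
        self.az = az
        self.aat = az.issue_aat()
        self.rpt = az.issue_rpt(self.aat)

    def fetch(self, rs, scope, claims):
        resp = rs.api(self.rpt, scope)
        if resp["status"] == 403 and resp.get("as_needed"):
            if self.az.authorize(self.aat, self.rpt, resp["resource_id"], scope, claims):
                resp = rs.api(self.rpt, scope)  # retry with the upgraded RPT
        return resp


def run_scenario():
    """Constructed scenario: Alice permits 'view' on her lab results to care providers
    and family only; nobody is permitted 'share'."""
    az = AuthorizationServer()
    rs = ResourceServer(az, data="HbA1c 5.4%")
    az.set_policy(rs.rid, "view", {"role": {"care_provider", "family"}})
    doctor = Client(az).fetch(rs, "view", {"sub": "dr-bob", "role": "care_provider"})
    stranger = Client(az).fetch(rs, "view", {"sub": "mallory", "role": "marketer"})
    share = Client(az).fetch(rs, "share", {"sub": "dr-bob", "role": "care_provider"})
    return {"doctor": doctor["status"], "stranger": stranger["status"], "share": share["status"]}


if __name__ == "__main__":
    print(run_scenario())  # {'doctor': 200, 'stranger': 403, 'share': 403}
```

Two design points worth noticing: the AS never sees the lab data and the RS never sees the requesting party's claims, which is the "attributes stay where they belong" property the enterprise use case relies on; and because the RS introspects on every call rather than caching, revoking an entitlement at the AS takes effect on the next request.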