CIS14: User-Managed Access
Allan Foster, ForgeRock
Eve Maler, ForgeRock

Examination of UMA (User Managed Access) as an emerging standard, presenting both individual and enterprise use cases and showing how UMA could address many of them in an open, lightweight approachable way, while still allowing and interoperating with other technologies.

Published in: Technology

Transcript

  • 1. Authorization: What’s Next?
  • 2. User-Managed Access (FORGEROCK.COM). Allan Foster, VP Technology & Standards (guruallan); Eve Maler, VP Innovation & Emerging Technology (xmlgrrl)
  • 3. Defining authorization and the authorization V.next landscape
  • 4.
  • 5. XACML, OAuth, OpenID Connect, ABAC, RBAC, SAML
  • 6. What is Authorization?
  • 7. Policy
  • 8–10. (build slide) ACIs and ACLs: doesn’t scale, becomes unmanageable as users and resources grow. RBAC: doesn’t scale, leads to role proliferation and multiplexing. ABAC.
  • 11.
  • 12. Attributes
  • 13. OAuth2
  • 14. Token
  • 15.
  • 16. UMA 101
  • 17. The vicissitudes of personal data sharing ■ Back-channel ■ Typing ■ Connecting ■ Private URLs
  • 18. What is, and isn’t, UMA? ■ It’s a draft standard for authorization V.next ■ It’s a profile and application of OAuth ■ It’s not a new, disconnected technology ■ It’s a set of privacy-by-design and consent APIs ■ It’s not an “XACML killer”
  • 19. [Diagram: resource owner, requesting party, authorization server, resource server and client, linked by manage, consent, control, negotiate, protect, authorize and access.] *Thanks to UMAnitarian Domenico Catalano for the “marvelous spiral”
  • 20. The AS exposes a UMA-standardized protection API to the RS. The RS acts as protection client and calls the protection API with a PAT (protection API token); the protection API includes the resource registration API and the token introspection API.
  • 21. The AS exposes a UMA-standardized authorization API to the client. The client acts as authorization client and calls the authorization API with an AAT (authorization API token); the authorization API supports OpenID Connect-based claims-gathering for authz.
  • 22. The RS exposes whatever value-add API it wants, protected by an AS. The UMA-enabled client calls this app-specific API with an RPT (requesting party token).
  • 23. Collecting claims from the requesting party to assess policy. [Diagram: the same spiral of resource owner, resource server, authorization server, client and requesting party (manage, control, protect, authorize, access, negotiate, consent), plus an OIDC server that the AS uses to authenticate the requesting party.] The client acts as claims conveyor: it redirects the requesting party to the AS.
  • 24. Real-life UMA use cases
  • 25. Patient-centric health data sharing ■ UMA uniquely solves for Consent Directives ■ Special requirements: – Impeccable security – “Context, control, choice, and respect” – Wide ecosystem – Accounting of Disclosures – Meaningful Use – (Relationship Locator Service)
  • 26. [Diagram: patient as resource owner; AS fronting a consent directive server; FHIR EHR API / lab results / FitBit… as resource server; web or native app as client; care provider / family / Alice herself as requesting party; manage, consent, control, negotiate, protect, authorize, access.]
  • 27. Delegated authorization from SaaS to enterprise ■ Allow Enterprise business logic as policy ■ Easy to define Resources and actions ■ Allow Enterprise freedom in evaluation ■ Each Enterprise provides its own AS ■ Attributes stay in the enterprise
  • 28. [Diagram: enterprise as resource owner; enterprise AS; third-party SaaS APIs as resource server; web or native app as client; enterprise employees as requesting party; manage, consent, control, negotiate, protect, authorize, access.]
  • 29. Let us sum up
  • 30. Resource Server ■ Concerned with protecting Resources ■ Concerned with Clients ■ Supplies resource and scope Attributes to AS ■ Uses OAuth token for access to protection API ■ Redirects Client if its UMA token is insufficient ■ Could have multiple AS relationships
  • 31. Client ■ Accesses resources on RS ■ Uses OAuth token for access to authorization API ■ Receives UMA token from AS ■ Asks to add authorization to UMA token for access ■ Provides Subject Attributes via Claims or redirects Subject to AS for further claims-gathering
  • 32. Resource Owner ■ Provides Resource Owner attributes to AS ■ Can provide Authorization policy to AS ■ Manages access settings of protected resources
  • 33. Authorization Server ■ Consumes attributes from all parties ■ Evaluates Policy in context of attributes ■ Associates entitlements with UMA token so client can access RS ■ Leaves RS to judge entitlements against access attempt
  • 34. Summing up ■ OAuth-based framework ■ Facilitates Constrained Delegated Authorization ■ Policy evaluation agnostic ■ Enables humans to control their digital footprint
  • 35. FORGEROCK.COM. Allan Foster, allan.foster@forgerock.com (guruallan); Eve Maler, eve.maler@forgerock.com (xmlgrrl). Thanks! Questions?
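The token dance on slides 20–23 and the role summary on slides 30–33 are easier to follow when the three parties are written out. The Python below is an added illustration, not code from the talk or from ForgeRock: it simulates an authorization server, a resource server and a client in memory. The method names echo the UMA 1.0 endpoints (resource set registration, permission registration, RPT request, token introspection), but the token formats, the all-or-nothing scope check in the policy, the 300-second RPT lifetime and the patient/provider data are assumptions made for this example. A real RS would also return the AS location in a WWW-Authenticate header with the 403; here only the permission ticket is shown.

```python
"""UMA 1.0 token flow from slides 20-23 and 30-33, simulated in memory: PAT, AAT,
RPT, resource registration, permission tickets and introspection. Added example,
not code from the talk or ForgeRock; names echo UMA 1.0 endpoints, data is constructed."""
import secrets
import time


class AuthorizationServer:
    def __init__(self):
        self.pats, self.aats = set(), set()        # protection / authorization API tokens
        self.resource_sets, self.policy = {}, {}   # rs_id -> scopes; rs_id -> {subject: scopes}
        self.tickets, self.rpts = {}, {}           # ticket -> (rs_id, scopes); RPT -> permissions

    def issue_token(self, kind):            # kind: "pat" for an RS, "aat" for a client
        token = f"{kind}-{secrets.token_hex(8)}"
        (self.pats if kind == "pat" else self.aats).add(token)
        return token

    # --- protection API, authenticated with a PAT (slide 20) ---
    def register_resource_set(self, pat, scopes):
        self._require(pat, self.pats)
        rs_id = "rs-" + secrets.token_hex(4)
        self.resource_sets[rs_id] = set(scopes)
        return rs_id

    def register_permission(self, pat, rs_id, scopes):
        self._require(pat, self.pats)       # the RS reports the attempted access, gets a ticket
        if not set(scopes) <= self.resource_sets[rs_id]:
            raise ValueError("scope was never registered for this resource set")
        ticket = "ticket-" + secrets.token_hex(8)
        self.tickets[ticket] = (rs_id, set(scopes))
        return ticket

    def introspect(self, pat, rpt):
        self._require(pat, self.pats)
        live = [p for p in self.rpts.get(rpt, []) if p["exp"] > time.time()]
        return {"active": bool(live), "permissions": live}

    # --- authorization API, authenticated with an AAT (slide 21) ---
    def request_rpt(self, aat, ticket, claims):
        self._require(aat, self.aats)
        want = self.tickets.pop(ticket, None)   # tickets are single-use
        if want is None:
            return {"error": "invalid_ticket"}
        rs_id, scopes = want                    # policy: owner's consent vs. requesting party's claims
        if not scopes <= self.policy.get(rs_id, {}).get(claims.get("sub"), set()):
            return {"error": "not_authorized"}
        rpt = "rpt-" + secrets.token_hex(8)     # simplification: a fresh RPT per grant
        self.rpts[rpt] = [{"resource_set_id": rs_id, "scopes": sorted(scopes), "exp": time.time() + 300}]
        return {"rpt": rpt}

    @staticmethod
    def _require(token, pool):
        if token not in pool:
            raise PermissionError("invalid API token")


class ResourceServer:
    def __init__(self, as_):
        self.as_, self.pat, self.content = as_, as_.issue_token("pat"), {}

    def protect(self, data, scopes):
        rs_id = self.as_.register_resource_set(self.pat, scopes)
        self.content[rs_id] = data
        return rs_id

    def get(self, rs_id, scope, rpt=None):
        """Returns (status, body); a 403 carries a permission ticket, as UMA 1.0 prescribes."""
        if rpt is not None:
            perms = self.as_.introspect(self.pat, rpt)["permissions"]
            if any(p["resource_set_id"] == rs_id and scope in p["scopes"] for p in perms):
                return 200, self.content[rs_id]
        return 403, {"ticket": self.as_.register_permission(self.pat, rs_id, [scope])}


class Client:
    def __init__(self, as_, requesting_party):
        self.as_, self.aat, self.sub, self.rpt = as_, as_.issue_token("aat"), requesting_party, None

    def fetch(self, rs, rs_id, scope):
        status, body = rs.get(rs_id, scope, self.rpt)
        if status != 403:
            return status, body
        answer = self.as_.request_rpt(self.aat, body["ticket"], {"sub": self.sub})  # slide 23
        if "rpt" not in answer:
            return 403, answer
        self.rpt = answer["rpt"]
        return rs.get(rs_id, scope, self.rpt)


def demo():
    """Constructed scenario: patient Alice lets Dr. Bob view, but not share, a lab result."""
    as_ = AuthorizationServer()
    rs = ResourceServer(as_)
    lab = rs.protect("HbA1c 5.4%", ["view", "share"])
    as_.policy[lab] = {"dr.bob": {"view"}}          # slide 32: the owner's consent policy
    bob, mallory = Client(as_, "dr.bob"), Client(as_, "mallory")
    return {"bob_view": bob.fetch(rs, lab, "view"),
            "bob_share": bob.fetch(rs, lab, "share"),
            "mallory_view": mallory.fetch(rs, lab, "view")}
```

Running `demo()` gives Bob a 200 for "view", a 403 with `not_authorized` when he comes back with the same RPT for "share" (the RS introspects, finds the scope missing, issues a new ticket, and the AS refuses to widen the grant), and a 403 for Mallory, for whom the owner set no policy. Two properties worth noticing: every protection-API call is gated on the PAT and every authorization-API call on the AAT, so a client cannot introspect tokens and an RS cannot mint RPTs; and a ticket is consumed on first use, so a replayed ticket fails with `invalid_ticket` even when the first attempt was denied.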
