Opensource Authentication and Authorization
  • Good stuff Allan!
  • Great presentation about how important single sign on is for users of applications on the web today! The typical user is not going to remember different user names and passwords for the dozens of different sites they have accounts with.
    Presentation Transcript

    • Open Source Authentication & Authorization. Allan Foster, ForgeRock, allan.foster@forgerock.com. Wednesday, March 9, 2011
    • “Build us a Web App”
    • Lots of examples....
    • New Application Demands: Collaborative Workgroups, Client - Server, Multi user... In the cloud?
    • It's a WebApp!
    • Business Logic: Your Business... Your Logic... You know how to do this!
    • Lots of Help. Language... [word cloud of languages: .Net, PHP, Ruby, Perl, Java, Python, C++, Groovy, ...]
    • Oh yes, LOTS of help! Frameworks... [word cloud of frameworks: Velocity, JSF, AJAX, PEAR, Spring, Hibernate, ...]
    • And don’t forget...
    • Access Control: Who are our users? Who can access what? What can they do? How do we manage this?
    • It's not that complicated.. Authentication, SSO, Authorization
    • Authentication? Corporate LDAP
    • But what about...
    • or...
    • or SecurID (RSA logo)
    • Maybe all?
    • Authentication isn’t enough...
    • Authentication isn’t enough... SSO is expected! I have one set of credentials, why can’t I just use them ONCE?
    • Even between multiple Organizations: Federation, eGov, GoogleApps
    • SSO implies having a single trusted Authentication service...
    • That can be used by MANY different applications!
    • Without regard to HOW the authentication is being performed
    • What About Authorization?
    • Is this user allowed to perform this action on this resource?
    • Group Membership? Roles? Some Complex Matrix? Dynamic Conditions?
    • Access control logic can be embedded in our application... BUT..
    • New Specs, New Rules, Exceptions, Changes... and more changes! ...And testing!
    • Reprogram the door?
    • Centrally managed service: Can I?
    • AuthN and AuthZ as a service: Identity services (OpenAM)
    • Authentication, SSO, Authorization
    • Authentication is NOT Identity Management: Validation against EXISTING identity sources!
    • We don’t need to know user implementation details. We only need to know User Identity and possibly some user attributes.
    • Integrate into existing process: Pluggable Authentication modules, Built on Standards - JAAS, Multiple Modules & Chains
    • [word cloud of authentication modules: LDAP, SecurID, Unix, Certificate, SafeWord, x509, JDBC, SAML2, SmartCard, AD, MSISDN, Membership, Custom, ... Extensible]
    • Authentication determines identity. Identity is what matters.. NOT the method it is determined
    • [sequence diagram: Browser, Application, OpenAM]
      1. Browser → Application: Request application content
      2. Application → Browser: Redirect for Authentication
      3. Browser → OpenAM: Request Authentication from Authentication server
      4. Browser ↔ OpenAM: Negotiate Authentication...
      5. OpenAM → Browser: Redirect back to Application with Token
      6. Browser → Application: Request application content
      7. Application → OpenAM: Validate Token
      8. OpenAM → Application: Validation Response
      9. Application → Browser: Provide application content
    • Authentication, SSO, Authorization
    • Allan Foster, Speaker, ConFoo 2011
    • One Pass, Multiple Doors: Single Sign On
    • Application validates credentials... Does NOT issue them!
    • We don’t “Login”, we validate Identity. This is a conceptual hurdle for developers!
    • Authentication service determines identity. Authentication service issues tokens
    • [sequence diagram: Browser, Application, OpenAM]
      1. Browser → Application: Request application
      2. Application → OpenAM: Validate Token
      3. OpenAM → Application: Validation Response
      4. Application → Browser: Provide application content
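    The two sequence diagrams above (redirect for authentication, then token validation on every later request) modelled in Python as an added example; this is not code from the talk or from OpenAM. `AuthService`, `WebApp`, the `openam.example` login URL and the user store are all constructed stand-ins: the point is that two separate applications accept the same token, and neither of them ever issues one.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed identity source standing in for the corporate LDAP on the slides.
USER_STORE = {"alice": "correct horse battery staple"}


class AuthService:
    """Hypothetical stand-in for OpenAM: the only place tokens are issued."""

    def __init__(self, user_store, lifetime=3600):
        self.user_store = user_store
        self.lifetime = lifetime
        self.sessions = {}  # token -> (identity, expiry)

    def authenticate(self, username, password):
        """Negotiate authentication against the existing store; issue a token."""
        expected = self.user_store.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(24)
        self.sessions[token] = (username, time.time() + self.lifetime)
        return token

    def validate(self, token):
        """Validation response: the identity behind a live token, else None."""
        identity, expiry = self.sessions.get(token, (None, 0))
        return identity if expiry > time.time() else None


class WebApp:
    """An application behind SSO: it validates tokens but never issues them."""

    def __init__(self, host, auth_service):
        self.host, self.auth = host, auth_service

    def request(self, path, token=None):
        """Return ('redirect', url) without a valid token, else ('content', page)."""
        identity = self.auth.validate(token) if token else None
        if identity is None:
            # Redirect for authentication; the service sends the browser back to 'goto'.
            goto = f"https://{self.host}{path}"
            return "redirect", "https://openam.example/login?" + urlencode({"goto": goto})
        return "content", f"{self.host}{path} for {identity}"
```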
    • New applications easily integrate into existing infrastructure
    • And for many projects, this is success! Single Sign on!
    • Authentication, SSO, Authorization
    • Multi User Application: Access Control, Rights and Privileges
    • Access Control can be Very Complex, Domain Specific, Dependent on Many Conditions
    • Several Options: Ad Hoc, J2EE Policy, URL Access, Custom Developed, External Policy Engine
    • Ad Hoc: Localized if-then-else; Cumbersome; No Reuse; Inconsistent enforcement; Unverifiable; Possible security holes
    • J2EE Policy: Standards..; Role Based; Supported in the deployment; Designed from the start; Difficult to change; Domino Effect
    • URL Access: Coarse Grained; Tree Level Access; Often at Application or server Level; Access Control NOT Entitlements
    • Custom Policy: Expensive; Hard to Maintain; Proprietary; Administration is Daunting!; Difficult to change and adapt
    • External Policy Engine: Policy Evaluation; Extensible; Flexible; Centralized Administration; What about domain specifics?
    • Entitlement services (OpenAM)
    • Can This User access This Resource under These Conditions?
    • Define Rules for Access. Rules can be changed dynamically. Standards based - XACML3
    • Rules: Resources, Actions, Subjects, Conditions, Response Attributes, Advice
    • Resources: URLs, Accounts, Buttons, Projects, etc...... Hierarchical, Scalable, Pluggable API
    • Actions: Performed on a resource. Fine Grained access. [word cloud: Create, Read, Update, Delete, GET, POST, PUT, DELETE, Withdraw, Balance, Transfer, ...]
    • Subjects: Who does the rule apply to? [word cloud: Datastore Group, LDAP Attribute, Member, Session Attribute, Datastore Attribute, Custom Subject, ...] Pluggable API, Combination Logic
    • Conditions: Simple or Complex Dependencies. [word cloud: IP Address, Attribute, Bank Balance, Time of Day, Authentication level, Session Attribute, Timeout, ...] Pluggable API, Combination Logic
    • Access control can be: Role based, Attribute based, or Dynamic.
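    The Rules / Resources / Actions / Subjects / Conditions model of the preceding slides as a small policy decision point, written here as an added example (not OpenAM's engine or the speaker's code). The bank rules, the group name `tellers`, the `authLevel` session attribute and the deny-overrides combination logic are all constructed assumptions; the decision is returned in the same JSON shape the later "Simple JSON responses" slide shows.

```python
import fnmatch
from datetime import time as clock

# Constructed rules in the slides' Resources / Actions / Subjects / Conditions shape.
RULES = [
    {"name": "tellers-on-site",
     "resources": ["https://bank.example/accounts/*"],
     "actions": {"Read": True, "Withdraw": True, "Transfer": False},
     "subject": lambda s: "tellers" in s.get("groups", ()),          # group membership
     "conditions": [lambda e: e["ip"].startswith("10."),              # IP address
                    lambda e: clock(8) <= e["time"] < clock(18)]},    # time of day
    {"name": "strong-auth-transfer",
     "resources": ["https://bank.example/accounts/*"],
     "actions": {"Transfer": True},
     "subject": lambda s: "tellers" in s.get("groups", ()),
     "conditions": [lambda e: e["authLevel"] >= 2]},                  # authentication level
]


def evaluate(subject, resource, env, rules=RULES):
    """Mini policy decision point: answers in the JSON shape of the slides' response."""
    actions = {}
    for rule in rules:
        if not any(fnmatch.fnmatch(resource, p) for p in rule["resources"]):
            continue  # hierarchical match: '*' covers everything under the prefix
        if not rule["subject"](subject) or not all(c(env) for c in rule["conditions"]):
            continue
        for action, allowed in rule["actions"].items():
            # Combination logic: an explicit deny from any applicable rule wins.
            actions[action] = allowed and actions.get(action, True)
    # Actions never mentioned by an applicable rule are simply absent: the
    # enforcement point must treat that as a deny, not as an allow.
    return {"statusCode": 200, "statusMessage": "OK",
            "body": {"actionsValues": actions, "attributes": {}, "advices": {},
                     "resourceName": resource}}
```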
    • Policy Enforcement Point, Policy Decision Point, Policy Administration Point
    • Policy Enforcement Point
    • Policy Enforcement Point: Simplest case, Agent plugged into web container. ISAPI, NSAPI, mod_auth
    • Zero changes to app. Simple to install.. Easily protect “Closed” apps
    • Policy Enforcement Point: Fine for URL access control when resource is a URL. But how do we address entitlements?
    • Policy Enforcement Point: Simple Web Service Call wrapper coded into Application. This User, This Resource, These Conditions: if (entitled(userToken, resource, env)) { ... } Language Agnostic!
    • Simple JSON responses
      {
        "statusCode": 200,
        "statusMessage": "OK",
        "body": {
          "actionsValues": {"GET": true},
          "attributes": {},
          "advices": {},
          "resourceName": "http://www.anotherexample.com:80/index.html"
        }
      }
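    The application side of the `entitled(userToken, resource, env)` wrapper from the previous slide, consuming a response in the JSON shape above, as an added example rather than ForgeRock's agent code. `fake_fetch` is a constructed offline stand-in for the web service call; the `valid-token` value and the fail-closed rules (non-200 status, mismatched `resourceName`, action missing from `actionsValues`) are this example's assumptions.

```python
import json

# Constructed decision in the response shape shown on the slide.
SAMPLE_DECISION = json.dumps({
    "statusCode": 200, "statusMessage": "OK",
    "body": {"actionsValues": {"GET": True}, "attributes": {}, "advices": {},
             "resourceName": "http://www.anotherexample.com:80/index.html"}})


def fake_fetch(user_token, resource, env):
    """Hypothetical stand-in for the policy web service call (offline)."""
    if user_token != "valid-token":
        return json.dumps({"statusCode": 401, "statusMessage": "Unauthorized"})
    return SAMPLE_DECISION


def entitled(user_token, resource, action, env, fetch=fake_fetch):
    """PEP wrapper returning (allowed, advices). Anything unexpected is a deny."""
    try:
        decision = json.loads(fetch(user_token, resource, env))
    except ValueError:
        return False, ["malformed decision document"]
    if decision.get("statusCode") != 200:
        return False, [f"decision service returned {decision.get('statusCode')}"]
    body = decision.get("body") or {}
    # Only honour an answer that is about the resource actually being requested
    # (a real deployment would normalise both URLs before comparing).
    if body.get("resourceName") != resource:
        return False, ["decision is for a different resource"]
    # An action absent from actionsValues is a deny; compare strictly against True.
    allowed = (body.get("actionsValues") or {}).get(action) is True
    advices = [f"{key}: {value}" for key, value in (body.get("advices") or {}).items()]
    return allowed, advices
```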
    • Policy Decision Point
    • Policy Decision Point: Policy Evaluation. Separate the Rule evaluation from the enforcement
    • Scalable and extensible policy engine. Scalable to millions of entitlements. Standards based - XACML3
    • Policy Administration: Administration UI, Dynamic rule changes, Auditability, Consistency
    • Standards based XACML3: Any editor... Any workflow...
    • Rule changes take immediate effect. No impact on application development
    • Keep track of rules and changes. Reuse rules for reusable resources
    • Separate Administration: Application Administration is separate from Entitlement Administration
    • Simplify the app admin: Consistent administration of permissions for all apps.
    • ForgeRock
    • OpenAM: OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements.
    • OpenAM: Started life as Sun Access Manager. OpenSourced in 2007. Strong Community
    • OpenAM: OpenAM is fully opensource, 100% Java, scalable, high performance, AuthN and AuthZ
    • OpenAM: Full XACML3 Support, Simple policies and Complex Entitlements, Extensible Plugins, Central Administration, Leverage existing SSO
    • OpenAM: OpenAM Community, ForgeRock, http://www.forgerock.com
    • Download it. Use it. Get involved! info@forgerock.com
    • Questions?
    • Demo
    • Open Source Authentication & Authorization. Allan Foster, ForgeRock
    • Access Control - Policy. Rights and Privileges - Entitlements. Scalability. Flexibility