UMA Trusted Claims

Extending UMA Protocol to support Trusted Claims (tClaims) Newcastle University Domenico Catalano and the Smart Team 13th July, 2011 1 V.3Wednesday, July 13, 2011

Who I am • Domenico Catalano • Senior Sales Consultant @Oracle Italy + Sun • Identity & Security Architect • Leadership team member (UX) @Kantara UMA WG 2Wednesday, July 13, 2011

Agenda • UMA Conceptual model • tClaims Requirements Analysis • OpenID Connect • UMA/OpenID Connect Integration approach • User Interaction • Trust Model consideration • Q&A 3Wednesday, July 13, 2011

UMA Conceptual Model UMA AM policy decision Control Point Protect Authorize Authorizing User Requesting Manage Party UMA External Domain Domain Protected HOST Resource Requester Access 4Wednesday, July 13, 2011

UMA Trusted Claims • UMA Trusted Claims approach is designed to support Claims-based Access Control. • In a Claim-based Access Control, the decision to grant access to a protected resource is made based on Subject’s information, such as name, age, email address, role, location, or credit score, etc. Claims Trusted Claims Trusted usted C laims 5Wednesday, July 13, 2011

tClaims example scenarios • Enterprise class scenario ‣ Accessing Personal Loan Special Program • Social/web class scenario ‣ Sharing photo with “bob@gmail.com” 6Wednesday, July 13, 2011

Accessing Personal Loan special program Enterprise Class Scenario • Bank online service provides an User- Managed Claims access control to restrict and personalize access to special program/ service (i.e. personal loan with low interest rate) to users which have determinate employment (i.e. government employee), and have an high credit score. 7Wednesday, July 13, 2011

Alice at Bank site Bank of Future for requesting 10.0 online Banking access to a Welcome aalice restricted service. Access to Loyalty Program You have selected a protected resource to access special loyalty An UMA program for US Government Employee: Personal Loan with low interest rate (2%) protected Select your UMA Authorization Manager to provide trusted Claims to grant access to this resource. resource. CopMonkey AM © copyright 2009 CMInc. All rights reserved. 8Wednesday, July 13, 2011

Sharing Photo with “bob@gmail.com Social/web Class Scenario • Alice wants share a photo gallery with bob if Bob has an account email “bob@gmail.com” and he is 18 years old. 9Wednesday, July 13, 2011

Alice deﬁnes claims-based authorization policy, using In- App widget 10Wednesday, July 13, 2011

Requirements Analysis • Authorizing User (Resource Owner) needs a claims- based access control to restrict access to own resources based on Requesting Party’s Identity attributes. • Identity attributes must issued by a Trusted Third Party (TTP) and veriﬁable by a Claims Requester. • Claims may be logically aggregated to provide a collection of attributes from different Attribute Providers (Claims Host). 11Wednesday, July 13, 2011

OpenID Connect • OpenID Connect provides authentication, authorization, and attribute transmission capability. It allows third party attested claims from distributed sources. • This speciﬁcation is largely compliant with OAuth 2.0 draft 15. OpenID Connect Core 1.0 - draft 04 12Wednesday, July 13, 2011

OpenID Connect protocol overview • OpenID Connect protocol in abstract follows the following steps: 1. The Client sends a request to the Server’s End-User Authorization Endpoint. 2. The Server authenticates the user and obtains appropriate authorization. 3. The Server responds with access_token and a few other variables. 4. The Client sends a request with access_token to the Userinfo Endpoint. 5. Userinfo Endpoint returns the additional user supported by the Server. 13Wednesday, July 13, 2011

UMA Conceptual Model UMA AM policy decision Control Point Protect Authorize Authorizing User Requesting Manage Party UMA External Domain Domain Protected HOST Resource Requester Access 14Wednesday, July 13, 2011

UMA Conceptual Model with tClaims OpenID UMA Claims 1. Request Client 3. Access_token Connect AM AS policy decision Control Point 5. Userinfo 2. AuthN AuthZ 4. Request Userinfo Protect Protect Authorize UserInfo Authorizing User EndPoint Requesting Manage Party SSO UMA OpenID Domain Domain Protected HOST Resource Requester Access 15Wednesday, July 13, 2011

UMA/OpenID Connect Integration approach UserInfo EndPoint Claims Claims Provider Protected Resource UMA Claims AuthZ OpenID Authorization Client Server Identity Provider Manager OpenID RP OpenID Connect SSO AuthN AuthZ Requesting Party 16Wednesday, July 13, 2011

User eXperience 17Wednesday, July 13, 2011

Scenario • Sharing Photo with “bob@gmail.com” ‣ Host In-App Fast Sharing settings. ‣ Requesting Party requests direct access to Protected Resource. ‣ OpenID Connect interaction. 18Wednesday, July 13, 2011

Alice at Host Site Protected Resource by CopMonkey AM in-App Fast AuthZ Settings for sharing 19Wednesday, July 13, 2011

Alice deﬁnes claims-based authorization policy, using In- App widget 20Wednesday, July 13, 2011

Protected Resource is ready for sharing under authZ policy 21Wednesday, July 13, 2011

Alice shares the Protected Photo4Sharing resource 10.0 online photo Service through twitter Home Photo Gallery Places Share Settings Hello Alice Alice twitter Photo View Resource Sharing Photo4Sharing: Places:Venice:Bridge at Places> Venice> Bridge Edit CopMonkey Protected http://photo4sharing.com/AB112FFD Resource 22 hours ago reply CopMonkey In-App Claim- based authorization Tweet text goes here. URL keep it under 140 characters photo4sharing.com/AB112FFD http://bit.ly/ds5c6z 22 hours ago reply Share Never thought Id say this, but sign out of twitter.com, now! Theres a nice new homepage to check out. http://bit.ly/ds5c6z 22 hours ago reply homepage to check out. http://bit.ly/ds5c6z 22 hours ago reply © copyright 2009 CMInc. All rights reserved. 22Wednesday, July 13, 2011

Bob attempts to access to protected resource. Bob is redirect to AM to convey claims 23Wednesday, July 13, 2011

CopMonkey authenticates Bob through OpenID, in order to initialize OpenID Connect protocol 24Wednesday, July 13, 2011

Bob is redirect to IdP’s authorization service to grant claims. 25Wednesday, July 13, 2011

Bob gets access to the protected resource 26Wednesday, July 13, 2011

Trust Model Consideration Bootstrapping Trust Claims Provider AuthN IdP AuthN IdP Subject Subject Subject Self Registration Affiliate Registration Affiliate Registration LoA Certification UMA UMA UMA AM AM AM Trusted Self Registration Affiliate Registration Affiliate Registration Framework Host Introduction Host Introduction Host Introduction Host Host Host TFP A B C Self-Registration Affiliate or SSO Affiliate or SSO with Trusted Framework 27Wednesday, July 13, 2011

Thanks 28Wednesday, July 13, 2011

http://identitycube.blogspot.com	726
http://identitycube.blogspot.co.uk	140
http://identitycube.blogspot.it	51
http://www.slideshare.net	46
http://identitycube.blogspot.se	4
http://identitycube.blogspot.in	3
http://identitycube.blogspot.fr	3
http://identitycube.blogspot.com.es	2
http://identitycube.blogspot.jp	2
http://identitycube.blogspot.com.au	2
http://127.0.0.1:8795	1
http://identitycube.blogspot.ca	1

UMA Trusted Claims

by Domenico Catalano on Jul 13, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

12 Embeds 981

Statistics

UMA Trusted Claims — Presentation Transcript