Identity and Entitlement Management Concepts

  1. Identity and Entitlement Management – Concepts and Theories
     Last Updated: Jan. 2014
     Tech Lead: Chamath Gunawardana
  2. About the Presenter(s)
     ๏ Chamath Gunawardana
       Chamath Gunawardana is a technical lead at WSO2 working for the integration technology group. He is engaged in the development of the WSO2 Identity Server and is also a committer of the WSO2 Identity Server. Chamath is also a SUN certified Java programmer.
  3. About WSO2
     ๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
     ๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
     ๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
     ๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
     ๏ Driven by Innovation
     ๏ Launched first open source API Management solution in 2012
     ๏ Launched App Factory in 2Q 2013
     ๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
  4. What WSO2 delivers
  5. Agenda
     ๏ Entitlement management
        ๏ Overview
        ๏ Access control concepts
        ๏ XACML
        ๏ Entitlement architecture in Identity Server
     ๏ Identity management
        ๏ Overview
        ๏ Features of identity management systems
        ๏ A couple of identity management capabilities in Identity Server
     ๏ Demo
  6. What is Entitlement Management?
     ๏ Entitlement management is technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements.
     ๏ Also referred to as authorizations, privileges, access rights, permissions and/or rules
       - Gartner Glossary
  7. Entitlement Management
     ๏ It's a broader concept
     ๏ Types of access control include:
        ๏ Access control lists
        ๏ Role based access control
        ๏ Attribute based access control
        ๏ Policy based access control
  8. Access control lists
     ๏ Oldest and most basic form of access control
     ๏ Primarily adopted by operating systems
     ๏ Maintains, as a mapping, the set of users and the operations they can perform on a resource
     ๏ Also easier to implement using maps
     ๏ Not scalable for large user bases
     ๏ Difficult to manage
  9. Role based access control
     ๏ The system has users that belong to roles
     ๏ A role defines which resources will be allowed
     ๏ Reduces the management overhead
     ๏ Users and roles can be externalized using user stores
     ๏ Roles need to be managed
     ๏ A user may belong to multiple roles
  10. Attribute based access control
     ๏ Authorization based on attributes
     ๏ Addresses the limitation of the role based approach in defining fine-grained access control
     ๏ Attributes of the user, the environment as well as the resource itself
     ๏ More flexible than the role based approach
     ๏ No need to know the user prior to granting access
  11. Policy based access control
     ๏ Addresses the requirement to have a more uniform access control mechanism
     ๏ Helps large enterprises to have uniform access control among org units
     ๏ Helps security audits to be carried out
     ๏ More complex than any other access control system
     ๏ Policies are specified unambiguously with XACML
     ๏ Use of authorized attribute sources in the enterprise
  12. Advantages
     ๏ Reduces the development time on critical business functions
     ๏ Easy management of entitlements
     ๏ Based on industry standard specifications
     ๏ Support for future development with minimum effort
  13. XACML
     ๏ XACML is a policy based authorization/entitlement system
     ๏ De-facto standard for authorization
     ๏ Has evolved through versions 1.0, 2.0 and 3.0
     ๏ Externalized
     ๏ Policy based
     ๏ Fine grained
     ๏ Standardized
  14. XACML
     ๏ Identity Server supports XACML 2.0 and 3.0 versions
     ๏ Supports multiple PIPs
     ๏ Policy distribution
     ๏ UI wizards for defining policies
     ๏ Try it tool
     ๏ Decision / Attribute caching
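The following is an added example, not code from the slides or from WSO2 Identity Server: it evaluates the same requests under an access control list, under role based access control, and under an attribute/policy based engine that uses a PIP callback and XACML-style PEP/PDP separation with deny-overrides combining (slides 8 to 14). The user store, resource metadata, policy rules and user names are constructed for illustration.

```python
from typing import Any, Callable, Dict
# Constructed sample data: a user store (what a PIP would query) and resource metadata.
USER_STORE = {"alice": {"department": "hr", "clearance": 3},
              "bob":   {"department": "hr", "clearance": 1},
              "carol": {"department": "audit", "clearance": 2}}
RESOURCES = {"payroll.xlsx": {"owner_dept": "hr", "classification": 2}}

# 1. Access control list: one explicit (user -> operations) entry per resource.
#    carol is absent, so every new user or resource needs a list edit.
ACL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}

def acl_permit(user: str, op: str, res: str) -> bool:
    return op in ACL.get(res, {}).get(user, set())

# 2. Role based: users hold roles; roles carry (resource, operation) grants.
USER_ROLES = {"alice": {"hr-manager"}, "bob": {"hr-staff"}, "carol": {"auditor"}}
ROLE_GRANTS = {"hr-manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
               "hr-staff":   {("payroll.xlsx", "read")},
               "auditor":    {("payroll.xlsx", "read")}}

def rbac_permit(user: str, op: str, res: str) -> bool:
    return any((res, op) in ROLE_GRANTS.get(r, ()) for r in USER_ROLES.get(user, ()))

# 3. Attribute / policy based: rules over subject, resource and environment
#    attributes; no per-user entry is needed, only the attributes.
POLICY = [  # (effect, condition over the merged attribute bag)
    ("Permit", lambda a: a["op"] == "read" and a["department"] == a["owner_dept"]),
    ("Permit", lambda a: a["op"] == "read" and a["department"] == "audit"),
    ("Permit", lambda a: a["op"] == "write" and a["clearance"] > a["classification"]),
    ("Deny",   lambda a: not a["office_hours"]),  # environment attribute
]
def user_store_pip(user: str) -> Dict[str, Any]:
    """PIP: resolves subject attributes the request itself did not carry."""
    return USER_STORE.get(user, {"department": None, "clearance": 0})

def pdp_decide(request: Dict[str, Any], pip: Callable[[str], Dict[str, Any]]) -> str:
    """PDP with deny-overrides combining (one of XACML's combining algorithms):
    any applicable Deny wins, else Permit if any rule permits, else NotApplicable."""
    attrs = {**request, **pip(request["user"]), **RESOURCES[request["resource"]]}
    effects = {effect for effect, cond in POLICY if cond(attrs)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_allows(user: str, op: str, res: str, office_hours: bool = True) -> bool:
    """PEP: builds the request, asks the PDP and enforces; only Permit grants access."""
    req = {"user": user, "op": op, "resource": res, "office_hours": office_hours}
    return pdp_decide(req, user_store_pip) == "Permit"
```

Note that carol gets read access under RBAC and ABAC without any ACL entry, and that the environment rule (outside office hours) denies even a user the other models would permit.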
  15. XACML
  16. Create policy options
  17. Simple policy editor
  18. Basic policy editor
  19. Try it tool
  20. Try it tool request
  21. Extensions
  22. Identity Management
     ๏ Managing the identity of users in a system
     ๏ Control access to resources
     ๏ Important component in an enterprise
     ๏ Enterprises depend on the security provided by identity management systems
  23. Why Identity Management
     ๏ Directly influences the security and productivity of an organization
     ๏ To enforce consistency in security policies across the organization
     ๏ To comply with rules and regulations enforced in some critical domains by governments
     ๏ Provide access to resources to outside parties without compromising security
  24. Why Identity Management Cont.
     ๏ Controlled resource access increases organizational security
     ๏ Increased auditability of the systems
     ๏ Automated password reset capabilities
  25. Features of an IDM System
     ๏ User Stores / Directories
     ๏ Authentication
     ๏ Authorization
     ๏ Single Sign On
     ๏ Provisioning
     ๏ Delegation
     ๏ Password reset
     ๏ Self registration with locking
  26. User stores / Directories
     ๏ Grouping of users and roles
     ๏ Easy management in authorization decisions
     ๏ Different types of user stores supported
  27. Authentication
     ๏ Identifying which entity we are communicating with
     ๏ The entity can be a user or a system
     ๏ Most basic form is user name and password
     ๏ Authentication against a user store
     ๏ Concept of multi-factor authentication
  28. Authorization
     ๏ What an entity is allowed to access in the system
     ๏ Entitlement management aspects
     ๏ Discussed above
  29. Single Sign On
     ๏ Having multiple applications with login requirements
     ๏ Once logged in to one application, automatic login to the other applications
     ๏ Token usage
     ๏ Identity Federation
     ๏ Technologies used:
        ๏ OpenID
        ๏ SAML
        ๏ Kerberos
        ๏ WS-Federation passive
  30. Provisioning
     ๏ Concept of adding and removing identities from the user store
     ๏ Provisioning to external systems
     ๏ Technologies:
        ๏ SPML
        ๏ SCIM
  31. Delegation
     ๏ Giving responsibility to another entity to carry out tasks on your behalf
     ๏ Credential sharing systems
     ๏ Technologies:
        ๏ OAuth
  32. Users and roles
     ๏ Enterprise user stores with users and roles
     ๏ Managing user stores
     ๏ Support for multiple user stores
     ๏ Easy configuration of user stores in the UI
     ๏ Types of user stores:
        ๏ LDAP, Active Directory, JDBC
     ๏ Support for multi-tenancy
  33. Password reset
     ๏ Web apps needing end user password reset functionality
     ๏ Supports:
        ๏ Reset with notification
        ๏ Reset with secret questions
     ๏ Increased security with multiple keys in the reset flow
     ๏ UI based email template configuration
  34. Self registration with locking
     ๏ Separate web service for self registration with account lock
     ๏ Upon registration, a confirmation link is sent to unlock the account
     ๏ Only users with a valid email address gain access to the system
     ๏ Configurable email notification template
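An added example, not WSO2 Identity Server's own implementation, of the self-registration-with-locking flow on slide 34: the account is created locked, the emailed confirmation token is stored only as a hash, and the token is single-use and expires. The one-day TOKEN_TTL, the PBKDF2 round count, the class names and the sample addresses are assumptions made for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
TOKEN_TTL = 24 * 3600       # assumption: a confirmation link is valid for one day
PBKDF2_ROUNDS = 100_000     # assumption: tune for the deployment's hardware

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    locked: bool = True          # created locked; unlocked only by the confirmation link
    confirm_hash: str = ""       # sha256 of the outstanding token, never the token itself
    confirm_expires: float = 0.0

class Registrar:
    def __init__(self, clock=time.time):
        self.accounts = {}       # email -> Account (stands in for the user store)
        self.clock = clock

    def register(self, email: str, password: str) -> str:
        """Creates a locked account; returns the raw token to put in the emailed link."""
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(
            salt=salt, password_hash=_pw_hash(password, salt),
            confirm_hash=hashlib.sha256(token.encode()).hexdigest(),
            confirm_expires=self.clock() + TOKEN_TTL)
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Unlocks the account if the token matches, is unexpired and unused."""
        acct = self.accounts.get(email)
        if acct is None or not acct.confirm_hash or self.clock() > acct.confirm_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.confirm_hash):
            return False
        acct.locked, acct.confirm_hash = False, ""   # single use: token is consumed
        return True

    def login(self, email: str, password: str) -> bool:
        """A locked (unconfirmed) account cannot log in even with the right password."""
        acct = self.accounts.get(email)
        if acct is None or acct.locked:
            return False
        return hmac.compare_digest(_pw_hash(password, acct.salt), acct.password_hash)
```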
  35. Demo
  36. Business Model
  37. More Information!
     ๏ The slides and webinar will be available soon.
     ๏ Please refer to the Identity Server documentation - https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation
  38. Contact us!
