The WSO2 Identity Server - An answer to your common XACML dilemmas

Presentation Transcript

  • An answer to your common XACML dilemmas. Asela Pathberiya, Senior Software Engineer
  • WSO2: Founded in 2005 by acknowledged leaders in XML, Web Services Technologies & Standards and Open Source. Produces an entire middleware platform, 100% open source under the Apache license. The business model is to sell comprehensive support & maintenance for our products. Venture funded by Intel Capital and Quest Software. A global corporation with offices in the USA, UK & Sri Lanka. 150+ employees and growing.
  • What are we going to cover: What is XACML? Why is XACML important for your organization? What are the disadvantages of XACML? How can WSO2 Identity Server help you to overcome those disadvantages?
  • ETag Group: ETag group is a trading company, which was established in 2001.
  • Application System: ETag group deployed their first Application System in 2005.
  • Authentication: The Application System included an authentication mechanism.
  • Authentication: Some functions and data in the Application System must not be accessed by all employees in the company. Therefore, authentication is not enough!
  • Authorization: ETag group wanted to build authorization logic for their Application System.
  • Role Based Access Control (RBAC): A set of people who have the same set of privileges is put into a role, and permissions are assigned to that role.
  • Role Based Access Control (RBAC)
  • Growth of ETag Group: Effects of company growth: The number of Application Systems increased. For each application system, authorization logic needed to be implemented. Authorization logic became more complex. Authorization logic needed to be updated frequently. Maintaining the authorization logic became a tricky task.
  • Meeting: Decided to implement a new authorization system.
  • ETag Common Authorization System (ECAS): Denis was asked to lead the “ECAS” project. The “ECAS” project must fulfill the following six requirements, as decided in the board meeting.
  • Externalized: The authorization system is not bound to an application. Each application must be able to query a single authorization system for all authorization queries.
  • Policy based: Authorization logic can be modified frequently without any source code changes.
  • Standardized: Even business managers and external people must be able to recognize the technology which is used to design this.
  • Attribute Based: “Resource X can be accessed by the users who are from the domain and whose age is not less than 18 years.”
  • Fine-grained: Need to achieve fine granularity without defining a large number of static combinations in the source code or database.
  • Real Time: “Can user Bob transfer amount X from current account Y between 9.00am and 4.00pm?”
  • Externalized, policy based, standardized, attribute based, fine-grained, dynamic: the Authorization Solution.
  • XACML: XACML is the standard eXtensible Access Control Markup Language.
  • A standard ratified by the OASIS standards organization. The first meeting: 21st March 2001. XACML 1.0: OASIS Standard, 6 February 2003. XACML 1.1: Committee Specification, 7th August 2003. XACML 2.0: OASIS Standard, 1 February 2005. XACML 3.0: OASIS Standard, 10th Aug 2010.
  • Policy language implemented using XML
  • Externalization is provided by the XACML reference architecture.
  • Attribute Based Access Control (ABAC)
  • Fine-grained authorization: Fine-grained authorization with a higher level of abstraction, by means of policy sets, policies and rules.
  • Real time evaluation
  • XACML Implementation for ECAS: Denis was really happy, as he had found the solution for all requirements. Denis thought to start implementing a XACML based authorization system for the ECAS project.
  • Meeting: “Denis, it is hard to implement a XACML solution from scratch.” “It is better to find an existing implementation and plug it in to the ECAS project.”
  • Meeting: “We need a closer look at XACML... Let's have a review of it.”
  • Disadvantages: The performance of a XACML based authorization system would be lower than the existing system. Complexity of defining and managing XACML policies. How to integrate current authorization logic into the new system as XACML policies. How to provide a standard interface to communicate with the PDP. Would the PDP be able to handle a large number (10000 - 100000) of policies? How to achieve reliability and high availability. Can XACML solutions support “What are the resources that Bob can access?”
  • XACML Implementations
  • An Open source XACML Implementation: “Open source XACML solution, WSO2 Identity Server. Just download and run the PDP without any configuration. How fast is that? I do not want to write mail asking for evaluation copies.” “I can just write a simple XACML policy and try this out... Nice web based UI.”
  • WSO2 Identity Server
  • WSO2 Identity Server
  • Performance bottleneck: Performance would be lower than the traditional authorization systems. It is a trade-off for the advantages offered. But the WSO2 Identity Server team has identified this performance bottleneck and has provided a solution to overcome it to a great extent: caching technologies, and the Thrift protocol for PDP - PEP communication.
  • Caching
  • Load Test Figures: Environment: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS - Debian 6.0 (64bit), with a single instance of Identity Server [-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]. Policy Complexity: L1: 10 rules per policy, with each rule dealing with 1 attribute. L2: 100 rules per policy, with each rule dealing with more than 10 attributes. Requests: one million XACML requests. XACML requests are randomly retrieved from a pool where 10 000 different requests are available. Resources
  • Load Test Result - Caching
  • Load Test Result - Thrift
  • Complexity of defining and managing XACML policies: Web based UI as PAP for defining and managing XACML policies.
  • XACML Policy Editors: Two policy editors, Basic and Advanced.
  • Integrating current authorization logics
  • Standard interface for PDP and PAP: All PDP and PAP functionality has been exposed as Web services.
  • Handling large number of policies: Policy distribution. On demand policy loading.
  • Reliability and High Availability: PDP clustering.
  • Listing entitled resources for user
  • What we discussed today: Identified XACML as a standard way of implementing authorization. How XACML answers the authorization requirements of your organization. What are the negative points of XACML. How WSO2 Identity Server has provided an answer for them.
  • Q and A
  • Customers
  • WSO2 Engagement Model: QuickStart, Development Support, Development Services, Production Support, Turnkey Solutions, WSO2 Mobile Services Solution, WSO2 FIX Gateway Solution, WSO2 SAP Gateway Solution
  • Thank You...!!! Contact Us…