The WSO2 Identity Server - An answer to your common XACML dilemmas
Transcript

  • 1. An answer to your common XACML dilemmas. Asela Pathberiya, Senior Software Engineer
  • 2. WSO2: Founded in 2005 by acknowledged leaders in XML, Web Services technologies & standards and Open Source. Producing an entire middleware platform, 100% open source under the Apache license. Business model is to sell comprehensive support & maintenance for our products. Venture funded by Intel Capital and Quest Software. Global corporation with offices in the USA, UK & Sri Lanka. 150+ employees and growing.
  • 3. What are we going to cover: What is XACML? Why is XACML important for your organization? What are the disadvantages of XACML? How can WSO2 Identity Server help you to overcome those disadvantages?
  • 4. ETag Group: ETag group is a trading company which was established in 2001.
  • 5. Application System: ETag group deployed their 1st Application System in 2005.
  • 6. Authentication: The Application System included an authentication mechanism.
  • 7. Authentication: Some functions and data in the Application System must not be accessible to all employees in the company. Therefore authentication is not enough!
  • 8. Authorization: ETag group wanted to build authorization logic for their Application System.
  • 9. Role Based Access Control (RBAC): A set of people who have the same set of privileges is put into a role, and permissions are assigned to that role.
  • 10. Role Based Access Control (RBAC)
  • 11. Growth of ETag Group. Effects of company growth: the number of Application Systems increased; for each application system, authorization logic had to be implemented; authorization logic became more complex; authorization logic needed to be updated frequently; maintaining authorization logic became a tricky task.
  • 12. Meeting: Decided to implement a new authorization system.
  • 13. ETag Common Authorization System (ECAS): Denis was asked to lead the "ECAS" project. The "ECAS" project must fulfil the following six requirements, as decided in the board meeting.
  • 14. Externalized: The authorization system is not bound to an application. Each application must be able to query a single authorization system for all authorization queries.
  • 15. Policy based: Authorization logic can be modified frequently without any source code changes.
  • 16. Standardized: Even business managers and external people must be aware of the technology which is used to design this.
  • 17. Attribute Based: "Resource X can be accessed by users who are from the etag.com domain and whose age is not less than 18 years."
  • 18. Fine-grained: Need to achieve fine granularity without defining a large number of static combinations in the source code or database.
  • 19. Real Time: "Can user Bob transfer X amount from current account Y between 9.00am and 4.00pm?"
  • 20. Externalized, Policy based, Standardized, Attribute based, Fine-grained, Dynamic: the Authorization Solution.
  • 21. XACML: XACML is a standard, the eXtensible Access Control Markup Language.
  • 22. A standard which is ratified by the OASIS standards organization. The first meeting: 21st March 2001. XACML 1.0 - OASIS Standard - 6 February 2003. XACML 1.1 - Committee Specification - 7th August 2003. XACML 2.0 - OASIS Standard - 1 February 2005. XACML 3.0 - OASIS Standard - 10th Aug 2010.
  • 23. Policy language implemented using XML.
  • 24. Externalization is provided by the XACML reference architecture.
  • 25. Attribute Based Access Control (ABAC)
  • 26. Fine-grained authorization: Fine-grained authorization with a higher level of abstraction by means of policy sets, policies and rules.
  • 27. Real time evaluation
  • 28. XACML Implementation for ECAS: Denis was really happy as he had found the solution for all requirements. Denis thought to start implementing an XACML based authorization system for the ECAS project.
  • 29. Meeting: "Denis, it is hard to implement a XACML solution from scratch." "It is better to find an existing implementation and plug it into the ECAS project."
  • 30. Meeting: "We need a closer look at XACML... Let's have a review of it."
  • 31. Disadvantages: Performance of an XACML based authorization system would be less than the existing system. Complexity of defining and managing XACML policies. How to integrate current authorization logic into the new system as XACML policies. How to provide a standard interface to communicate with the PDP. Would the PDP be able to handle a large number (10000 - 100000) of policies? How to achieve reliability and high availability. Can XACML solutions support "What are the resources that Bob can access?"
  • 32. XACML Implementations
  • 33. An Open source XACML Implementation: "Open source XACML solution, WSO2 Identity Server. Just download and run the PDP without any configuration. How fast is that? I do not want to write mail asking for evaluation copies." "I can just write a simple XACML policy and try this out... Nice web based UI."
  • 34. WSO2 Identity Server
  • 35. WSO2 Identity Server
  • 36. Performance bottleneck: There would be less performance than traditional authorization systems. It is a trade-off for the advantages offered. But the WSO2 Identity Server team has identified this performance bottleneck and has provided a solution to overcome it to a great extent: caching technologies, and the Thrift protocol for PDP - PEP communication.
  • 37. Caching
  • 38. Load Test Figures. Environment: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS - Debian 6.0 (64bit), with a single instance of Identity Server [-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]. Policy complexity: L1: 10 rules per policy, each rule dealing with 1 attribute; L2: 100 rules per policy, each rule dealing with more than 10 attributes. Requests: one million XACML requests; XACML requests are randomly retrieved from a pool of 10 000 different requests. Resources: http://people.wso2.com/~asela/xacml_load_test/
  • 39. Load Test Result - Caching
  • 40. Load Test Result - Thrift
  • 41. Complexity of defining and managing XACML policies: Web based UI as PAP for defining and managing XACML policies.
  • 42. XACML Policy Editors: Two policy editors, Basic and Advanced.
  • 43. Integrating current authorization logics
  • 44. Standard interface for PDP and PAP: All PDP and PAP functionality has been exposed as Web services.
  • 45. Handling a large number of policies: policy distribution; on-demand policy loading.
  • 46. Reliability and High Availability: PDP clustering.
  • 47. Listing entitled resources for a user.
  • 48. What we discussed today: Identified XACML as a standard way of implementing authorization. How XACML answers the authorization requirements of your organization. What are the negative points of XACML. How WSO2 Identity Server has provided an answer for them.
  • 49. References: www.oasis-open.org/committees/xacml; http://xacmlinfo.com/; http://blog.facilelogin.com
  • 50. Q and A
  • 51. Customers
  • 52. WSO2 Engagement Model: QuickStart, Development Support, Development Services, Production Support, Turnkey Solutions, WSO2 Mobile Services Solution, WSO2 FIX Gateway Solution, WSO2 SAP Gateway Solution.
  • 53. Thank You! Contact us: bizdev@wso2.com