Securing FIWARE Architectures
Jason Fox, Senior Technical Evangelist
FIWARE Foundation
Learning Goals
What are Identity Management and Access Control?
Which FIWARE components will you need?
What are Authentication and Authorization?
How do they differ?
What is OAuth2? What flows are supported?
What is a PEP Proxy? What does it do?
What is a PDP and when will I need one?
What terms such as RBAC, PBAC and XACML mean and how are they used?
FIWARE Catalogue
(diagram of the catalogue: Core Context Management (Context Broker); Context Processing, Analysis, Visualization; Interface to IoT, Robotics and third party systems; Data/API Management, Publication, Monetization; Deployment tools)
● Development of Context-aware applications (Orion, STH-Comet, Cygnus, QuantumLeap, Draco)
● Connection to the Internet of Things (IDAS, OpenMTC)
● Real-time processing of context events (Perseo)
● Handling authorization and access control to APIs (Keyrock, Wilma, AuthZForce, APInf)
● Publication and Monetization of Context Information (CKAN extensions, Data/API Biz Framework, IDRA)
● Creation of Application Dashboards (Wirecloud)
● Real-time Processing of media streams (Kurento)
● Business Intelligence (Knowage)
● Connection to robots (Fast RTPS, Micro XRCE-DDS)
● Big Data Context Analysis (Cosmos)
● Cloud Edge (FogFlow)
● Documents exchange (Domibus)
IAM Generic Enablers
Identity & Access Control Management
● Keyrock – Identity Management
● Wilma – PEP Proxy
● AuthZForce – Authorization PDP
Keyrock
Main features
Web interface and REST API for managing identity
● Users, devices and groups management
● OAuth 2.0-based Single Sign On
● Application-scoped roles and permissions management
● Support for local and remote PAP/PDP
● JSON Web Tokens (JWT) and Permanent Tokens support
● MySQL / PostgreSQL and external DB driver
● European eID authentication compatibility (CEF eIDAS)
Keyrock : Identity Management
● Application - A securable FIWARE application consisting of a series of microservices
● User - Any human actor interacting with a FIWARE Application
● Organization - A group of users who can be assigned a series of rights
● Organization Role - An association allowing certain users to administer all rights
Other Actors
● PEP Proxy - A proxy for use between generic enablers, challenging the rights of a user
● IoT Agent - A proxy between IoT Sensors and the Context Broker
RBAC
● Role - A descriptive bucket for a set of permissions, assignable to either a single user or an organization
● Permission - An ability to do something on a resource within the system
Keyrock : Identity Manager
● Offers GUI-based or API-based interaction to administrate users, roles and permissions.
● Allows admins to associate users to roles, roles to applications etc.
● The API is a simple REST API enabling simple CRUD actions via the usual HTTP verbs.
● Simple Policy Decision Point (PDP) also available.
OAuth 2 : Common Grant Types
OAuth 2.0 is the industry-standard protocol for authorization (https://oauth.net/2/); several common grant types are defined.
User Credentials Grant
● A User wants to log into an application via a web-app client
● The web-app client is absolutely trusted
Authorization Code Grant
● Application doesn’t need to store or use passwords directly
● Just needs to confirm who the user is from a trusted source
Implicit Grant
● Retrieves access token directly
● Simplified form, used by some client side applications
Client Credentials Grant
● No user involved
● Used when the application itself, not the user, needs access
Refresh Token
● Exchange a token for a new one
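To make the grant types above concrete, here is an added example (not Keyrock's code) of a toy token endpoint. The client authenticates with its client id and secret in an HTTP Basic header and posts the grant parameters in the form body, which is the request shape Keyrock's /oauth2/token endpoint expects as well. The client registrations, the user, all secrets and the token lifetimes are constructed for this example. The implicit grant is left out: it hands the access token back in the browser redirect, and the OAuth 2.0 Security Best Current Practice recommends the authorization code grant in its place.

```python
"""Toy OAuth 2.0 token endpoint covering the grant types named on the slides.

Added example, not Keyrock code. The registered clients, the user and all
secrets below are constructed sample data; tokens are random strings kept
in memory, and a real server would persist and expire them.
"""
import base64
import hmac
import secrets
import time

# Constructed client registrations: each client is allowed only the grants it needs.
CLIENTS = {
    "tutorial-app": {"secret": "tutorial-secret",
                     "grants": {"password", "authorization_code", "refresh_token"}},
    "batch-job": {"secret": "batch-secret", "grants": {"client_credentials"}},
}
USERS = {"alice": "alice-password"}   # constructed; a real IdM stores password hashes

ACCESS_TTL = 3600            # seconds
REFRESH_TTL = 14 * 86400


def basic_header(client_id, secret):
    """The Authorization header a client sends to the token endpoint (RFC 6749 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


class TokenEndpoint:
    """In-memory authorization server with POST /oauth2/token semantics."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}    # access token -> {"sub", "client", "exp"}
        self.refresh = {}   # refresh token -> {"sub", "client", "exp"}
        self.codes = {}     # authorization code -> {"sub", "client"}, single use

    def _authenticate_client(self, authorization):
        """Return the client id if the Basic credentials are valid, else None."""
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], secret):
            return None
        return client_id

    def issue_code(self, client_id, sub):
        """Authorization Code grant, step 1: the code handed back after the user logs in."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": sub, "client": client_id}
        return code

    def _issue(self, client_id, sub):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = {"sub": sub, "client": client_id, "exp": now + ACCESS_TTL}
        self.refresh[refresh] = {"sub": sub, "client": client_id, "exp": now + REFRESH_TTL}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def token(self, authorization, form):
        """Handle a token request; returns (http_status, json_body)."""
        client_id = self._authenticate_client(authorization)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant not in CLIENTS[client_id]["grants"]:
            return 400, {"error": "unauthorized_client"}

        if grant == "password":              # "User Credentials" on the slide: trusted clients only
            stored = USERS.get(form.get("username", ""))
            if stored is None or not hmac.compare_digest(stored, form.get("password", "")):
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, form["username"])

        if grant == "client_credentials":    # no user involved: the subject is the client itself
            return 200, self._issue(client_id, client_id)

        if grant == "authorization_code":    # step 2: the app swaps the code for tokens
            pending = self.codes.pop(form.get("code", ""), None)
            if pending is None or pending["client"] != client_id:
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, pending["sub"])

        if grant == "refresh_token":         # exchange a token for a new one; the old one is retired
            old = self.refresh.pop(form.get("refresh_token", ""), None)
            if old is None or old["client"] != client_id or old["exp"] < self.clock():
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, old["sub"])

        return 400, {"error": "unsupported_grant_type"}

    def subject_of(self, access_token):
        """What a PEP asks the IdM: whose token is this, or None if unknown or expired."""
        info = self.access.get(access_token)
        if info is None or info["exp"] < self.clock():
            return None
        return info["sub"]
```

Each `token()` call returns the HTTP status and JSON body a real endpoint would send, so the error cases are visible: a wrong client secret gives `invalid_client`, a grant the client was not registered for gives `unauthorized_client`, and a reused authorization code or refresh token gives `invalid_grant` because both are consumed on first use.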
Wilma
Main features
PEP Proxy for securing service backends
● Basic and complex AC policies support
● OAuth 2.0 Access Tokens support
● JSON Web Tokens (JWT) support
● Custom PDP configuration
● Integrated with API Management tools
o APInf & API Umbrella
o Kong
Wilma : PEP Proxy
● Offers a Policy Execution Point (PEP) to protect other microservices
● Request must provide an X-Auth-Token header signifying who (or what) is making the request.
○ Token is obtained via an OAuth flow
● PEP Proxy passes information on to a Policy Decision Point (such as Keyrock) to make a permit/deny decision on the request.
● Keyrock PDP adjudicates based on authentication or Role-based Access Control (RBAC)
AuthZForce
Main features
PAP and PDP Server for managing complex AC policies
● XACML-3.0 standard-compliant
● Cloud-ready RESTful ABAC framework with XML optimization
● Multi-tenant REST API for PDP and PAP
● Standards:
o OASIS: XACML 3.0 + Profiles (REST, RBAC, Multiple Decision)
o ISO: Fast Infoset
● Extensible to attribute providers (PIP), functions, etc.
Authzforce : Policy-based Access Control
● PEP Proxy passes information on to a Policy Decision Point to make a permit/deny decision on the request.
○ Keyrock declines to adjudicate
○ Authzforce is used to make the final decision
● Authzforce is an XACML Server offering Policy-Based Access Control (PBAC):
○ Policies written in XML
○ Policies can be complex
○ Policies can be altered on the fly
● Use Authzforce for fine-grained access control.
XACML - Defining Complex Access Policies
● XACML policies are split into a hierarchy:
○ <PolicySet>
■ <Policy>
● <Rule>
● A <Rule> element consists of a <Target> and a <Condition>.
● Each <Rule> within a <Policy> is evaluated as to whether it should grant access to a resource.
● The overall <Policy> result is defined by the result of all <Rule> elements processed in turn.
● Separate <Policy> results are then evaluated against each other using combining algorithms, which define which <Policy> wins in case of conflict.
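As an added example (not AuthZForce code), the following minimal PDP walks exactly this hierarchy: it parses a constructed XACML 3.0 PolicySet holding two Policies, evaluates each Rule's Target and Condition against the request attributes, combines the Rules with the Policy's RuleCombiningAlgId, and combines the Policies with the PolicySet's PolicyCombiningAlgId. The policy, the attribute ids (role, action, maintenance) and the requests are constructed for the example; the evaluator implements only the string-equal and string-one-and-only functions and three combining algorithms, ignores attribute categories, and does not model the Indeterminate decision.

```python
"""Minimal XACML 3.0 PDP for the PolicySet > Policy > Rule hierarchy on the slide.

Added example, not AuthZForce code. Implements string-equal matches, string-one-and-only
conditions and deny-overrides / permit-overrides / first-applicable; a missing attribute
gives NotApplicable, not Indeterminate. The PolicySet below (a role policy that permits,
a maintenance policy that denies writes) and the requests are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ALG = "urn:oasis:names:tc:xacml:3.0:%s-combining-algorithm:%s"   # only the suffix is interpreted below
FN = "urn:oasis:names:tc:xacml:1.0:function:%s"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:%s"
POLICY_SET = f"""<PolicySet xmlns="{NS['x']}" PolicySetId="constructed:sensor-api" Version="1.0"
           PolicyCombiningAlgId="{ALG % ('policy', 'deny-overrides')}">
  <Policy PolicyId="constructed:roles" Version="1.0" RuleCombiningAlgId="{ALG % ('rule', 'permit-overrides')}">
    <Rule RuleId="managers-may-do-anything" Effect="Permit">
      <Target><AnyOf><AllOf><Match MatchId="{FN % 'string-equal'}">
        <AttributeValue DataType="{STR}">manager</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="role" DataType="{STR}" MustBePresent="false"/>
      </Match></AllOf></AnyOf></Target>
    </Rule>
    <Rule RuleId="anyone-may-read" Effect="Permit">
      <Target><AnyOf><AllOf><Match MatchId="{FN % 'string-equal'}">
        <AttributeValue DataType="{STR}">GET</AttributeValue>
        <AttributeDesignator Category="{CATEGORY % 'action'}" AttributeId="action" DataType="{STR}" MustBePresent="false"/>
      </Match></AllOf></AnyOf></Target>
    </Rule>
  </Policy>
  <Policy PolicyId="constructed:maintenance" Version="1.0" RuleCombiningAlgId="{ALG % ('rule', 'deny-overrides')}">
    <Rule RuleId="no-writes-during-maintenance" Effect="Deny">
      <Target><AnyOf><AllOf><Match MatchId="{FN % 'string-equal'}">
        <AttributeValue DataType="{STR}">PATCH</AttributeValue>
        <AttributeDesignator Category="{CATEGORY % 'action'}" AttributeId="action" DataType="{STR}" MustBePresent="false"/>
      </Match></AllOf></AnyOf></Target>
      <Condition><Apply FunctionId="{FN % 'string-equal'}">
        <AttributeValue DataType="{STR}">true</AttributeValue>
        <Apply FunctionId="{FN % 'string-one-and-only'}">
          <AttributeDesignator Category="{CATEGORY % 'environment'}" AttributeId="maintenance" DataType="{STR}" MustBePresent="false"/>
        </Apply>
      </Apply></Condition>
    </Rule>
  </Policy>
</PolicySet>"""

def _eval(el, req):
    """Expression evaluator: designators return bags (sets), values strings, functions results."""
    tag = el.tag.split("}")[1]
    if tag == "AttributeValue":
        return el.text
    if tag == "AttributeDesignator":   # Category is not checked in this toy
        return req.get(el.get("AttributeId"), set())
    fn = el.get("FunctionId").rsplit(":", 1)[1]
    args = [_eval(child, req) for child in el]
    if fn == "string-one-and-only":
        return next(iter(args[0])) if len(args[0]) == 1 else None
    if fn == "string-equal":
        return args[0] is not None and args[0] == args[1]
    raise ValueError("unsupported function " + fn)

def _target_applies(node, req):
    """<Target>: AND over <AnyOf>, OR over <AllOf>, AND over <Match>; an absent Target applies."""
    target = node.find("x:Target", NS)
    return target is None or all(
        any(all(_eval(m[0], req) in _eval(m[1], req) for m in allof) for allof in anyof)
        for anyof in target)

def _combine(alg_id, decisions):
    """deny-/permit-overrides: that effect wins if present; otherwise (and for first-applicable) first applicable."""
    applicable = [d for d in decisions if d != "NotApplicable"]
    winner = {"deny-overrides": "Deny", "permit-overrides": "Permit"}.get(alg_id.rsplit(":", 1)[1])
    if winner in applicable:
        return winner
    return applicable[0] if applicable else "NotApplicable"

def evaluate(node, req):
    """Permit / Deny / NotApplicable for a <Rule>, <Policy> or <PolicySet>."""
    if not _target_applies(node, req):
        return "NotApplicable"
    kind = node.tag.split("}")[1]
    if kind == "Rule":
        cond = node.find("x:Condition", NS)
        if cond is not None and _eval(cond[0], req) is not True:
            return "NotApplicable"
        return node.get("Effect")
    if kind == "Policy":
        alg, children = node.get("RuleCombiningAlgId"), node.findall("x:Rule", NS)
    else:
        alg = node.get("PolicyCombiningAlgId")
        children = [c for c in node if c.tag.split("}")[1] in ("Policy", "PolicySet")]
    return _combine(alg, [evaluate(c, req) for c in children])

def decide(role, action, maintenance="false", policy_xml=POLICY_SET):
    """PDP entry point; a PEP enforces only 'Permit' (anything else is denied)."""
    request = {"role": {role}, "action": {action}, "maintenance": {maintenance}}
    return evaluate(ET.fromstring(policy_xml), request)
```

With deny-overrides at the PolicySet, a manager's PATCH is permitted by the roles policy but denied as soon as the maintenance attribute is "true", because the Deny from the second Policy wins the conflict; swapping the PolicySet algorithm to first-applicable lets the roles policy win instead, which is the point the slide makes about combining algorithms. A viewer's PATCH matches no Rule at all and comes back NotApplicable, which a PEP must treat as a denial.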
Identity and AC Management
OAuth 2.0 flow
(diagram)
Accessing GEs and services
(diagram: OAuth2 flow; Request + token; Check auth)
● Level 1: Authentication
o Check if a user has been authenticated
● Level 2: Basic Authorization
o Checks if a user has permissions to access a resource
o HTTP verb + resource path
● Level 3: Advanced Authorization
o Custom XACML policies
Level 1: Authentication
(diagram: IAM Infrastructure with IdM; Service Application; PEP; Service Backend; OAuth2 flow; Request + token; Check token)
Level 2: Basic Authorization
(diagram: IAM Infrastructure with IdM, PAP and PDP; Service Application; PEP; Service Backend; OAuth2 flow; Request + token; Check token)
Level 3: Advanced Authorization
(diagram: IAM Infrastructure with IdP, PAP, Policies DB and PDP; Service Application; PEP; Service Backend; OAuth2 flow; Request + token; Check token; Check auth)
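The three levels correspond to the checks the PEP makes before a request reaches the backend. The following is an added example (not Wilma's or Keyrock's code) of that logic for Levels 1 and 2, combining the X-Auth-Token handling from the Wilma slide with the Level 2 rule of HTTP verb plus resource path: the proxy requires the header, asks a PDP whom the token belongs to, and at Level 2 asks whether one of the subject's roles holds a permission matching the request. The token table, the application model (permissions, roles, assignments), the backend stub and the X-Subject forwarding header are all constructed for this example.

```python
"""PEP proxy logic for Level 1 (authentication) and Level 2 (verb + path
authorization), with an in-memory stand-in for the Keyrock PDP.

Added example, not Wilma or Keyrock code. The token table, the application
(permissions, roles, assignments), the backend and the X-Subject header are
constructed here; a real PEP asks the IdM over HTTP instead of local dicts.
"""
import re
from urllib.parse import urlsplit

# Constructed: tokens the IdM has issued and the subject each one belongs to.
TOKENS = {"tok-alice-1234": "alice", "tok-agent-5678": "iot-agent-01"}

# Constructed Keyrock-style application model. A permission is an HTTP verb
# plus a resource-path pattern; roles bundle permissions; subjects hold roles.
APPLICATION = {
    "permissions": {
        "read-entities":   ("GET",   r"/v2/entities(/[^/]+)?"),
        "update-attrs":    ("PATCH", r"/v2/entities/[^/]+/attrs"),
        "create-entities": ("POST",  r"/v2/entities"),
    },
    "roles": {
        "viewer":  {"read-entities"},
        "device":  {"update-attrs"},
        "manager": {"read-entities", "update-attrs", "create-entities"},
    },
    "assignments": {"alice": {"viewer"}, "iot-agent-01": {"device"}},
}


class SimplePdp:
    """Answers the two questions a PEP asks: who is this, and may they do that?"""

    def __init__(self, tokens, application):
        self.tokens = tokens
        self.app = application

    def authenticate(self, token):
        """Level 1: map a token to a subject, or None if the IdM does not know it."""
        return self.tokens.get(token)

    def authorize(self, subject, verb, path):
        """Level 2: permit only if some role of the subject grants verb + path."""
        for role in self.app["assignments"].get(subject, ()):
            for permission in self.app["roles"].get(role, ()):
                p_verb, pattern = self.app["permissions"][permission]
                if p_verb == verb and re.fullmatch(pattern, path):
                    return True
        return False


class PepProxy:
    """Sits in front of the backend; every request must carry X-Auth-Token."""

    def __init__(self, pdp, backend, level=2):
        self.pdp, self.backend, self.level = pdp, backend, level

    def handle(self, method, url, headers):
        """Return (status, body) from the backend, or the PEP's own 401/403."""
        token = headers.get("X-Auth-Token")
        if not token:
            return 401, "missing X-Auth-Token header"
        subject = self.pdp.authenticate(token)
        if subject is None:
            return 401, "token not recognised by the IdM"
        verb, path = method.upper(), urlsplit(url).path   # the query string never reaches the policy check
        if self.level >= 2 and not self.pdp.authorize(subject, verb, path):
            return 403, f"{subject} may not {verb} {path}"
        # Forward with the caller's identity so the backend need not re-check it.
        # X-Subject is a hypothetical header name chosen for this example.
        forwarded = {k: v for k, v in headers.items() if k != "X-Auth-Token"}
        forwarded["X-Subject"] = subject
        return self.backend(verb, path, forwarded)


def demo_backend(verb, path, headers):
    """Constructed stand-in for the protected service behind the proxy."""
    return 200, f"{headers['X-Subject']} did {verb} {path}"


def make_pep(level=2):
    """A proxy wired to the constructed PDP and backend at the given level."""
    return PepProxy(SimplePdp(TOKENS, APPLICATION), demo_backend, level=level)
```

A Level 1 proxy (`make_pep(level=1)`) forwards any authenticated caller, so the IoT agent could create entities; the Level 2 proxy confines each subject to the verb and path pairs its roles grant. The pattern is matched with `re.fullmatch` against the path only, so neither a trailing segment nor a query string can widen a permission.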
Identity and AC Management
JSON Web Tokens
● A JSON Web Token (JWT) is a JSON object defined in RFC 7519 as a safe way to represent a set of information between two parties.
● The token is composed of a header, a payload, and a signature.
(figure: a token shown Encoded and Decoded)
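Added example, not Keyrock code: encoding, decoding and verifying an HS256 JWT with the Python standard library. The decode function shows why the "Decoded" view on the slide needs no key, since header and payload are only base64url-encoded; the verify function shows what a PEP must check before trusting the claims (algorithm pinned to what the verifier expects, signature over header and payload, expiry). The shared secret, the claims and the tokens are constructed.

```python
"""Encode, decode and verify an HS256 JSON Web Token (RFC 7519) with the standard library.

Added example, not Keyrock code. The signing secret, the claims and the sample
tokens are constructed; a PEP that accepts JWTs issued by an IdM would check
them the same way with the secret or public key configured for the application.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(payload, secret, header=None):
    """Build header.payload.signature; the signature covers the first two parts."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signature = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(signature)])


def decode_unverified(token):
    """The 'Decoded' view: header and payload are base64url text, not encrypted."""
    h64, p64, _ = token.split(".")
    return json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))


def verify_hs256(token, secret, now=None):
    """Return the payload if the token is well-formed, signed with `secret` and unexpired."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the verifier decides, never the token ("alg":"none", key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg') if isinstance(header, dict) else None!r}")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def verdict(token, secret, now=None):
    """What a PEP would log: 'ok:<sub>' or 'reject:<reason>'."""
    try:
        return "ok:" + str(verify_hs256(token, secret, now)["sub"])
    except ValueError as exc:
        return "reject:" + str(exc)
```

The order of checks matters: the algorithm is compared against the verifier's own expectation before any signature work, the signature is checked before the payload is parsed or trusted, and only then are time-based claims such as `exp` evaluated. Editing a single payload byte, signing with a different secret, or presenting an unsigned token with `"alg":"none"` all end in a rejection.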
eID Integration
CEF eIDAS
● eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation to enable secure and seamless electronic interactions between businesses, citizens and public authorities.
● Access to European services by national eID
(diagram: eIDAS nodes for country 1, country 2 and country 3; a User from country 2 accessing a Service with a national eID)
eID Integration
FIWARE Identity Gateway
● Integration of FIWARE Security Framework with eIDAS
● Every application registered in Keyrock can be linked to an eIDAS node
o By an OAuth 2.0 – SAML2 gateway
● Users can then authenticate using their national eID
o AC policies based on user eIDAS profile
● Transparent for application providers
(diagram: IAM Infrastructure with IdP; Service Application making OAuth 2.0 requests, receiving an access-token and making a User info request; SAML flow for Authentication against eIDAS node 1 / IdP 1, eIDAS node 2 / IdP 2, …)
Data Usage Control
● Security Framework and Data Usage Control
o Ensures data sovereignty
o Regulates what is allowed to happen with the data (future usage).
● Integration with Big Data and Processing GEs
Summary: Terms
Identity Management ensures that only the right individuals get access to resources
• Usernames, passwords
• Roles and permissions
• etc.
Access Control is the selective restriction of access to resources
Authentication is a mechanism to confirm you are who you claim to be, i.e. Who are you?
Authorization is a mechanism to ensure you have permission to access a resource, i.e. Is X allowed to do Y to Z?
Authorization can be either Role Based (RBAC) or Policy Based (PBAC)
When attempting to gain access you pass the PEP - Policy Execution Point
You are either granted or denied access by a PDP - Policy Decision Point
Administrators can set up rules using a PAP - Policy Administration Point
Summary: FIWARE Generic Enablers
Keyrock - Identity Management to know who can do what
• GUI based or API based
• Supports human and machine users (such as IoT Agents)
• Flexible Role-based administration
• Multi-Tenant
• OAuth2 Compliant
• Simple PDP - Authentication or RBAC Authorization
Wilma PEP Proxy - Gatekeeper to confirm permissions prior to access
• User identified via a header within the request
• Links to either Keyrock or Authzforce
• Code can be extended for advanced scenarios
Authzforce - Adjudicator to either permit or deny when given information
• XACML based ruleset can be modified on the fly
• Used in advanced scenarios (PBAC Authorization)
Alternatives are available, e.g. Keystone, Steelskin, IDSA Security
• Always use the most appropriate tools for your use-case
Security GEs documentation
● FIWARE Catalogue
o https://www.fiware.org/developers/catalogue
● FIWARE Academy
o https://fiware-academy.readthedocs.io/en/latest/index.html
● Identity Management – Keyrock
o Repo: https://github.com/ging/fiware-idm
● PEP Proxy – Wilma
o Repo: https://github.com/ging/fiware-pep-proxy
● Authorization PDP – AuthZForce
o Repo: https://github.com/authzforce/server
Thank you!
http://fiware.org
Follow @FIWARE on Twitter
