
2019 | Keeping Up With The Kantarians - Thomas Hardjono | Identiverse | Day 1, June 25


2019 marks Kantara's 10 year anniversary. What a ride! Kantara's provenance can help folks newer to the digital identity domain appreciate why recent history informs the current challenges. It also helps contextualize Kantara's 'raison d'être' in drawing the community together to work on a range of specifications, best practices, R&D and conformity assessment programs. This session will connect the recent past with the 'here and now' to give attendees a rich tapestry of understanding to appreciate the role of industry consortia and standards development organizations in transitioning the digital economy to a more mature state.

Published in: Technology


  1. User-Managed Access (UMA) WG Update. Thomas Hardjono – UMA Work Group, @UMAWG | Identiverse | 25 June 2019
  2. OAuth enables constrained delegation of access to apps. Roles: resource owner, client, authorization server, resource server. Benefits: • Flexible, clever API security framework • Alice can agree to app connections and also revoke them. Legend: A authorization token, D discovery.
  3. OpenID Connect does modern-day federation. Roles: resource owner, client, authorization server, resource server; in federation terms, user, relying party, identity provider (OP), standard UserInfo endpoint. Benefits: • Layers identity/authentication tech with delegation/authorization tech • Translates federated identity for mobile and the API economy. Legend: A authorization token, D discovery.
  4. To OAuth, UMA adds cross-party sharing… Roles: resource owner, requesting party, client, authorization server, resource server. Benefits: • Secure delegation • Alice can be absent when Bob attempts access • Helpful error handling for client applications
  5. …in a wide ecosystem… Benefits: • Alice controls trust between a service that hosts her resources and a service that authorizes access to them
  6. …of resource hosts. Several resource servers are protected by one authorization server. Benefits: • Resource hosts can outsource authorization management – and liability – to a specialist service • Alice can manage sharing at a centralizable service • Bob can revoke his access to Alice's resources. Legend: A authorization token, D discovery, R resource registration, P permission, I token introspection, C claims interaction.
  7. UMA user experience opportunities (resource owner UX): Opt in – at run time • Share – ahead of time • Approve – after the fact • Monitor – anytime • Withdraw – anytime
  8. Benefits for service providers: • True secure delegation; no password sharing • Scale permissioning through self-service • Resources accessed from distributed locations • Foster compliance through standards (themes: control, transparency, protection)
  9. Benefits for individuals: • Choice in sharing with other parties • Convenient sharing/approval with no outside influence • Centralizable monitoring and management • Control of who/what/how at a fine grain
  10. Known implementations (more detail at • ForgeRock – financial, healthcare, IoT, G2C… • Gluu (open source) – API protection, enterprise, G2C… • ShareMedData – healthcare • HIE of One / Trustee (open source) – healthcare • IDENTOS – healthcare, G2C • Pauldron (open source) – healthcare • RedHat Keycloak (open source) – API protection, enterprise, IoT… • WSO2 (open source) – enterprise… Interop report session upcoming at Identiverse in June
  11. UMA in a nutshell: • Developed at Kantara Initiative • V1 done in 2015, V2 done in 2018 • Leverages existing open standards: OAuth2; OpenID Connect and SAML (optional but popular) • Specs contributed to IETF OAuth WG in Feb • Profiled by multiple industry sectors: financial, healthcare, government • UMA business model effort supports legal licensing for personal digital assets • Some 1:1 interop testing done; more soon?
  12. About IDENTOS. Products in: mobile authentication, data encryption, compliance management. Segments: healthcare, government, finance, education, IoT, B2C. Community of Practice.
  13. IDENTOS: We put people first to protect and authorize access to (private) data beyond the enterprise. Authenticate digital identities across a zero-knowledge, privacy-respecting UMA 2.0 server. Enable trusted digital ecosystems and marketplaces, anywhere, anytime. Provide explicit compliance with authorization and consent management on demand. Distribute security with decentralized access in a mobile wallet.
  14. Niagara – Patient Digital Health Experience: delivering a mobile-first digital experience for patients, leveraging Niagara Hospital infrastructure to access all of the region's digital health services, with a seamless consent experience for digital applications accessing their health data. Why UMA? Why IDENTOS? • User-directed sharing of health data • Sharing from party to party • Relying party integration (OAuth 2) • Choice of authorization server • Fine-grained control of resources • Mobile Wallet, Discovery & SSO • Privacy-respecting Authorization Server • Reduced cost/effort with Hub/Spoke pattern • Centralized resource definition/governance • Revocation and enforcement
  15. Result: User-Centric Digital Ecosystem – trusted connectivity, discoverability, secure & private, better care; connecting digital service providers with patient data.
  16. Designed for an ecosystem of service providers
  17. Resource Owner: Legal Advantages • Legal tool: Resource [RIGHTS] Owner – protected resources: many categories • Data Subject – natural person; legal person • Representative of Data Subject – appointment by law (e.g. parent/guardian of a minor); designation by Data Subject (e.g. power of attorney/personal representative/executor)
  18. Authorization Server: Legal Advantages • Legal tool: agent of Resource Owner • Scalable – extension of person/legal person in space; extension of person/legal person in time • Relational trust – UMA as a process for mediating relationships • Fiduciary duties
  19. UMA Consent Management: Legal Advantages • Legal tool: permissions/consent as a LICENSE – UMA tokens functioning as licenses; machine-readable (e.g. Creative Commons copyright licenses, Common Accord legal consent forms) • Asynchronous permission/consent granting – access, collection, use, transfer, and destruction • Dynamic and diachronic policy enforcement – GDPR compliance
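The grant that slides 4 to 6 diagram, as an added example that is not part of the deck or of any implementation it lists: the resource server registers Alice's resource (R) and requests a permission ticket (P) when an unauthorized client shows up, the client redeems the ticket with Bob's pushed claims (C), the authorization server applies the policy Alice set ahead of time and issues an RPT (A), and the resource server introspects that RPT before serving (I). The policy model, the `set_policy` and `revoke` helpers and the `https://as.example` URL are assumptions for the simulation.

```python
# Added example (not from the slides): an in-memory walk through the UMA 2.0 grant that the
# diagrams label R (resource registration), P (permission ticket), C (claims), A (RPT), I (introspection).
import secrets
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

class AuthorizationServer:
    def __init__(self):
        self.resources, self.policies, self.tickets, self.rpts = {}, {}, {}, {}
    def register_resource(self, owner, scopes):           # R: RS registers Alice's resource
        rid = secrets.token_hex(8)
        self.resources[rid] = {"owner": owner, "resource_scopes": set(scopes)}
        return rid
    def set_policy(self, rid, email, scopes):              # Alice shares ahead of time (assumed model)
        self.policies[rid] = {"email": email, "scopes": set(scopes)}
    def request_permission(self, rid, scopes):             # P: RS describes the attempted access
        if not set(scopes) <= self.resources[rid]["resource_scopes"]:
            return {"error": "invalid_scope"}
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource_id": rid, "resource_scopes": set(scopes)}
        return {"ticket": ticket}
    def token(self, grant_type, ticket, claims):           # C + A: client pushes Bob's claims
        perm = self.tickets.pop(ticket, None)              # tickets are single-use
        if grant_type != UMA_GRANT or perm is None:
            return {"error": "invalid_grant"}
        policy = self.policies.get(perm["resource_id"], {})
        granted = perm["resource_scopes"] & policy.get("scopes", set())
        if claims.get("email") != policy.get("email") or not granted:
            return {"error": "request_denied"}            # decided by policy; Alice is absent
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"active": True, "permissions": [
            {"resource_id": perm["resource_id"], "resource_scopes": sorted(granted)}]}
        return {"access_token": rpt, "token_type": "Bearer"}
    def introspect(self, rpt):                             # I: RFC 7662-shaped response
        return self.rpts.get(rpt, {"active": False})
    def revoke(self, rpt):                                 # Bob (or Alice) withdraws access
        self.rpts.pop(rpt, None)

class ResourceServer:
    def __init__(self, as_):
        self.as_ = as_
    def access(self, rid, scope, rpt=None):                # serve only if the RPT covers rid+scope
        info = self.as_.introspect(rpt) if rpt else {"active": False}
        if info["active"] and any(p["resource_id"] == rid and scope in p["resource_scopes"]
                                  for p in info["permissions"]):
            return {"status": 200}
        resp = self.as_.request_permission(rid, [scope])   # otherwise 401 plus a permission ticket
        if "error" in resp:
            return {"status": 400, **resp}
        return {"status": 401, "WWW-Authenticate":         # as_uri is a placeholder
                f'UMA realm="example", as_uri="https://as.example", ticket="{resp["ticket"]}"'}
```

A ticket that was redeemed once is rejected on replay, and an RPT granted for `view` does not let the same client reach `edit`; after `revoke` the introspection comes back inactive and the resource server falls back to issuing a fresh ticket.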