Adding Identity Management and Access Control to your Application
Álvaro Alonso
UPM – DIT
Security Chapter. FIWARE
1. Adding Identity Management and Access Control to your Application
   Álvaro Alonso
   UPM – DIT
   Security Chapter. FIWARE
   aalonsog@dit.upm.es, @larsonalonso

2. Identity Manager

3. Identity Manager
   (diagram: Account)

4. Agenda
   • FIWARE Lab Accounts
     – Account types
     – Creating an account
     – Upgrading your account
   • Using FIWARE Lab Cloud Infrastructure
   • Registering an application
     – OAuth2 protocol
     – Application example
   • Using FIWARE GEs from your application
   • Securing your backend
   • Security GEs

5. FIWARE Lab Accounts
   • Basic
     – Manage organizations
     – Register applications
     – Use Cloud if other users authorize them
   • Trial
     – Cloud 14 days Trial period
     – Spain2 region
   • Community
     – Cloud during 9 months
     – Assigned region

6. FIWARE Lab Accounts
   (diagram: account types Basic, Trial and Community, with numbered steps 1 to 7)

7. FIWARE Account (Identity Manager) Demo

8. Using FIWARE Lab Cloud Infrastructure
   • If you are a Trial or a Community user
     – Your Cloud organization is “purchaser” of the Cloud application
     – You can authorize other users in your organization
   • If you are a Basic user
     – Upgrade to Trial (if available)
     – Apply for a Community account
     – Ask a Trial or Community user to authorize you in their Cloud organization
   • Developers week…
     – Request a Trial account at fiware-developers-week@lists.fiware.org

9. Using FIWARE Lab Cloud Infrastructure
   • To authorize another user in your Cloud organization:
     1. Access the Account Portal and log in
     2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the upper left corner
     3. Go to "Members" in the left side panel
     4. Add the user you want to authorize as a member of the organization using the "Manage" button
     5. Authorize the user inside the Cloud application, giving them the role "Member", using the "Authorize" button

10. Using FIWARE Lab Cloud Infrastructure Demo

11. (diagram: Account)

12. OAuth 2.0

13. OAuth 2.0
    (diagram: "Login with" button)

14. OAuth 2.0 Message Flow
    (diagram: Web App with OAuthLibrary and Account; messages: redirect, access-code, request access-token, access-token, request user info using access-token)

15. OAuth 2.0 Libraries
    • http://oauth.net/2/
      – PHP, Cocoa, iOS, Java, Ruby, Javascript, Python.
    • Example using Node.js
      – https://github.com/ging/oauth2-example-client
16. OAuth 2.0 Demo

17. Web Applications and GEs
    (diagram: Web App with OAuthLibrary, Account and Generic Enabler; OAuth2 flows, access_token, Request + access-token, access-token, OK + user info (roles))

18. Web Applications and GEs
    GET https://GE_URL HTTP/1.1
    Host: GE_hostname
    X-Auth-Token: access_token

19. Securing your back-end
    (diagram: Web App with OAuthLibrary, Account, PEP Proxy and back-end Apps; OAuth2 flows, access_token, Request + access-token, access-token, OK + user info (roles))

20. Securing your back-end
    • Level 1: Authentication
      – Check if a user has a FIWARE account
    • Level 2: Basic Authorization
      – Check if a user has permissions to access a resource
      – HTTP verb + resource path
    • Level 3: Advanced Authorization
      – Custom XACML policies

21. Level 1: Authentication
    (diagram: Web App with OAuthLibrary, Account, PEP Proxy and back-end Apps; OAuth2 flows, access_token, Request + access-token, access-token, OK + user info (roles))

22. Level 2: Basic Authorization
    (diagram: as slide 21, plus Auth PDP GE; the PEP Proxy sends roles + verb + path to the PDP and receives OK)

23. Level 3: Advanced Authorization
    (diagram: as slide 21, with a PEP Proxy extension and Auth PDP GE; the PEP Proxy sends roles + XACML <Request> to the PDP and receives OK)
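Levels 1 and 2 from slide 20, as an added example that is not code from the Wilma PEP Proxy or the AuthZForce PDP: a single PEP decision function that first asks the Account whether the X-Auth-Token belongs to a FIWARE account (Level 1) and then asks a PDP whether the user's roles permit this HTTP verb on this resource path (Level 2). The token table, the role-to-permission table, the API paths and the header format are constructed stand-ins for the real Account and PDP calls. One caveat the example handles: the path is normalised (dot-segments collapsed, query string removed) before it is matched, so the verb + path check is made on the path the back-end would actually see. Level 3 (XACML policies) is not implemented here.

```javascript
// Added example: PEP Proxy decision logic for Level 1 (authentication) and
// Level 2 (role + HTTP verb + resource path). All data below is constructed.

// Stand-in for the Account's token-validation call: token -> user info (roles)
const validTokens = {
  'tok-alice': { id: 'alice', roles: ['Viewer'] },
  'tok-bob':   { id: 'bob',   roles: ['Viewer', 'Editor'] },
};
function accountValidate(token) {
  return validTokens[token] || null;
}

// Stand-in for the Authorization PDP: role -> permitted (verb, path pattern) pairs
const permissions = {
  Viewer: [{ verb: 'GET',  path: /^\/api\/sensors(\/[^/]+)?$/ }],
  Editor: [{ verb: 'POST', path: /^\/api\/sensors$/ },
           { verb: 'PUT',  path: /^\/api\/sensors\/[^/]+$/ }],
};
function pdpDecide(roles, verb, path) {
  return roles.some(role =>
    (permissions[role] || []).some(p => p.verb === verb && p.path.test(path)));
}

// The PEP: takes a request as the Web App sends it (header names lower-cased,
// as Node's http module does) and returns either the forwarded request or a
// 401 (Level 1 failed) / 403 (Level 2 failed) decision with its reason.
function pepHandle(req) {
  const token = req.headers['x-auth-token'];
  if (!token) return { status: 401, reason: 'missing X-Auth-Token' };

  // Level 1: does this access-token belong to a FIWARE account?
  const user = accountValidate(token);
  if (!user) return { status: 401, reason: 'token not recognised by Account' };

  // Level 2: normalise the path, then check roles + verb + path with the PDP
  const verb = req.method.toUpperCase();
  const path = new URL(req.path, 'http://pep.local').pathname;
  if (!pdpDecide(user.roles, verb, path)) {
    return { status: 403, reason: `roles ${user.roles.join(',')} may not ${verb} ${path}` };
  }

  // Allowed: forward to the back-end with the authenticated identity attached
  return { status: 200, forwarded: { method: verb, path, user: user.id, roles: user.roles } };
}
```

With these tables, `pepHandle` forwards a Viewer's `GET /api/sensors/1`, rejects the same user's `POST /api/sensors` with 403, rejects a missing or unknown token with 401, and maps `GET /api/sensors/../../admin?x=1` to `/admin` before deciding, so a traversal-style path cannot slip past a pattern written for `/api/sensors`.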
24. FIWARE PEP Proxy Demo

25. Security GEs – IdM - KeyRock
    • Keystone + Horizon + Extensions
    • APIs
      – OAuth2
      – Keystone v3
      – SCIM 2.0
    • Source Code
      – https://github.com/ging/fi-ware-idm
    • Documentation
      – http://catalogue.fiware.org/enablers/identity-management-keyrock
    • FIWARE OAuth2 Demo:
      – https://github.com/ging/oauth2-example-client

26. Security GEs – Authorization PDP - AuthZForce
    • Policy Decision Point
    • Policy Administration Point
    • XACML 3.0
    • Documentation
      – http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation

27. Security GEs – PEP Proxy - Wilma
    • Policy Enforcement Point
    • Compatible with OAuth2 and Keystone tokens
    • Source code:
      – https://github.com/ging/fi-ware-pep-proxy
    • Documentation
      – http://catalogue.fiware.org/enablers/pep-proxy-wilma

28. Security GEs
    • Privacy GE
    • Cyber Sec GE
    • Trustworthy Factory GE

29. Adding Identity Management and Access Control to your Application
    Álvaro Alonso
    UPM – DIT
    Security Chapter. FIWARE
    aalonsog@dit.upm.es, @larsonalonso