Opensource Authentication and Authorization

14,241 views

2 Comments
  • Good stuff Allan!
  • Great presentation about how important single sign on is for users of applications on the web today! The typical user is not going to remember different user names and passwords for the dozens of different sites they have accounts with.

  1. Open Source Authentication & Authorization. Allan Foster, ForgeRock, allan.foster@forgerock.com. Wednesday, March 9, 2011
  2. "Build us a Web App"
  3. Lots of examples....
  4. New Application Demands: Collaborative Workgroups; Client - Server; Multi user... In the cloud?
  5. It's a WebApp!
  6. Business Logic: Your Business... Your Logic... You know how to do this!
  7. Lots of Help. Language... (word cloud: .Net, PHP, Ruby, Perl, Java, Python, C++, C#, Groovy)
  8. Oh yes, LOTS of help! Frameworks... (word cloud; legible entries: Velocity, JSF, AJAX, PEAR, Spring, Hibernate)
  9. And don't forget...
  10. Access Control: Who are our users? Who can access what? What can they do? How do we manage this?
  11. It's not that complicated.. Authentication, SSO, Authorization
  12. Authentication? Corporate LDAP
  13. But what about...
  14. or...
  15. or SecureID (RSA logo)
  16. Maybe all?
  17. Authentication isn't enough...
  18. Authentication isn't enough... SSO is expected! I have one set of credentials, why can't I just use them ONCE?
  19. Even between multiple Organizations: Federation, eGov, GoogleApps
  20. SSO implies having a single trusted Authentication service...
  21. That can be used by MANY different applications!
  22. Without regard to HOW the authentication is being performed
  23. What About Authorization?
  24. Is this user allowed to perform this action on this resource?
  25. Group Membership? Roles? Some Complex Matrix? Dynamic Conditions?
  26. Access control logic can be embedded in our application... BUT..
  27. New Specs, New Rules, Exceptions, Changes... and more changes! ...And testing!
  28. Reprogram the door?
  29. Centrally managed service: Can I?
  30. AuthN and AuthZ as a service: Identity services (OpenAM)
  31. Authentication, SSO, Authorization
  32. (image only)
  33. Authentication is NOT Identity Management. Validation against EXISTING identity sources!
  34. We don't need to know user implementation details. We only need to know User Identity and possibly some user attributes.
  35. Integrate into existing process: Pluggable Authentication modules; Built on Standards - JAAS; Multiple Modules & Chains
  36. (word cloud of authentication modules: LDAP, AD, Unix, JDBC, x509 Certificate, SecureID, SafeWord, SmartCard, SAML2, SPNEGO, MSISDN, Membership, Custom; Extensible)
  37. Authentication determines identity. Identity is what matters.. NOT the method it is determined
  38. (image only)
  39. Sequence diagram with three participants, Browser, Application and OpenAM: Browser to Application: Request application content. Application to Browser: Redirect for Authentication. Browser to OpenAM: Request Authentication from Authentication server. Browser and OpenAM: Negotiate Authentication... OpenAM to Browser: Redirect back to Application with Token. Browser to Application: Request application content. Application to OpenAM: Validate Token. OpenAM to Application: Validation Response. Application to Browser: Provide application content.
  40. Authentication, SSO, Authorization
  41. (image only)
  42. (image only)
  43. (image only)
  44. Allan Foster, Speaker, ConFoo 2011 (screenshot)
  45. (image only)
  46. Allan Foster, Speaker, ConFoo 2011 (screenshot)
  47. (image only)
  48. One Pass, Multiple Doors: Single Sign On
  49. Application validates credentials... Does NOT issue them!
  50. We don't "Login". We validate Identity. This is a conceptual hurdle for developers!
  51. Authentication service determines identity. Authentication service issues tokens.
  52. Sequence diagram (Browser, Application, OpenAM) for a request that already carries a token: Browser to Application: Request application. Application to OpenAM: Validate Token. OpenAM to Application: Validation Response. Application to Browser: Provide application content.
  53. New applications easily integrate into existing infrastructure
  54. And for many projects this is success! Single Sign on!
  55. Authentication, SSO, Authorization
  56. Multi User Application: Access Control; Rights and Privileges
  57. Access Control can be Very Complex, Domain Specific, Dependent on Many Conditions
  58. Several Options • Ad Hoc • J2EE Policy • URL Access • Custom Developed • External Policy Engine
  59. Ad Hoc • Localized if-then-else • Cumbersome • No Reuse • Inconsistent enforcement • Unverifiable • Possible security holes
  60. J2EE Policy • Standards.. • Role Based • Supported in the deployment • Designed from the start • Difficult to change • Domino Effect
  61. URL Access • Coarse Grained • Tree Level Access • Often at Application or server Level • Access Control NOT Entitlements
  62. Custom Policy • Expensive • Hard to Maintain • Proprietary • Administration is Daunting! • Difficult to change and adapt
  63. External Policy Engine • Policy Evaluation • Extensible • Flexible • Centralized Administration • What about domain specifics?
  64. Entitlement services (OpenAM)
  65. Can This User access This Resource under These Conditions?
  66. Define Rules for Access. Rules can be changed dynamically. Standards based - XACML3
  67. Rules: Resources, Actions, Subjects, Conditions, Response Attributes, Advice
  68. Resources: URLs, Accounts, Buttons, Projects, etc...... Hierarchical, Scalable, Pluggable API
  69. Actions: Performed on a resource. Fine Grained access (word cloud: Create, Read, Update, Delete, GET, POST, PUT, DELETE, COPY, Withdraw, Balance, Transfer)
  70. Subjects: Who does the rule apply to? (word cloud: Datastore Group, LDAP Member, Attribute, Session Attribute, Datastore Attribute, Custom Subject) Pluggable API, Combination Logic
  71. Conditions: Simple or Complex Dependencies (word cloud: IP Address, Attribute, Bank Balance, Time of Day, Session Timeout, Authentication level, Session Attribute) Pluggable API, Combination Logic
  72. Access control can be: Role based, Attribute based, or Dynamic.
  73. Policy Enforcement Point; Policy Decision Point; Policy Administration Point
  74. Policy Enforcement Point
  75. Policy Enforcement Point. Simplest case: Agent plugged into web container. ISAPI, NSAPI, mod_auth
  76. Zero changes to app. Simple to install.. Easily protect "Closed" apps
  77. Policy Enforcement Point: Fine for URL access control when resource is a URL. But how do we address entitlements?
  78. Policy Enforcement Point: Simple Web Service Call wrapper coded into Application. This User, This Resource, These Conditions: if (entitled(userToken, resource, env)) { ... } Language Agnostic!
  79. Simple JSON responses: { "statusCode": 200, "statusMessage": "OK", "body": { "actionsValues": { "GET": true }, "attributes": {}, "advices": {}, "resourceName": "http://www.anotherexample.com:80/index.html" } }
  80. Policy Decision Point
  81. Policy Decision Point: Policy Evaluation. Separate the Rule evaluation from the enforcement
  82. Scalable and extensible policy engine. Scalable to millions of entitlements. Standards based - XACML3
  83. (image only)
  84. Policy Administration: Administration UI, Dynamic rule changes, Auditability, Consistency
  85. Standards based XACML3. Any editor... Any workflow...
  86. Rule changes take immediate effect. No impact on application development
  87. Keep track of rules and changes. Reuse rules for reusable resources
  88. Separate Administration: Application Administration is separate from Entitlement Administration
  89. Simplify the app admin: Consistent administration of permissions for all apps.
  90. ForgeRock
  91. OpenAM: OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements.
  92. OpenAM: Started life as Sun Access Manager. Open-sourced in 2007. Strong Community
  93. OpenAM: OpenAM is fully opensource, 100% Java, scalable, high performance, AuthN and AuthZ
  94. OpenAM: Full XACML3 Support; Simple policies and Complex Entitlements; Extensible Plugins; Central Administration; Leverage existing SSO
  95. OpenAM: OpenAM Community, ForgeRock, http://www.forgerock.com
  96. Download it. Use it. Get involved! info@forgerock.com
  97. Questions?
  98. Demo
  99. Open Source Authentication & Authorization. Allan Foster, ForgeRock
  100. Access Control - Policy; Rights and Privileges - Entitlements; Scalability; Flexibility
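The token exchange of slides 39 and 52, simulated in one Python process, as an added example that is not part of the original deck and not OpenAM code. The authentication service alone validates credentials against an existing identity source and issues an opaque token; the two applications only validate that token, so the second application accepts it without a new login (one pass, multiple doors). Identities, the password, hostnames and the `sso_walkthrough` helper are constructed for this example.

```python
"""Added example: the SSO exchange of slides 39 and 52, simulated in one process.

Three parties: a browser, one or more applications, and a central
authentication service standing in for OpenAM. Only the authentication
service ever sees credentials; applications validate the token it issued.
All identities, passwords and hostnames below are constructed for this example.
"""
import hashlib
import secrets
import time

# Constructed identity source (the "corporate LDAP" of slide 12). The
# authentication service validates against it but does not manage it (slide 33).
_SALT = b"example-salt"
IDENTITY_SOURCE = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "attributes": {"mail": "alice@example.test", "groups": ["staff"]},
    },
}


class AuthService:
    """Central authentication service: determines identity, issues and validates tokens."""

    def __init__(self, ttl_seconds=600):
        self._sessions = {}  # token -> (username, expiry)
        self._ttl = ttl_seconds

    def authenticate(self, username, password):
        """Validate credentials against the identity source; return a token or None."""
        user = IDENTITY_SOURCE.get(username)
        if user is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
        if not secrets.compare_digest(candidate, user["pw_hash"]):
            return None
        token = secrets.token_urlsafe(32)  # opaque and unguessable; state lives server-side
        self._sessions[token] = (username, time.time() + self._ttl)
        return token

    def validate(self, token):
        """Validation response for an application: identity and attributes, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]
            return None
        return {"uid": username, **IDENTITY_SOURCE[username]["attributes"]}


class Application:
    """A web application that validates tokens but never issues them (slide 49)."""

    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def handle(self, request):
        """Return a redirect to the auth service, or the content plus the validated identity."""
        token = request.get("token")
        identity = self.auth.validate(token) if token else None
        if identity is None:
            return {"status": 302, "location": "https://sso.example.test/login", "goto": self.name}
        return {"status": 200, "body": f"{self.name}: hello {identity['uid']}", "identity": identity}


def sso_walkthrough(auth, app_a, app_b, username, password):
    """Run the slide-39 exchange against app_a, then the slide-52 exchange against app_b."""
    trace = []
    first = app_a.handle({})  # no token yet -> redirect for authentication
    trace.append(("app_a", first["status"]))
    token = auth.authenticate(username, password)  # browser negotiates with the auth service
    if token is None:
        return trace, None
    trace.append(("sso", "token issued"))
    back = app_a.handle({"token": token})  # redirected back with the token; app validates it
    trace.append(("app_a", back["status"]))
    second = app_b.handle({"token": token})  # slide 52: a different app, same token, no login
    trace.append(("app_b", second["status"]))
    return trace, token


if __name__ == "__main__":
    sso = AuthService()
    print(sso_walkthrough(sso, Application("portal", sso), Application("wiki", sso),
                          "alice", "correct horse")[0])
```

The application code never touches a password or the identity store; everything it knows about the user comes from the validation response, which is the conceptual shift slide 50 describes. A forged token and an expired token both fall back to the redirect, because the application fails closed whenever validation returns nothing.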
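A miniature policy decision point and the `entitled(...)` wrapper of slides 78 and 79, as an added example that is not part of the deck and not OpenAM code. Rules carry the elements of slide 67 (resource, actions, subject, conditions, response attributes, advice) with conditions drawn from slide 71 (IP address, time of day, authentication level); the decision is serialised in the JSON shape of slide 79 and the enforcement point fails closed on anything but an explicit grant. The sessions, rules, hostnames, `decide` and `entitled` function names are constructed assumptions.

```python
"""Added example: a miniature policy decision point (PDP) and the policy
enforcement point (PEP) wrapper of slides 78-79. Everything here is constructed
for illustration and is not OpenAM's rule format or API."""
import fnmatch
import ipaddress
import json
from datetime import time as dtime

# Constructed session store: what SSO token validation (slide 52) would return.
SESSIONS = {
    "tok-alice": {"uid": "alice", "groups": ["tellers"], "authLevel": 2},
    "tok-bob": {"uid": "bob", "groups": ["staff"], "authLevel": 1},
}

# Constructed rules (slide 67). A rule grants its actions on a resource subtree
# when the subject and every condition match. Anything not granted is denied.
RULES = [
    {"name": "tellers-can-read",
     "resource": "https://bank.example.test/accounts/*",
     "actions": ["GET"],
     "subject": {"group": "tellers"},
     "conditions": {},
     "response_attributes": {"role": "teller"}},
    {"name": "tellers-transfer-in-office",
     "resource": "https://bank.example.test/accounts/*/transfer",
     "actions": ["POST"],
     "subject": {"group": "tellers"},
     "conditions": {"ip_network": "10.1.0.0/16", "auth_level_min": 2,
                    "time_of_day": ("09:00", "17:00")},
     "advice": {"ConditionAdvice": "office network, office hours, auth level 2"}},
]


def conditions_hold(conds, session, env):
    """Evaluate the slide-71 style conditions against the session and request environment."""
    if "ip_network" in conds:
        if ipaddress.ip_address(env["ip"]) not in ipaddress.ip_network(conds["ip_network"]):
            return False
    if "auth_level_min" in conds and session["authLevel"] < conds["auth_level_min"]:
        return False
    if "time_of_day" in conds:
        start, end = (dtime.fromisoformat(t) for t in conds["time_of_day"])
        if not start <= dtime.fromisoformat(env["time"]) < end:
            return False
    return True


def decide(token, resource, action, env):
    """PDP: evaluate the rules and return the slide-79 JSON document as a string."""
    session = SESSIONS.get(token)
    if session is None:
        return json.dumps({"statusCode": 401, "statusMessage": "Invalid token", "body": {}})
    actions, attributes, advices = {}, {}, {}
    for rule in RULES:
        if not fnmatch.fnmatchcase(resource, rule["resource"]):  # hierarchical '*' match
            continue
        if action not in rule["actions"]:
            continue
        if rule["subject"].get("group") not in session["groups"]:
            continue
        if conditions_hold(rule["conditions"], session, env):
            actions[action] = True
            attributes.update(rule.get("response_attributes", {}))
        else:
            actions.setdefault(action, False)
            advices.update(rule.get("advice", {}))  # tell the PEP what was missing
    return json.dumps({"statusCode": 200, "statusMessage": "OK",
                       "body": {"actionsValues": actions, "attributes": attributes,
                                "advices": advices, "resourceName": resource}})


def entitled(token, resource, action, env, pdp=decide):
    """PEP wrapper (slide 78): ask the decision service; anything but an explicit grant is a deny."""
    try:
        response = json.loads(pdp(token, resource, action, env))
    except (ValueError, TypeError):
        return False
    if response.get("statusCode") != 200:
        return False
    return response.get("body", {}).get("actionsValues", {}).get(action) is True


if __name__ == "__main__":
    env = {"ip": "10.1.2.3", "time": "10:30"}
    print(decide("tok-alice", "https://bank.example.test/accounts/42/transfer", "POST", env))
```

The application only ever calls `entitled(...)`; the rules, the subject lookup and the condition logic sit behind the decision service, which is the separation slides 81 and 88 argue for. Changing office hours or the permitted network is a rule edit, not a code change, and the advice block lets the enforcement point explain a denial (for instance, by stepping up authentication) without embedding that policy itself.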
