Session 6 - FIWARE Identity Management and Access Control
Fernando López, Cloud & Platform Senior Expert
fernando.lopez@fiware.org
@flopezaguilar
FIWARE Foundation, e.V.
Learning Goals
1
● What are the security components?
● Which types of access control are supported?
● How to secure access to your applications?
● What is eIDAS and eID? How to integrate with eIDAS, eID?
FIWARE Ecosystem
2
● A framework of open source platform components which can be assembled
together and with other third-party components to accelerate the development
of Smart Solutions.
Access Control
IAM Generic Enablers
Identity & Access Control Management
10
● Keyrock – Identity Management
● Wilma – PEP Proxy
● AuthZForce – Authorization PDP
Keyrock
Main features
11
Web Interface and REST API for managing Identity
● Users, devices and groups management
● OAuth 2.0-based Single Sign On
● Application-scoped roles and permissions management
● Support for local and remote PAP/PDP
● JSON Web Tokens (JWT) and Permanent Tokens support
● MySQL / PostgreSQL and external DB driver
● European eID authentication compatibility (CEF eIDAS)
Wilma
Main features
12
PEP Proxy for securing service backends
● Basic and complex AC policies support
● OAuth 2.0 Access Tokens support
● JSON Web Tokens (JWT) support
● Custom PDP configuration
● Integrated with API Management tools
o APInf & API Umbrella
o Kong
AuthZForce
Main features
13
PAP and PDP Server for managing complex AC policies
● XACML-3.0 standard-compliant
● Cloud-ready RESTful ABAC framework with XML optimization
● Multi-tenant REST API for PDP and PAP
● Standards:
o OASIS: XACML 3.0 + Profiles (REST, RBAC, Multiple Decision)
o ISO: Fast Infoset
● Extensible to attribute providers (PIP), functions, etc.
14
Identity and AC Management
OAuth 2.0 flow
[Diagram: the Service Application sends OAuth 2.0 requests to the IdM in the IAM Infrastructure, obtains an access-token and uses it for the User info request]
15
Identity and AC Management
Accessing GEs and services
[Diagram: the IAM Infrastructure holds IdM, PAP, Policies DB and PDP; the Service Application completes the OAuth2 flow with the IdM, sends Request + token to the PEP in front of the Service Backend, and the PEP performs Check auth against the PDP]
16
Identity and AC Management
Accessing GEs and services
● Level 1: Authentication
● Level 2: Basic Authorization
● Level 3: Advanced Authorization
17
Identity and AC Management
Accessing GEs and services
● Level 1: Authentication
o Check if a user has been authenticated
● Level 2: Basic Authorization
● Level 3: Advanced Authorization
18
Identity and AC Management
Level 1: Authentication
[Diagram: Level 1: the Service Application obtains a token through the OAuth2 flow with the IdM in the IAM Infrastructure, sends Request + token to the PEP in front of the Service Backend, and the PEP performs Check token against the IdM]
19
Identity and AC Management
Accessing GEs and services
● Level 1: Authentication
● Level 2: Basic Authorization
o Checks if a user has permissions to access a resource
o HTTP verb + resource path
● Level 3: Advanced Authorization
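Level 2 maps each role to a set of permissions expressed as an HTTP verb plus a resource path. The following Python is an added example of how a PEP can perform that check; it is not the Wilma PEP Proxy's own implementation (Wilma is a Node.js project). The role names, the permission table, the `*`/`**` wildcard syntax and the `/v2/...` paths are constructed for the demo.

```python
"""Level 2 'basic authorization' as a PEP performs it: a request is allowed only if one of the
caller's roles carries a permission whose HTTP verb and resource path pattern match it.
Added example; not the Wilma PEP Proxy implementation. The roles, permission table,
wildcard syntax and /v2/... paths below are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Permission:
    verb: str       # HTTP method the permission grants, or "*" for any method
    resource: str   # path pattern: "*" matches one path segment, "**" matches the rest of the path


# Constructed role -> permissions table (in a deployment this comes from the IdM/PAP).
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "reader": frozenset({Permission("GET", "/v2/entities"), Permission("GET", "/v2/entities/*")}),
    "editor": frozenset({Permission("POST", "/v2/entities"), Permission("PATCH", "/v2/entities/*/attrs")}),
    "admin": frozenset({Permission("*", "/v2/**")}),
}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a path pattern into an anchored regex; everything except the wildcards is literal."""
    escaped = re.escape(pattern)
    escaped = escaped.replace(r"\*\*", "\x00")   # protect "**" before handling "*"
    escaped = escaped.replace(r"\*", r"[^/]+")   # "*"  -> exactly one non-empty segment
    escaped = escaped.replace("\x00", ".*")      # "**" -> whatever follows
    return re.compile(f"^{escaped}$")


def normalize_path(path: str) -> str:
    """Canonicalize the request path before matching, so that a permission cannot be
    sidestepped with a query string, repeated slashes or dot segments."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    segments = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def is_authorized(roles: Iterable[str], verb: str, path: str) -> bool:
    """Default deny: True only if some role grants this verb on this (normalized) path."""
    verb = verb.upper()
    path = normalize_path(path)
    for role in roles:
        for permission in ROLE_PERMISSIONS.get(role, frozenset()):
            if permission.verb not in ("*", verb):
                continue
            if pattern_to_regex(permission.resource).match(path):
                return True
    return False


if __name__ == "__main__":
    for roles, verb, path in [(["reader"], "GET", "/v2/entities/Room1"),
                              (["reader"], "DELETE", "/v2/entities/Room1"),
                              (["editor"], "PATCH", "/v2/entities/Room1/attrs"),
                              (["reader"], "GET", "/v2/entities/Room1/../../subscriptions")]:
        print(roles, verb, path, "->", "allow" if is_authorized(roles, verb, path) else "deny")
```

The path normalization step is the part worth copying: the permission is checked against the path the backend will actually serve, not against the raw string the client sent, and anything no role explicitly grants is denied.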
20
Identity and AC Management
Level 2: Basic Authorization
[Diagram: Level 2: the IAM Infrastructure holds IdM, PAP and PDP; the Service Application completes the OAuth2 flow with the IdM, sends Request + token to the PEP in front of the Service Backend, and the PEP performs Check token]
21
Identity and AC Management
Accessing GEs and services
● Level 1: Authentication
● Level 2: Basic Authorization
● Level 3: Advanced Authorization
o Custom XACML policies
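Level 3 lets an application hand its own XACML policies to the PDP. As an added example, not AuthZForce code, here is a constructed XACML 3.0 policy together with a small Python evaluator for the subset it uses (Policy, Rule, Target, AnyOf/AllOf/Match, the string-equal and string-regexp-match functions, and the deny-overrides and first-applicable combining algorithms). Conditions, Obligations and PolicySets are left out, and the `urn:example:network-zone` attribute is invented for the demo; the other URNs are the standard XACML identifiers.

```python
"""Simplified XACML 3.0 evaluation: a constructed policy plus a small PDP for the subset it uses.
Added example, not AuthZForce code. Covers Policy/Rule/Target/AnyOf/AllOf/Match with string-equal and
string-regexp-match; Conditions, Obligations and PolicySets are out of scope."""
import re
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
REGEXP = "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ENVIRONMENT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
NETWORK_ZONE = "urn:example:network-zone"   # constructed attribute id, not a standard XACML identifier

# Constructed policy: readers may GET entities, admins may do anything, nobody may DELETE from a
# public network. deny-overrides makes the Deny rule win over the admin Permit.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="constructed-demo-policy" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="readers-may-read-entities" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{EQUAL}"><AttributeValue DataType="{STRING}">reader</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE}" DataType="{STRING}" MustBePresent="false"/></Match>
      <Match MatchId="{EQUAL}"><AttributeValue DataType="{STRING}">GET</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/></Match>
      <Match MatchId="{REGEXP}"><AttributeValue DataType="{STRING}">/v2/entities(/.*)?</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}" DataType="{STRING}" MustBePresent="false"/></Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="admins-have-full-access" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{EQUAL}"><AttributeValue DataType="{STRING}">admin</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE}" DataType="{STRING}" MustBePresent="false"/></Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="no-deletes-from-public-networks" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{EQUAL}"><AttributeValue DataType="{STRING}">DELETE</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/></Match>
      <Match MatchId="{EQUAL}"><AttributeValue DataType="{STRING}">public</AttributeValue>
        <AttributeDesignator Category="{ENVIRONMENT}" AttributeId="{NETWORK_ZONE}" DataType="{STRING}" MustBePresent="false"/></Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

FUNCTIONS = {
    EQUAL: lambda policy_value, actual: policy_value == actual,
    # XACML uses XML Schema regexes, which are implicitly anchored; fullmatch with Python syntax approximates that.
    REGEXP: lambda policy_value, actual: re.fullmatch(policy_value, actual) is not None,
}

def _tag(name):
    return f"{{{NS}}}{name}"

def _match_holds(match, request):
    """A Match holds if the function is true for any value in the designated attribute bag;
    an attribute absent from the request (MustBePresent="false") simply does not match."""
    policy_value = match.find(_tag("AttributeValue")).text
    designator = match.find(_tag("AttributeDesignator"))
    key = (designator.get("Category"), designator.get("AttributeId"))
    function = FUNCTIONS[match.get("MatchId")]
    return any(function(policy_value, actual) for actual in request.get(key, ()))

def _target_matches(target, request):
    if target is None or len(target) == 0:   # a missing or empty Target applies to every request
        return True
    # Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    return all(any(all(_match_holds(m, request) for m in allof) for allof in anyof) for anyof in target)

def evaluate(policy_xml, request):
    """Return the XACML decision: Permit, Deny or NotApplicable (a PEP must treat the last as deny)."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find(_tag("Target")), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(_tag("Rule"))
               if _target_matches(rule.find(_tag("Target")), request)]
    algorithm = policy.get("RuleCombiningAlgId")
    if algorithm.endswith(":deny-overrides"):
        return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    if algorithm.endswith(":first-applicable"):
        return effects[0] if effects else "NotApplicable"
    raise ValueError(f"unsupported rule-combining algorithm: {algorithm}")

def build_request(roles, verb, path, zone="internal"):
    """The attribute bags a PEP sends to the PDP for one HTTP request (all values as strings)."""
    return {(SUBJECT, ROLE): set(roles), (ACTION, ACTION_ID): {verb},
            (RESOURCE, RESOURCE_ID): {path}, (ENVIRONMENT, NETWORK_ZONE): {zone}}
```

The third rule is what Level 3 adds over Level 2: the decision depends on an environment attribute, not only on the role, verb and path, and the combining algorithm decides how a Permit and a Deny that both apply are resolved. Note that `NotApplicable` is a real outcome; the PEP has to treat it as a denial rather than as "no objection".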
22
Identity and AC Management
Level 3: Advanced Authorization
[Diagram: Level 3: the IAM Infrastructure holds IdP, PAP, Policies DB and PDP; the Service Application completes the OAuth2 flow with the IdP and sends Request + token to the PEP in front of the Service Backend; the PEP performs Check token against the IdP and Check auth against the PDP, which uses the policies the PAP keeps in the Policies DB]
23
Identity and AC Management
JSON Web Tokens
● A JSON Web Token (JWT) is a JSON object defined in RFC 7519 as a safe way to represent a set of information between two parties.
● The token is composed of a header, a payload, and a signature.
[Figure: the same token shown Encoded and Decoded]
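As an added example (not Keyrock or Wilma code), the following Python issues a token of this shape and then validates it the way a PEP would, so the header, payload and signature are visible both encoded and decoded and the checks on them (signature, pinned algorithm, expiry) are explicit. The HS256 shared secret, the claims and the role names are constructed; the slides do not say which algorithm or claims Keyrock uses.

```python
"""Decode and verify a JSON Web Token locally: header.payload.signature, each part base64url-encoded.
Added example (not Keyrock or Wilma code). The shared HS256 secret, the claims and the role names
are constructed for the demo; the slides do not state which algorithm or claims Keyrock uses."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"   # shared between IdM and PEP in this demo


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token; stands in for the IdM side of the flow."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """The 'Decoded' view of a token: header and payload, without trusting either."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Token validation as a PEP would do it; returns the claims or raises InvalidToken."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("a JWT has exactly three parts: header, payload, signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides how signatures are checked,
    # so a header claiming "none" or any other scheme is rejected before anything else.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise InvalidToken("signature does not match")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise InvalidToken("token expired")
    return payload


def is_valid(token: str, secret: bytes, now: float) -> bool:
    try:
        verify_jwt(token, secret, now)
        return True
    except (InvalidToken, ValueError):   # ValueError covers malformed base64 and JSON
        return False


# Constructed sample tokens (exp = 2_000_000_000 is a date in 2033).
SAMPLE_CLAIMS = {"sub": "alice", "roles": ["reader"], "exp": 2_000_000_000}
SAMPLE_TOKEN = make_jwt(SAMPLE_CLAIMS, SECRET)
# Same header and signature, but the payload swapped for one claiming the admin role.
_forged_payload = b64url_encode(json.dumps({"sub": "alice", "roles": ["admin"], "exp": 2_000_000_000}).encode())
TAMPERED_TOKEN = ".".join([SAMPLE_TOKEN.split(".")[0], _forged_payload, SAMPLE_TOKEN.split(".")[2]])
# Header says "none" and the signature is empty.
ALG_NONE_TOKEN = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + _forged_payload + "."

if __name__ == "__main__":
    print(SAMPLE_TOKEN)                       # encoded
    print(decode_unverified(SAMPLE_TOKEN))    # decoded header and payload
    print(verify_jwt(SAMPLE_TOKEN, SECRET))   # verified claims
```

Because the signature covers the encoded header and payload, the PEP can validate the token and read the roles from it without a round trip to the IdM, which is the point of the JWT slides that follow; the price is that revocation before `exp` is not visible to the PEP unless it asks the IdM anyway.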
24
Identity and AC Management
JSON Web Tokens
[Diagram: the Service Application obtains a JWT through the OAuth2 flow with the IdM (IAM Infrastructure: IdM, PAP, PDP), sends Request + JWT to the PEP in front of the Service Backend, and the PEP performs Token validation]
25
Identity and AC Management
JSON Web Tokens
[Diagram: as on the previous slide, the Service Application obtains a JWT through the OAuth2 flow and sends Request + JWT to the PEP in front of the Service Backend; the PEP performs Token validation and then Check authorization against the PDP]
26
API Management
APInf & PEP Proxy
[Diagram: the Web Service Application sends Request + APIKey to the API management layer, which fronts several Service Backends]
27
API Management
APInf & PEP Proxy
[Diagram: the IAM Infrastructure holds IdM, PAP and PDP; the Web Service Application completes the OAuth2 flow and sends Request + access_token to the PEP; the PEP performs Check token by presenting the access_token to the IdM and receives OK + user info (roles)]
eID Integration
CEF eIDAS
28
● eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation to enable
secure and seamless electronic interactions between businesses, citizens and public authorities.
● Access to European services by national eID
[Diagram: eIDAS nodes of country 1, country 2 and country 3; a User from country 2 authenticates with a national eID to access a Service]
eID Integration
FIWARE Identity Gateway
29
● Integration of FIWARE Security Framework with eIDAS
● Every application registered in Keyrock can be linked to an eIDAS node
o Through an OAuth 2.0 – SAML2 gateway
● Users can then authenticate using their national eID
o AC policies based on the user's eIDAS profile
● Transparent for application providers
eID Integration
FIWARE Identity Gateway
30
[Diagram: the IAM Infrastructure (IdP) receives Oauth 2.0 requests from the Service Application and returns an access-token used for the User info request; for Authentication the IdP runs a SAML flow with eIDAS node 1 (IdP 1), eIDAS node 2 (IdP 2), …]
Data Usage Control
31
● Security Framework and Data Usage Control
o Ensures data sovereignty
o Regulates what is allowed to happen with the data
(future usage).
● Integration with Big Data and Processing GEs
Summary: Terms
36
● PDP, Policy Decision Point (PDP) evaluates and issues authorization decisions.
● PAP, Policy Administration Point (PAP) is the point which manages policies.
● PEP, The Policy Enforcement Point (PEP) is the component (a network device or proxy, such as the Wilma PEP Proxy) on which policy decisions are carried out or enforced.
● PIP, The Policy Information Point (PIP) is the attribute provider that supplies the PDP with the attribute values it needs to evaluate a policy.
● IAM, Identity and Access Management (IAM) is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
● IdM, Identity Management (IdM), also known as IAM.
Summary: Terms
37
● JWT, JSON Web Tokens (JWT) are an open, industry standard RFC 7519 method for representing
claims securely between two parties.
● XACML, the eXtensible Access Control Markup Language (XACML) is a standard XML-based policy language; access decisions are made through the cooperation of different components (PAP, PDP, PEP, PIP) that exchange XML.
● OAuth2, OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords.
● ABAC, Attribute-based access control (ABAC), also known as policy-based access control, defines an
access control paradigm whereby access rights are granted to users through the use of policies which
combine attributes together.
Summary: Terms
38
● RBAC, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users.
● eID, An electronic identification ("eID") is a digital solution for proof of identity of citizens or organizations, for example to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc.
● eIDAS, electronic IDentification, Authentication and trust Services (eIDAS) is an EU regulation on / a set of standards for electronic identification and trust services for electronic transactions in the European Single Market.
● ODRL, The Open Digital Rights Language (ODRL) is a policy expression language that provides a flexible and interoperable information model, vocabulary, and encoding mechanisms for representing statements about the usage of content and services.
Security GEs documentation
39
● FIWARE Catalogue
o https://www.fiware.org/developers/catalogue
● FIWARE Academy
o https://fiware-academy.readthedocs.io/en/latest/index.html
● Identity Management – Keyrock
o Repo: https://github.com/ging/fiware-idm
● PEP Proxy – Wilma
o Repo: https://github.com/ging/fiware-pep-proxy
● Authorization PDP – AuthZForce
o Repo: https://github.com/authzforce/server
Question & Answer
40
fiware-tech-help@lists.fiware.org
http://fiware.org
Follow @FIWARE on Twitter
