Last Updated: Jan. 2014
Tech Lead
Chamath Gunawardana
Identity and Entitlement Management – Concepts and Theories
  
About the Presenter(s)

๏ Chamath Gunawardana

Chamath Gunawardana is a technical lead at WSO2, working in the integration technology group. He is engaged in the development of the WSO2 Identity Server and is also a committer of the WSO2 Identity Server. Chamath is also a Sun certified Java programmer.
  	
  
About WSO2

๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
  
What WSO2 delivers
  
Agenda

๏ Entitlement management
  ๏ Overview
  ๏ Access control concepts
  ๏ XACML
  ๏ Entitlement architecture in Identity Server
๏ Identity management
  ๏ Overview
  ๏ Features of identity management systems
  ๏ A couple of identity management capabilities in Identity Server
๏ Demo
  
What is Entitlement Management?

๏ Entitlement management is technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements.
๏ Also referred to as authorizations, privileges, access rights, permissions and/or rules.
   - Gartner Glossary
  
Entitlement Management

๏ It's a broader concept
๏ Types of access control include:
  ๏ Access control lists
  ๏ Role based access control
  ๏ Attribute based access control
  ๏ Policy based access control
  
Access control lists

๏ Oldest and most basic form of access control
๏ Primarily adopted by operating systems
๏ Maintains, as a mapping, the set of users and the operations they can perform on a resource
๏ Also easy to implement using maps
๏ Not scalable for large user bases
๏ Difficult to manage
  
Role based access control

๏ The system has users that belong to roles
๏ A role defines which resources are allowed
๏ Reduces the management overhead
๏ Users and roles can be externalized using user stores
๏ The roles need to be managed
๏ A user may belong to multiple roles
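The two previous slides describe ACLs as a per-resource mapping of users to operations and RBAC as users-to-roles plus roles-to-permissions. The following Python is an added example written for this page, not code from the deck or from WSO2 Identity Server; the users, roles, report paths and operations are constructed. It implements both models side by side with default-deny lookups, lets a user hold several roles, and counts the entries each model needs so the management-overhead difference is visible on real input.

```python
"""ACL vs. RBAC side by side. Added example (not from the deck or from WSO2);
all user, role and resource names are constructed for illustration."""
from collections import defaultdict

REPORTS = ("/reports/q1.pdf", "/reports/q2.pdf", "/reports/q3.pdf")

# Role -> resource -> operations. One role can cover many resources, which is
# where RBAC saves work compared with per-user ACL entries.
ROLE_PERMISSIONS = {
    "finance-viewer": {r: {"read"} for r in REPORTS},
    "finance-editor": {r: {"read", "write"} for r in REPORTS},
    "hr-admin": {"/hr/salaries.xlsx": {"read", "write"}},
}


class AclStore:
    """The slide's ACL mapping: resource -> user -> set of operations."""

    def __init__(self):
        self.table = defaultdict(lambda: defaultdict(set))

    def grant(self, user, resource, ops):
        self.table[resource][user].update(ops)

    def allowed(self, user, operation, resource):
        # .get() does not create entries, so unknown users/resources stay denied
        return operation in self.table.get(resource, {}).get(user, set())

    def entries(self):
        """Number of explicit (resource, user) grants an administrator maintains."""
        return sum(len(users) for users in self.table.values())


class RbacStore:
    """RBAC: user -> roles (what a user store would hold) and role -> permissions."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = defaultdict(set)

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def effective_permissions(self, user):
        """Union of the permissions of every role the user belongs to."""
        perms = defaultdict(set)
        for role in self.user_roles.get(user, set()):
            for resource, ops in self.role_permissions[role].items():
                perms[resource].update(ops)
        return perms

    def allowed(self, user, operation, resource):
        return operation in self.effective_permissions(user).get(resource, set())

    def assignments(self):
        """Number of user-to-role links an administrator maintains."""
        return sum(len(roles) for roles in self.user_roles.values())


def onboard(acl, rbac, user, role):
    """Give `user` the access implied by `role` in both models, so the two
    stores express the same policy and their sizes can be compared."""
    rbac.assign(user, role)
    for resource, ops in ROLE_PERMISSIONS[role].items():
        acl.grant(user, resource, ops)


def build_demo():
    acl, rbac = AclStore(), RbacStore(ROLE_PERMISSIONS)
    onboard(acl, rbac, "alice", "finance-viewer")
    onboard(acl, rbac, "bob", "finance-editor")
    onboard(acl, rbac, "carol", "hr-admin")
    onboard(acl, rbac, "carol", "finance-viewer")   # a user in multiple roles
    return acl, rbac


if __name__ == "__main__":
    acl, rbac = build_demo()
    print("ACL entries:", acl.entries(), "role assignments:", rbac.assignments())
    print("carol read q2 (RBAC):", rbac.allowed("carol", "read", "/reports/q2.pdf"))
    print("dave read q1 (ACL):", acl.allowed("dave", "read", "/reports/q1.pdf"))
```

Both stores answer the same questions identically; the difference is what an administrator touches when the population changes. Adding a fourth report to the finance role is one edit in `ROLE_PERMISSIONS` but one new ACL entry per viewer and editor, which is the scalability limitation the ACL slide names.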
  
Attribute based access control

๏ Authorization based on attributes
๏ Addresses the limitation of the role based approach in defining fine grained access control
๏ Uses attributes of the user, the environment, as well as the resource itself
๏ More flexible than the role based approach
๏ No need to know the user prior to granting access
  
Policy based access control

๏ Addresses the requirement to have a more uniform access control mechanism
๏ Helps large enterprises to have uniform access control among org units
๏ Helps security audits to be carried out
๏ More complex than any other access control system
๏ Specify policies unambiguously with XACML
๏ Use of authorized attribute sources in the enterprise
  
Advantages

๏ Reduces the development time spent on critical business functions
๏ Easy management of entitlements
๏ Based on industry standard specifications
๏ Support for future development with minimum effort
  
XACML

๏ XACML is a policy based authorization/entitlement system
๏ De-facto standard for authorization
๏ Evolved through versions 1.0, 2.0 and 3.0
๏ Externalized
๏ Policy based
๏ Fine grained
๏ Standardized
  
XACML

๏ Identity Server supports XACML 2.0 and 3.0 versions
๏ Supports multiple PIPs
๏ Policy distribution
๏ UI wizards for defining policies
๏ Try it tool
๏ Decision / attribute caching
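The ABAC, policy based access control and XACML slides above describe decisions made from user, resource and environment attributes, attributes pulled from authorized enterprise sources (PIPs), policies combined by an unambiguous algorithm, and decision caching. The Python below is an added example for this page, not code from the deck or from WSO2 Identity Server; the PEP/PDP/PIP split, the deny-overrides algorithm and the cache are modelled on the XACML concepts the slides name, while the user store, record registry, rule names and attribute values are constructed. It shows a rule RBAC alone cannot express (a doctor may read a record only in their own ward, and never off-hours) and that caller-asserted attributes are ignored in favour of the authoritative store.

```python
"""Miniature XACML-style policy decision point. Added example, not code from
the deck or from WSO2 Identity Server; all users, records, rules and attribute
values are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """The attribute categories a PEP sends to the PDP."""
    subject: dict
    resource: dict
    action: dict
    environment: dict


@dataclass
class Rule:
    rule_id: str
    effect: str                            # PERMIT or DENY when the condition holds
    condition: Callable[[Request], bool]   # evaluated on the resolved request


# PIP data sources (constructed): the enterprise's authoritative attribute stores.
USER_STORE = {
    "dr.ann":   {"role": "doctor", "ward": "cardiology"},
    "dr.raj":   {"role": "doctor", "ward": "oncology"},
    "nurse.li": {"role": "nurse",  "ward": "cardiology"},
}
RECORD_REGISTRY = {
    "/records/p-1001": {"ward": "cardiology"},
    "/records/p-2002": {"ward": "oncology"},
}


def resolve_attributes(req: Request) -> Request:
    """PIP step: subject and resource attributes come only from the authorized
    stores. Anything the caller asserted about itself beyond its id is dropped,
    so a request cannot claim a ward or role it does not hold."""
    sid, rid = req.subject.get("id"), req.resource.get("id")
    req.subject = {"id": sid, **USER_STORE.get(sid, {})}
    req.resource = {"id": rid, **RECORD_REGISTRY.get(rid, {})}
    return req


def doctor_reads_own_ward(r: Request) -> bool:
    return (r.action.get("id") == "read"
            and r.subject.get("role") == "doctor"
            and r.subject.get("ward") is not None
            and r.subject.get("ward") == r.resource.get("ward"))


def outside_shift_hours(r: Request) -> bool:
    # environment attribute: hour of day, 0-23; missing hour counts as outside
    return not 6 <= r.environment.get("hour", -1) < 22


POLICY = [
    Rule("doctor-reads-own-ward", PERMIT, doctor_reads_own_ward),
    Rule("no-access-off-hours", DENY, outside_shift_hours),
]


def deny_overrides(effects: List[str]) -> str:
    """Deny-overrides combining algorithm: a single Deny beats any Permit."""
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE


class PDP:
    def __init__(self, rules, combine=deny_overrides):
        self.rules, self.combine = rules, combine
        # Decision cache. The key must cover every input that can change the
        # answer (here the environment hour too), or stale decisions get served.
        self.cache = {}

    def evaluate(self, req: Request) -> str:
        key = (req.subject.get("id"), req.resource.get("id"),
               req.action.get("id"), req.environment.get("hour"))
        if key in self.cache:
            return self.cache[key]
        resolved = resolve_attributes(req)
        effects = [rule.effect for rule in self.rules if rule.condition(resolved)]
        decision = self.combine(effects)
        self.cache[key] = decision
        return decision


def pep_allows(pdp: PDP, user: str, action: str, resource: str, hour: int) -> bool:
    """PEP: build the request; anything but an explicit Permit is treated as deny."""
    req = Request({"id": user}, {"id": resource}, {"id": action}, {"hour": hour})
    return pdp.evaluate(req) == PERMIT


if __name__ == "__main__":
    pdp = PDP(POLICY)
    print("dr.ann reads p-1001 at 10h:", pep_allows(pdp, "dr.ann", "read", "/records/p-1001", 10))
    print("dr.ann reads p-1001 at 23h:", pep_allows(pdp, "dr.ann", "read", "/records/p-1001", 23))
```

The PEP never interprets NotApplicable as permission, which is the fail-closed default a practitioner wants at the enforcement point. The cache key deliberately includes the environment attribute: caching a Permit taken at 10h and replaying it at 23h would silently defeat the off-hours rule.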
  
XACML

Create policy options

Simple policy editor

Basic policy editor

Try it tool

Try it tool request

Extensions
  
Identity Management

๏ Managing the identity of users in a system
๏ Control access to resources
๏ Important component in an enterprise
๏ Enterprises depend on the security provided by identity management systems
  
Why Identity Management

๏ Directly influences the security and productivity of an organization
๏ To enforce consistency in security policies across the organization
๏ To comply with rules and regulations enforced in some critical domains by governments
๏ To provide access to resources to outside parties without compromising security
  
Why Identity Management (cont.)

๏ Controlled resource access increases organizational security
๏ Increased auditability of the systems
๏ Automated password reset capabilities
  
Features of an IDM System

๏ User stores / directories
๏ Authentication
๏ Authorization
๏ Single Sign On
๏ Provisioning
๏ Delegation
๏ Password reset
๏ Self registration with locking
  
User stores / Directories

๏ Grouping of users and roles
๏ Easy management in authorization decisions
๏ Support for different types of user stores
  
Authentication

๏ Identifying which entity we are communicating with
๏ The entity can be a user or a system
๏ The most basic form is user name and password
๏ Authentication against a user store
๏ Concept of multi factor authentication
  
Authorization

๏ What an entity is allowed to access in the system
๏ Entitlement management aspects
๏ Already discussed above
  
Single Sign On

๏ Having multiple applications with login requirements
๏ Once logged in to one application, automatic login to the other applications
๏ Token usage
๏ Identity federation
๏ Technologies used
  ๏ OpenID
  ๏ SAML
  ๏ Kerberos
  ๏ WS-Federation passive
  
Provisioning

๏ Concept of adding identities to and removing them from a user store
๏ Provisioning to external systems
๏ Technologies
  ๏ SPML
  ๏ SCIM
  
Delegation

๏ Giving responsibility to another entity to carry out tasks on your behalf
๏ Credential sharing systems
๏ Technologies
  ๏ OAuth
  
Users and roles

๏ Enterprise user stores with users and roles
๏ Managing user stores
  ๏ Support for multiple user stores
  ๏ Easy configuration of user stores in the UI
๏ Types of user stores
  ๏ LDAP, Active Directory, JDBC
๏ Support for multi-tenancy
  
Password reset

๏ Web apps needing end user password reset functionality
๏ Supports:
  ๏ Reset with notification
  ๏ Reset with secret questions
๏ Increased security with multiple keys in the reset flow
๏ UI based email template configuration
  
Self registration with locking

๏ Separate web service for self registration with account lock
๏ Upon registration, a confirmation link is sent to unlock the account
๏ Only users with a valid email address gain access to the system
๏ Configurable email notification template
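The slide above describes the self-registration flow: the account is created locked, a confirmation link is mailed, and only someone who can read that mailbox can unlock it. The Python below is an added example for this page, not code from the deck or from WSO2 Identity Server; it shows one way to implement that flow with a keyed-hash confirmation token that is single-use and expires, plus a constant-time comparison on verification. The server key, user names, addresses and time-to-live are constructed, and the clock is injectable so the expiry path can be exercised.

```python
"""Self-registration with account locking and confirmation links. Added
example, not code from the deck or from WSO2 Identity Server; key, user
names, addresses and time-to-live are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed; in practice held in a key store
TOKEN_TTL_SECONDS = 24 * 60 * 60       # how long a confirmation link stays valid


class AccountStore:
    """Accounts are created locked. The confirmation token returned by
    register() is what the mailer embeds in the link sent to the given
    address; presenting it back is the only way to unlock the account."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock    # injectable so expiry can be tested deterministically

    def register(self, username: str, email: str) -> str:
        if username in self.accounts:
            raise ValueError("username already taken")
        nonce = secrets.token_urlsafe(16)   # unpredictable, one per registration
        self.accounts[username] = {"email": email, "locked": True,
                                   "nonce": nonce, "issued_at": self.clock()}
        return self._token(username, nonce)

    def _token(self, username: str, nonce: str) -> str:
        # The MAC binds the nonce to the username; without SERVER_KEY nobody
        # can mint a token for an account they did not register.
        mac = hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{username}:{nonce}:{mac}"

    def confirm(self, token: str) -> bool:
        """Unlock the account if the token is genuine, unexpired and unused."""
        parts = token.rsplit(":", 2)        # nonce and MAC never contain ':'
        if len(parts) != 3:
            return False
        username = parts[0]
        acct = self.accounts.get(username)
        if acct is None or acct["nonce"] is None:      # unknown, or link already used
            return False
        if self.clock() - acct["issued_at"] > TOKEN_TTL_SECONDS:
            return False                               # expired: account stays locked
        expected = self._token(username, acct["nonce"])
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False                               # forged or tampered link
        acct["locked"] = False
        acct["nonce"] = None                           # single use
        return True

    def can_login(self, username: str) -> bool:
        """Login is refused for unknown accounts and for accounts still locked."""
        acct = self.accounts.get(username)
        return acct is not None and not acct["locked"]


if __name__ == "__main__":
    store = AccountStore()
    link_token = store.register("alice", "alice@example.test")   # constructed address
    print("locked before confirmation:", not store.can_login("alice"))
    print("confirmed:", store.confirm(link_token))
    print("can log in now:", store.can_login("alice"))
```

The expiry and single-use checks are what keep an old confirmation e-mail from unlocking an account later, and keeping the nonce server-side means a guessed username alone yields nothing. A real deployment would also rate-limit confirm() and tie the link to the configurable e-mail template the slide mentions.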
  
Demo

Business Model

More Information!

๏ The slides and webinar will be available soon.
๏ Please refer to the Identity Server documentation - https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation

Contact us!
  
