NYC Identity Summit Tech Day: Authorization for the Modern World
•
0 likes•493 views
Tech Day presentation at the 2016 NY Identity Summit by Victor Ake, co-founder & VP, Customer Innovation, ForgeRock Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (6)
Similar to NYC Identity Summit Tech Day: Authorization for the Modern World
Similar to NYC Identity Summit Tech Day: Authorization for the Modern World (20)
More from ForgeRock
More from ForgeRock (20)
Recently uploaded
Recently uploaded (20)
NYC Identity Summit Tech Day: Authorization for the Modern World
- 1. © 2016 ForgeRock. All rights reserved. AUTHORIZATION FORTHE MODERN WORLD I AM AUTHENTICATED! NOW…WHATIS ITTHATI CAN DO? 1 VÍCTOR AKÉ CO-FOUNDER &VP CUSTOMER INNOVATION FORGEROCK victor.ake@forgerock.com
- 2. © 2016 ForgeRock. All rights reserved. REQUIREMENTS FORTHE DIGITAL ERA UNIFIED IDENTITY BEING IN CONTROLOF ACCOUNT, DATA AND ACCESS REGARDLESSOF IT’S SOURCE UNIFIED FLOWS ABILITYTO AUTHENTICATE AND AUTHORIZE RELIABLYFOR ANY IDENTITY UNIFIED ARCHITECTURE KNOWYOU CAN TRUST AN IDENTITYWITHOUT BEING AWARE OF THE PROTOCOL
- 3. © 2016 ForgeRock. All rights reserved. AUTHENTICATION Authentication Service CONTEXTUAL ADAPTIVE STRENGHTS MULTIFACTOR EXTENSIBLE FRICTIONLESS Module STEP UP Module Module Custom Module ANY IDENTITY PLUG-IN SCRIPTABLE EXTERNAL CREDSTORES EXTERNAL CREDSTORES
- 4. © 2016 ForgeRock. All rights reserved. AUTHENTICATION FORMODERNAND LEGACY SYSTEMS § 24+ OUT-OF-BOX MODULES INCLUDING DEVICEID, OTP, ADAPTIVERISK, GOOGLE, FACEBOOK, MS § AUTHENTICATIONMETHODSCAN BE CHAINEDTOGETHERFOR ENFORCING DIFFERENTLEVELS OR STRENGTHOF SECURITY § SCRIPTEDAUTHNMODULES EXTEND FUNCTIONALITYON CLIENTSIDEAND SERVERSIDE USING GROOVYAND JAVASCRIPT Create New Authentication Chain SAML2 Authentication Adaptive Risk / Device ID ForgeRock Mobile Authenticator Save Device Profile
- 5. © 2016 ForgeRock. All rights reserved. ADAPTIVE RISK ENABLESBETTER USER EXPERIENCE § THE ADAPTIVE RISK MODULE ASSESSES THE RISK BASED ON PRE-CONFIGURED PARAMETERS § OVER 20 PARAMETERS, INCLUDING IP ADDRESS, IP HISTORY, COOKIE VALUE, LOGIN HISTORY, GEO-LOCATION, ETC. § RISK SCORES ABOVE THE RISK THRESHOLD REQUIRE ADDITIONAL STRONGER AUTHENTICATION § CAN BE USED IN AUTHENTICATIONCHAIN OR FOR STEP-UP RE-AUTHENTICATION 94 RISK SCORE
- 6. © 2016 ForgeRock. All rights reserved. FORGEROCKAUTHENTICATOR § MULTI-FACTORAUTHENTICATIONWITH ONE-TIMEPASSWORDSCAN BE DELIVEREDVIAMAIL, SMS OR USING THE FORGEROCK MOBILE AUTHENTICATORAPPFOR IOS AND ANDROID § CONTEXTUSINGADAPTIVEAUTHNAND DEVICEID CANADD ADDITIONALLEVEL OF ASSURANCE § THIRD PARTYOPTIONS FOR SMART CARDS, BIOMETRICS,MOBILE PHONE AS ATOKEN,ETC. OneTime Password 585026
- 7. © 2016 ForgeRock. All rights reserved. AUTHORIZATION
- 8. © 2016 ForgeRock. All rights reserved. AUTHORIZATIONTERMINOLOGY PEP PDP PIP PAP PRP PROTECTED RESOURCE PEP – POLICY ENFORCEMENTPOINT PDP – POLICY DECISION POINT PIP – POLICY INFORMATION POINT PRP – POLICY RETRIEVALPOINT PAP – POLICY ADMINSTRATION POINT CLIENT ADMIN
- 9. © 2016 ForgeRock. All rights reserved. RBAC - ROLE BASEDACCESS CONTROL Role A Role B Role C P P P P P P P P P P P PermissionsRoles § MODEL WIDELY USED IN THE ENTERPRISE § HEAVY ARCHITECTING WORK TO DEFINE ROLES AND PERMISSIONS § NOTVERYAGILE WHEN IT COMES TO CONTEXTUAL AUTHORIZATION § EASYTO AUDIT § EASYTO ADMINISTER
- 10. © 2016 ForgeRock. All rights reserved. Authorization Engine ABAC -ATTRIBUTE BASEDACCESS CONTROL A A A A A A A A A A A A A A Policies § MODEL ADOPTED FOR ENTERPRISE AND CUSTOMER FACING APPS § CONTEXT AWARE USING ENVIRONMENTAL ATTRIBUTES § RULES EVALUATED IN REALTIME BY THE AUTHORIZATION ENGINE § FINE GRAINEDACCESS CONTROL § MORE AGILE § REQUIRES BETTER ADMINISTRATION § ROLE NAMES MIGHT BE SEEN AS ATTRIBUTES PIP
- 11. © 2016 ForgeRock. All rights reserved. IDENTITYRELATIONSHIPS Located at § RELATIONSHIPS CONVEY AUTHORIZATION INFORMATION § CAN BE USED TO FEED A POLICY ENGINE TOGETHER WITH ATTRIBUTES
- 12. © 2016 ForgeRock. All rights reserved. AUTHORIZATION SERVICE Authorization Service CONTEXTUAL ABAC RELATIONSHIPS EXTENSIBLE FRICTIONLESS Resource RBAC ANY IDENTITY Directory 3rd Party Subject Environemt Response Attributes Scripted
- 13. © 2016 ForgeRock. All rights reserved. OAUTH2/OIDC RESOURCE SERVER RESOURCE REQUEST AUTHORIZATION SERVER OAUTH2/ OPENID CONNECT SERVER CLIENT RESOURCE OWNER ACCESS TOKEN REQUEST AUTHORIZATION REQUEST CONSENT
- 14. © 2016 ForgeRock. All rights reserved. API PROTECTION – UMA USERMANAGEDACCESS RESOURCE SERVER AUTHORIZATION SERVER OAUTH2/ OPENID CONNECT/ UMASERVER CLIENT RESOURCE OWNER FINE GRAINED CONSENT REQUESTING PARTY
- 15. © 2016 ForgeRock. All rights reserved. API PROTECTION § TOKENBASEDAUTHORIZATION § API INSPECTSTHE REQUESTSAND LOOKS FOR AVALID AUTHORIZATIONTOKEN § USE STANDARDS § OAUTH2.0 § OPENID CONNECT § JWT API Request Access AUTHORIZATION LAYER
- 16. © 2016 ForgeRock. All rights reserved. JSONWEB TOKEN (JWT) JSON WEB TOKEN (JWT) IS A MEANS OF REPRESENTING CLAIMS TO BE TRANSFERRED BETWEEN TWO PARTIES. THE CLAIMS INA JWT ARE ENCODED AS AJSON OBJECT THAT IS DIGITALLYSIGNED USING JSON WEB SIGNATURE (JWS) AND/OR ENCRYPTED USING JSON WEB ENCRYPTION (JWE). AS DEFINED BYTHE OPENID FOUNDATION
- 17. © 2016 ForgeRock. All rights reserved. HOW DO WE ENFORCE AUTHENTICATION AND AUTHORIZATION?
- 18. © 2016 ForgeRock. All rights reserved. POLICYAGENTS POLICY AGENTS OPENAM POLICY AGENTS FOR APPLICATIONSTHAT CAN CONSUME HTTPHEADERS WEB APPLICATION HTTP HEADERS
- 19. © 2016 ForgeRock. All rights reserved. POLICYAGENTS POLICY AGENT + REVERSE PROXY OPENAM POLICY AGENTS FOR APPLICATIONSTHAT CAN CONSUME HTTPHEADERS WEB APPLICATION HTTP HEADERS
- 20. © 2016 ForgeRock. All rights reserved. OPEN IDENTITYGATEWAY OPENIG (OPEN IDENTITYGATEWAY) FOR APPLICATIONSTHAT CAN NOTCONSUME HTTPHEADERS, TO PROTECTAPIS AND INTEGRATEUSING OAUTH2/OIDC/SAML2 & UMA WEB APPLICATION REPLAY CREDENTIALS PROTECTAPIs USING OAUTH2/OIDC & UMA SAML2 RELYING PARTY
- 21. © 2016 ForgeRock. All rights reserved. PROGRAMMATICALLY USING REST REST/OAUTH2/OPENIDCONNECT/UMA DEVELOPER FRIENDLYINTEGRATIONFO NEWAPPLICATIONS REST/ OAUTH/ OIDC/UMA WEB APPLICATION
- 22. © 2016 ForgeRock. All rights reserved. DEMO ROOMS APPLICATION JWTIN ACCESS CARD AUTHORIZATION SERVICE RESOURCE SUBJECT ENV RESPONSE ATTRIBUTES room://* Check OIDC/JWTclaims: iss, Role & audience JWTVerifier script: Validate signature. JWTVerifier script: Extract claims and adds them to the response JWTToken with claims: iss: idp123 audience: openam1.example.com sub: victor.ake@forgerock.com Role: Manager GivenName: Victor Surname: Ake Get me your JWTToken I want to useroom://1 Here my JWTToken Here what subject Can do in room://1
- 23. © 2016 ForgeRock. All rights reserved. ForgeRock ForgeRock ForgeRockIdentity ForgeRock Forgerock.com Blog.forgeroclk.com THANK YOU FOR THE FISH! CREDITS and THANKS to: Simon Moffat (simon.moffatt@forgerock.com) for the JWT token validator and the whole idea for this demo: https://forgerock.org/2016/05/federated-authorization-using-3rd-party-jwts/ Some Icons used in this presentation: Icon made by Freepik from www.flaticon.com VÍCTOR AKÉ CO-FOUNDER &VP CUSTOMER INNOVATION FORGEROCK victor.ake@forgerock.com