An answer to your common XACML dilemmas


Asela Pathberiya
Senior Software Engineer
WSO2

- Founded in 2005 by acknowledged leaders in XML, Web Services technologies & standards, and open source
- Produces an entire middleware platform, 100% open source under the Apache license
- Business model is to sell comprehensive support & maintenance for its products
- Venture funded by Intel Capital and Quest Software
- Global corporation with offices in the USA, UK & Sri Lanka
- 150+ employees and growing
What are we going to cover

- What is XACML?
- Why is XACML important for your organization?
- What are the disadvantages of XACML?
- How can WSO2 Identity Server help you overcome those disadvantages?
ETag Group

ETag Group is a trading company established in 2001.
Application System

ETag Group deployed its first application system in 2005.
Authentication

The application system included an authentication mechanism.
Authentication

Some functions and data in the application system must not be accessible to every employee in the company.
Therefore authentication alone is not enough: the system also has to decide what an authenticated user is allowed to do.
Authorization

ETag Group wanted to build authorization logic for its application system.
Role Based Access Control (RBAC)

Users who share the same set of privileges are put into a role, and permissions are assigned to that role.
Growth of ETag Group
Effect of company growth

- The number of application systems increased, and authorization logic had to be implemented for each of them.
- The authorization logic became more complex.
- The authorization logic needed to be updated frequently.
- Maintaining the authorization logic became a tricky task.
Meeting

Decided to implement a new authorization system.
ETag Common Authorization System (ECAS)

Denis was asked to lead the "ECAS" project.

The "ECAS" project must fulfil the following six requirements, as decided in the board meeting.
Externalized

The authorization system is not bound to any one application. Each application must be able to query a single authorization system for all of its authorization decisions.
Policy based

Authorization logic can be modified frequently without any source-code changes.
Standardized

The technology used to design the system must be a recognized standard, so that even business managers and external people are familiar with it.
Attribute Based

"Resource X can be accessed by users who are from the etag.com domain and whose age is not less than 18 years."
Fine-grained

Fine-grained control must be achieved without defining a large number of static combinations in the source code or database.
Real Time

"Can user Bob transfer amount X from current account Y between 9.00 am and 4.00 pm?"
The answer depends on values known only at request time (here the current time), so the decision has to be evaluated when the request is made rather than precomputed.

Externalized
Policy based
Standardized
Attribute based
Fine-grained
Dynamic

Authorization Solution
XACML

XACML stands for eXtensible Access Control Markup Language.
It is a standard ratified by the OASIS standards organization.

The first meeting: 21 March 2001
XACML 1.0 - OASIS Standard - 6 February 2003
XACML 1.1 - Committee Specification - 7 August 2003
XACML 2.0 - OASIS Standard - 1 February 2005
XACML 3.0 - Committee Specification - 10 August 2010 (ratified as an OASIS Standard on 22 January 2013)

Policy language implemented using XML.
Externalization is provided by the XACML reference architecture: the Policy Enforcement Point (PEP) intercepts the access request in the application, the Policy Decision Point (PDP) evaluates it against the policies, the Policy Administration Point (PAP) is where policies are written and managed, and the Policy Information Point (PIP) supplies attribute values the PDP needs.
Attribute Based Access Control (ABAC)
Fine-grained authorization

Fine-grained authorization with a higher level of abstraction by means of policy sets, policies and rules.
Real-time evaluation
XACML Implementation for ECAS

Denis was really happy, as he had found a solution for all the requirements.

Denis thought of starting to implement an XACML-based authorization system for the ECAS project.
Meeting
"Denis, it is hard to implement an XACML solution from scratch."

"It is better to find an existing implementation and plug it into the ECAS project."
Meeting

"We need a closer look at XACML... Let's have a review of it."
Disadvantages

- The performance of an XACML-based authorization system would be lower than that of the existing system.
- Complexity of defining and managing XACML policies.
- How to integrate the current authorization logic into the new system as XACML policies.
- How to provide a standard interface for communicating with the PDP.
- Would the PDP be able to handle a large number (10,000 to 100,000) of policies?
- How to achieve reliability and high availability.
- Can XACML solutions answer "What are the resources that Bob can access?"
XACML Implementations
An Open Source XACML Implementation
"Open source XACML solution, WSO2 Identity Server. Just download it and run the PDP without any configuration. How fast is that? I do not want to write mail asking for evaluation copies."

"I can just write a simple XACML policy and try this out... Nice web-based UI."
WSO2 Identity Server
Performance bottleneck

- Performance would be lower than that of traditional authorization systems: every access decision becomes a call to an external PDP instead of an in-process check.
- It is a trade-off for the advantages offered.
- But the WSO2 Identity Server team has identified this performance bottleneck and provided a solution that overcomes it to a great extent:
  caching technologies
  Thrift protocol for PDP - PEP communication
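The following Python block is an added example, not WSO2 Identity Server's cache code. It shows the two properties a PEP-side decision cache needs before it is safe to use as the performance fix described above: the cache key has to cover the entire request (every attribute the policy could evaluate), and entries have to be invalidated when the policy set changes, not only when a TTL runs out. The PDP inside it is a stand-in with a call counter so the saved round trips are visible; its single rule, the user "bob" and the "reports" resource are constructed for the demo.

```python
"""PEP-side decision cache: added example, not WSO2 Identity Server's cache.

Two properties a decision cache needs: its key must cover the whole request
(every attribute the policy could evaluate), and an entry must be dropped when
the policy set changes, not only when its TTL runs out. The PDP here is a
stand-in with a call counter so the saved round trips are visible; its single
rule, the user "bob" and the "reports" resource are constructed for the demo."""
import json
import time
from dataclasses import dataclass


class StandInPDP:
    """Minimal PDP: permits the (domain, resource, action) triples in its policy."""
    def __init__(self):
        self.calls = 0
        self.version = 1                       # bumped on every policy change
        self.permitted = {("etag.com", "reports", "read")}

    def update_policy(self, permitted):
        self.permitted = set(permitted)
        self.version += 1

    def decide(self, request):
        self.calls += 1
        subject = request["subject"]
        if "domain" not in subject:            # required attribute missing
            return "Indeterminate"
        triple = (subject["domain"], request["resource"], request["action"])
        return "Permit" if triple in self.permitted else "Deny"


@dataclass
class Entry:
    decision: str
    version: int
    expires: float


class DecisionCache:
    def __init__(self, pdp, ttl_seconds=30.0, clock=time.monotonic):
        self.pdp, self.ttl, self.clock = pdp, ttl_seconds, clock
        self.entries = {}
        self.hits = 0

    @staticmethod
    def key(request):
        # Canonical JSON of the entire request (subject, resource, action,
        # environment). Keying on a subset, e.g. the user id alone, would let
        # a Permit for one resource be replayed for another.
        return json.dumps(request, sort_keys=True, separators=(",", ":"))

    def decide(self, request):
        key, now = self.key(request), self.clock()
        entry = self.entries.get(key)
        if entry and entry.version == self.pdp.version and entry.expires > now:
            self.hits += 1
            return entry.decision
        decision = self.pdp.decide(request)
        # Only definitive answers are cached; Indeterminate usually means a
        # transient problem (missing attribute, PIP down) and must be retried.
        if decision in ("Permit", "Deny"):
            self.entries[key] = Entry(decision, self.pdp.version, now + self.ttl)
        else:
            self.entries.pop(key, None)
        return decision


def demo():
    """Constructed scenario: a repeated request is served from the cache, then
    the policy changes and the cache must stop serving the old Permit."""
    pdp = StandInPDP()
    now = [0.0]                                # fake clock, advanced by hand
    cache = DecisionCache(pdp, ttl_seconds=30.0, clock=lambda: now[0])
    req = {"subject": {"id": "bob", "domain": "etag.com"},
           "resource": "reports", "action": "read", "environment": {}}
    first = cache.decide(req)                  # miss: PDP called
    second = cache.decide(req)                 # hit: PDP not called
    pdp.update_policy([])                      # reports withdrawn from everyone
    third = cache.decide(req)                  # version changed: re-evaluated
    now[0] += 31.0
    fourth = cache.decide(req)                 # TTL expired: re-evaluated
    return first, second, third, fourth, pdp.calls, cache.hits


if __name__ == "__main__":
    print(demo())  # ('Permit', 'Permit', 'Deny', 'Deny', 3, 1)
```

The version check is what makes the cache safe when the PAP publishes a policy change: without it the second Permit for bob would keep being served for the rest of the TTL after the rule was withdrawn. A clustered deployment needs the same signal from every PDP node, which is why a policy version (or a distributed invalidation) belongs in the design, not just a TTL.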
Caching
Load Test Figures

Environment
Intel(R) Xeon(R) CPU X3440 @ 2.53GHz, 4 GB RAM, OS Debian 6.0 (64-bit), with a single instance of Identity Server [-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]

Policy complexity
L1: 10 rules per policy, each rule dealing with 1 attribute
L2: 100 rules per policy, each rule dealing with more than 10 attributes

Requests
One million XACML requests, randomly drawn from a pool of 10,000 distinct requests.

Resources
http://people.wso2.com/~asela/xacml_load_test/
Load Test Result - Caching
Load Test Result - Thrift
Complexity of defining and managing XACML policies

A web-based UI acts as the PAP for defining and managing XACML policies.
XACML Policy Editors

Two policy editors: basic and advanced.
Integrating current authorization logics
Standard interface for PDP and PAP

All PDP and PAP functionality is exposed as web services.
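An added example of the PEP side of that interface, not WSO2 Identity Server's client code: it builds the standard XACML 3.0 Request document that a PDP web service evaluates and reduces the Response to an allow or deny bit, failing closed on anything other than an exact Permit. The SOAP or HTTP transport is left to a caller-supplied send_fn; the sample responses and the offline fake_pdp are constructed, not captured from a real server.

```python
"""PEP side of a PDP exposed as a web service: added example, not WSO2
Identity Server's client. Builds the XACML 3.0 <Request> document a PDP
endpoint evaluates and reduces the <Response> to an allow/deny bit that fails
closed. Transport (SOAP/HTTP) is the caller's send_fn; the responses and the
offline fake_pdp below are constructed, not captured from a real server."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def build_request(subject, resource, action, subject_attrs=None):
    """Serialise a single-decision XACML 3.0 <Request> with string attributes."""
    ET.register_namespace("", NS)
    req = ET.Element(f"{{{NS}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    categories = {SUBJECT: {SUBJECT_ID: subject, **(subject_attrs or {})},
                  RESOURCE: {RESOURCE_ID: resource}, ACTION: {ACTION_ID: action}}
    for category, attrs in categories.items():
        holder = ET.SubElement(req, f"{{{NS}}}Attributes", Category=category)
        for attr_id, value in attrs.items():
            attr = ET.SubElement(holder, f"{{{NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=XS_STRING).text = str(value)
    return ET.tostring(req, encoding="unicode")


def is_permitted(response_xml):
    """Fail closed: only a single, exact Permit grants access. Deny,
    NotApplicable, Indeterminate, several Results, a missing <Decision> or an
    unparseable document all mean no access. A PEP that tests `!= "Deny"`
    instead would let NotApplicable through."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    decisions = [d.text for d in root.iter(f"{{{NS}}}Decision")]
    return len(decisions) == 1 and decisions[0] == "Permit"


def check_access(send_fn, subject, resource, action, **subject_attrs):
    """send_fn posts the request XML to the PDP and returns the response XML."""
    return is_permitted(send_fn(build_request(subject, resource, action, subject_attrs)))


# Constructed responses in the shape the XACML 3.0 schema prescribes.
PERMIT = f'<Response xmlns="{NS}"><Result><Decision>Permit</Decision></Result></Response>'
NOT_APPLICABLE = f'<Response xmlns="{NS}"><Result><Decision>NotApplicable</Decision></Result></Response>'
INDETERMINATE = (f'<Response xmlns="{NS}"><Result><Decision>Indeterminate</Decision><Status>'
                 '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>'
                 '</Status></Result></Response>')


def fake_pdp(request_xml):
    """Offline stand-in for the web service: bob may read reports, nothing else."""
    root = ET.fromstring(request_xml)
    values = {a.get("AttributeId"): a[0].text for a in root.iter(f"{{{NS}}}Attribute")}
    wanted = (values.get(SUBJECT_ID), values.get(RESOURCE_ID), values.get(ACTION_ID))
    return PERMIT if wanted == ("bob", "reports", "read") else NOT_APPLICABLE


if __name__ == "__main__":
    print(build_request("bob", "reports", "read", {"domain": "etag.com"}))
    print(check_access(fake_pdp, "bob", "reports", "read", domain="etag.com"))  # True
```

The point of is_permitted is the fail-closed mapping: NotApplicable (no policy matched) and Indeterminate (the PDP could not decide, for example because a PIP was unreachable) are both "no access", and a response carrying more than one Result is rejected rather than having its first decision trusted. Whatever transport the real endpoint uses, send_fn should also authenticate the PEP to the PDP and run over TLS, since anything that can spoof the response can mint a Permit.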
Handling a large number of policies

Policy distribution
On-demand policy loading
Reliability and High Availability

PDP clustering
Listing entitled resources for a user
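The following Python block is an added example (not code from WSO2 Identity Server) that serves two passages: the XACML description earlier in the deck (policy language in XML, attribute-based and fine-grained rules, real-time evaluation) and the question above of which resources a user is entitled to. It encodes the ETag requirement "users from the etag.com domain who are at least 18" as an XACML 3.0 policy with a Permit rule and a deny-overrides Deny rule, evaluates requests against it with a toy PDP that implements only the subset of the language the policy uses, and answers "what can Bob access?" by querying that PDP once per candidate resource. The attribute ids domain and age, the resource names and the sample users are assumptions made for the demo; the category, function and data-type URIs are the standard XACML ones.

```python
"""Toy XACML 3.0 PDP: added example, not WSO2 Identity Server code.
Implements only Rule/Condition/Apply/AttributeDesignator/AttributeValue, five
standard functions and a simplified deny-overrides algorithm, enough to run the
ETag requirement offline. The attribute ids "domain"/"age", the resource names
and the sample users are assumptions; the URIs are the standard XACML ones."""
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STR = "http://www.w3.org/2001/XMLSchema#string"
INT = "http://www.w3.org/2001/XMLSchema#integer"
F = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed policy: etag.com users aged 18+ may access "reports"; nobody may delete them.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="etag-reports" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="adults-from-etag-access-reports" Effect="Permit">
    <Condition><Apply FunctionId="{F}and">
      <Apply FunctionId="{F}string-equal"><AttributeValue DataType="{STR}">reports</AttributeValue>
        <Apply FunctionId="{F}string-one-and-only"><AttributeDesignator Category="{RESOURCE}"
          AttributeId="{RES_ID}" DataType="{STR}" MustBePresent="true"/></Apply></Apply>
      <Apply FunctionId="{F}string-equal"><AttributeValue DataType="{STR}">etag.com</AttributeValue>
        <Apply FunctionId="{F}string-one-and-only"><AttributeDesignator Category="{SUBJECT}"
          AttributeId="domain" DataType="{STR}" MustBePresent="true"/></Apply></Apply>
      <Apply FunctionId="{F}integer-greater-than-or-equal">
        <Apply FunctionId="{F}integer-one-and-only"><AttributeDesignator Category="{SUBJECT}"
          AttributeId="age" DataType="{INT}" MustBePresent="true"/></Apply>
        <AttributeValue DataType="{INT}">18</AttributeValue></Apply>
    </Apply></Condition>
  </Rule>
  <Rule RuleId="nobody-deletes-reports" Effect="Deny">
    <Condition><Apply FunctionId="{F}string-equal"><AttributeValue DataType="{STR}">delete</AttributeValue>
      <Apply FunctionId="{F}string-one-and-only"><AttributeDesignator Category="{ACTION}"
        AttributeId="{ACT_ID}" DataType="{STR}" MustBePresent="true"/></Apply></Apply></Condition>
  </Rule>
</Policy>"""

class Indeterminate(Exception): """Required attribute missing, or bag not a single value."""

def _one(bag):
    if len(bag) != 1:
        raise Indeterminate("bag must hold exactly one value")
    return bag[0]

FUNCS = {F + "string-equal": lambda a, b: a == b,
         F + "integer-greater-than-or-equal": lambda a, b: a >= b,
         F + "string-one-and-only": _one, F + "integer-one-and-only": _one}

def _eval(node, request):
    """Evaluate a Condition expression; request is {category: {attr_id: [values]}}."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return int(node.text) if node.get("DataType") == INT else node.text
    if tag == "AttributeDesignator":
        bag = request.get(node.get("Category"), {}).get(node.get("AttributeId"), [])
        if not bag and node.get("MustBePresent") == "true":
            raise Indeterminate("missing " + node.get("AttributeId"))
        return list(bag)
    fid = node.get("FunctionId")
    if fid == F + "and":  # XACML 'and' short-circuits left to right
        return all(_eval(child, request) for child in node)
    return FUNCS[fid](*(_eval(child, request) for child in node))

def decide(policy_xml, request):
    """Return Permit, Deny, NotApplicable or Indeterminate for one request."""
    results = []
    for rule in ET.fromstring(policy_xml).findall(f"{{{NS}}}Rule"):
        cond = rule.find(f"{{{NS}}}Condition")
        try:
            applies = cond is None or _eval(cond[0], request)
            results.append(rule.get("Effect") if applies else "NotApplicable")
        except Indeterminate:
            results.append("Indeterminate")
    # Simplified deny-overrides: Indeterminate{D,P,DP} collapsed into one conservative result.
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"

def request_for(subject, action, resource):
    return {SUBJECT: subject, ACTION: {ACT_ID: [action]}, RESOURCE: {RES_ID: [resource]}}

def entitled_resources(policy_xml, subject, action, candidates):
    """'Which of these resources can this user access?': ask the PDP once per
    candidate; anything other than Permit (including Indeterminate) is no access."""
    return [r for r in candidates
            if decide(policy_xml, request_for(subject, action, r)) == "Permit"]

BOB = {"domain": ["etag.com"], "age": [34]}          # constructed sample users
PARTNER = {"domain": ["partner.example"], "age": [41]}

if __name__ == "__main__":
    print(decide(POLICY, request_for(BOB, "read", "reports")), decide(POLICY, request_for(BOB, "delete", "reports")))
    print(entitled_resources(POLICY, PARTNER, "read", ["reports"]), entitled_resources(POLICY, BOB, "read", ["reports", "payroll"]))
```

The combining behaviour is visible in the samples: bob reading reports is Permit, bob deleting reports satisfies both rules and deny-overrides returns Deny, the partner-domain user gets NotApplicable, and a request that omits age gets Indeterminate because the designator is marked MustBePresent. entitled_resources treats everything except Permit as no access. Re-querying the PDP per candidate is the simplest way to answer the entitlement question and costs one evaluation per resource, so at tens of thousands of resources a PDP needs a smarter policy search, but the fail-closed rule does not change: only a Permit lists a resource.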
What we discussed today

- Identified XACML as a standard way of implementing authorization
- How XACML answers the authorization requirements of your organization
- What the negative points of XACML are
- How WSO2 Identity Server has provided an answer to them
References

www.oasis-open.org/committees/xacml
http://xacmlinfo.com/
http://blog.facilelogin.com
Q and A
Customers
WSO2 Engagement Model
QuickStart
Development Support
Development Services
Production Support
Turnkey Solutions
WSO2 Mobile Services Solution
WSO2 FIX Gateway Solution
WSO2 SAP Gateway Solution
Thank You...!!!
Contact Us...
bizdev@wso2.com

The WSO2 Identity Server - An answer to your common XACML dilemmas

  • 1. An answer to your common XACML dilemmas Asela Pathberiya Senior Software Engineer
  • 2. WSO2: Founded in 2005 by acknowledged leaders in XML, Web Services technologies and standards, and open source; producing an entire middleware platform, 100% open source under the Apache license; business model is to sell comprehensive support and maintenance for our products; venture funded by Intel Capital and Quest Software; global corporation with offices in the USA, UK and Sri Lanka; 150+ employees and growing.
  • 3. What are we going to cover: What is XACML? Why is XACML important for your organization? What are the disadvantages of XACML? How can WSO2 Identity Server help you overcome those disadvantages?
  • 4. ETag Group: ETag group is a trading company that was established in 2001.
  • 5. Application System: ETag group deployed their 1st Application System in 2005.
  • 6. Authentication: The Application System included an authentication mechanism.
  • 7. Authentication: Some functions and data in the Application System must not be accessed by all employees in the company. Therefore, authentication is not enough!
  • 8. Authorization: ETag group wanted to build authorization logic for their Application System.
  • 9. Role Based Access Control (RBAC): A set of people who have the same privileges is put into a role, and permissions are assigned to that role.
  • 10. Role Based Access Control (RBAC)
  • 11. Growth of ETag Group, effect of company growth: The number of Application Systems increased, and authorization logic had to be implemented for each one; authorization logic became more complex; authorization logic had to be updated frequently; maintaining the authorization logic became a tricky task.
  • 12. Meeting: Decided to implement a new authorization system.
  • 13. ETag Common Authorization System (ECAS): Denis was asked to lead the “ECAS” project; the “ECAS” project must fulfill the following six requirements, as decided in the board meeting.
  • 14. Externalized: The authorization system is not bound to an application. Each application must be able to query a single authorization system for all authorization queries.
  • 15. Policy based: Authorization logic can be modified frequently without any source code changes.
  • 16. Standardized: Even business managers and external people must be aware of the technology used to design this.
  • 17. Attribute Based: “Resource X can be accessed by users who are from the etag.com domain and whose age is not less than 18 years.”
  • 18. Fine-grained: Fine granularity must be achieved without defining a large number of static combinations in the source code or database.
  • 19. Real Time: “Can user Bob transfer X amount from current account Y between 9.00am and 4.00pm?”
  • 20. Authorization Solution: Externalized; Policy based; Standardized; Attribute based; Fine-grained; Dynamic.
  • 22. XACML: XACML is the standard eXtensible Access Control Markup Language.
  • 23. A standard ratified by the OASIS standards organization. The first meeting: 21st March 2001; XACML 1.0, OASIS Standard, 6 February 2003; XACML 1.1, Committee Specification, 7th August 2003; XACML 2.0, OASIS Standard, 1 February 2005; XACML 3.0, OASIS Standard, 10th Aug 2010.
  • 25. Externalization is provided by the XACML reference architecture.
  • 26. Attribute Based Access Control (ABAC)
  • 27. Fine-grained authorization: Fine-grained authorization with a higher level of abstraction by means of policy sets, policies and rules.
  • 29. XACML Implementation for ECAS: Denis was really happy, as he had found the solution for all requirements. Denis decided to start implementing an XACML-based authorization system for the ECAS project.
  • 30. Meeting: “Denis, it is hard to implement an XACML solution from scratch.” “It is better to find an existing implementation and plug it into the ECAS project.”
  • 31. Meeting: “We need a closer look at XACML... Let's have a review of it.”
  • 32. Disadvantages: Performance of an XACML-based authorization system would be lower than the existing system; complexity of defining and managing XACML policies; how to integrate the current authorization logic into the new system as XACML policies; how to provide a standard interface to communicate with the PDP; whether the PDP would be able to handle a large number (10000 to 100000) of policies; how to achieve reliability and high availability; can XACML solutions support "What are the resources that Bob can access?"
  • 34. An Open source XACML Implementation: "Open source XACML solution, WSO2 Identity Server: just download it and run the PDP without any configuration. How fast is that..? I do not want to write mail asking for evaluation copies." "I can just write a simple XACML policy and try this out... Nice web-based UI."
  • 37. Performance bottleneck: There would be lower performance than traditional authorization systems; it is a trade-off for the advantages offered; but the WSO2 Identity Server team has identified this performance bottleneck and has provided a solution to overcome it to a great extent: caching technologies; Thrift protocol for PDP to PEP communication.
  • 39. Load Test Figures: Environment: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS Debian 6.0 (64-bit), with a single instance of Identity Server [-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]; Policy complexity: L1: 10 rules per policy, each rule dealing with 1 attribute; L2: 100 rules per policy, each rule dealing with more than 10 attributes; Requests: one million XACML requests, randomly retrieved from a pool of 10 000 different requests; Resources: http://people.wso2.com/~asela/xacml_load_test/
  • 40. Load Test Result - Caching
  • 41. Load Test Result - Thrift
  • 42. Complexity of defining and managing XACML policies: A web-based UI serves as the PAP for defining and managing XACML policies.
  • 43. XACML Policy Editors: Two policy editors, Basic and Advanced.
  • 45. Standard interface for PDP and PAP: All PDP and PAP functionality has been exposed as Web services.
  • 46. Handling a large number of policies: Policy distribution; On-demand policy loading.
  • 47. Reliability and High Availability: PDP clustering.
  • 51. What we discussed today: Identified XACML as a standard way of implementing authorization; how XACML answers the authorization requirements of your organization; what the negative points of XACML are; how WSO2 Identity Server has provided an answer for them.
  • 55. WSO2 Engagement Model: QuickStart; Development Support; Development Services; Production Support; Turnkey Solutions: WSO2 Mobile Services Solution, WSO2 FIX Gateway Solution, WSO2 SAP Gateway Solution.
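A small Python model of the evaluation the slides describe, added here as an illustration; it is not WSO2 Identity Server code and uses Python callables in place of XACML XML. A PEP sends subject, resource, action and environment attributes, the PDP evaluates the policies from slides 17 and 19 under a simplified deny-overrides algorithm (a missing attribute yields Indeterminate, never Permit), and the last function shows why the "what resources can Bob access?" question from slide 32 needs one query per candidate resource. The attribute names and the amount limit in the Deny rule are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

@dataclass
class Rule:
    effect: str                          # "Permit" or "Deny"
    target: Callable[[dict], bool]       # which requests the rule applies to
    condition: Callable[[dict], bool] = lambda r: True

# req is what the PEP sends: {"subject": {...}, "resource": {...}, "action": {...}, "environment": {...}}
def evaluate(rules, req):
    """Simplified XACML deny-overrides: any Deny wins, then Indeterminate
    (a missing attribute is an error, never a Permit), then Permit."""
    results = []
    for rule in rules:
        try:
            if rule.target(req):
                results.append(rule.effect if rule.condition(req) else "NotApplicable")
        except (KeyError, TypeError):
            results.append("Indeterminate")
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"

def business_hours(req):
    return time(9, 0) <= req["environment"]["time"] <= time(16, 0)

# Policy encoding slides 17 and 19; the amount limit in the Deny rule is constructed.
ECAS_POLICY = [
    Rule("Permit",
         target=lambda r: r["resource"]["id"] == "X" and r["action"]["id"] == "read",
         condition=lambda r: r["subject"]["domain"] == "etag.com" and r["subject"]["age"] >= 18),
    Rule("Permit",
         target=lambda r: r["resource"]["id"] == "Y" and r["action"]["id"] == "transfer",
         condition=business_hours),
    Rule("Deny",
         target=lambda r: r["action"]["id"] == "transfer",
         condition=lambda r: r["action"]["amount"] > 10000),
]

def pep_allows(rules, req):
    return evaluate(rules, req) == "Permit"  # fail closed: only an explicit Permit grants access

def accessible_resources(rules, subject, action, candidates, environment):
    """'Which resources can Bob access?' needs one PDP query per candidate resource."""
    return [res for res in candidates if pep_allows(rules, {"subject": subject,
            "resource": res, "action": action, "environment": environment})]
```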