The WSO2 Identity Server - An answer to your common XACML dilemmas
1. An answer to your common XACML dilemmas
Asela Pathberiya
Senior Software Engineer
2. WSO2
Founded in 2005 by acknowledged leaders in XML, Web Services Technologies & Standards and Open Source
Producing an entire middleware platform, 100% open source under the Apache license
Business model is to sell comprehensive support & maintenance for our products
Venture funded by Intel Capital and Quest Software.
Global corporation with offices in USA, UK & Sri Lanka
150+ employees and growing
3. What are we going to cover
What is XACML?
Why is XACML important for your
organization?
What are the disadvantages of
XACML?
How can WSO2 Identity Server help
you to overcome those disadvantages?
7. Authentication
Some functions and data in the Application System
must not be accessed by all employees in the
company.
Therefore authentication alone is not enough!
11. Growth of ETag Group
Effect of company growth
The number of application systems increased. For each application system, authorization logic needed to be implemented.
Authorization logic became more complex.
Authorization logic needed to be updated frequently.
Maintaining the authorization logic became a tricky task.
13. ETag Common Authorization System (ECAS)
Denis was asked to lead the “ECAS” project.
The “ECAS” project must fulfill the following six requirements, as decided in the board meeting.
14. Externalized
The authorization system is not bound to an application. Each application must be able to query a single authorization system for all authorization queries.
23. A standard ratified by the OASIS standards organization
First meeting: 21 March 2001
XACML 1.0 – OASIS Standard – 6 February 2003
XACML 1.1 – Committee Specification – 7 August 2003
XACML 2.0 – OASIS Standard – 1 February 2005
XACML 3.0 – OASIS Standard – 10 August 2010
29. XACML Implementation for ECAS
Denis was really happy, as he had found a solution for all the requirements.
Denis decided to start implementing an XACML-based authorization system for the ECAS project.
30. Meeting
“Denis, it is hard to implement an XACML solution from scratch.”
“It is better to find an existing implementation and plug it into the ECAS project.”
32. Disadvantages
Performance of an XACML-based authorization system would be lower than that of the existing system.
Complexity of defining and managing XACML policies.
How to integrate the current authorization logic into the new system as XACML policies.
How to provide a standard interface to communicate with the PDP.
Whether the PDP would be able to handle a large number (10000–100000) of policies.
How to achieve reliability and high availability.
Can XACML solutions answer "What are the resources that Bob can access?"
34. An Open Source XACML Implementation
"Open source XACML solution, WSO2 Identity Server. Just download it and the PDP can run without any configuration. How fast is that? I do not want to write mails asking for evaluation copies."
"I can just write a simple XACML policy and try this out... Nice web-based UI."
37. Performance bottleneck
Performance would be lower than that of traditional authorization systems.
It is a trade-off for the advantages offered.
But the WSO2 Identity Server team has identified this performance bottleneck and has provided a solution that overcomes it to a great extent:
Caching technologies
Thrift protocol for PDP – PEP communication
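To make the caching point above concrete, here is an added example (not from the slides and not WSO2 Identity Server code): a toy deny-overrides PDP fronted by a PEP-side decision cache. The policy rules, the attribute names (`role`, `resource`) and the request shape are constructed for illustration; the cache is keyed on the canonicalised request, expires entries by TTL, and is flushed whenever the policy version changes, which matters because the slides note that authorization logic is updated frequently.

```python
import hashlib
import json
import time

# Constructed toy policy (not a real XACML document): rules are attribute
# conditions plus an effect, combined deny-overrides; one attribute per rule
# like the L1 load-test policies.
POLICY = {
    "version": 1,
    "rules": [
        {"cond": {"role": "admin"}, "effect": "Permit"},
        {"cond": {"resource": "payroll"}, "effect": "Deny"},
        {"cond": {"role": "hr"}, "effect": "Permit"},
    ],
}

def pdp_evaluate(policy, request):
    """Deny-overrides: a matching Deny wins, else Permit, else NotApplicable."""
    effects = [r["effect"] for r in policy["rules"]
               if all(request.get(k) == v for k, v in r["cond"].items())]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

class CachingPEP:
    """Caches PDP decisions per canonicalised request (TTL-expired, flushed on
    policy version change so an updated policy is never shadowed by a stale Permit)."""
    def __init__(self, policy, ttl=60.0):
        self.policy, self.ttl = policy, ttl
        self.cache, self.cached_version = {}, policy["version"]
        self.pdp_calls = 0  # counts the expensive PDP round trips

    @staticmethod
    def _key(request):
        # Canonical JSON so attribute order does not cause spurious misses
        canon = json.dumps(request, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def decide(self, request, now=None):
        now = time.monotonic() if now is None else now
        if self.policy["version"] != self.cached_version:
            self.cache.clear()
            self.cached_version = self.policy["version"]
        hit = self.cache.get(self._key(request))
        if hit is not None and hit[1] > now:
            return hit[0]  # cache hit: no PDP call
        self.pdp_calls += 1
        decision = pdp_evaluate(self.policy, request)
        self.cache[self._key(request)] = (decision, now + self.ttl)
        return decision
```

The `now` parameter exists only so the TTL behaviour can be driven deterministically; in a real PEP the cache would also need bounding and would normally be keyed on the attributes the policy actually references.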
39. Load Test Figures
Environment: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS - Debian 6.0 (64bit), with a single instance of Identity Server [-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]
Policy complexity:
L1: 10 rules per policy, each rule dealing with 1 attribute
L2: 100 rules per policy, each rule dealing with more than 10 attributes
Requests: one million XACML requests, drawn at random from a pool of 10,000 different requests.
Resources: http://people.wso2.com/~asela/xacml_load_test/
51. What we discussed Today
Identified XACML as a standard way of implementing authorization
How XACML answers the authorization requirements of your organization
What the negative points of XACML are
How WSO2 Identity Server provides an answer to them
55. WSO2 Engagement Model
QuickStart
Development Support
Development Services
Production Support
Turnkey Solutions
WSO2 Mobile Services Solution
WSO2 FIX Gateway Solution
WSO2 SAP Gateway Solution