The WSO2 Identity Server - An answer to your common XACML dilemmas
1. An answer to your common XACML dilemmas. Asela Pathberiya, Senior Software Engineer.
2. WSO2. Founded in 2005 by acknowledged leaders in XML, Web Services technologies and standards, and open source. Producing an entire middleware platform, 100% open source under the Apache license. Business model is to sell comprehensive support and maintenance for our products. Venture funded by Intel Capital and Quest Software. Global corporation with offices in the USA, UK and Sri Lanka. 150+ employees and growing.
3. What are we going to cover. What is XACML? Why is XACML important for your organization? What are the disadvantages of XACML? How can WSO2 Identity Server help you to overcome those disadvantages?
4. ETag Group. ETag Group is a trading company, established in 2001.
5. Application System. ETag Group deployed its first Application System in 2005.
6. Authentication. The Application System included an authentication mechanism.
7. Authentication. Some functions and data in the Application System must not be accessed by all employees in the company. Therefore authentication is not enough!
8. Authorization. ETag Group wanted to build authorization logic for its Application System.
9. Role Based Access Control (RBAC). A set of people who have the same set of privileges is put into a role, and permissions are assigned to that role.
10. Role Based Access Control (RBAC).
11. Growth of ETag Group. Effects of company growth: the number of Application Systems increased. For each application system, authorization logic needed to be implemented. Authorization logic became more complex. Authorization logic needed to be updated frequently. Maintaining authorization logic became a tricky task.
12. Meeting. Decided to implement a new authorization system.
13. ETag Common Authorization System (ECAS). Denis was asked to lead the "ECAS" project. The "ECAS" project must fulfill the following six requirements, as decided in the board meeting.
14. Externalized. The authorization system is not bound to an application. Each application must be able to query a single authorization system for all authorization queries.
15. Policy based. Authorization logic can be modified frequently without any source code changes.
16. Standardized. Even business managers and external people must be aware of the technology which is used to design this.
17. Attribute based. "Resource X can be accessed by users who are from the etag.com domain and whose age is not less than 18 years."
18. Fine-grained. Need to achieve fine granularity without defining a large number of static combinations in the source code or database.
19. Real time. "Can user Bob transfer X amount from current account Y between 9.00am and 4.00pm?"
20. Authorization solution: externalized, policy based, standardized, attribute based, fine-grained, dynamic.
21. XACML. XACML stands for eXtensible Access Control Markup Language.
22. A standard ratified by the OASIS standards organization. The first meeting: 21st March 2001. XACML 1.0 - OASIS Standard - 6 February 2003. XACML 1.1 - Committee Specification - 7th August 2003. XACML 2.0 - OASIS Standard - 1 February 2005. XACML 3.0 - OASIS Standard - 10th Aug 2010.
23. Policy language implemented using XML.
24. Externalization is provided by the XACML reference architecture.
25. Attribute Based Access Control (ABAC).
26. Fine-grained authorization. Fine-grained authorization with a higher level of abstraction by means of policy sets, policies and rules.
27. Real time evaluation.
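To make the requirements on slides 17 and 19 and the XACML concepts on slides 23 to 27 concrete (attribute categories, rules inside policies inside a policy set, combining algorithms, and the NotApplicable and Indeterminate decisions alongside Permit and Deny), here is an added Python model of a minimal PDP. It is an illustration written for this transcript, not code from the presentation or from WSO2 Identity Server. The attribute ids (resource-id, resource-type, action-id, domain, age, current-time), the resource and account names and the sample requests are all constructed; a real PDP would parse the XML policy language from slide 23 rather than Python lambdas, and the real XACML combining algorithms carry more cases than the two simplified here.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, List, Union

# The four XACML decision values.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """A required attribute (XACML MustBePresent="true") is absent from the request."""


@dataclass
class Request:
    """Request attributes grouped by XACML category (attribute ids here are constructed)."""
    subject: Dict[str, Any] = field(default_factory=dict)
    resource: Dict[str, Any] = field(default_factory=dict)
    action: Dict[str, Any] = field(default_factory=dict)
    environment: Dict[str, Any] = field(default_factory=dict)

    def attr(self, category: str, attr_id: str) -> Any:
        bag = getattr(self, category)
        if attr_id not in bag:
            raise MissingAttribute(f"{category}:{attr_id}")
        return bag[attr_id]


def combine(algorithm: str, results: List[str]) -> str:
    """Two XACML combining algorithms, simplified to the four plain decision values."""
    if algorithm == "deny-unless-permit":  # any Permit wins; anything else (incl. Indeterminate) becomes Deny
        return PERMIT if PERMIT in results else DENY
    if algorithm == "first-applicable":  # the first child that is not NotApplicable decides
        return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unsupported combining algorithm: {algorithm}")


@dataclass
class Rule:
    rule_id: str
    effect: str  # PERMIT or DENY
    condition: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE


@dataclass
class Policy:
    """A policy (children are rules) or a policy set (children are policies)."""
    policy_id: str
    target: Callable[[Request], bool]  # which requests this policy applies to at all
    children: List[Union[Rule, "Policy"]]
    algorithm: str = "deny-unless-permit"

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE
        return combine(self.algorithm, [child.evaluate(req) for child in self.children])


# Slide 17: resource X may be accessed by users from etag.com who are at least 18.
RESOURCE_X_POLICY = Policy(
    "resource-x",
    target=lambda r: r.attr("resource", "resource-id") == "resource-x",
    children=[Rule("etag-adults", PERMIT, lambda r:
                   r.attr("subject", "domain") == "etag.com" and r.attr("subject", "age") >= 18)],
)

# Slide 19: transfers from a current account are allowed between 9.00am and 4.00pm.
# The PEP (or the XACML context handler) supplies current-time in the environment category.
TRANSFER_POLICY = Policy(
    "account-transfer",
    target=lambda r: (r.attr("action", "action-id") == "transfer"
                      and r.attr("resource", "resource-type") == "current-account"),
    children=[Rule("business-hours", PERMIT, lambda r:
                   time(9, 0) <= r.attr("environment", "current-time") <= time(16, 0))],
)

# Top-level policy set. Unmatched requests come back NotApplicable, which a PEP must treat as a denial.
ECAS_POLICY_SET = Policy("ecas", lambda r: True, [RESOURCE_X_POLICY, TRANSFER_POLICY],
                         algorithm="first-applicable")


def decide(req: Request) -> str:
    """The PDP entry point: evaluate one request against the whole policy set."""
    return ECAS_POLICY_SET.evaluate(req)


def bob_transfer_at(hour: int, minute: int = 0) -> str:
    """Constructed request: Bob transfers from current account Y at the given time."""
    return decide(Request(subject={"subject-id": "bob", "domain": "etag.com", "age": 30},
                          resource={"resource-id": "account-y", "resource-type": "current-account"},
                          action={"action-id": "transfer"},
                          environment={"current-time": time(hour, minute)}))


def access_resource_x(**subject_attrs: Any) -> str:
    """Constructed request: read resource X with the given subject attributes."""
    return decide(Request(subject=dict(subject_attrs), resource={"resource-id": "resource-x"},
                          action={"action-id": "read"}))


if __name__ == "__main__":
    print(bob_transfer_at(10, 30), bob_transfer_at(18))  # Permit Deny
    print(access_resource_x(domain="etag.com", age=17))  # Deny
    print(access_resource_x(domain="etag.com"))          # Deny (age missing: rule is Indeterminate)
```

Two behaviours are worth noticing. A request that matches no policy target comes back NotApplicable rather than Deny, so the PEP must map anything other than Permit to a refusal; and a missing required attribute makes a rule Indeterminate, which deny-unless-permit turns into Deny, so an attribute lookup failure can never open access.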
28. XACML implementation for ECAS. Denis was really happy, as he had found the solution for all requirements. Denis thought to start implementing an XACML based authorization system for the ECAS project.
29. Meeting. "Denis, it is hard to implement a XACML solution from scratch." "It is better to find an existing implementation and plug it in to the ECAS project."
30. Meeting. "We need a closer look at XACML... Let's have a review on it."
31. Disadvantages. Performance of an XACML based authorization system would be less than the existing system. Complexity of defining and managing XACML policies. How to integrate current authorization logic into the new system as XACML policies. How to provide a standard interface to communicate with the PDP. The PDP would need to handle a large number (10,000 to 100,000) of policies. How to achieve reliability and high availability. Can XACML solutions support "What are the resources that Bob can access?"
32. XACML implementations.
33. An open source XACML implementation. "Open source XACML solution, WSO2 Identity Server. Just download and can run the PDP without any configuration. How fast is that? I do not want to write mail asking for evaluation copies." "I can just write a simple XACML policy and try this out... Nice web based UI."
34. WSO2 Identity Server.
35. WSO2 Identity Server.
36. Performance bottleneck. There would be less performance than traditional authorization systems. It is a trade-off for the advantages offered. But the WSO2 Identity Server team has identified this performance bottleneck and has provided a solution to overcome it to a great extent: caching technologies, and the Thrift protocol for PDP - PEP communication.
37. Caching.
38. Load test figures. Environment: Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS Debian 6.0 (64bit), with a single instance of Identity Server [-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]. Policy complexity: L1: 10 rules per policy, each rule dealing with 1 attribute. L2: 100 rules per policy, each rule dealing with more than 10 attributes. Requests: one million XACML requests. XACML requests are randomly retrieved from a pool of 10,000 different requests. Resources: http://people.wso2.com/~asela/xacml_load_test/
39. Load test result - Caching.
40. Load test result - Thrift.
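Slide 36 names caching as the main mitigation for the performance cost, and slides 38 to 40 report load-test results for it. The page does not describe how WSO2 Identity Server implements its cache, so the following added Python example (not WSO2's code) shows the two properties any decision cache needs so that it does not itself become an authorization bypass: a key that covers the entire request, and invalidation on both policy change and elapsed time. The stand-in evaluator, the attribute names and the timings are constructed for the example.

```python
import hashlib
import json
import time
from typing import Any, Callable, Dict, Tuple


class DecisionCache:
    """Caches definitive PDP decisions, keyed by the canonicalised request.

    A cached decision can go stale in two ways, and both are handled:
      * the PAP changed a policy: policies_changed() drops every entry (in a
        clustered deployment the PAP must notify every PDP node);
      * attributes the PDP resolves itself (time, group membership) may drift,
        so every entry expires after ttl_seconds.
    Indeterminate and NotApplicable results are never cached: they usually come
    from a transient attribute lookup failure or a request outside all targets.
    """

    def __init__(self, evaluate: Callable[[Dict[str, Any]], str],
                 ttl_seconds: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._evaluate = evaluate          # the real (slow) PDP evaluation
        self._ttl = ttl_seconds
        self._clock = clock                # injectable for deterministic tests
        self._entries: Dict[str, Tuple[str, float]] = {}   # key -> (decision, expires_at)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def request_key(request: Dict[str, Any]) -> str:
        # Canonical JSON (sorted keys, no whitespace) so that two requests carrying the
        # same attributes map to the same key regardless of attribute order.
        canonical = json.dumps(request, sort_keys=True, separators=(",", ":"), default=str)
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def policies_changed(self) -> None:
        """Invalidate everything; called by the PAP after any policy update."""
        self._entries.clear()

    def decide(self, request: Dict[str, Any]) -> str:
        key = self.request_key(request)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.misses += 1
        decision = self._evaluate(request)
        if decision in ("Permit", "Deny"):
            self._entries[key] = (decision, now + self._ttl)
        else:
            self._entries.pop(key, None)   # do not keep an older definitive answer around either
        return decision


def demo() -> Tuple[int, int, int, Tuple[str, ...]]:
    """Drive the cache with constructed requests and a fake clock; returns
    (PDP evaluations, cache hits, cache misses, decisions in order)."""
    evaluations = {"n": 0}

    def slow_pdp(req: Dict[str, Any]) -> str:
        # Stand-in for the real PDP; the decision rule itself is not the point here.
        evaluations["n"] += 1
        subject = req.get("subject", {})
        if "domain" not in subject:
            return "Indeterminate"
        return "Permit" if subject["domain"] == "etag.com" else "Deny"

    now = [0.0]
    cache = DecisionCache(slow_pdp, ttl_seconds=60.0, clock=lambda: now[0])
    bob = {"subject": {"id": "bob", "domain": "etag.com"}, "resource": {"id": "resource-x"}}
    bob_reordered = {"resource": {"id": "resource-x"}, "subject": {"domain": "etag.com", "id": "bob"}}
    no_domain = {"subject": {"id": "eve"}, "resource": {"id": "resource-x"}}

    decisions = [cache.decide(bob), cache.decide(bob_reordered)]     # miss, then hit (same key)
    now[0] = 61.0                                                    # past the 60 s TTL
    decisions.append(cache.decide(bob))                              # expired: re-evaluated
    cache.policies_changed()                                         # PAP updated a policy
    decisions.append(cache.decide(bob))                              # invalidated: re-evaluated
    decisions += [cache.decide(no_domain), cache.decide(no_domain)]  # Indeterminate is never cached
    return evaluations["n"], cache.hits, cache.misses, tuple(decisions)


if __name__ == "__main__":
    print(demo())  # (5, 1, 5, ('Permit', 'Permit', 'Permit', 'Permit', 'Indeterminate', 'Indeterminate'))
```

The design choice to stress is the key: if it covered only the subject id, a Permit obtained for one resource or action would be served for every other one, so the whole request must be part of it. The load-test pool of 10,000 distinct requests on slide 38 is exactly the situation where such a cache pays off, because the same full request recurs many times across one million calls.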
41. Complexity of defining and managing XACML policies. Web based UI as PAP for defining and managing XACML policies.
42. XACML policy editors. Two policy editors: Basic and Advanced.
43. Integrating current authorization logic.
44. Standard interface for PDP and PAP. All PDP and PAP functionality has been exposed as Web services.
45. Handling a large number of policies. Policy distribution. On demand policy loading.
46. Reliability and high availability. PDP clustering.
47. Listing entitled resources for a user.
48. What we discussed today. Identified XACML as a standard way of implementing authorization. How XACML answers the authorization requirements of your organization. What are the negative points of XACML. How WSO2 Identity Server has provided an answer for them.
49. References. www.oasis-open.org/committees/xacml, http://xacmlinfo.com/, http://blog.facilelogin.com
50. Q and A.
51. Customers.
52. WSO2 engagement model. QuickStart, Development Support, Development Services, Production Support, Turnkey Solutions, WSO2 Mobile Services Solution, WSO2 FIX Gateway Solution, WSO2 SAP Gateway Solution.
53. Thank you! Contact us: bizdev@wso2.com