Identity and Entitlement Management Concepts
3 likes4,039 views
This document provides an overview of entitlement management and identity management concepts. It discusses different access control models like access control lists, role-based access control, attribute-based access control and policy-based access control using XACML. The presenter Chamath Gunawardana is a technical lead at WSO2 who works on their identity server. WSO2 provides open source identity and access management solutions.
Identity and Entitlement Management Concepts
- 1. Last Updated: Jan. 2014 Tech Lead Chamath Gunawardana Iden/ty and En/tlement Management – Concepts and Theories
- 2. 2 About the Presenter(s) ๏ Chamath Gunawardana Chamath Gunwardana is a technical lead at WSO2 working for the integra/on technology group. He's engaged in the developments of the WSO2 Iden/ty Server and also a commiKer of the WSO2 Iden/ty Server. Chamath is also a SUN cer/fied java programmer.
- 3. 3 About WSO2 ๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source ๏ Provides only open source plaVorm-‐as-‐a-‐service for private, public and hybrid cloud deployments ๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0. ๏ Is an Ac/ve Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Founda/on and W3C. ๏ Driven by Innova/on ๏ Launched first open source API Management solu/on in 2012 ๏ Launched App Factory in 2Q 2013 ๏ Launched Enterprise Store and first open source Mobile solu/on in 4Q 2013
- 4. 4 What WSO2 delivers
- 5. Agenda ๏ En/tlement management ๏ overview ๏ Access control concepts ๏ XACML ๏ En/tlement architecture in iden/ty server ๏ Iden/ty management ๏ overview ๏ Features of iden/ty management systems ๏ Couple of Iden/ty Management Capabili/es in iden/ty server ๏ Demo 5
- 6. What is En/tlement Mng.. ๏ En#tlement management is technology that grants, resolves, enforces, revokes and administers fine-‐ grained access en/tlements. ๏ Also referred to as authoriza/ons, privileges, access rights, permissions and/or rules -‐ Gartner Glossary 6
- 7. En/tlement Management ๏ It s a broader concept ๏ Types of access control includes, ๏ Access control lists ๏ Role based access control ๏ AKribute based access control ๏ Policy based access control 7
- 8. Access control lists ๏ Oldest and most basic form of access control ๏ Primarily Opera/ng systems adopted ๏ Maintains set of user and opera/ons can performed on a resource as a mapping ๏ Also easier to implement using maps ๏ Not scalable for large user bases ๏ Difficult to manage 8
- 9. Role based access control ๏ System having users that belongs to roles ๏ Role defines which resources will be allowed ๏ Reduces the management overhead ๏ Users and roles can be externalized using user stores ๏ Need to manage the roles ๏ User may belong to mul/ple roles 9
- 10. AKribute based access control ๏ Authoriza/on based on aKributes ๏ Addresses the limita/on of role based approach to define fine grain access control ๏ AKributes of user, environment as well as resource it self ๏ More flexible than role based approach ๏ No need for knowing the user prior to gran/ng access 10
- 11. Policy based access control ๏ Address the requirement to have more uniform access control mechanism ๏ Helps to large enterprises to have uniform access control amount org units ๏ Helps for security audits to be carried out ๏ Complex than any other access control system ๏ Specify policies unambiguously with XACML ๏ Use of authorized aKribute sources in the enterprise 11
- 12. Advantages ๏ Reduce the development /me on cri/cal business func/ons ๏ Easy management of en/tlements ๏ Based on industry standard specifica/ons ๏ Support for future development with minimum effort 12
- 13. XACML ๏ XACML is a policy based authoriza/on/en/tlement system ๏ De-‐facto standard for authoriza/on ๏ Evaluated of 1.0, 2.0 and 3.0 versions ๏ Externalized ๏ Policy based ๏ Fine grained ๏ Standardized 13
- 14. XACML ๏ Iden/ty Server supports XACML 2.0 and 3.0 versions ๏ Supports mul/ple PIPs ๏ Policy distribu/on ๏ UI wizards for defining policies ๏ Try it tool ๏ Decision / AKribute caching 14
- 15. XACML 15
- 16. Create policy op/ons 16
- 17. Simple policy editor 17
- 18. Basic policy editor 18
- 19. Try it tool 19
- 20. Try it tool request 20
- 21. Extensions 21
- 22. Iden/ty Management ๏ Managing Iden/ty of users in a system ๏ Control access to resources ๏ Important component in an enterprise ๏ Enterprises depends on the security provided by iden/ty management systems 22
- 23. Why Iden/ty Management ๏ Directly influences the security and produc/vity of an organiza/on ๏ To enforce consistency in security policies across organiza/on ๏ To comply with rules and regula/ons enforced in some cri/cal domains by governments ๏ Provide access to resources to outside par/es without compromising security 23
- 24. Why Iden/ty Management Cont. ๏ Controlled resource access increases organiza/onal security ๏ Increased audit-‐ability of the systems ๏ Automated password reset capabili/es 24
- 25. Features of IDM System ๏ User Stores / Directories ๏ Authen/ca/on ๏ Authoriza/on ๏ Single Sign On ๏ Provisioning ๏ Delega/on ๏ Password reset ๏ Self registra/on with locking 25
- 26. User stores / Directories ๏ Grouping of user and roles ๏ Easy management in authoriza/on decisions ๏ Different types of user stores support 26
- 27. Authen/ca/on ๏ Iden/fying which en/ty are we communica/ng with ๏ En/ty can be users or systems ๏ Most basic form is user name and password ๏ Authen/ca/on against user store ๏ Concept of mul/ factor authen/ca/on 27
- 28. Authoriza/on ๏ What an en/ty allowed to access in the system ๏ En/tlement management aspects ๏ Discussed 28
- 29. Single Sign On ๏ Having mul/ple applica/ons with login requirements ๏ Once login to the applica/on automa/c login to other applica/ons ๏ Token usage ๏ Iden/ty Federa/on ๏ Technologies used ๏ OpenID ๏ SAML ๏ Kerboros ๏ WS-‐Federa/on passive 29
- 30. Provisioning ๏ Concept of adding and removing iden//es from user store ๏ Provisioning to external systems ๏ Technologies ๏ SPML ๏ SCIM 30
- 31. Delega/on ๏ Giving responsibility to another en/ty to carry out tasks on behalf of you ๏ Creden/al sharing systems ๏ Technologies ๏ OAuth 31
- 32. Users and roles ๏ Enterprise user stores with users and roles ๏ Managing user stores ๏ Support for mul/ple user stores ๏ Easy configura/on of user stores in UI ๏ Types of user stores ๏ LDAP, Ac/ve Directory, JDBC ๏ Support for mul/-‐tenancy 32
- 33. Password reset ๏ Web apps needing end user password reset func/onality ๏ Supports, ๏ Reset with no/fica/on ๏ Reset with secret ques/ons ๏ Increased security with mul/ple keys in the reset flow ๏ UI based email templates configura/on 33
- 34. Self registra/on with locking ๏ Separate web service to self registra/on with account lock ๏ Upon registra/on sending confirma/on link to account unlock ๏ Only users with valid email address gain access to system ๏ Configurable email no/fica/on template 34
- 35. Demo 35
- 37. 37 More Informa/on ! ๏ The slides and webinar will be available soon. ๏ Please refer Iden/ty Server documenta/on -‐ hKps:// docs.wso2.org/display/IS500/WSO2+Iden/ty+Server +Documenta/on
- 38. Contact us !