CIS14: User-Managed Access
Uploaded by cloudidsummit. Category: Technology.
Transcript of CIS14: User-Managed Access
[Page 1]
Authorization: What’s Next?
[Page 2]
User-Managed Access
FORGEROCK.COM
Allan Foster, VP Technology & Standards (guruallan)
Eve Maler, VP Innovation & Emerging Technology (xmlgrrl)
[Page 3]
Defining authorization and the authorization V.next landscape
[Page 4]
[Page 5]
Landscape diagram: XACML, OAuth, OpenID Connect, ABAC, RBAC, SAML
[Page 6]
What is Authorization?
[Page 7]
Policy
[Pages 8-10, progressive build of one slide]
ACIs and ACLs: doesn’t scale, becomes unmanageable as users and resources grow
RBAC: doesn’t scale, leads to role proliferation and multiplexing
ABAC
[Page 11]
[Page 12]
Attributes
[Page 13]
OAuth2
[Page 14]
Token
[Page 15]
[Page 16]
UMA 101
[Page 17]
The vicissitudes of personal data sharing
■ Back-channel
■ Typing
■ Connecting
■ Private URLs
[Page 18]
What is, and isn’t, UMA?
■ It’s a draft standard for authorization V.next
■ It’s a profile and application of OAuth
■ It’s not a new, disconnected technology
■ It’s a set of privacy-by-design and consent APIs
■ It’s not an “XACML killer”
[Page 19]
Diagram (the UMA “marvelous spiral”): the roles resource owner, requesting party, authorization server, resource server and client, connected by the interactions manage, consent, control, negotiate, protect, authorize and access.
*Thanks to UMAnitarian Domenico Catalano for the “marvelous spiral”
[Page 20]
The AS exposes a UMA-standardized protection API to the RS
Diagram: Protection API; protection client; PAT (protection API token)
Includes the resource registration API and the token introspection API
[Page 21]
The AS exposes a UMA-standardized authorization API to the client
Diagram: Authorization API; authorization client; AAT (authorization API token)
Supports OpenID Connect-based claims-gathering for authz
[Page 22]
The RS exposes whatever value-add API it wants, protected by an AS
Diagram: App-specific API; UMA-enabled client; RPT (requesting party token)
[Page 23]
Collecting claims from the requesting party to assess policy
Diagram: the spiral again (resource owner, resource server, authorization server, client, requesting party; manage, consent, control, negotiate, protect, authorize, access), with an OIDC server added for authentication.
Client acting as claims conveyor
Client redirects the Requesting Party to AS
[Page 24]
Real-life UMA use cases
[Page 25]
Patient-centric health data sharing
■ UMA uniquely solves for Consent Directives
■ Special requirements:
– Impeccable security
– “Context, control, choice, and respect”
– Wide ecosystem
– Accounting of Disclosures
– Meaningful Use
– (Relationship Locator Service)
[Page 26]
Diagram: the spiral applied to health data sharing, with the participants labelled patient; AS fronting a consent directive server; FHIR EHR API / lab results / FitBit…; web or native app; care provider / family / Alice herself (interactions: manage, consent, control, negotiate, protect, authorize, access).
[Page 27]
Delegated authorization from SaaS to enterprise
■ Allow Enterprise business logic as policy
■ Easy to define Resources and actions
■ Allow Enterprise freedom in evaluation
■ Each Enterprise provides its own AS
■ Attributes stay in the enterprise
[Page 28]
Diagram: the spiral applied to the enterprise, with the participants labelled enterprise; enterprise AS; third-party SaaS APIs; web or native app; enterprise employees (interactions: manage, consent, control, negotiate, protect, authorize, access).
[Page 29]
Let us sum up
[Page 30]
Resource Server
■ Concerned with protecting Resources
■ Concerned with Clients
■ Supplies resource and scope Attributes to AS
■ Uses OAuth token for access to protection API
■ Redirects Client if its UMA token is insufficient
■ Could have multiple AS relationships
[Page 31]
Client
■ Accesses resources on RS
■ Uses OAuth token for access to authorization API
■ Receives UMA token from AS
■ Asks to add authorization to UMA token for access
■ Provides Subject Attributes via Claims or redirects Subject to AS for further claims-gathering
[Page 32]
Resource Owner
■ Provides Resource Owner attributes to AS
■ Can provide Authorization policy to AS
■ Manages access settings of protected resources
[Page 33]
Authorization Server
■ Consumes attributes from all parties
■ Evaluates Policy in context of attributes
■ Associates entitlements with UMA token so client can access RS
■ Leaves RS to judge entitlements against access attempt
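The division of labour on the last four slides, and the three tokens from pages 20-22 (PAT for the protection API, AAT for the authorization API, RPT carried to the RS), as a runnable model added here; it is not ForgeRock's or the UMA specification's code. The HTTP endpoints are collapsed to method calls, the opaque strings stand in for OAuth tokens, and the permission ticket that the RS hands the client when its RPT is insufficient is the UMA 1.0 mechanism, assumed here rather than named on the slides.

```python
import secrets

class AuthorizationServer:
    # Hypothetical AS (not ForgeRock's or the spec's code) with the two UMA APIs as methods.
    def __init__(self, pats, aats):
        self.pats, self.aats = set(pats), set(aats)     # issued PATs and AATs
        self.resources, self.policies, self.tickets, self.rpts = {}, {}, {}, {}

    def register_resource(self, pat, rid, scopes):      # protection API
        assert pat in self.pats, "protection API requires a valid PAT"
        self.resources[rid] = set(scopes)               # resource + scope attributes

    def register_permission(self, pat, rid, scopes):    # protection API
        assert pat in self.pats, "protection API requires a valid PAT"
        ticket = secrets.token_hex(8)                   # permission ticket for the client
        self.tickets[ticket] = (rid, set(scopes) & self.resources[rid])
        return ticket

    def introspect(self, pat, rpt):                     # protection API
        assert pat in self.pats, "protection API requires a valid PAT"
        return self.rpts.get(rpt, [])                   # entitlements bound to the RPT

    def authorize(self, aat, ticket, claims):           # authorization API
        assert aat in self.aats, "authorization API requires a valid AAT"
        rid, scopes = self.tickets[ticket]              # (a real AS would invalidate it)
        if any(claims.get(k) != v for k, v in self.policies[rid].items()):
            return None                                 # need_info: gather more claims
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = [{"resource_id": rid, "scopes": scopes}]
        return rpt

def rs_access(az, pat, rpt, rid, scope):
    """Hypothetical RS: introspects the RPT, then judges the entitlement itself."""
    perms = az.introspect(pat, rpt) if rpt else []
    if any(p["resource_id"] == rid and scope in p["scopes"] for p in perms):
        return 200, None
    ticket = az.register_permission(pat, rid, [scope])
    return 403, ticket                                  # client must go back to the AS

def demo():
    az = AuthorizationServer(pats=["pat-ehr"], aats=["aat-careapp"])
    az.register_resource("pat-ehr", "alice/labs", ["view"])
    az.policies["alice/labs"] = {"role": "care_provider"}  # Alice's consent policy
    s1, ticket = rs_access(az, "pat-ehr", None, "alice/labs", "view")   # 403 + ticket
    denied = az.authorize("aat-careapp", ticket, {"role": "family"})    # None
    rpt = az.authorize("aat-careapp", ticket, {"role": "care_provider"})
    s3, _ = rs_access(az, "pat-ehr", rpt, "alice/labs", "view")         # 200
    s4, _ = rs_access(az, "pat-ehr", rpt, "alice/labs", "edit")         # 403, scope not granted
    return s1, denied, s3, s4
```

Note that the AS only binds entitlements to the RPT; the final allow/deny on the "edit" request is taken by the RS after introspection, which is the split the Authorization Server slide describes.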
[Page 34]
Summing up
■ OAuth-based framework
■ Facilitates Constrained Delegated Authorization
■ Policy evaluation agnostic
■ Enables humans to control their digital footprint
[Page 35]
FORGEROCK.COM
Allan Foster, [email protected], guruallan
Eve Maler, [email protected], xmlgrrl
Thanks! Questions?