Uma webinar 2014 03-20
-
Upload
kantarainitiative -
Category
Technology
-
view
426 -
download
4
description
Transcript of Uma webinar 2014 03-20
![Page 1: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/1.jpg)
Access Management 2.0: UMA for the Enterprise
@UMAWG #UMAam20 for questions
20 March 2014 tinyurl.com/umawg for slides, recording, and more
1
![Page 2: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/2.jpg)
Agenda • The realities and
challenges of modern access control (CA)
• “UMA for the Enterprise 101”
• Enterprise UMA case study and demo (Gluu)
• What vendors are saying and doing about UMA
• Q&A
2
Thanks to CA Technologies for sponsoring this webinar!
Thanks to Kantara for supporting the UMA work!
Thanks to our additional webinar participants!
![Page 3: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/3.jpg)
The realities and challenges of modern access control
3
Further reading: tinyurl.com/umaam20
![Page 4: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/4.jpg)
4 Copyright © 2014 CA. All rights reserved.
UMA Con(nues The Shi0 In Iden(ty Management That Began With OAuth
The Traditional Enterprise The 21st Century Enterprise
This is the secret to achieving scale and agile federation
![Page 5: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/5.jpg)
“UMA for the Enterprise 101”
5
Further reading: tinyurl.com/umafaq
![Page 6: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/6.jpg)
OAuth is a three-entity protocol for securing API calls in a user context
6 Source: The OAuth 2.0 Authoriza4on Framework, h;p://[email protected]/html/rfc6749
End-user resource owner gets redirected to AS to log in and consent to access token issuance
AS and RS are typically in the same domain and communicate in a proprietary way
![Page 7: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/7.jpg)
UMA’s original goal: apply privacy-by-design to OAuth data sharing
7
Standardized APIs for privacy and “selective sharing”
Outsources protection to a centralized “digital footprint control console”
The “user” in User-Managed Access (UMA)
Some guy not accounted for in OAuth…
Further reading: tinyurl.com/umapbd
![Page 8: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/8.jpg)
Emergent UMA properties: flexible, modern, claims-based authorization
8 Source: XACMLinfo.org, h;p://xacmlinfo.org/2011/10/30/xacml-‐reference-‐architecture/
consumes authz data associated with token
native or a client of offboard source(s), in any language(s)
claims gathered through user interaction and/or consuming ID tokens
UMA and XACML can coexist nicely
![Page 9: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/9.jpg)
The RS exposes whatever value-add API it wants, protected by an AS
9
App-specific API
UM
A-enabled
client
RPT requesting party token
![Page 10: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/10.jpg)
The AS exposes an UMA-standardized protection API to the RS
10
Protection A
PI P
rote
ctio
n cl
ient
PAT
protection API token
includes resource registration API and token
introspection API
![Page 11: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/11.jpg)
The AS exposes an UMA-standardized authorization API to the client
11
Authorization API
Authorization client
AAT authorization API token
supports OpenID Connect-based claims-
gathering for authz
UMA, SAML, and OpenID Connect can coexist nicely
![Page 12: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/12.jpg)
Key use cases
• Managing personal data store access
• E-transcript sharing
• Patient-centric health data access
• …and enterprise access management 2.0
12 Source: MIT Consor4um for Kerberos and Internet Trust, h;ps://kit.mit.edu
![Page 13: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/13.jpg)
AM1.0 vs AM2.0 • Complex and feature-rich • Usually proprietary • Mobile/API-unfriendly • Brittle deployment
architecture • Not agnostic to authn
method • Hard to source distributed
policies • Usually coarse-grained
• RESTful and simpler • Standard interop baseline • Mobile/API-friendly • Just call authz endpoints
vs. deploying an agent • Agnostic to authn method
and federation usage • Flexible in policy
expression and sourcing • Leverages API’s “scope-
grained authorization”
13
![Page 14: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/14.jpg)
Enterprise UMA case study
14
![Page 15: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/15.jpg)
What vendors are saying and doing about UMA
15
Further reading: 4nyurl.com/uma1iop
![Page 16: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/16.jpg)
NuveAM by Cloud Identity • UMA-compliant AS:
– Access control to Web data – API security and management – Real-time monitoring and audit
• Use cases: Securing Personal Data Services (PDS) and access management 2.0 (API security)
• Uses open standards, including UMA, OAuth 2.0, OpenID Connect, and SAML 2.0
• Open source frameworks: Java and Python • Support for mobile (Android) • Integrates with Identity Management and Identity Federation http://www.cloudidentity.co.uk/products/nuveam
16
![Page 17: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/17.jpg)
NuveAM by Cloud Identity
17
![Page 18: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/18.jpg)
NuveAM for the enterprises
18
• Management of resources, APIs, permissions, and access control policies
• Access control on demand • Detailed audit information • Application management: resource servers
and clients (with NuveLogin) • Integration with identity management • Integration with identity federation and SSO
![Page 19: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/19.jpg)
NuveAM for the enterprises
19
![Page 20: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/20.jpg)
NuveAM for the enterprises
20
![Page 21: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/21.jpg)
Next steps
21
![Page 22: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/22.jpg)
Next steps for the WG…and you • Get involved!
– Become an “UMAnitarian” (it’s free) – Participate in the interop and
our implementation discussions – Follow and engage with @UMAWG on Twitter
• Current work: – Technical: claim profiling to allow claim-gathering
using SAML, OpenID Connect, LDAP… – Business: Binding Obligations spec to tie “terms of
authorization” to multi-party state changes • Stay tuned for another webinar in Q2
22
Join at: 4nyurl.com/umawg
![Page 23: Uma webinar 2014 03-20](https://reader034.fdocuments.in/reader034/viewer/2022042713/547e1288b37959442b8b5479/html5/thumbnails/23.jpg)
Questions? Thank you!
@UMAWG #UMAam20 for questions
20 March 2014 tinyurl.com/umawg for slides, recording, and more
23