Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Presentation transcript:

Enterprise -> Cloud Outline
– Enterprises have many apps outside their control: public cloud; business partner applications
– Using standards-based SSO (SAML, OpenID Connect) they can authenticate users into those apps, and (at least in theory) apply coarse-grained access control (AC) at the point of token issuance
– Additional AC can only be implemented and managed at the SP
Issues
– No way to control policy centrally means increased risk
– Managing policy per-app is expensive and fragile
– Implementing a full XACML PEP at each SP is not viable: SPs would (probably) have to significantly refactor apps for the new authorization model

Basic Enterprise Use-case (diagram)
UMA roles shown: resource owner, requesting party, authorization server, resource server, client
Relationships shown between them: manage, consent, control, negotiate, protect, authorize, access

Additional Notes
RO and AS are part of the same (logical) domain (AS could be externally hosted)
RP, Client and RS can be intra- or extra-domain
– Bob might be an employee or a customer
– Client might be a company-owned device, or BYOD, or an internet café browser
– RS could be SaaS/BPO, or internal

UMA Sequence (no PDP) (sequence diagram)
* Assumes Bob is already authenticated at the AS

Example 1
Current employees assigned to project ‘ConceptCar’ can download vehicle design mockups from an external agency
– Complex policy requires additional attributes from multiple sources:
Is the employee current? (HR system)
Is the employee assigned to the project? (PLM system)
Is the employee requesting download access? (request)

UMA Sequence (with PDP) (sequence diagram)
* Assumes Bob is already authenticated at the AS

Example 2
What if the AS needs to impose some (basic) obligations on the RS?
Current employees assigned to project ‘ConceptCar’ can download low-resolution vehicle design mockups from an external agency. If only high-res is available, no download is permitted.

Requirements
Per the XACML model, the PDP would issue a ‘Permit with obligation’ (for low-res)
If the RS (i.e. the PEP) cannot enforce this (for whatever reason), it should not issue
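The following is an added example, not code from the deck or from any UMA or XACML implementation, that models Examples 1 and 2 together: a PDP that combines attributes from two constructed sources (standing in for the HR and PLM systems) with the request, returns Permit with a low-resolution obligation, and an RS acting as PEP that grants access only when it can discharge every obligation it receives. The attribute tables, the obligation name `max-resolution`, and the `RS_CAPABILITIES` set are all assumptions made for the example.

```python
"""Toy XACML-style PDP/PEP model of the ConceptCar examples (constructed data)."""
from dataclasses import dataclass, field

# Constructed attribute sources; a real PDP would fetch these from HR and PLM.
HR = {"bob": {"status": "current"}, "carol": {"status": "terminated"}}
PLM = {"bob": {"projects": {"ConceptCar"}}, "carol": {"projects": {"ConceptCar"}}}


@dataclass
class Decision:
    effect: str                                  # "Permit" or "Deny"
    obligations: dict = field(default_factory=dict)


def pdp_decide(subject: str, action: str, resource: dict) -> Decision:
    """Evaluate the ConceptCar policy (Example 1 + Example 2).

    Permit download of design mockups only for current employees assigned to
    ConceptCar; every Permit carries an obligation that the RS serve at most
    low resolution (the assumed obligation name is 'max-resolution').
    """
    if action != "download" or resource.get("type") != "design-mockup":
        return Decision("Deny")                  # request attribute check
    if HR.get(subject, {}).get("status") != "current":
        return Decision("Deny")                  # HR attribute check
    if "ConceptCar" not in PLM.get(subject, {}).get("projects", set()):
        return Decision("Deny")                  # PLM attribute check
    return Decision("Permit", obligations={"max-resolution": "low"})


# Obligations this RS has declared it knows how to enforce (assumption).
RS_CAPABILITIES = {"max-resolution"}


def pep_enforce(subject: str, action: str, resource: dict,
                capabilities: set = RS_CAPABILITIES) -> bool:
    """Resource server as PEP: grant only on Permit with all obligations discharged.

    Per the XACML model a PEP that cannot fulfil an obligation attached to a
    Permit must not grant access, so an unknown obligation, or one whose
    condition the RS cannot meet, results in a denial.
    """
    decision = pdp_decide(subject, action, resource)
    if decision.effect != "Permit":
        return False
    for name, value in decision.obligations.items():
        if name not in capabilities:
            return False                         # RS cannot enforce -> deny
        if name == "max-resolution" and value == "low":
            if "low" not in resource.get("available", set()):
                return False                     # only high-res exists -> no download
    return True


if __name__ == "__main__":
    mockup = {"type": "design-mockup", "available": {"low", "high"}}
    hires_only = {"type": "design-mockup", "available": {"high"}}
    print(pep_enforce("bob", "download", mockup))        # True
    print(pep_enforce("bob", "download", hires_only))    # False: obligation unmet
    print(pep_enforce("carol", "download", mockup))      # False: not a current employee
    print(pep_enforce("bob", "download", mockup, set())) # False: RS cannot process obligations
```

The last call shows the behaviour the Requirements slide asks for: an RS that has not registered the ability to process a given obligation must treat a Permit carrying it as a denial rather than silently serving the resource.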

UMA Sequence with PDP+ (sequence diagram)
* Assumes Bob is already authenticated at the AS

For Consideration
There are consumer and IoT use-cases that have similar extended/complex authorization requirements
Is there value in adding options to the spec for:
– The RPT to include scope of access and/or obligations
– A UMA-valid RS to be able to at least process obligations … in that it could simply ‘not be able to’ and then deny anything that presents an obligation
(Note: the RS can establish scopes and other capabilities during service registration)