Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Published byFreddie Doll Modified over 9 years ago

Similar presentations

Presentation on theme: "Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,"— Presentation transcript:

1 Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML, OpenID Connect) they can authenticate users into those apps; and (at least in theory) apply coarse-grained access control (AC) at the point of token issuance –Additional AC can only be implemented and managed at the SP. Issues –no way to control policy centrally means increased risk; –managing policy per-app is expensive and fragile –implementing a full XACML PEP at each SP is not viable: SPs would have to (probably) significantly refactor apps for new auth'z model 1

2 2 resource owner requesting party authorization server resource server manage consent control negotiateprotect authorize access manage client Basic Enterprise Use-case

3 Additional Notes RO and AS are part of the same (logical) domain (AS could be externally hosted) RP, Client and RS can be intra- or extra- domain –Bob might be an employee or a customer –Client might be a company-owned device, or BYOD, or an internet café browser –RS could be SaaS/BPO, or internal 3

4 UMA Sequence (no PDP) 4 * Assumes Bob is already authenticated at the AS

5 Example 1 Current employees assigned to project ‘ConceptCar’ can download vehicle design mockups from external agency –Complex policy requires additional attributes from multiple sources Is employee current? (HR system) Is employee assigned to project (PLM system) Is employee requesting download access (request) 5

6 UMA Sequence (with PDP) 6 * Assumes Bob is already authenticated at the AS

7 Example 2 What if the AS needs to impose some (basic) obligations on the RS? Current employees assigned to project ‘ConceptCar’ can download low- resolution vehicle design mockups from external agency. If only high-res is available, no download is permitted. 7

8 Requirements Per the XACML model, the PDP would issue a ‘Permit with obligation’ (for low-res) If the RS (i.e. PEP) cannot enforce this (for whatever reason), it should not issue 8

9 UMA Sequence with PDP+ 9 * Assumes Bob is already authenticated at the AS

10 For Consideration There are consumer and IoT use-cases that have similar extended/complex auth’z requirements Is there value in adding options to the spec for: –The RPT to include scope of access and/or obligations –An UMA-valid RS to be able to at least process obligations … in that it could simply ‘not be able to’ and then deny anything that presents an obligation (Note: the RS can establish scopes and other capabilities during service registration) 10

Download ppt "Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,"

Similar presentations

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May 2013 1.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Eric Raff. Usergroup up

Eric Raff. Usergroup up
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
Introducing Windows Server 2012 R2 Work Folders:

Introducing Windows Server 2012 R2 Work Folders:
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Microsoft Ignite /16/2017 4:55 PM

Microsoft Ignite /16/2017 4:55 PM
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Worksheet: Mapping your authorization and consent use cases to the UMA architecture 17 Aug 2014 Questions? Send mail to

Worksheet: Mapping your authorization and consent use cases to the UMA architecture 17 Aug 2014 Questions? Send mail to
OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)

OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

Similar presentations

Ads by Google