Presentation on theme: "UMA: Could I Manage My Own Data, Please?" (Presentation transcript)

1 UMA Could I Manage My Own Data. Please?

2 Agenda
Business Trends & Technical Solutions: Distributed Business (Decentralisation); Mobility & Automation; Delegation
Why UMA? Use-cases
UMA overview
Current status & more information
No tokens were harmed during the making of these slides!

3 Trend 1: Decentralisation (diagram: ORG A, ORG B and a third organisation)

4 Examples & Challenges
Examples: Extended organisations; Supply Chain; Distribution Channel; Outsourcing; Partners; SaaS
Challenges: Identity not resident with apps; Secure identity transport; Trust

5 Solution: SAML
Diagram: Org A (IdP) authenticates the user and asserts to Org B (SP)
✓ Identity Federation (Cross-domain SSO)
✗ Non-browser clients; Ease of implementation
Honourable mentions: ID-FF, Shibboleth, WS-Federation

6 Trend 2: Mobility & Automation (diagram: ORG A, ORG B)

7 Examples & Challenges
Examples: Mobile (devices, "Things"); Data monetization
Challenges: Authorization of 'Client'; Persistence; Trust

8 Solution: OAuth
Diagram: Client gets a token (AT +/- RT) from Org A (AS), requests access at Org B (RS), which validates the token
✓ Client security & identity (Client != User)
✗ Identity Transport
Honourable mentions: SAML ECP, WS-Trust

9 Evolution: OIDC
Diagram: Org A (OP) performs AuthN/Z and issues Token & Claims; Org B (RP) validates them (+/- Userinfo)

10 OAuth OIDC

11 Deployments: Side Note (SAML vs OIDC)

12 Trend 3: Delegation (diagram: ORG A, ORG B, ORG C)

13 Solution: XACML?
✓ Attribute-based & App-External
✗ Cross-domain? Service Registration?
Diagram: one PDP serving a PEP in front of each resource (Res.)
New Profiles: ALFA, JSON/REST

14 Meet Alice Control Access

15 So What?
Electronic Healthcare Records: Alice grants selective access to GP, Insurance Company, Relatives
Financial Services: Grant limited access to financial records to accountant, loan providers etc.
Enterprise Applications: Centralised control across multiple applications; individuals can control their own data
IoT: Alice grants Bob access to the Garden; Jim access to the House
Facilities Management; Industrial & Engineering Applications
See more examples

16 Issues Summary
User control / ownership
Third party access
Centralised control for multiple services
Persistence (Security)
Cross-domain Access Control

17 Status Summary
OpenID Connect (practically): Secure identity transport; Trust
XACML (notionally): ABAC; Externalised access control

18 What is UMA
User Managed Access, a profile of OAuth.
"UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy."

19 UMA

20 UMA: Privacy by Design
I want to share this stuff selectively: among my own apps; with family and friends; with organizations
I want to protect this stuff from being seen by everyone in the world
I want to control access proactively, not just feel forced to consent over and over

21 UMA Summary Standardized APIs for privacy and “selective sharing” Outsources protection to a centralized “digital footprint control console”

22 UMA Flow
1. RS registers resource sets and scopes (ongoing)
2. C requests resource
3. RS registers permission
4. AS returns permission ticket
5. RS error with ticket
6. C requests authz data and RPT with ticket
7. AS gives RPT and authz data (after optional claim flows)
8. C requests resource with RPT
9. RS returns resource representation
Parties: Resource owner (RO), Resource server (RS), Authorization server (AS), Client (C), Requesting party (RqP)
APIs: Protection API (RS protection client to AS); Authorization API (client authz client to AS); RS-specific API (RS-specific client to RS)
Tokens: PAT (RS to AS, on behalf of RO); AAT (Client to AS, on behalf of RqP); RPT (Client to RS, on behalf of RqP)
Out of band: RO chooses resources to protect and sets policies
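The nine-step flow above, worked through end to end as an added example (not code from the slides or from any UMA implementation). It is a constructed, single-process simulation: plain method calls stand in for the Protection API, Authorization API and RS-specific API, tokens (PAT, AAT, RPT) are random opaque strings rather than real OAuth tokens, and the resource owner's policies are set "out of band" by a direct call. Names (Alice, Bob, Jim, garden, house) come from the slides; the scopes, data and the 403-with-ticket shape of the RS error are assumptions. It shows the permission ticket being single-use and the AS refusing an RPT when the resource owner's policy does not cover the requested scope.

```python
"""Simulated UMA 1.0 flow (protect, get authorization, access) in one process.

Constructed example: in-memory method calls stand in for the Protection API,
Authorization API and RS-specific API; tokens are random opaque strings, not
JWTs; no HTTP is involved. Names (Alice, Bob, Jim, garden, house) come from the
slides; scopes and data are assumed."""
import secrets
import uuid


class AuthorizationServer:
    """Alice's AS: resource set registrations, tickets, policies and tokens."""

    def __init__(self):
        self.pats = set()          # protection API tokens held by resource servers
        self.aats = {}             # AAT -> requesting party it was issued to
        self.resource_sets = {}    # rs_id -> {"name": ..., "scopes": [...]}
        self.tickets = {}          # permission ticket -> requested permission
        self.rpts = {}             # RPT -> list of granted permissions
        self.policies = {}         # (rs_id, requesting_party) -> allowed scopes

    @staticmethod
    def _require(cond, error):
        if not cond:
            raise PermissionError(error)

    # --- Protection API (caller must present a valid PAT) ---
    def issue_pat(self):
        pat = "pat-" + secrets.token_hex(8)
        self.pats.add(pat)
        return pat

    def register_resource_set(self, pat, name, scopes):        # UMA step 1
        self._require(pat in self.pats, "invalid_pat")
        rs_id = str(uuid.uuid4())
        self.resource_sets[rs_id] = {"name": name, "scopes": list(scopes)}
        return rs_id

    def register_permission(self, pat, rs_id, scopes):         # UMA steps 3-4
        self._require(pat in self.pats, "invalid_pat")
        rs = self.resource_sets.get(rs_id)
        self._require(rs is not None, "unknown_resource_set")
        self._require(set(scopes) <= set(rs["scopes"]), "unknown_scope")
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = {"rs_id": rs_id, "scopes": list(scopes)}
        return ticket

    def introspect_rpt(self, pat, rpt):                         # used in UMA step 8
        self._require(pat in self.pats, "invalid_pat")
        return self.rpts.get(rpt, [])

    # --- Resource owner policy, set out of band by Alice ---
    def set_policy(self, rs_id, requesting_party, scopes):
        self.policies[(rs_id, requesting_party)] = set(scopes)

    # --- Authorization API (caller must present a valid AAT) ---
    def issue_aat(self, requesting_party):
        aat = "aat-" + secrets.token_hex(8)
        self.aats[aat] = requesting_party
        return aat

    def request_rpt(self, aat, ticket):                         # UMA steps 6-7
        rqp = self.aats.get(aat)
        self._require(rqp is not None, "invalid_aat")
        perm = self.tickets.pop(ticket, None)                   # tickets are single use
        self._require(perm is not None, "invalid_ticket")
        allowed = self.policies.get((perm["rs_id"], rqp), set())
        self._require(set(perm["scopes"]) <= allowed, "not_authorized")
        rpt = "rpt-" + secrets.token_hex(8)
        self.rpts[rpt] = [perm]
        return rpt


class ResourceServer:
    """Alice's RS (say, the home controller): outsources authorization to the AS."""

    def __init__(self, authz_server, pat):
        self.az, self.pat = authz_server, pat
        self.by_name, self.data = {}, {}

    def protect(self, name, scopes, representation):            # UMA step 1
        rs_id = self.az.register_resource_set(self.pat, name, scopes)
        self.by_name[name], self.data[rs_id] = rs_id, representation

    def get(self, name, scope, rpt=None):                       # UMA steps 2,3,5,8,9
        rs_id = self.by_name[name]
        if rpt is not None:
            for perm in self.az.introspect_rpt(self.pat, rpt):
                if perm["rs_id"] == rs_id and scope in perm["scopes"]:
                    return {"status": 200, "body": self.data[rs_id]}
        ticket = self.az.register_permission(self.pat, rs_id, [scope])
        return {"status": 403, "ticket": ticket}                # assumed error shape


def client_access(rs, az, aat, name, scope):
    """Requesting party's client: try, receive a ticket, obtain an RPT, retry."""
    first = rs.get(name, scope)
    if first["status"] == 200:
        return first
    rpt = az.request_rpt(aat, first["ticket"])                  # raises if policy denies
    return rs.get(name, scope, rpt=rpt)


def run_demo():
    """Alice lets Bob read the garden and Jim read/unlock the house; nothing else."""
    az = AuthorizationServer()
    rs = ResourceServer(az, az.issue_pat())
    rs.protect("garden", ["read", "open_gate"], {"sprinklers": "off"})
    rs.protect("house", ["read", "unlock"], {"alarm": "armed"})
    az.set_policy(rs.by_name["garden"], "bob", ["read"])
    az.set_policy(rs.by_name["house"], "jim", ["read", "unlock"])
    bob, jim = az.issue_aat("bob"), az.issue_aat("jim")
    results = {"bob_garden": client_access(rs, az, bob, "garden", "read")["status"]}
    for key, aat, name, scope in (("bob_house", bob, "house", "read"),
                                  ("jim_garden", jim, "garden", "open_gate")):
        try:
            results[key] = client_access(rs, az, aat, name, scope)["status"]
        except PermissionError as e:
            results[key] = str(e)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is which party holds which token: the RS only ever talks to the AS with its PAT, the client only ever talks to the AS with its AAT, and the RPT is the one artefact that crosses from AS to client to RS, where the RS does not interpret it itself but asks the AS (introspection) what it grants. The "not_authorized" outcomes show the resource owner's policy being enforced centrally at the AS rather than in each application.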

23 UMA Status
UMA v0.9 public review: Core, Resource Set Registration & Claim Profiles. Completed: 06 September 2014
Interop in progress
Next steps: Core & Resource Reg: H1/15; Claim Profiles & Binding Obligations(?): H2/15; IETF

24 Implementations & More Info
Known implementations: Gluu; CloudIdentity; OpenUMA (ForgeRock); Implementations List (Kantara)
More info: UMA WG Home (Kantara); New Venn of Access Control (Maler)

25 Thoughts to Leave With
Standards: OAuth, OpenID Connect: start now
Infrastructure: Avoid vendor lock-in; ensure vendors can support upcoming standards quickly. Avoid rip & replace; it's unnecessary, there are good solutions that will overlay what you have to add what you need. Do not trust home-grown implementations; this is too easy to get wrong (and way too important)
Participate in the WG
Security is not all about security: Security drives improved user experience, which drives better business

26 THANK YOU Questions? @andrewhindle linkedin.com/in/ahindle
