Presentation Opensource Authentication and Authorization

As web applications become the norm for delivering software, there is growing demand for managing access control at the application-framework level. Access control quickly becomes an overwhelming overhead for the application itself and belongs in the underlying framework used for application delivery. Open-source projects such as ForgeRock OpenAM (formerly OpenSSO) can provide both authentication and authorization services to applications through a simple REST- or SOAP-based web service interface. Management of users, groups and other authentication attributes is then handled by the AuthN/AuthZ application and delivered to the web application as a service. The same pattern is already in use in PAM, the pluggable authentication modules found in many Linux environments today. However, mere authentication is not sufficient in an enterprise environment. Often, group, Com...


Slides

Intro

Opensource Authentication & Authorization. Allan Foster, ForgeRock, allan.foster@forgerock.com

“Build us a Web App”

Lots of examples....

New Application Demands: Collaborative Workgroups. Client - Server. Multi user... In the cloud?

It's a WebApp!

Business Logic: Your Business... Your Logic... You know how to do this!

Lots of Help. Language... .Net, Perl, Groovy, Java, PHP, Ruby, C & C++, Python

Oh yes, LOTS of help! Frameworks... JSF, AJAX, Spring, Velocity, PEAR, Hibernate, ICEfaces

And don't forget...

Access Control. Who are our users? Who can access what? What can they do? How do we manage this?

It's not that complicated.. Authentication, SSO, Authorization

Authentication? Corporate LDAP

But what about...

or...

or RSA SecurID

Maybe all?

Authentication isn't enough...

Authentication isn't enough... SSO is expected! I have one set of credentials, why can't I just use them ONCE?

Even between multiple Organizations: Federation, eGov, GoogleApps

SSO implies having a single Authentication service... trusted

That can be used by MANY different applications!

Without regard to HOW the authentication is being performed

What About Authorization?

Is this user allowed to perform this action on this data?

Group Membership? Roles? Some Complex Matrix?

Access control logic can be embedded in our application... BUT..

New Specs. New Rules. Exceptions. Changes... and more changes! ...And testing!

Reprogram the door?

Centrally managed service

AuthN and AuthZ as a service: Identity services (OpenAM)

Authentication, SSO, Authorization

Authentication is NOT Identity Management: Validation against EXISTING identity stores!

We don't need to know user implementation details. We only need to know User Identity and possibly some user attributes.

Integrate into existing process: Pluggable Authentication modules. Built on Standards - JAAS. Multiple Modules & Chains

LDAP, x509 Certificate, Unix, SecurID, SafeWord, JDBC, SAML2, Smart Cards, MSISDN, AD, Membership, Custom, Extensible

Authentication determines identity. Identity is what matters.. NOT the method by which it is determined
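The "multiple modules and chains" idea above, as an added example that is not code from the deck or from OpenAM: a small authentication chain combining pluggable modules with the JAAS control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL). The caller gets back only an identity and an authentication level, never which module decided. The user stores, credentials, module names and the `auth_level` values are constructed for the demo.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Flag(Enum):
    REQUIRED = "required"      # must succeed; later modules still run
    REQUISITE = "requisite"    # must succeed; failure aborts the chain at once
    SUFFICIENT = "sufficient"  # success ends the chain unless a REQUIRED module already failed
    OPTIONAL = "optional"      # outcome only matters if nothing else decides


@dataclass
class Identity:
    subject: str
    auth_level: int                   # strength of the evidence; policy consumes this later
    attributes: dict = field(default_factory=dict)


Module = Callable[[dict], Optional[Identity]]

# Constructed stand-ins for an LDAP directory, a JDBC table and an OTP service.
_LDAP_USERS = {"alice": "s3cret"}
_DB_USERS = {"bob": "hunter2"}
_OTP_CODES = {"alice": "123456"}


def _matches(store: dict, user, secret) -> bool:
    # constant-time comparison so a wrong password takes as long as a right one
    return user in store and hmac.compare_digest(store[user], str(secret or ""))


def ldap_module(creds: dict) -> Optional[Identity]:
    user = creds.get("user")
    return Identity(user, 1, {"store": "ldap"}) if _matches(_LDAP_USERS, user, creds.get("password")) else None


def jdbc_module(creds: dict) -> Optional[Identity]:
    user = creds.get("user")
    return Identity(user, 1, {"store": "jdbc"}) if _matches(_DB_USERS, user, creds.get("password")) else None


def otp_module(creds: dict) -> Optional[Identity]:
    user = creds.get("user")
    return Identity(user, 2) if _matches(_OTP_CODES, user, creds.get("otp")) else None


def authenticate(chain: list, creds: dict) -> Optional[Identity]:
    """Run the chain with JAAS semantics; None means authentication failed.

    Fails closed: a REQUIRED or REQUISITE failure, no successful module at all,
    or two modules disagreeing about who the subject is all yield None.
    """
    required_failed = False
    identity: Optional[Identity] = None
    for module, flag in chain:
        result = module(creds)
        if result is None:
            if flag is Flag.REQUISITE:
                return None
            if flag is Flag.REQUIRED:
                required_failed = True
            continue
        if identity is not None and identity.subject != result.subject:
            return None  # one chain must establish exactly one identity
        merged = {**(identity.attributes if identity else {}), **result.attributes}
        level = max(result.auth_level, identity.auth_level if identity else 0)
        identity = Identity(result.subject, level, merged)
        if flag is Flag.SUFFICIENT and not required_failed:
            return identity
    return None if required_failed else identity


# Password-only chain: either store is enough (constructed).
PASSWORD_CHAIN = [(ldap_module, Flag.SUFFICIENT), (jdbc_module, Flag.REQUIRED)]
# Step-up chain: directory password, then an OTP, yielding auth level 2 (constructed).
MFA_CHAIN = [(ldap_module, Flag.REQUISITE), (otp_module, Flag.REQUIRED)]

if __name__ == "__main__":
    print(authenticate(PASSWORD_CHAIN, {"user": "bob", "password": "hunter2"}))
    print(authenticate(MFA_CHAIN, {"user": "alice", "password": "s3cret", "otp": "123456"}))
    print(authenticate(MFA_CHAIN, {"user": "alice", "password": "s3cret", "otp": "000000"}))
```

Swapping `PASSWORD_CHAIN` for `MFA_CHAIN` changes nothing for the application: it still receives an `Identity` or `None`, which is the "identity, not method" point of the slide. The `auth_level` carried out of the chain is what a later policy condition (slide "Conditions", authentication level) can test.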

Authentication, SSO, Authorization

Allan Foster, Speaker, Devoxx 2010

One Pass, Multiple Doors: Single Sign On

Application validates credentials... Does NOT issue them!

We don't “Login”. We validate Identity. This is a hurdle for developers!

Authentication service determines identity. Authentication service issues credentials

New applications easily integrate into existing infrastructure

And for many projects this is success!

Authentication, SSO, Authorization

Multi User Application: Access Control. Rights and Privileges

Access Control - Policy. Rights and Privileges - Entitlements. Scalability. Flexibility

Access Control can be Very Complex, Domain Specific, Dependent on Many Conditions

Several Options
• Ad Hoc
• J2EE Policy
• URL Access
• Custom Developed
• External Policy Engine

Ad Hoc
• Localized if - then - else
• Cumbersome
• No Reuse
• Inconsistent enforcement
• Unverifiable
• Possible security holes

J2EE Policy
• Standards..
• Role Based
• Supported in the deployment
• Designed from the start
• Difficult to change
• Domino Effect

URL Access
• Coarse-grained
• Tree Level Access
• Often at Application or server Level
• Access Control NOT Entitlements

Custom Policy
• Expensive
• Hard to Maintain
• Proprietary
• Administration is Daunting!
• Difficult to change and adapt

External Policy Engine
• Policy Evaluation
• Extensible
• Flexible
• Centralized Administration
• Can it handle our complexity?

Can This User access This Resource under These Conditions?

Define Rules for Access. Rules can be changed dynamically. Standards based - XACML3

Rules: Resources, Actions, Subjects, Conditions, Response Attributes, Advice

Resources: URLs, Accounts, Buttons, Projects. Hierarchical. Scalable. Pluggable API

Actions: Performed on a resource. Fine Grained access. GET, POST, DELETE, COPY, Withdraw, Balance, Transfer, Create, Read, Update, Delete

Subjects: Who does the rule apply to? Group, Data store attribute, LDAP attribute, Session attribute, Custom Subject. Pluggable API. Combination Logic

Conditions: Simple or Complex Dependencies. Attribute, Authentication level, Bank Balance, Time, IP Address, Time of the Day, Session Attribute. Pluggable API. Combination Logic

Access control can be: Role based, Attribute based, or Dynamic.
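The rule model of the last few slides (resources, actions, subjects, conditions, response attributes, advice), as an added example that is not OpenAM's engine: a minimal policy decision point whose rules are role based, attribute based and dynamic, and whose answer has the shape of the JSON response on the deck's "Simple JSON responses" slide. Deny overrides allow, and an action no rule grants is simply absent, which is the difference from the localized if-then-else the "Ad Hoc" slide warns about. The policy, the `bank.example` resources, the subject and environment attributes, and the advice key `AuthLevelConditionAdvice` are all constructed for the demo.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable


@dataclass
class Rule:
    name: str
    resource: str                                   # glob over the resource tree (hierarchical)
    actions: dict                                   # action -> True (allow) or False (deny)
    subject: Callable[[dict], bool] = lambda s: True
    condition: Callable[[dict, dict], bool] = lambda s, e: True
    attributes: dict = field(default_factory=dict)  # response attributes handed back on allow
    advice: dict = field(default_factory=dict)      # handed back when only the condition fails


def decide(rules: list, subject: dict, resource: str, env: dict) -> dict:
    """Evaluate every applicable rule and combine the results."""
    actions, attributes, advices = {}, {}, {}
    for rule in rules:
        if not fnmatchcase(resource, rule.resource) or not rule.subject(subject):
            continue
        if not rule.condition(subject, env):
            # Rule applies to this subject but its condition failed: return its advice
            # so the enforcement point can do better than a flat 403 (e.g. step-up auth).
            for key, value in rule.advice.items():
                advices.setdefault(key, []).append(value)
            continue
        for action, allowed in rule.actions.items():
            actions[action] = allowed and actions.get(action, True)   # deny overrides allow
        attributes.update(rule.attributes)
    if not any(actions.values()):
        attributes = {}   # do not leak response attributes with a full denial
    return {"statusCode": 200, "statusMessage": "OK",
            "body": {"actionsValues": actions, "attributes": attributes,
                     "advices": advices, "resourceName": resource}}


# Role based, attribute based and dynamic conditions (constructed).
def is_teller(s: dict) -> bool:
    return "teller" in s.get("roles", ())


def is_treasury(s: dict) -> bool:
    return s.get("department") == "treasury"


def office_hours_with_mfa(s: dict, e: dict) -> bool:
    return s.get("auth_level", 0) >= 2 and 9 <= e.get("hour", -1) < 17


def off_network(s: dict, e: dict) -> bool:
    return not e.get("client_ip", "").startswith("10.")


POLICY = [
    Rule("tellers-read", "http://bank.example/accounts/*", {"GET": True}, subject=is_teller),
    Rule("tellers-transfer", "http://bank.example/accounts/*/transfer", {"POST": True},
         subject=is_teller, condition=office_hours_with_mfa,
         attributes={"max_transfer": "10000"}, advice={"AuthLevelConditionAdvice": "2"}),
    Rule("treasury-balance", "http://bank.example/accounts/*", {"Balance": True}, subject=is_treasury),
    Rule("deny-off-network", "http://bank.example/*",
         {"GET": False, "POST": False, "Balance": False}, condition=off_network),
]

if __name__ == "__main__":
    alice = {"uid": "alice", "roles": {"teller"}, "auth_level": 1}
    env = {"hour": 14, "client_ip": "10.0.0.5"}
    print(decide(POLICY, alice, "http://bank.example/accounts/42/transfer", env))
```

Note what the application never sees: which rule fired, how tellers are defined, or that the transfer rule checks the authentication level. Changing any of that is a policy edit, not a code change, which is the "rule changes take immediate effect" claim later in the deck.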

Policy Enforcement Point. Policy Decision Point. Policy Administration Point

Policy Enforcement Point

Policy Enforcement Point: Simplest case: Agent plugged into web container. ISAPI, NSAPI, mod_auth

Zero changes to app. Simple to install.. Easily protect “Closed” apps

Policy Enforcement Point: Fine for URL access control when resource is a URL. But how do we address entitlements?

Policy Enforcement Point: Simple Web Service Call coded into Application. Language Agnostic!

    if (entitled(userToken,resource,env)) {
        ...
        ...
    }

Simple JSON responses

    {
      "statusCode": 200,
      "statusMessage": "OK",
      "body": {
        "actionsValues": {"GET": true},
        "attributes": {},
        "advices": {},
        "resourceName": "http://www.anotherexample.com:80/index.html"
      }
    }
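The application-side enforcement point for that web service call, as an added example that is not OpenAM's agent or SDK code: it consumes a decision in the JSON shape shown above and fails closed, so a missing action, a non-boolean value, a decision for a different resource, a non-200 status, a malformed body or an unreachable policy service are all denies. The PDP call is stubbed by `fetch_decision`, which returns constructed responses; the `resourceName` URL is the one on the slide, and the step-up advice key `AuthLevelConditionAdvice` is an assumption for the demo.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

RESOURCE = "http://www.anotherexample.com:80/index.html"   # from the slide

# The slide's response plus constructed variants a real enforcement point must survive.
SAMPLES = {
    "allow": json.dumps({"statusCode": 200, "statusMessage": "OK",
                         "body": {"actionsValues": {"GET": True}, "attributes": {},
                                  "advices": {}, "resourceName": RESOURCE}}),
    "stringy": json.dumps({"statusCode": 200, "statusMessage": "OK",
                           "body": {"actionsValues": {"GET": "true"}, "attributes": {},
                                    "advices": {}, "resourceName": RESOURCE}}),
    "step-up": json.dumps({"statusCode": 200, "statusMessage": "OK",
                           "body": {"actionsValues": {}, "attributes": {},
                                    "advices": {"AuthLevelConditionAdvice": ["2"]},
                                    "resourceName": RESOURCE}}),
    "other-resource": json.dumps({"statusCode": 200, "statusMessage": "OK",
                                  "body": {"actionsValues": {"GET": True}, "attributes": {},
                                           "advices": {}, "resourceName": "http://www.anotherexample.com:80/"}}),
    "unauthorized": json.dumps({"statusCode": 401, "statusMessage": "Unauthorized", "body": {}}),
    "garbage": "<html>502 Bad Gateway</html>",
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    advices: dict = field(default_factory=dict)


def enforce(raw: Optional[str], resource: str, action: str) -> Verdict:
    """Map a raw policy response to allow/deny. Anything that is not an explicit,
    well-formed true for this action on this resource is a deny."""
    if raw is None:
        return Verdict(False, "pdp-unreachable")
    try:
        resp = json.loads(raw)
    except ValueError:
        return Verdict(False, "malformed-response")
    if not isinstance(resp, dict):
        return Verdict(False, "malformed-response")
    if resp.get("statusCode") != 200:
        return Verdict(False, f"status-{resp.get('statusCode')}")
    body = resp.get("body")
    if not isinstance(body, dict):
        return Verdict(False, "missing-body")
    if body.get("resourceName") != resource:
        return Verdict(False, "resource-mismatch")   # never reuse a decision made for another URL
    advices = body.get("advices") if isinstance(body.get("advices"), dict) else {}
    values = body.get("actionsValues") if isinstance(body.get("actionsValues"), dict) else {}
    if values.get(action) is True:                    # "true", 1 or "yes" are not an allow
        return Verdict(True, "entitled", advices)
    return Verdict(False, "not-entitled", advices)


def fetch_decision(token: str, resource: str, action: str) -> Optional[str]:
    # Stand-in for the web service call: a real PEP would send the session token,
    # resource and action to the policy service over TLS and return the raw body.
    return SAMPLES.get(token)


def handle_request(token: str, resource: str, action: str) -> tuple:
    """The application side of `if (entitled(...)) { ... }` with advice handling."""
    verdict = enforce(fetch_decision(token, resource, action), resource, action)
    if verdict.allowed:
        return 200, "resource served"
    if "AuthLevelConditionAdvice" in verdict.advices:
        return 302, "redirect to step-up authentication"
    return 403, verdict.reason


if __name__ == "__main__":
    for token in SAMPLES:
        print(token, handle_request(token, RESOURCE, "GET"))
```

The `is True` test and the `resourceName` check are the two details most often missed when this call is hand-coded in each application: a truthy string or a cached decision for the parent directory silently turns into an allow.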

Policy Decision Point

Policy Decision Point: Policy Evaluation. Separate the Rule evaluation from the enforcement

Scalable and extensible policy engine. Scalable to millions of entitlements. Standards based XACML3

Separate Administration: Application Administration is separate from Entitlement Administration

Policy Administration: Administration UI. Dynamic rule changes. Auditability. Consistency

Standards based XACML3. Any editor... Any workflow...

Rule changes take immediate effect. No impact on application development

Keep track of rules and changes. Reuse rules for reusable resources

ForgeRock

OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements.

OpenAM started life as Sun Access Manager. Open-sourced in 2007. Strong Community

OpenAM is fully open source, 100% Java, scalable, high performance, AuthN and AuthZ

OpenAM: Full XACML3 Support. Simple policies and Complex Entitlements. Extensible Plugins. Central Administration. Leverage existing SSO

OpenAM Community: ForgeRock http://www.forgerock.org

Download it. Use it. Get involved! info@forgerock.com

Demo