Presentation Opensource Authentication and Authorization
As web applications become the norm for application delivery mechanisms, there is more and more demand for managing access control at the application framework level. As is immediately obvious, managing this access control becomes an overwhelming overhead for the actual application, and should be handled by the underlying framework used for application delivery.
Opensource projects such as ForgeRock OpenAM (formerly OpenSSO) can provide both Authentication services and Authorization services to applications, utilising a simple REST or SOAP based web service interface. All the management of users, groups and other authentication attributes can be handled by the AuthN/AuthZ application and delivered to the web application as a service. We can already see this behavior in use in PAM, the pluggable authentication modules used in many Linux environments today. However, mere authentication is not sufficient in an enterprise environment. Often, group, Com...
Published on: 2010-11-29T09:34:16.000Z
Channel: Devoxx'10 (all)
Tags: authorization OpenAM authentication AuthZ
Speakers:
Allan Foster
Allan Foster is a founding member of ForgeRock, bringing skills in the entire Identity management space. He has proven skills in Access Management, Federation, and Portal Architectures. Allan is based in Portland, Oregon in the USA, and has worked with the ForgeRock products, as well as prior versions of the products, for several years. Allan brings 25 years of experience in the development, internet, and Identity management spaces to ForgeRock. Allan's career has reached from Apple Computer Inc. to Netscape, AOL, Guru Associates, and Sun Microsystems before joining the team at ForgeRock.
PDF: slides.pdf
Slides:
Intro
Opensource Authentication & Authorization
Allan Foster, ForgeRock, allan.foster@forgerock.com

“Build us a Web App”

Lots of examples....

New Application Demands
Collaborative Workgroups. Client - Server. Multi user... In the cloud?

It’s a WebApp!

Business Logic
Your Business... Your Logic... You know how to do this!

Lots of Help
Language... .Net, Perl, Java, Groovy, PHP, Ruby, C#, Python, C++
Oh yes, LOTS of help!
Frameworks... JSF, AJAX, Spring, Velocity, PEAR, Hibernate, ICEfaces

And don’t forget...
Access Control
Who are our users? Who can access what? What can they do? How do we manage this?

It’s not that complicated..
Authentication, SSO, Authorization

Authentication?
Corporate LDAP

But what about...

or...

or
SecureID (RSA)

Maybe all?

Authentication isn’t enough...
SSO is expected! I have one set of credentials. Why can’t I just use them ONCE?
Even between multiple Organizations
Federation, eGov, GoogleApps

SSO implies having a single trusted Authentication service...

That can be used by MANY different applications!

Without regard to HOW the authentication is being performed

What About Authorization?

Is this user allowed to perform this action on this data?

Group Membership? Roles? Some Complex Matrix?

Access control logic can be embedded in our application...
BUT..

New Specs. New Rules. Exceptions. Changes... and more changes! ...And testing!

Reprogram the door?

Centrally managed service

AuthN and AuthZ as a service
Identity services (OpenAM)
Authentication, SSO, Authorization

Authentication is NOT Identity Management
Validation against EXISTING identity stores!

We don’t need to know user implementation details. We only need to know User Identity and possibly some user attributes.

Integrate into existing process
Pluggable Authentication modules. Built on Standards - JAAS. Multiple Modules & Chains
Authentication modules (word cloud): LDAP, x509 Certificate, Unix, SecureID, SafeWord, JDBC, SAML2, Smart Cards, MSISDN, Membership, AD, Custom... Extensible
Authentication determines identity. Identity is what matters.. NOT the method it is determined

Authentication, SSO, Authorization

Allan Foster Speaker Devoxx 2010
One Pass, Multiple Doors: Single Sign On

Application validates credentials... Does NOT issue them!

We don’t “Login”. We validate Identity. This is a hurdle for developers!

Authentication service determines identity. Authentication service issues credentials

New applications easily integrate into existing infrastructure

And for many projects This is success!

Authentication, SSO, Authorization

Multi User Application
Access Control, Rights and Privileges

Access Control - Policy. Rights and Privileges - Entitlements. Scalability. Flexibility
Access Control can be
Very Complex, Domain Specific, Dependent on Many Conditions

Several Options
• Ad Hoc
• J2EE Policy
• URL Access
• Custom Developed
• External Policy Engine

Ad Hoc
• Localized if - then - else
• Cumbersome
• No Reuse
• Inconsistent enforcement
• Unverifiable
• Possible security holes

J2EE Policy
• Standards..
• Role Based
• Supported in the deployment
• Designed from the start
• Difficult to change
• Domino Effect

URL Access
• Coarse Grained
• Tree Level Access
• Often at Application or server Level
• Access Control NOT Entitlements

Custom Policy
• Expensive
• Hard to Maintain
• Proprietary
• Administration is Daunting!
• Difficult to change and adapt

External Policy Engine
• Policy Evaluation
• Extensible
• Flexible
• Centralized Administration
• Can it handle our complexity?

Can This User access This Resource under These Conditions?
Define Rules for Access. Rules can be changed dynamically. Standards based - XACML3

Rules
Resources, Actions, Subjects, Conditions, Response Attributes, Advice

Resources
URLs, Accounts, Buttons, Projects. Hierarchical, Scalable, Pluggable API

Actions
Performed on a resource. Fine Grained access
GET, POST, PUT, DELETE, COPY
Withdraw, Balance, Transfer
Create, Read, Update, Delete

Subjects
Who does the rule apply to?
Group, LDAP Member, Datastore Attribute, Session Attribute, Custom Subject
Pluggable API. Combination Logic

Conditions
Simple or Complex Dependencies
Attribute, Bank Balance, Time of the Day, IP Address, Authentication Level, Session Attribute
Pluggable API. Combination Logic
Access control can be: Role based, Attribute based, or Dynamic.

Policy Enforcement Point, Policy Decision Point, Policy Administration Point

Policy Enforcement Point

Policy Enforcement Point
Simplest case: Agent plugged into web container.
ISAPI, NSAPI, mod_auth

Zero changes to app. Simple to install.. Easily protect “Closed” apps

Policy Enforcement Point
Fine for URL access control when resource is a URL. But how do we address entitlements?

Policy Enforcement Point
Simple Web Service Call Coded into Application
    if (entitled(userToken, resource, env)) { ... }
Language Agnostic!

Simple JSON responses
    {
      "statusCode": 200,
      "statusMessage": "OK",
      "body": {
        "actionsValues": {"GET": true},
        "attributes": {},
        "advices": {},
        "resourceName": "http://www.anotherexample.com:80/index.html"
      }
    }
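As an added example (not code from the talk or from OpenAM), here is a toy policy decision point that evaluates rules built from the Resources, Actions, Subjects and Conditions slides above and returns a decision document in the shape of the JSON slide, together with the entitled(userToken, resource, env) enforcement check from the previous slide. The policy, the session store, the advice name and the extra action parameter are constructed assumptions.

```python
import fnmatch
# Constructed sample policy; fields follow the talk's Rules list, not an OpenAM format.
POLICIES = [{
    "resources": ["http://www.anotherexample.com:80/*"],
    "actions": {"GET": True, "POST": False},
    "subjects": {"groups": ["staff"]},
    "conditions": {"min_auth_level": 1, "ip_prefix": "10."},
}]
# Constructed SSO session store: token from the authentication service -> identity.
SESSIONS = {
    "tok-alice": {"user": "alice", "groups": ["staff"], "auth_level": 2},
    "tok-bob": {"user": "bob", "groups": ["staff"], "auth_level": 0},
    "tok-eve": {"user": "eve", "groups": ["guests"], "auth_level": 2},
}

def evaluate(user_token, resource, env):
    """PDP: evaluate the rules and return the decision document shown on the JSON slide."""
    session = SESSIONS.get(user_token)
    if session is None:
        return {"statusCode": 401, "statusMessage": "Invalid token", "body": {}}
    body = {"actionsValues": {}, "attributes": {"user": session["user"]},
            "advices": {}, "resourceName": resource}
    for rule in POLICIES:
        if not any(fnmatch.fnmatch(resource, r) for r in rule["resources"]):
            continue  # resource not covered by this rule
        if not set(rule["subjects"]["groups"]) & set(session["groups"]):
            continue  # subject not covered: the rule grants nothing
        cond = rule["conditions"]
        if not env.get("ip", "").startswith(cond["ip_prefix"]):
            body["actionsValues"].update({a: False for a in rule["actions"]})
            continue  # environment condition fails: plain deny
        if session["auth_level"] < cond["min_auth_level"]:
            # Condition fails, but return advice (constructed name) so the PEP
            # can send the user to step-up authentication.
            body["actionsValues"].update({a: False for a in rule["actions"]})
            body["advices"]["AuthLevelAdvice"] = [str(cond["min_auth_level"])]
            continue
        for action, allowed in rule["actions"].items():
            # Combination logic: an explicit deny beats an earlier allow.
            body["actionsValues"][action] = allowed and body["actionsValues"].get(action, True)
    return {"statusCode": 200, "statusMessage": "OK", "body": body}

def entitled(user_token, resource, env, action="GET"):
    """PEP: the slide's if (entitled(userToken, resource, env)) check, plus an action
    parameter. Anything other than an explicit True is treated as a deny."""
    decision = evaluate(user_token, resource, env)
    if decision.get("statusCode") != 200:
        return False
    return decision["body"].get("actionsValues", {}).get(action) is True
```

The PEP never interprets the rules itself; it only trusts an explicit true for the requested action, so a missing action, an unknown token or a non-200 status all fail closed.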
Policy Decision Point

Policy Decision Point
Policy Evaluation: Separate the Rule evaluation from the enforcement

Scalable and extensible policy engine. Scalable to millions of entitlements. Standards based XACML3

Separate Administration
Application Administration is separate from Entitlement Administration

Policy Administration
Administration UI, Dynamic rule changes, Auditability, Consistency

Standards based XACML3. Any editor... Any workflow...

Rule changes take immediate effect. No impact on application development

Keep track of rules and changes. Reuse rules for reusable resources

ForgeRock

OpenAM
OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements.

OpenAM
Started life as Sun Access Manager. OpenSourced in 2007. Strong Community

OpenAM
OpenAM is fully opensource, 100% Java, scalable, high performance, AuthN and AuthZ

OpenAM
Full XACML3 Support. Simple policies and Complex Entitlements. Extensible Plugins. Central Administration. Leverage existing SSO

OpenAM
OpenAM Community: ForgeRock http://www.forgerock.org

Download it. Use it. Get involved! info@forgerock.com

Demo