Open Standards in Identity Management
![Page 1: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/1.jpg)
Open Standards in
Identity Management
Prabath [email protected] | [email protected]
GSoC Mentor Summit 2016
![Page 2: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/2.jpg)
Pillars of Identity and Access Management
● Identity Federation and Single Sign-On
● User Administration and Provisioning
● Identity and Access Governance
![Page 3: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/3.jpg)
GSoC and WSO2
● WSO2 produces a set of open source software to address different aspects of the connected business.
● All WSO2 products are released under the most business-friendly open source license, Apache 2.0.
● GSoC mentor organization since 2014
● 11 GSoC projects successfully completed in 2016
● Identity standards implemented under GSoC (mentored by WSO2)
○ UMA (User-Managed Access)
○ XACML JSON profile
○ XACML REST profile
○ SAML 2.0 Assertion Query/Request Profile
![Page 4: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/4.jpg)
Identity and Access Management (IAM) is the security discipline that enables the right individuals
to access the right resources at the right times for the right reasons.
![Page 5: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/5.jpg)
Standard Bodies for Identity and Access Management
● OASIS
● IETF
● OpenID Foundation
● W3C
● Kantara Initiative
● FIDO Alliance
![Page 6: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/6.jpg)
OAuth 2.0
● An authorization framework developed by the IETF and documented in RFC 6749 (bearer token usage is in RFC 6750).
● Enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
● Access delegation: the resource owner grants the application a scoped token that stands in for the owner's credentials instead of sharing those credentials.
● OAuth 1.0 vs. OAuth 2.0: OAuth 1.0 (RFC 5849) signed every request with a client-held secret, while OAuth 2.0 relies on TLS and bearer tokens.
![Page 7: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/7.jpg)
OAuth 2.0
![Page 8: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/8.jpg)
OAuth 2.0 (Authorization Code Grant Type)
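The authorization code grant on this slide, as an added example that is not code from the talk or from WSO2: an in-memory authorization server and a confidential client exchange the messages of RFC 6749 section 4.1 as Python dicts rather than HTTP requests. The client id, secret, redirect URI and scope are made-up values; the points a practitioner should check are the `state` round trip, the registered `redirect_uri` match, client authentication at the token endpoint, and the single-use code.

```python
"""Simulated OAuth 2.0 authorization code grant (RFC 6749, section 4.1).

Added example, not code from the talk or from WSO2. Client registration
values are hypothetical; messages are dicts standing in for HTTP."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """In-memory authorization server: authorization endpoint + token endpoint."""

    def __init__(self):
        # Constructed client registration; id, secret and URI are hypothetical.
        self.clients = {
            "photo-printer": {"secret": "printer-secret",
                              "redirect_uri": "https://printer.example/cb"},
        }
        self.codes = {}    # code -> what it was issued for
        self.tokens = {}   # access token -> user and scope

    def authorize(self, params, user):
        """Authorization endpoint, after the resource owner authenticated and
        consented. Returns the redirect URL carrying the code to the client."""
        client = self.clients.get(params.get("client_id"))
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            # Never redirect to an unregistered URI: that is how codes get stolen.
            raise ValueError("invalid client_id or redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if not params.get("state"):
            raise ValueError("state is required by this server")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
            "scope": params.get("scope", ""), "user": user, "expires": time.time() + 60,
        }
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: authenticate the client, redeem the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)   # pop: a replayed code is rejected
        if entry is None or entry["expires"] < time.time():
            return {"error": "invalid_grant"}
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            # Code issued to another client or via another redirect_uri (RFC 6749, 4.1.3)
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": entry["user"], "scope": entry["scope"]}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": entry["scope"]}


class Client:
    """Confidential client (the third-party application)."""

    def __init__(self, server):
        self.server = server
        self.client_id, self.secret = "photo-printer", "printer-secret"
        self.redirect_uri = "https://printer.example/cb"
        self.pending_states = set()

    def start(self):
        """Step 1: the authorization request; state binds the callback to this session."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "photos:read", "state": state}

    def callback(self, redirect_url):
        """Step 2: verify state, then exchange the code at the token endpoint."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: possible CSRF")
        self.pending_states.discard(state)
        return self.server.token(self.client_id, self.secret, q["code"][0], self.redirect_uri)


def run_flow():
    """Happy path, then a replay of the same code; returns both token responses."""
    server = AuthorizationServer()
    client = Client(server)
    redirect = server.authorize(client.start(), user="alice")   # user consented
    first = client.callback(redirect)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    replay = server.token(client.client_id, client.secret, code, client.redirect_uri)
    return first, replay
```

Run `run_flow()`: the first exchange yields a bearer token scoped to `photos:read`; the replay of the same code gets `invalid_grant`, which is the behaviour the spec requires of a token endpoint.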
![Page 9: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/9.jpg)
OAuth 2.0 (Implicit Grant Type)
![Page 10: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/10.jpg)
OAuth 2.0 (Client Credentials Grant Type)
![Page 11: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/11.jpg)
OAuth 2.0 (Password Grant Type)
![Page 12: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/12.jpg)
OpenID Connect
● A standard developed by the OpenID Foundation (OpenID Connect Core 1.0).
● Built on top of OAuth 2.0: an identity layer that adds an ID token to the OAuth flows.
● Uses JWT (RFC 7519), which builds on the JWS/JWE signing and encryption formats from the IETF JOSE working group.
● Uses a signed JWT, the ID token, to transport user identity from the identity provider (OpenID Provider) to the service provider (Relying Party).
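Minting and validating the ID token described above, as an added example that is not code from the talk or from WSO2. It implements the JWS compact serialization with HS256 from the standard library so it runs offline; OpenID Connect permits HS256 keyed with the client secret, though production deployments usually verify RS256 against the provider's published JWKS. The issuer, client id, secret and subject are made-up values. The relying-party checks are the ones OpenID Connect Core section 3.1.3.7 requires: pinned algorithm, signature, `iss`, `aud`, `exp` and `nonce`.

```python
"""Mint and validate an OpenID Connect ID token (HS256 JWS).

Added example, not code from the talk or from WSO2; issuer, client id,
secret and subject below are hypothetical."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(issuer, client_id, subject, nonce, secret, now=None, ttl=300):
    """OpenID Provider side: sign the identity claims for one relying party."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, issuer, client_id, nonce, secret, now=None):
    """Relying Party side. Returns the claims, raises ValueError on any failure."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: never let the token header choose it ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:   # a token for another client must not log the user in here
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:   # nonce ties the token to the session that started the flow
        raise ValueError("nonce mismatch")
    return claims
```

The order matters: the signature is checked before any claim is trusted, and the algorithm is compared against what the relying party configured rather than read from the token.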
![Page 13: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/13.jpg)
OpenID Connect
![Page 14: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/14.jpg)
OpenID Connect
![Page 15: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/15.jpg)
SAML 2.0
● An XML-based standard for exchanging authentication and authorization data between entities, produced by the OASIS Security Services Technical Committee.
● History
○ SAML 1.0 was adopted as an OASIS standard in Nov 2002
○ SAML 1.1 was ratified as an OASIS standard in Sept 2003
○ SAML 2.0 became an OASIS standard in Mar 2005
● Components
○ Assertions: authentication, attribute and authorization decision statements
○ Protocol: request and response elements for packaging assertions
○ Bindings: how SAML protocols map onto standard messaging or communication protocols (e.g. HTTP Redirect, HTTP POST, SOAP)
○ Profiles: how SAML protocols, bindings and assertions combine to support a defined use case (e.g. Web Browser SSO)
● SAML Assertion Query/Request Profile (GSoC 2016 open source implementation)
![Page 16: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/16.jpg)
SAML 2.0 Web SSO (HTTP Redirect Binding)
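The HTTP Redirect binding on this slide, as an added example that is not code from the talk or from WSO2: the SP builds an `AuthnRequest`, DEFLATEs it, base64-encodes it and URL-encodes it into the `SAMLRequest` query parameter (SAML 2.0 Bindings, section 3.4); the IdP reverses the steps. Entity IDs and URLs are made up. The IdP side caps the inflated size, since a few hundred compressed bytes can inflate to far more, and checks `Destination` against its own endpoint. Signing of the query string (`SigAlg` and `Signature` parameters) is not shown.

```python
"""SAML 2.0 HTTP Redirect binding: encode and decode an AuthnRequest.

Added example, not code from the talk or from WSO2; entity IDs and URLs
are hypothetical."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_INFLATED = 64 * 1024   # cap on the inflated message: DEFLATE bombs are cheap to build


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now=None):
    """SP side: the XML message. ID is an xs:ID, so it must not start with a digit."""
    now = now or datetime.now(timezone.utc)
    instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    req_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    return req_id, xml


def redirect_url(idp_sso_url, xml, relay_state=None):
    """DEFLATE (raw stream, no zlib header) + base64; urlencode does the URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect(url, expected_destination):
    """IdP side: inflate under a size cap and pull out the fields the IdP must check."""
    q = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(q["SAMLRequest"][0])
    d = zlib.decompressobj(-15)
    xml = d.decompress(deflated, MAX_INFLATED)
    if not d.eof:
        raise ValueError("inflated AuthnRequest exceeds %d bytes" % MAX_INFLATED)
    root = ET.fromstring(xml)   # stdlib expat does not fetch external entities
    if root.tag != "{%s}AuthnRequest" % NS_P:
        raise ValueError("not an AuthnRequest")
    if root.get("Destination") != expected_destination:
        # A request aimed at another endpoint must not be processed here.
        raise ValueError("Destination does not match this endpoint")
    issuer = root.find("{%s}Issuer" % NS_A)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": q.get("RelayState", [None])[0],
    }
```

On the IdP the `issuer` value is what you look up in SP metadata, and the `acs_url` in the request must be compared against that metadata before the response is posted to it; trusting the value in the request alone lets an attacker redirect assertions.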
![Page 17: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/17.jpg)
SAML 2.0 Web SSO vs. OpenID Connect
● Both can be used for identity federation and SSO.
● SAML 2.0 Web SSO is XML-based, while OIDC is JSON-based.
● SAML 2.0 Web SSO carries identity in a SAML assertion, while OIDC carries it in a JWT (the ID token).
● SAML 2.0 has many bindings (SOAP, HTTP Redirect, HTTP POST, Artifact), while the only binding OIDC has is HTTP.
● OpenID Connect is the preferred standard for mobile apps and SPAs.
![Page 18: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/18.jpg)
SPML (Service Provisioning Markup Language)
● The OASIS Technical Committee for Service Provisioning was formed in 2001 to define an XML-based framework for exchanging user, resource, and service provisioning information.
● XML based
● Two bindings
○ SOAP
○ File
● SPML v2.0 (2006) is the latest version.
● Too bulky, like the UDDI specification in the SOAP world.
![Page 19: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/19.jpg)
SCIM (System for Cross-domain Identity Management)
● SCIM is purely RESTful.
● The initial version supported both JSON and XML; the current version is JSON only.
● Introduced a REST API for provisioning and a core schema (which can be extended) for the provisioned objects.
● SCIM 1.1 was finalized in 2012 and then brought to the IETF.
● Once in the IETF the name changed from Simple Cloud Identity Management to System for Cross-domain Identity Management, and XML support was dropped in favour of JSON only.
● SCIM 2.0 was published by the IETF in Sept 2015 as RFC 7643 (core schema) and RFC 7644 (protocol), with RFC 7642 covering the use cases.
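The REST API and core schema above, as an added example that is not code from the talk or from WSO2: a SCIM 2.0 `User` resource (RFC 7643) updated with a `PatchOp` message (RFC 7644, section 3.5.2). It handles `add`, `replace` and `remove` on top-level attributes and dotted sub-attribute paths such as `name.givenName`, not the filter syntax inside paths. The user data and the patch are constructed samples; the error strings reuse the `scimType` values the protocol defines.

```python
"""Apply a SCIM 2.0 PatchOp to a User resource (RFC 7644, section 3.5.2).

Added example, not code from the talk or from WSO2; the resource and
patch below are constructed samples."""
import copy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
READ_ONLY = {"id", "meta"}   # readOnly in RFC 7643: a client must not be able to change them


def apply_patch(resource, patch_op):
    """Return a patched copy; raise ValueError('<scimType>: ...') on bad input."""
    if PATCH_SCHEMA not in patch_op.get("schemas", []):
        raise ValueError("invalidSyntax: missing PatchOp schema")
    new = copy.deepcopy(resource)
    for op in patch_op.get("Operations", []):
        kind = op.get("op", "").lower()
        if kind not in ("add", "replace", "remove"):
            raise ValueError("invalidSyntax: unknown op %r" % kind)
        path = op.get("path")
        if kind == "remove":
            if not path:
                raise ValueError("noTarget: remove requires a path")
            targets = [(path.split("."), None)]
        elif "value" not in op:
            raise ValueError("invalidValue: %s requires a value" % kind)
        elif path:
            targets = [(path.split("."), op["value"])]
        elif isinstance(op["value"], dict):
            targets = [([k], v) for k, v in op["value"].items()]   # no path: merge attributes
        else:
            raise ValueError("invalidValue: value must be an object when path is omitted")
        for parts, value in targets:
            if parts[0] in READ_ONLY:
                raise ValueError("mutability: %s is readOnly" % parts[0])
            if kind == "remove":
                _remove(new, parts)
            else:
                _set(new, parts, value, kind)
    if "userName" not in new:   # required attribute of the core User schema
        raise ValueError("invalidValue: userName is required")
    return new


def _set(obj, parts, value, kind):
    for p in parts[:-1]:
        obj = obj.setdefault(p, {})
    last = parts[-1]
    if kind == "add" and isinstance(obj.get(last), list):
        obj[last].extend(value if isinstance(value, list) else [value])   # multi-valued: append
    else:
        obj[last] = value


def _remove(obj, parts):
    for p in parts[:-1]:
        obj = obj.get(p)
        if obj is None:
            raise ValueError("noTarget: path does not exist")
    obj.pop(parts[-1], None)


USER = {   # constructed sample resource
    "schemas": [USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "primary": True}],
    "active": True,
}

PATCH = {   # constructed sample PatchOp, e.g. the body of PATCH /Users/<id>
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "replace", "path": "active", "value": False},
        {"op": "add", "path": "emails", "value": [{"value": "barbara@example.com", "type": "home"}]},
        {"op": "remove", "path": "name.givenName"},
    ],
}
```

A deprovisioning flow is usually the first operation (`active` to `false`) rather than a `DELETE`, so that the account can be audited and restored; the readOnly check is what stops a client from rewriting `id` and hijacking another resource's identity.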
![Page 20: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/20.jpg)
The Evolution of Provisioning Standards
![Page 21: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/21.jpg)
XACML (eXtensible Access Control Markup Language)
● An OASIS standard for fine-grained access control.
● Components
○ Architecture (PAP, PDP, PEP, PIP)
○ Request-Response protocol
○ Policy language (XML-based)
● JSON profile of XACML 3.0 (GSoC 2016 open source implementation)
● REST API for XACML (GSoC 2016 open source implementation)
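The architecture and the JSON profile listed above, as an added example that is not code from the talk or from WSO2: a miniature PDP that evaluates a request in the JSON profile format (`Request` with `AccessSubject`, `Resource` and `Action` categories, each a list of `AttributeId`/`Value` pairs) and returns a JSON profile `Response`, with a PIP lookup for attributes the request does not carry and a deny-biased PEP in front of it. The policy is a hand-written Python structure standing in for the XML policy language, combined with deny-overrides; the `urn:example:role` attribute id, the directory and the subjects and resources are made up.

```python
"""Miniature XACML PDP/PEP over the JSON profile request and response format.

Added example, not code from the talk or from WSO2. The subject, resource
and action attribute ids are the standard XACML ones; the role attribute
id, the directory, the policy and the request values are hypothetical."""
import json

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"   # assumed custom attribute id

# PIP: attributes the PDP fetches when the request lacks them (constructed directory)
DIRECTORY = {"alice": {ROLE: "doctor"}, "bob": {ROLE: "billing"}}

# PAP output: each rule has an effect and a target of {category: {attribute-id: predicate}}
POLICY = {
    "combining": "deny-overrides",
    "rules": [
        {"effect": "Deny", "target": {"Action": {ACTION_ID: lambda v: v == "delete"}}},
        {"effect": "Permit", "target": {
            "AccessSubject": {ROLE: lambda v: v == "doctor"},
            "Resource": {RESOURCE_ID: lambda v: v.startswith("/patients/")},
            "Action": {ACTION_ID: lambda v: v in ("read", "write")}}},
    ],
}


def _attrs(request, category):
    """Flatten one category of a JSON-profile request into {attribute-id: value}."""
    return {a["AttributeId"]: a["Value"]
            for a in request["Request"].get(category, {}).get("Attribute", [])}


def _lookup(category_attrs, category, attr_id):
    """PIP: fall back to the directory for subject attributes missing from the request."""
    if attr_id in category_attrs:
        return category_attrs[attr_id]
    if category == "AccessSubject":
        return DIRECTORY.get(category_attrs.get(SUBJECT_ID), {}).get(attr_id)
    return None


def _rule_matches(rule, request):
    for category, preds in rule["target"].items():
        attrs = _attrs(request, category)
        for attr_id, pred in preds.items():
            value = _lookup(attrs, category, attr_id)
            if value is None or not pred(value):
                return False
    return True


def decide(request_json):
    """PDP: evaluate a JSON-profile request and return a JSON-profile response."""
    request = json.loads(request_json)
    effects = [r["effect"] for r in POLICY["rules"] if _rule_matches(r, request)]
    if "Deny" in effects:          # deny-overrides: any Deny wins
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return json.dumps({"Response": [{"Decision": decision}]})


def make_request(subject, resource, action):
    """Build the JSON-profile request the PEP sends to the PDP."""
    return json.dumps({"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
    }})


def pep_allows(subject, resource, action):
    """PEP: deny-biased, so NotApplicable and Indeterminate block the operation too."""
    response = json.loads(decide(make_request(subject, resource, action)))
    return response["Response"][0]["Decision"] == "Permit"
```

The PEP treats anything other than an explicit `Permit` as a refusal; a PEP that lets `NotApplicable` through turns every gap in the policy set into an allow.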
![Page 22: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/22.jpg)
XACML (eXtensible Access Control Markup Language)
![Page 23: Open Standards in Identity Management](https://reader034.vdocuments.mx/reader034/viewer/2022052606/589be06a1a28aba5108b5771/html5/thumbnails/23.jpg)
Contact us!