This document provides an overview of entitlement management and identity management concepts. It discusses different access control models like access control lists, role-based access control, attribute-based access control and policy-based access control using XACML. The presenter Chamath Gunawardana is a technical lead at WSO2 who works on their identity server. WSO2 provides open source identity and access management solutions.
Identity and Entitlement Management Concepts
1. Last Updated: Jan. 2014
Tech Lead Chamath Gunawardana
Identity and Entitlement Management – Concepts and Theories
2. About the Presenter(s)
๏ Chamath Gunawardana
Chamath Gunawardana is a technical lead at WSO2 working in the integration technology group. He is engaged in the development of the WSO2 Identity Server and is also a committer on the WSO2 Identity Server. Chamath is also a Sun Certified Java Programmer.
3. About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by innovation
  ๏ Launched the first open source API Management solution in 2012
  ๏ Launched App Factory in 2Q 2013
  ๏ Launched Enterprise Store and the first open source Mobile solution in 4Q 2013
5. Agenda
๏ Entitlement management
  ๏ Overview
  ๏ Access control concepts
  ๏ XACML
  ๏ Entitlement architecture in Identity Server
๏ Identity management
  ๏ Overview
  ๏ Features of identity management systems
  ๏ A couple of identity management capabilities in Identity Server
๏ Demo
6. What is Entitlement Management
๏ Entitlement management is technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements.
๏ Also referred to as authorizations, privileges, access rights, permissions and/or rules
- Gartner Glossary
7. Entitlement Management
๏ It is a broader concept
๏ Types of access control include:
  ๏ Access control lists
  ๏ Role based access control
  ๏ Attribute based access control
  ๏ Policy based access control
8. Access control lists
๏ Oldest and most basic form of access control
๏ Primarily adopted by operating systems
๏ Maintains, as a mapping, the set of users and the operations each can perform on a resource
๏ Also easy to implement using maps
๏ Not scalable for large user bases
๏ Difficult to manage
9. Role based access control
๏ The system has users that belong to roles
๏ A role defines which resources will be allowed
๏ Reduces the management overhead
๏ Users and roles can be externalized using user stores
๏ The roles need to be managed
๏ A user may belong to multiple roles
10. Attribute based access control
๏ Authorization based on attributes
๏ Addresses the limitation of the role based approach in defining fine grained access control
๏ Attributes of the user, the environment, as well as the resource itself
๏ More flexible than the role based approach
๏ No need to know the user prior to granting access
11. Policy based access control
๏ Addresses the requirement for a more uniform access control mechanism
๏ Helps large enterprises to have uniform access control among org units
๏ Helps security audits to be carried out
๏ More complex than any other access control system
๏ Specify policies unambiguously with XACML
๏ Use of authorized attribute sources in the enterprise
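The four slides above contrast the models in words; the following added example (not code from the deck or from WSO2) puts the same access question to an ACL, an RBAC table and an ABAC rule set so the differences are concrete. All users, roles, resources and attributes are constructed sample data; `compare`, `env_at` and the clearance attribute are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample data: one resource, two enrolled users, two roles.
ACL = {"report-42": {"alice": {"read", "write"}, "bob": {"read"}}}
USER_ROLES = {"alice": {"finance-analyst"}, "bob": {"auditor"}}
ROLE_PERMS = {
    "finance-analyst": {("report-42", "read"), ("report-42", "write")},
    "auditor": {("report-42", "read")},
}
RESOURCE_ATTRS = {"report-42": {"department": "finance", "classification": "internal"}}

def acl_allows(user, op, resource):
    """ACL: a per-resource mapping of user -> permitted operations."""
    return op in ACL.get(resource, {}).get(user, set())

def rbac_allows(user, op, resource):
    """RBAC: allowed if any of the user's roles grants (resource, op)."""
    return any((resource, op) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

def abac_allows(subject, op, resource, env):
    """ABAC: decide from attributes of subject, resource and environment.
    The subject is a bag of attributes, not a pre-enrolled identity."""
    res = RESOURCE_ATTRS.get(resource, {})
    same_dept = subject.get("department") == res.get("department")
    in_hours = 9 <= env["time"].hour < 18          # environment attribute
    if op == "read":
        return same_dept and res.get("classification") != "restricted"
    if op == "write":
        return same_dept and in_hours and subject.get("clearance", 0) >= 2
    return False

def env_at(hour):
    """Constructed environment: a fixed weekday at the given hour."""
    return {"time": datetime(2014, 1, 15, hour, 0)}

def compare(user, attrs, op, resource, env):
    """Same question put to all three models; returns (acl, rbac, abac)."""
    return (acl_allows(user, op, resource),
            rbac_allows(user, op, resource),
            abac_allows(attrs, op, resource, env))

if __name__ == "__main__":
    carol = {"department": "finance", "clearance": 2}   # never enrolled anywhere
    print(compare("carol", carol, "read", "report-42", env_at(10)))  # (False, False, True)
```

Only the ABAC path can admit carol, because it needs her attributes rather than a prior entry in a list or a role assignment, which is the "no need to know the user prior to granting access" point from slide 10.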
12. Advantages
๏ Reduces the development time spent on critical business functions
๏ Easy management of entitlements
๏ Based on industry standard specifications
๏ Support for future development with minimum effort
13. XACML
๏ XACML is a policy based authorization/entitlement system
๏ De-facto standard for authorization
๏ Has evolved through versions 1.0, 2.0 and 3.0
๏ Externalized
๏ Policy based
๏ Fine grained
๏ Standardized
14. XACML
๏ Identity Server supports XACML 2.0 and 3.0 versions
๏ Supports multiple PIPs
๏ Policy distribution
๏ UI wizards for defining policies
๏ Try-it tool
๏ Decision / attribute caching
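To show what "policy based", "multiple PIPs" and "attribute caching" mean at evaluation time, here is an added toy policy decision point (not WSO2 Identity Server code and not a XACML implementation) that keeps the XACML shape: a request carrying subject, resource, action and environment attributes, rules with a target and an effect, a deny-overrides combining algorithm, and a PIP that resolves subject attributes missing from the request. The `PIP_STORE` contents, the two rules and the `request` helper are constructed for the example.

```python
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed PIP backing store standing in for a user store (LDAP/JDBC).
PIP_STORE = {"alice": {"department": "finance"}, "bob": {"department": "sales"}}

class Pip:
    """Policy Information Point: resolves subject attributes the request
    did not carry and caches them (the attribute caching of slide 14)."""
    def __init__(self, store):
        self.store, self.cache, self.lookups = store, {}, 0
    def subject_attr(self, subject_id, name):
        key = (subject_id, name)
        if key not in self.cache:
            self.lookups += 1                       # a real store round trip
            self.cache[key] = self.store.get(subject_id, {}).get(name)
        return self.cache[key]

def attr(req, pip, category, name):
    """Read an attribute from the request; fall back to the PIP for subjects."""
    value = req.get(category, {}).get(name)
    if value is None and category == "subject":
        value = pip.subject_attr(req["subject"]["id"], name)
    return value

def deny_overrides(results):
    """deny-overrides: any Deny wins; else Permit if present; else NotApplicable."""
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

# Rules as (target predicate, effect). A rule whose target does not match
# contributes nothing to the combined result.
RULES = [
    (lambda r, p: attr(r, p, "action", "id") == "read"
     and attr(r, p, "subject", "department") == attr(r, p, "resource", "department"),
     PERMIT),
    (lambda r, p: attr(r, p, "resource", "classification") == "restricted"
     and attr(r, p, "environment", "network") != "corp",
     DENY),
]

def evaluate(req, pip):
    """Policy Decision Point: evaluate every rule, then combine the effects."""
    return deny_overrides([effect for target, effect in RULES if target(req, pip)])

def request(subject_id, action, resource, network):
    """Constructed request: the subject carries only its id, so the
    department attribute has to come from the PIP."""
    return {"subject": {"id": subject_id}, "action": {"id": action},
            "resource": resource, "environment": {"network": network}}
```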
22. Identity Management
๏ Managing the identity of users in a system
๏ Control access to resources
๏ Important component in an enterprise
๏ Enterprises depend on the security provided by identity management systems
23. Why Identity Management
๏ Directly influences the security and productivity of an organization
๏ To enforce consistency in security policies across the organization
๏ To comply with rules and regulations enforced in some critical domains by governments
๏ Provide access to resources to outside parties without compromising security
24. Why Identity Management Cont.
๏ Controlled resource access increases organizational security
๏ Increased auditability of the systems
๏ Automated password reset capabilities
25. Features of an IDM System
๏ User stores / directories
๏ Authentication
๏ Authorization
๏ Single Sign On
๏ Provisioning
๏ Delegation
๏ Password reset
๏ Self registration with locking
26. User stores / Directories
๏ Grouping of users and roles
๏ Easy management in authorization decisions
๏ Support for different types of user stores
27. Authentication
๏ Identifying which entity we are communicating with
๏ The entity can be a user or a system
๏ Most basic form is user name and password
๏ Authentication against a user store
๏ Concept of multi factor authentication
28. Authorization
๏ What an entity is allowed to access in the system
๏ Entitlement management aspects (discussed above)
29. Single Sign On
๏ Having multiple applications with login requirements
๏ Once logged in to one application, automatic login to the other applications
๏ Token usage
๏ Identity Federation
๏ Technologies used
  ๏ OpenID
  ๏ SAML
  ๏ Kerberos
  ๏ WS-Federation passive
30. Provisioning
๏ Concept of adding identities to and removing them from a user store
๏ Provisioning to external systems
๏ Technologies
  ๏ SPML
  ๏ SCIM
31. Delegation
๏ Giving responsibility to another entity to carry out tasks on your behalf
๏ Credential sharing systems
๏ Technologies
  ๏ OAuth
32. Users and roles
๏ Enterprise user stores with users and roles
๏ Managing user stores
  ๏ Support for multiple user stores
  ๏ Easy configuration of user stores in the UI
๏ Types of user stores
  ๏ LDAP, Active Directory, JDBC
๏ Support for multi-tenancy
33. Password reset
๏ Web apps needing end user password reset functionality
๏ Supports:
  ๏ Reset with notification
  ๏ Reset with secret questions
๏ Increased security with multiple keys in the reset flow
๏ UI based email template configuration
34. Self registration with locking
๏ Separate web service for self registration with account lock
๏ Upon registration, a confirmation link is sent for account unlock
๏ Only users with a valid email address gain access to the system
๏ Configurable email notification template
37. More Information!
๏ The slides and webinar will be available soon.
๏ Please refer to the Identity Server documentation - https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation