33. Authentication is NOT Identity Management
Authentication is validation against EXISTING identity sources.
Wednesday, March 9, 2011
34. We don't need to know user implementation details.
We only need to know the user identity, and possibly some user attributes.
35. Integrate into the existing process
Pluggable authentication modules
Built on standards: JAAS
Multiple modules and chains
36. Authentication modules (word cloud; entries legible in the slide: SecurID, LDAP, Unix, X.509 Certificate, SafeWord, JDBC, SAML2, Active Directory, Smart Card, MSISDN, Membership, Custom)
Extensible
39. SSO flow between Browser, Application and OpenAM
1. Browser -> Application: request application content
2. Application -> Browser: redirect for authentication
3. Browser -> OpenAM: request authentication from the authentication server
4. Browser <-> OpenAM: negotiate authentication...
5. OpenAM -> Browser: redirect back to the application with a token
6. Browser -> Application: request application content (with token)
7. Application -> OpenAM: validate token
8. OpenAM -> Application: validation response
9. Application -> Browser: provide application content
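The redirect flow above, simulated end to end as an added example (this is not OpenAM code and not from the original slides). The hostnames `openam.example` and `app.example`, the HMAC-signed token format, the `AuthServer`, `Application` and `browser_flow` names and the user list are all constructed stand-ins: a real OpenAM deployment issues an opaque session token and the application validates it by calling back to the server, which is the property the example keeps. The point worth seeing is that the application never handles a credential and never trusts a token it has not had validated, and that a forged or expired token sends the browser back to step 2 instead of serving content.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

AUTH_URL = "https://openam.example/openam"   # assumed hostnames, not real endpoints
APP_URL = "https://app.example"
TOKEN_TTL = 300                              # token lifetime in seconds (assumed)


class AuthServer:
    """Stand-in for OpenAM: authenticates the user, then validates the tokens it issued."""

    def __init__(self, users: dict, key: bytes):
        self._users = users   # constructed credential store (one password module)
        self._key = key       # server-side secret; the application never holds it

    def authenticate(self, username: str, password: str, now: int) -> Optional[str]:
        # Steps 3-4: "negotiate authentication" with a single password module.
        if self._users.get(username) != password:
            return None
        claims = {"sub": username, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + self._mac(body)

    def validate(self, token: str, now: int) -> Optional[dict]:
        # Steps 7-8: only the server can check the MAC, so the app must ask it.
        body, sep, mac = token.partition(".")
        if not sep or not hmac.compare_digest(mac, self._mac(body)):
            return None                                   # forged or corrupted token
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims["exp"] > now else None    # expired tokens are invalid

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


class Application:
    """The protected application: no credential handling, only token checks."""

    def __init__(self, auth: AuthServer):
        self._auth = auth

    def handle(self, path: str, token: Optional[str], now: int) -> Response:
        goto = f"{AUTH_URL}/login?goto={APP_URL}{path}"
        if token is None:
            return Response(302, location=goto)           # step 2: redirect for authentication
        claims = self._auth.validate(token, now)          # step 7: validate token
        if claims is None:
            return Response(302, location=goto)           # bad token: re-authenticate, never serve
        return Response(200, body=f"content for {claims['sub']}")   # step 9


def browser_flow(app: Application, auth: AuthServer, username: str,
                 password: str, now: int) -> Response:
    """Drive the nine steps of the slide from the browser's point of view."""
    first = app.handle("/content", None, now)            # step 1 -> step 2
    assert first.status == 302 and first.location.startswith(AUTH_URL)
    token = auth.authenticate(username, password, now)   # steps 3-4
    if token is None:
        return Response(401, body="authentication failed")
    return app.handle("/content", token, now)            # steps 5-9, token carried back


# Constructed fixtures for a stand-alone run.
USERS = {"alice": "correct horse battery staple"}
AUTH = AuthServer(USERS, key=secrets.token_bytes(32))
APP = Application(AUTH)

if __name__ == "__main__":
    print(browser_flow(APP, AUTH, "alice", "correct horse battery staple", now=1000))
    print(browser_flow(APP, AUTH, "alice", "wrong password", now=1000))
```

The application treats an invalid token exactly like a missing one: it redirects to the authentication server rather than returning an error page, which is what lets the same agent protect an application that has no login code of its own.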
40. Authentication
SSO
Authorization
57. Access Control can be
very complex,
domain specific,
dependent on many conditions.
58. Several Options
• Ad Hoc
• J2EE Policy
• URL Access
• Custom Developed
• External Policy Engine
59. Ad Hoc
• Localized if-then-else
• Cumbersome
• No reuse
• Inconsistent enforcement
• Unverifiable
• Possible security holes
60. J2EE Policy
• Standards-based
• Role based
• Supported in the deployment
• Designed in from the start
• Difficult to change
• Domino effect
61. URL Access
• Coarse grained
• Tree-level access
• Often at application or server level
• Access control, NOT entitlements
62. Custom Policy
• Expensive
• Hard to maintain
• Proprietary
• Administration is daunting!
• Difficult to change and adapt
63. External Policy Engine
• Policy evaluation
• Extensible
• Flexible
• Centralized administration
• What about domain specifics?
68. Resources
URLs, accounts, buttons, projects, etc.
Hierarchical
Scalable
Pluggable API
69. Actions
Performed on a resource
Fine grained access
(word cloud; entries legible in the slide: Create, Read, Update, Delete, GET, POST, PUT, DELETE, COPY, Withdraw, Balance, Transfer)
70. Subjects
Who does the rule apply to?
(word cloud; entries legible in the slide: Group, LDAP Group Member, LDAP Attribute, Datastore Attribute, Session Attribute, Custom Subject)
Pluggable API; combination logic
71. Conditions
Simple or complex
Dependencies
(word cloud; entries legible in the slide: IP Address, Time of Day, Timeout, Authentication Level, Session Attribute, Attribute, Bank Balance)
Pluggable API; combination logic
72. Access control can be:
role based,
attribute based,
or dynamic.
73. Policy Enforcement Point (PEP)
Policy Decision Point (PDP)
Policy Administration Point (PAP)
75. Policy Enforcement Point
Simplest case: an agent plugged into the web container.
ISAPI
NSAPI
mod_auth
76. Zero changes to the app.
Simple to install.
Easily protect "closed" apps.
77. Policy Enforcement Point
Fine for URL access control, when the resource is a URL.
But how do we address entitlements?
78. Policy Enforcement Point
A simple web service call wrapper coded into the application:
this user, this resource, these conditions.

if (entitled(userToken, resource, env)) {
    ...
}

Language agnostic!
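The entitlement model of slides 68 to 73 (hierarchical resources, actions, subjects, conditions, allow/deny combination, and the PEP/PDP/PAP split) together with the `entitled(...)` wrapper of slide 78, as one added example. This is not OpenAM's policy engine or its client API; it is a constructed stand-alone decision point written to show how those pieces fit. Assumptions, all mine: the wrapper takes `action` as an explicit fourth parameter (the slide's `env` could carry it instead), the `SESSIONS` table stands in for resolving a session token to the subject's groups and attributes, the `bank.example` resources and the policies in `PDP` are made up, and the combination logic is deny-overrides with default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# A predicate takes (subject attributes, environment) and returns True if it holds.
Predicate = Callable[[dict, dict], bool]


# --- Subjects: who the rule applies to (group membership, attribute, or anyone) ---
def in_group(name: str) -> Predicate:
    return lambda subj, env: name in subj.get("groups", ())

def has_attr(key: str, value) -> Predicate:
    return lambda subj, env: subj.get(key) == value

def anyone() -> Predicate:
    return lambda subj, env: True


# --- Conditions: environment and session checks (IP address, time of day, auth level) ---
def ip_in(cidr: str) -> Predicate:
    net = ip_network(cidr)
    return lambda subj, env: ip_address(env["ip"]) in net

def hours(start: int, end: int) -> Predicate:
    return lambda subj, env: start <= env["hour"] < end

def auth_level_at_least(level: int) -> Predicate:
    return lambda subj, env: subj.get("auth_level", 0) >= level


def resource_matches(pattern: str, resource: str) -> bool:
    """Hierarchical match: a trailing '*' covers the whole subtree, otherwise exact."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


@dataclass(frozen=True)
class Rule:
    resource: str                 # resource pattern, e.g. "https://bank.example/accounts/*"
    actions: frozenset            # actions the rule covers
    subject: Predicate            # who it applies to
    conditions: tuple = ()        # all must hold
    effect: str = "allow"         # "allow" or "deny"

    def matches(self, resource: str, action: str, subj: dict, env: dict) -> bool:
        return (resource_matches(self.resource, resource)
                and action in self.actions
                and self.subject(subj, env)
                and all(cond(subj, env) for cond in self.conditions))


class PolicyDecisionPoint:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, resource: str, action: str, subj: dict, env: dict) -> bool:
        # Combination logic: any matching deny wins; otherwise at least one allow is
        # needed; nothing matching means deny (fail closed).
        allowed = False
        for rule in self.rules:
            if rule.matches(resource, action, subj, env):
                if rule.effect == "deny":
                    return False
                allowed = True
        return allowed


ACCOUNTS = "https://bank.example/accounts/*"   # constructed resource tree
PUBLIC = "https://bank.example/public/*"
BRANCH_NET = "10.1.0.0/16"                     # constructed branch network

# PAP: policies an administrator would author centrally (constructed for the example).
PDP = PolicyDecisionPoint([
    Rule(PUBLIC, frozenset({"GET"}), anyone()),
    Rule(ACCOUNTS, frozenset({"balance", "read"}), in_group("tellers"),
         (ip_in(BRANCH_NET), hours(8, 18))),
    Rule(ACCOUNTS, frozenset({"withdraw", "transfer"}), in_group("tellers"),
         (ip_in(BRANCH_NET), hours(8, 18), auth_level_at_least(2))),
    Rule(ACCOUNTS, frozenset({"balance", "read", "withdraw", "transfer"}),
         has_attr("employment", "suspended"), effect="deny"),
])

# Stand-in for resolving a session token to subject attributes (constructed).
SESSIONS = {
    "tok-alice": {"groups": ["tellers"], "auth_level": 1},
    "tok-bob":   {"groups": ["tellers"], "auth_level": 2},
    "tok-carol": {"groups": ["tellers"], "auth_level": 2, "employment": "suspended"},
}


def entitled(user_token: str, resource: str, action: str, env: dict) -> bool:
    """PEP wrapper (slide 78 shape, with action added): this user, this resource, these conditions."""
    subj: Optional[dict] = SESSIONS.get(user_token)
    if subj is None:
        return False                # unknown or expired token: fail closed
    return PDP.decide(resource, action, subj, env)


if __name__ == "__main__":
    env = {"ip": "10.1.5.9", "hour": 10}
    print(entitled("tok-alice", "https://bank.example/accounts/42", "balance", env))
    print(entitled("tok-alice", "https://bank.example/accounts/42", "withdraw", env))
```

Every domain-specific piece (what a "teller" is, which network counts as the branch, what a "withdraw" action means) lives in a predicate or a policy, not in the application's if-then-else, which is the contrast the Ad Hoc and External Policy Engine slides draw; the application code stays at one call per decision.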
91. OpenAM
OpenAM as a service gives flexibility, consistency and management to authentication and entitlements.
92. OpenAM
Started life as Sun Access Manager.
Open sourced in 2007.
Strong community.
93. OpenAM
OpenAM is fully open source, 100% Java, scalable, high performance AuthN and AuthZ.
94. OpenAM
Full XACML3 support
Simple policies and complex entitlements
Extensible plugins
Central administration
Leverage existing SSO
95. OpenAM
OpenAM Community
ForgeRock
http://www.forgerock.com
96. Download it.
Use it.
Get involved!
info@forgerock.com