Open Source Authentication & Authorization
Allan Foster, ForgeRock
allan.foster@forgerock.com

Wednesday, March 9, 2011
“Build us a Web App”

Lots of examples....
New Application Demands
Collaborative
Workgroups
Client - Server
Multi user...
In the cloud?

It's a WebApp!
Business Logic
Your Business...
Your Logic...
You know how to do this!
Lots of Help
Language... .Net, PHP, Ruby, Perl, Java, C++, Python, C#, Groovy

Oh yes, LOTS of help!
Frameworks... Velocity, JSF, AJAX, PEAR, Spring, Hibernate, ICEfaces
And don’t forget...

Access Control
Who are our users?
Who can access what?
What can they do?
How do we manage this?
It's not that complicated...
Authentication
SSO
Authorization
Authentication?
Corporate LDAP

But what about...

or...

or
SecurID (RSA logo)

Maybe all?
Authentication isn’t enough...
SSO is expected!
I have one set of credentials, why can’t I just use them ONCE?
Even between multiple Organizations
Federation, eGov, GoogleApps

SSO implies having a single trusted Authentication service...

That can be used by MANY different applications!

Without regard to HOW the authentication is being performed
What About Authorization?

Is this user allowed to perform this action on this resource?

Group Membership? Roles? Some Complex Matrix? Dynamic Conditions?
Access control logic can be embedded in our application... BUT..

New Specs, New Rules, Exceptions
Changes... and more changes!
...And testing!

Reprogram the door?
Centrally managed service
Can I?
AuthN and AuthZ as a service
Identity services (OpenAM)

Authentication
SSO
Authorization
Authentication is NOT Identity Management
Validation against EXISTING identity sources!

We don’t need to know user implementation details
We only need to know User Identity and possibly some user attributes.
Integrate into existing process
Pluggable Authentication modules
Built on Standards - JAAS
Multiple Modules & Chains
Authentication modules (word cloud): LDAP, SecurID, Unix, x509 Certificate, SafeWord, JDBC, SAML2, AD-SPNEGO, Custom, SmartCards, MSISDN, Membership, Extensible
Authentication determines identity
Identity is what matters.. NOT the method it is determined
Browser / Application / OpenAM
1. Browser -> Application: Request application content
2. Application -> Browser: Redirect for Authentication
3. Browser -> OpenAM: Request Authentication from Authentication server
4. Browser <-> OpenAM: Negotiate Authentication...
5. OpenAM -> Browser: Redirect back to Application with Token
6. Browser -> Application: Request application content
7. Application -> OpenAM: Validate Token
8. OpenAM -> Application: Validation Response
9. Application -> Browser: Provide application content
Authentication
SSO
Authorization

Allan Foster
Speaker, ConFoo 2011
One Pass, Multiple Doors: Single Sign On

Application validates credentials... Does NOT issue them!

We don’t “Login”, we validate Identity.
This is a conceptual hurdle for developers!

Authentication service determines identity
Authentication service issues tokens
Browser / Application / OpenAM
1. Browser -> Application: Request application
2. Application -> OpenAM: Validate Token
3. OpenAM -> Application: Validation Response
4. Application -> Browser: Provide application content
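The exchange on this slide and on the earlier nine-step redirect slide, as an added Python model (not code from the talk or from OpenAM). The AuthServer and App classes, the "goto" return parameter and the "token" cookie name are assumptions; the point shown is that only the authentication service ever sees credentials or issues tokens, and that one token opens every application that trusts the same service.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed model of the two sequence slides. AuthServer stands in for the
# authentication service (OpenAM on the slides); App is a protected web
# application. All names and URLs are assumptions made for this example.


class AuthServer:
    """Only this party sees credentials; it issues tokens and answers validation requests."""

    def __init__(self, users):
        self._users = users        # username -> password; constructed test data only
        self._sessions = {}        # issued token -> username

    def login_url(self, goto):
        # "Redirect for Authentication": the app sends the browser here with a return URL
        return "https://sso.example.test/login?" + urlencode({"goto": goto})

    def authenticate(self, username, password):
        # "Negotiate Authentication...": how identity is established (LDAP, certificate,
        # OTP, ...) is the service's concern; the application never sees it.
        if self._users.get(username) != password:
            return None
        token = secrets.token_urlsafe(24)
        self._sessions[token] = username
        return token

    def validate(self, token):
        # "Validate Token" / "Validation Response": the app learns who, nothing about how
        user = self._sessions.get(token)
        return {"valid": user is not None, "uid": user}


class App:
    """A web application that validates tokens but never issues them."""

    def __init__(self, auth, base_url):
        self.auth = auth
        self.base_url = base_url

    def request(self, path, cookies):
        """Handle one browser request; the dict stands in for the HTTP response."""
        token = cookies.get("token")
        result = self.auth.validate(token) if token else {"valid": False, "uid": None}
        if not result["valid"]:
            # No usable token: redirect to the authentication service and ask to come back here
            return {"status": 302, "location": self.auth.login_url(self.base_url + path)}
        return {"status": 200, "uid": result["uid"], "path": path}


def follow_login(auth, redirect_url, username, password):
    """Browser side of the redirect: authenticate at the service, return (goto URL, cookies)."""
    goto = parse_qs(urlsplit(redirect_url).query)["goto"][0]
    token = auth.authenticate(username, password)
    return goto, ({"token": token} if token else {})
```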
New applications easily integrate into existing infrastructure

And for many projects this is success! Single Sign on!

Authentication
SSO
Authorization
Multi User Application
Access Control
Rights and Privileges

Access Control can be Very Complex, Domain Specific, Dependent on Many Conditions

Several Options
• Ad Hoc
• J2EE Policy
• URL Access
• Custom Developed
• External Policy Engine
Ad Hoc
• Localized if - then - else
• Cumbersome
• No Reuse
• Inconsistent enforcement
• Unverifiable
• Possible security holes

J2EE Policy
• Standards..
• Role Based
• Supported in the deployment
• Designed from the start
• Difficult to change
• Domino Effect

URL Access
• Coarse Grained
• Tree Level Access
• Often at Application or server Level
• Access Control NOT Entitlements

Custom Policy
• Expensive
• Hard to Maintain
• Proprietary
• Administration is Daunting!
• Difficult to change and adapt

External Policy Engine
• Policy Evaluation
• Extensible
• Flexible
• Centralized Administration
• What about domain specifics?
Entitlement services (OpenAM)
Can This User access This Resource under These Conditions?

Define Rules for Access
Rules can be changed dynamically
Standards based - XACML3
Rules
Resources, Actions, Subjects, Conditions
Response: Attributes, Advice

Resources
URLs, Accounts, Buttons, Projects, etc......
Hierarchical, Scalable, Pluggable API
Actions
Performed on a resource
Fine Grained access
Examples (word cloud): Create, Read, Update, Delete; GET, POST, DELETE, COPY; Withdraw, Balance, Transfer
Subjects
Who does the rule apply to?
Examples (word cloud): Group, LDAP Member, Datastore Attribute, Session Attribute, Custom Subject
Pluggable API, Combination Logic
Conditions
Simple or Complex Dependencies
Examples (word cloud): Attribute, Bank Balance, IP Address, Time of Day, Timeout, Authentication level, Session, Session Attribute
Pluggable API, Combination Logic
Access control can be: Role based, Attribute based, or Dynamic.
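An added Python sketch of the rule model on the Rules, Resources, Actions, Subjects and Conditions slides: a toy policy decision point whose answer is shaped like the JSON body shown later in the deck. It is not OpenAM's engine; the Rule fields, the predicate helpers, the advice name and the bank-style sample rules and environments are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time

# Constructed toy PDP for the slide's rule model. Everything below (field names,
# helper names, sample rules, users and environments) is an assumption made for
# illustration, not OpenAM's API or policy format.


@dataclass
class Rule:
    name: str
    resource: str          # hierarchical: the rule covers this prefix and everything under it
    actions: dict          # action name -> True (allow) or False (deny)
    subjects: list         # predicates over the subject; all must hold
    conditions: list       # predicates over the environment -> (holds, advice or None)
    attributes: dict = field(default_factory=dict)   # response attributes sent on a match


# Subject predicates: who the rule applies to
def member_of(group):
    return lambda subject: group in subject.get("groups", ())


# Condition predicates: environmental dependencies, with advice when one fails
def auth_level_at_least(level):
    def check(env):
        ok = env.get("authLevel", 0) >= level
        return ok, (None if ok else {"AuthLevelConditionAdvice": [str(level)]})
    return check


def ip_in(network):
    net = ipaddress.ip_network(network)
    return lambda env: (ipaddress.ip_address(env["clientIp"]) in net, None)


def time_of_day(start, end):
    return lambda env: (start <= env["time"] <= end, None)


def evaluate(rules, subject, resource, env):
    """Decide for one subject/resource/environment; same shape as the JSON body on the slide."""
    actions_values, attributes, advices = {}, {}, {}
    for rule in rules:
        if not resource.startswith(rule.resource):
            continue
        if not all(applies(subject) for applies in rule.subjects):
            continue
        holds = True
        for cond in rule.conditions:
            ok, advice = cond(env)
            if not ok:
                holds = False
                if advice:
                    advices.update(advice)   # tell the PEP what would make the rule apply
        if not holds:
            continue
        for action, allowed in rule.actions.items():
            # combination logic: an explicit deny from any matching rule wins
            actions_values[action] = actions_values.get(action, True) and allowed
        attributes.update(rule.attributes)
    return {"actionsValues": actions_values, "attributes": attributes, "advices": advices}


def entitled(rules, subject, resource, action, env):
    """Can this user do this action on this resource under these conditions?
    An action that no matching rule mentions is denied."""
    return evaluate(rules, subject, resource, env)["actionsValues"].get(action, False)


# Constructed sample policy for a banking application
RULES = [
    Rule("customer-self-service", "/accounts/", {"Read": True, "Withdraw": False},
         [member_of("customers")], [], {"tier": "standard"}),
    Rule("teller-operations", "/accounts/", {"Read": True, "Withdraw": True, "Transfer": True},
         [member_of("tellers")],
         [ip_in("10.0.0.0/8"), time_of_day(time(8), time(18)), auth_level_at_least(2)]),
]

# Constructed subjects and environment used by the checks below
CUSTOMER = {"uid": "alice", "groups": ["customers"]}
TELLER = {"uid": "bob", "groups": ["tellers"]}
BRANCH_ENV = {"clientIp": "10.1.2.3", "time": time(9, 30), "authLevel": 2}
```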
Policy Enforcement Point
Policy Decision Point
Policy Administration Point
Policy Enforcement Point

Policy Enforcement Point
Simplest case: Agent plugged into web container.
ISAPI, NSAPI, mod_auth

Zero changes to app.
Simple to install..
Easily protect “Closed” apps
Policy Enforcement Point
Fine for URL access control when resource is a URL.
But how do we address entitlements?
Policy Enforcement Point
Simple Web Service Call wrapper coded into Application
This User, This Resource, These Conditions:

    if (entitled(userToken, resource, env)) {
        ...
        ...
    }

Language Agnostic!
Simple JSON responses

    {
        "statusCode":200,
        "statusMessage":"OK",
        "body":{
            "actionsValues":{"GET":true},
            "attributes":{},
            "advices":{},
            "resourceName":"http://www.anotherexample.com:80/index.html"
        }
    }
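An added Python example of the application-side wrapper from the previous slide, consuming the decision format shown here. It is not OpenAM client code: the function names are assumptions, the transport to the policy service is left out, and the slide's own response is embedded as the constructed sample input. The enforcement point fails closed, so anything other than a clean 200 answer with an explicit boolean true for the requested action on exactly the requested resource is a deny.

```python
import json

# Constructed PEP-side wrapper for the decision JSON on the slide. Function
# names are assumptions; the call to the policy service is out of scope here.

SAMPLE_RESPONSE = """{
  "statusCode": 200,
  "statusMessage": "OK",
  "body": {
    "actionsValues": {"GET": true},
    "attributes": {},
    "advices": {},
    "resourceName": "http://www.anotherexample.com:80/index.html"
  }
}"""


class DecisionError(Exception):
    """No trustworthy decision could be read; callers must treat this as deny."""


def parse_decision(raw):
    """Turn raw JSON into a decision dict, refusing anything that is not a clean 200 answer."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise DecisionError("malformed decision: %s" % exc) from exc
    if not isinstance(doc, dict):
        raise DecisionError("decision is not a JSON object")
    if doc.get("statusCode") != 200:
        raise DecisionError("policy service answered %r" % doc.get("statusCode"))
    body = doc.get("body")
    if not isinstance(body, dict):
        raise DecisionError("decision without body")
    return {
        "resource": body.get("resourceName"),
        "actions": body.get("actionsValues") or {},
        "attributes": body.get("attributes") or {},
        "advices": body.get("advices") or {},
    }


def is_allowed(raw, resource, action):
    """Fail closed: allow only an explicit boolean true for this action on exactly this resource."""
    try:
        decision = parse_decision(raw)
    except DecisionError:
        return False
    if decision["resource"] != resource:
        return False            # a decision about another resource is not reusable
    return decision["actions"].get(action) is True


def advice_names(raw):
    """Advice keys returned with a decision, e.g. a condition the user could satisfy by re-authenticating."""
    try:
        return sorted(parse_decision(raw)["advices"])
    except DecisionError:
        return []
```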
Policy Decision Point

Policy Decision Point
Policy Evaluation: Separate the Rule evaluation from the enforcement

Scalable and extensible policy engine
Scalable to millions of entitlements
Standards based - XACML3
Policy Administration
Administration UI
Dynamic rule changes
Auditability
Consistency

Standards based XACML3
Any editor...
Any workflow...

Rule changes take immediate effect
No impact on application development

Keep track of rules and changes
Reuse rules for reusable resources

Separate Administration
Application Administration is separate from Entitlement Administration

Simplify the app admin
Consistent administration of permissions for all apps.
ForgeRock

OpenAM
OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements.

OpenAM
Started life as Sun Access Manager
OpenSourced in 2007
Strong Community

OpenAM
OpenAM is fully opensource, 100% Java, scalable, high performance, AuthN and AuthZ

OpenAM
Full XACML3 Support
Simple policies and Complex Entitlements
Extensible Plugins
Central Administration
Leverage existing SSO

OpenAM
OpenAM Community
ForgeRock
http://www.forgerock.com
Download it.
Use it.
Get involved!
info@forgerock.com

Questions?

Demo

Open Source Authentication & Authorization
Allan Foster, ForgeRock

Access Control - Policy
Rights and Privileges - Entitlements
Scalability
Flexibility

OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
How APIs Can Be Secured in Mobile Environments
How APIs Can Be Secured in Mobile EnvironmentsHow APIs Can Be Secured in Mobile Environments
How APIs Can Be Secured in Mobile Environments
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
Microservices Manchester: Authentication in Microservice Systems by David BorsosMicroservices Manchester: Authentication in Microservice Systems by David Borsos
Microservices Manchester: Authentication in Microservice Systems by David Borsos
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An Introduction
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 

Similaire à Opensource Authentication and Authorization

Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011Bachkoutou Toutou
 
MAHOUT classifier tour
MAHOUT classifier tourMAHOUT classifier tour
MAHOUT classifier tourTed Dunning
 
Spectrum of IT BPO Services in the Philippines
Spectrum of IT BPO Services in the PhilippinesSpectrum of IT BPO Services in the Philippines
Spectrum of IT BPO Services in the PhilippinesExist
 
Communication in Today's World
Communication in Today's WorldCommunication in Today's World
Communication in Today's WorldAndrew Hoffman
 
Project Management and the iPad
Project Management and the iPadProject Management and the iPad
Project Management and the iPadProjectWizards
 
The Next Wave in Customer Service Technology
The Next Wave in Customer Service TechnologyThe Next Wave in Customer Service Technology
The Next Wave in Customer Service TechnologySpoken Communications
 
CTF: Bringing back more than sexy!
CTF: Bringing back more than sexy!CTF: Bringing back more than sexy!
CTF: Bringing back more than sexy!Mark Hillick
 
HTML5 and jQuery for Flex Developers
HTML5 and jQuery for Flex DevelopersHTML5 and jQuery for Flex Developers
HTML5 and jQuery for Flex DevelopersRyan Stewart
 
Visual Communication That Works! (PDF)
Visual Communication That Works! (PDF)Visual Communication That Works! (PDF)
Visual Communication That Works! (PDF)Barry Casey
 
Mobile apps using drupal as base system SumitK DrupalCon Chicago
Mobile apps using drupal as base system   SumitK DrupalCon ChicagoMobile apps using drupal as base system   SumitK DrupalCon Chicago
Mobile apps using drupal as base system SumitK DrupalCon ChicagoSumit Kataria
 
From Apples to Augmented Cognition (Current and Future Trends in Mobile)
From Apples to Augmented Cognition (Current and Future Trends in Mobile)From Apples to Augmented Cognition (Current and Future Trends in Mobile)
From Apples to Augmented Cognition (Current and Future Trends in Mobile)Paul Golding
 
Node js techtalksto
Node js techtalkstoNode js techtalksto
Node js techtalkstoJason Diller
 
Linking: Making Data Open and Useful
Linking: Making Data Open and UsefulLinking: Making Data Open and Useful
Linking: Making Data Open and UsefulRichard Wallis
 
Linking: Making Data Open and Useful
Linking: Making Data Open and UsefulLinking: Making Data Open and Useful
Linking: Making Data Open and UsefulRichard Wallis
 
Made by Many Sweden
Made by Many SwedenMade by Many Sweden
Made by Many SwedenMade by Many
 
Visualizations of Spatial and Social Data
Visualizations of Spatial and Social DataVisualizations of Spatial and Social Data
Visualizations of Spatial and Social Datainterface2011
 
Innovation and Disruption in the Real Estate Industry by David Eaves
Innovation and Disruption in the Real Estate Industry by David EavesInnovation and Disruption in the Real Estate Industry by David Eaves
Innovation and Disruption in the Real Estate Industry by David EavesDavid Eaves
 
Minegems
MinegemsMinegems
Minegemsjodosha
 

Similaire à Opensource Authentication and Authorization (20)

Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
 
MAHOUT classifier tour
MAHOUT classifier tourMAHOUT classifier tour
MAHOUT classifier tour
 
Spectrum of IT BPO Services in the Philippines
Spectrum of IT BPO Services in the PhilippinesSpectrum of IT BPO Services in the Philippines
Spectrum of IT BPO Services in the Philippines
 
State of Social & Informal Learning
State of Social & Informal LearningState of Social & Informal Learning
State of Social & Informal Learning
 
Communication in Today's World
Communication in Today's WorldCommunication in Today's World
Communication in Today's World
 
Project Management and the iPad
Project Management and the iPadProject Management and the iPad
Project Management and the iPad
 
The Next Wave in Customer Service Technology
The Next Wave in Customer Service TechnologyThe Next Wave in Customer Service Technology
The Next Wave in Customer Service Technology
 
CTF: Bringing back more than sexy!
CTF: Bringing back more than sexy!CTF: Bringing back more than sexy!
CTF: Bringing back more than sexy!
 
HTML5 and jQuery for Flex Developers
HTML5 and jQuery for Flex DevelopersHTML5 and jQuery for Flex Developers
HTML5 and jQuery for Flex Developers
 
Visual Communication That Works! (PDF)
Visual Communication That Works! (PDF)Visual Communication That Works! (PDF)
Visual Communication That Works! (PDF)
 
Mobile apps using drupal as base system SumitK DrupalCon Chicago
Mobile apps using drupal as base system   SumitK DrupalCon ChicagoMobile apps using drupal as base system   SumitK DrupalCon Chicago
Mobile apps using drupal as base system SumitK DrupalCon Chicago
 
From Apples to Augmented Cognition (Current and Future Trends in Mobile)
From Apples to Augmented Cognition (Current and Future Trends in Mobile)From Apples to Augmented Cognition (Current and Future Trends in Mobile)
From Apples to Augmented Cognition (Current and Future Trends in Mobile)
 
Node js techtalksto
Node js techtalkstoNode js techtalksto
Node js techtalksto
 
Linking: Making Data Open and Useful
Linking: Making Data Open and UsefulLinking: Making Data Open and Useful
Linking: Making Data Open and Useful
 
Linking: Making Data Open and Useful
Linking: Making Data Open and UsefulLinking: Making Data Open and Useful
Linking: Making Data Open and Useful
 
Made by Many Sweden
Made by Many SwedenMade by Many Sweden
Made by Many Sweden
 
Visualizations of Spatial and Social Data
Visualizations of Spatial and Social DataVisualizations of Spatial and Social Data
Visualizations of Spatial and Social Data
 
Innovation and Disruption in the Real Estate Industry by David Eaves
Innovation and Disruption in the Real Estate Industry by David EavesInnovation and Disruption in the Real Estate Industry by David Eaves
Innovation and Disruption in the Real Estate Industry by David Eaves
 
Minegems
MinegemsMinegems
Minegems
 
CSS
CSSCSS
CSS
 

Plus de ConFoo

Debugging applications with network security tools
Debugging applications with network security toolsDebugging applications with network security tools
Debugging applications with network security toolsConFoo
 
The business behind open source
The business behind open sourceThe business behind open source
The business behind open sourceConFoo
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?ConFoo
 
OWASP Enterprise Security API
OWASP Enterprise Security APIOWASP Enterprise Security API
OWASP Enterprise Security APIConFoo
 
Introduction à la sécurité des WebServices
Introduction à la sécurité des WebServicesIntroduction à la sécurité des WebServices
Introduction à la sécurité des WebServicesConFoo
 
Le bon, la brute et le truand dans les nuages
Le bon, la brute et le truand dans les nuagesLe bon, la brute et le truand dans les nuages
Le bon, la brute et le truand dans les nuagesConFoo
 
The Solar Framework for PHP
The Solar Framework for PHPThe Solar Framework for PHP
The Solar Framework for PHPConFoo
 
Décrire un projet PHP dans des rapports
Décrire un projet PHP dans des rapportsDécrire un projet PHP dans des rapports
Décrire un projet PHP dans des rapportsConFoo
 
Server Administration in Python with Fabric, Cuisine and Watchdog
Server Administration in Python with Fabric, Cuisine and WatchdogServer Administration in Python with Fabric, Cuisine and Watchdog
Server Administration in Python with Fabric, Cuisine and WatchdogConFoo
 
Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+ConFoo
 
Think Mobile First, Then Enhance
Think Mobile First, Then EnhanceThink Mobile First, Then Enhance
Think Mobile First, Then EnhanceConFoo
 
Metaprogramming in Ruby
Metaprogramming in RubyMetaprogramming in Ruby
Metaprogramming in RubyConFoo
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101ConFoo
 
As-t-on encore besoin d'un framework web ?
As-t-on encore besoin d'un framework web ?As-t-on encore besoin d'un framework web ?
As-t-on encore besoin d'un framework web ?ConFoo
 
Pragmatic Guide to Git
Pragmatic Guide to GitPragmatic Guide to Git
Pragmatic Guide to GitConFoo
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.jsConFoo
 
An Overview of Flash Storage for Databases
An Overview of Flash Storage for DatabasesAn Overview of Flash Storage for Databases
An Overview of Flash Storage for DatabasesConFoo
 
Android Jump Start
Android Jump StartAndroid Jump Start
Android Jump StartConFoo
 
Develop mobile applications with Flex
Develop mobile applications with FlexDevelop mobile applications with Flex
Develop mobile applications with FlexConFoo
 
WordPress pour le développement d'aplications web
WordPress pour le développement d'aplications webWordPress pour le développement d'aplications web
WordPress pour le développement d'aplications webConFoo
 

Plus de ConFoo (20)

Debugging applications with network security tools
Debugging applications with network security toolsDebugging applications with network security tools
Debugging applications with network security tools
 
The business behind open source
The business behind open sourceThe business behind open source
The business behind open source
 
Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?Security 202 - Are you sure your site is secure?
Security 202 - Are you sure your site is secure?
 
OWASP Enterprise Security API
OWASP Enterprise Security APIOWASP Enterprise Security API
OWASP Enterprise Security API
 
Introduction à la sécurité des WebServices
Introduction à la sécurité des WebServicesIntroduction à la sécurité des WebServices
Introduction à la sécurité des WebServices
 
Le bon, la brute et le truand dans les nuages
Le bon, la brute et le truand dans les nuagesLe bon, la brute et le truand dans les nuages
Le bon, la brute et le truand dans les nuages
 
The Solar Framework for PHP
The Solar Framework for PHPThe Solar Framework for PHP
The Solar Framework for PHP
 
Décrire un projet PHP dans des rapports
Décrire un projet PHP dans des rapportsDécrire un projet PHP dans des rapports
Décrire un projet PHP dans des rapports
 
Server Administration in Python with Fabric, Cuisine and Watchdog
Server Administration in Python with Fabric, Cuisine and WatchdogServer Administration in Python with Fabric, Cuisine and Watchdog
Server Administration in Python with Fabric, Cuisine and Watchdog
 
Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+
 
Think Mobile First, Then Enhance
Think Mobile First, Then EnhanceThink Mobile First, Then Enhance
Think Mobile First, Then Enhance
 
Metaprogramming in Ruby
Metaprogramming in RubyMetaprogramming in Ruby
Metaprogramming in Ruby
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
 
As-t-on encore besoin d'un framework web ?
As-t-on encore besoin d'un framework web ?As-t-on encore besoin d'un framework web ?
As-t-on encore besoin d'un framework web ?
 
Pragmatic Guide to Git
Pragmatic Guide to GitPragmatic Guide to Git
Pragmatic Guide to Git
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.js
 
An Overview of Flash Storage for Databases
An Overview of Flash Storage for DatabasesAn Overview of Flash Storage for Databases
An Overview of Flash Storage for Databases
 
Android Jump Start
Android Jump StartAndroid Jump Start
Android Jump Start
 
Develop mobile applications with Flex
Develop mobile applications with FlexDevelop mobile applications with Flex
Develop mobile applications with Flex
 
WordPress pour le développement d'aplications web
WordPress pour le développement d'aplications webWordPress pour le développement d'aplications web
WordPress pour le développement d'aplications web
 

Opensource Authentication and Authorization

  • 1. Open Source Authentication & Authorization. Allan Foster, ForgeRock, allan.foster@forgerock.com. Wednesday, March 9, 2011
  • 2. “Build us a Web App”
  • 3. Lots of examples....
  • 4. New Application Demands: Collaborative, Workgroups, Client - Server, Multi user... In the cloud?
  • 5. It’s a WebApp!
  • 6. Business Logic: Your Business... Your Logic... You know how to do this!
  • 7. Lots of Help. Language... (word cloud: .Net, PHP, Ruby, Perl, Java, C & C++, Python, Groovy)
  • 8. Oh yes, LOTS of help! Frameworks... (word cloud: Velocity, JSF, AJAX, PEAR, Spring, Hibernate, IceFaces)
  • 9. And don’t forget...
  • 10. Access Control: Who are our users? Who can access what? What can they do? How do we manage this?
  • 11. It’s not that complicated.. Authentication, SSO, Authorization
  • 12. Authentication? Corporate LDAP
  • 13. But what about...
  • 14. or...
  • 15. or SecureID (RSA)
  • 16. Maybe all?
  • 17. Authentication isn’t enough...
  • 18. Authentication isn’t enough... SSO is expected! I have one set of credentials, why can’t I just use them ONCE?
  • 19. Even between multiple Organizations: Federation, eGov, GoogleApps
  • 20. SSO implies having a single trusted Authentication service...
  • 21. That can be used by MANY different applications!
  • 22. Without regard to HOW the authentication is being performed
  • 23. What About Authorization?
  • 24. Is this user allowed to perform this action on this resource?
  • 25. Group Membership? Roles? Some Complex Matrix? Dynamic Conditions?
  • 26. Access control logic can be embedded in our application... BUT..
  • 27. New Specs, New Rules, Exceptions, Changes... and more changes! ...And testing!
  • 28. Reprogram the door?
  • 29. Centrally managed service: “Can I?”
  • 30. AuthN and AuthZ as a service: Identity services (OpenAM)
  • 31. Authentication, SSO, Authorization
  • 33. Authentication is NOT Identity Management: validation against EXISTING identity sources!
  • 34. We don’t need to know user implementation details. We only need to know User Identity and possibly some user attributes.
  • 35. Integrate into existing process: Pluggable Authentication modules, Built on Standards - JAAS, Multiple Modules & Chains
  • 36. (word cloud of authentication modules: SecureID, LDAP, Unix, Certificate, SafeWord, x509, JDBC, SAML2, SPNEGO, SmartCards, AD, MSISDN, Membership, Custom... Extensible)
  • 37. Authentication determines identity. Identity is what matters.. NOT the method by which it is determined
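Slide 35's "Multiple Modules & Chains, built on JAAS", as an added example that is not from the deck or from OpenAM: the JAAS control flags REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL decide how the results of pluggable modules combine into one identity. The module functions, chain names and credentials below are constructed stand-ins.

```python
"""Added example: a JAAS-style authentication chain (not OpenAM code)."""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Flag(Enum):
    REQUIRED = "required"      # must succeed; the chain still runs to the end
    REQUISITE = "requisite"    # must succeed; a failure stops the chain at once
    SUFFICIENT = "sufficient"  # a success ends the chain early, unless a REQUIRED already failed
    OPTIONAL = "optional"      # counts only when nothing else decided the outcome


# A module receives the submitted credentials and returns the identity it
# established, or None.  Real modules would bind to LDAP, check a client
# certificate, talk to a SAML IdP and so on; the ones below are constructed.
Module = Callable[[Dict[str, str]], Optional[str]]


@dataclass
class ChainEntry:
    name: str
    flag: Flag
    module: Module


def run_chain(chain: List[ChainEntry], creds: Dict[str, str]) -> Optional[str]:
    """Return the identity the chain established, or None on failure.

    Mirrors the JAAS LoginContext rules: every REQUIRED/REQUISITE module
    must succeed, a REQUISITE failure aborts immediately, a SUFFICIENT
    success returns at once if no REQUIRED module has failed yet, and a
    chain in which no module succeeded fails.
    """
    identity: Optional[str] = None
    any_success = False
    required_failed = False
    for entry in chain:
        result = entry.module(creds)
        if result is not None:
            any_success = True
            identity = identity or result        # first successful module names the user
        if entry.flag in (Flag.REQUIRED, Flag.REQUISITE) and result is None:
            required_failed = True
            if entry.flag is Flag.REQUISITE:
                return None                      # stop processing the chain
        if entry.flag is Flag.SUFFICIENT and result is not None and not required_failed:
            return identity                      # short-circuit success
    if required_failed or not any_success:
        return None
    return identity


def ldap_module(creds: Dict[str, str]) -> Optional[str]:
    """Constructed stand-in for a corporate LDAP bind."""
    directory = {"alice": "s3cret"}
    user = creds.get("user")
    password = creds.get("password")
    if user in directory and password is not None and \
            hmac.compare_digest(directory[user].encode(), password.encode()):
        return user
    return None


def otp_module(creds: Dict[str, str]) -> Optional[str]:
    """Constructed stand-in for a one-time-password (token) check."""
    return creds.get("user") if creds.get("otp") == "123456" else None


def cert_module(creds: Dict[str, str]) -> Optional[str]:
    """Constructed stand-in for client-certificate authentication."""
    return creds.get("cert_subject")


# Corporate chain: LDAP password AND a one-time password are both required.
CORPORATE_CHAIN = [
    ChainEntry("LDAP", Flag.REQUIRED, ldap_module),
    ChainEntry("OTP", Flag.REQUIRED, otp_module),
]

# Flexible chain: a valid client certificate is enough on its own;
# otherwise the LDAP password must succeed.
FLEXIBLE_CHAIN = [
    ChainEntry("Certificate", Flag.SUFFICIENT, cert_module),
    ChainEntry("LDAP", Flag.REQUIRED, ldap_module),
]
```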
  • 39. Sequence diagram, Browser / Application / OpenAM: Browser requests application content; Application redirects for Authentication; Browser requests Authentication from the Authentication server; they negotiate Authentication...; OpenAM redirects back to the Application with a Token; Browser requests application content; Application validates the Token with OpenAM; Validation Response; Application provides application content.
  • 40. Authentication, SSO, Authorization
  • 44. Allan Foster, Speaker, ConFoo 2011
  • 46. Allan Foster, Speaker, ConFoo 2011
  • 48. One Pass, Multiple Doors: Single Sign On
  • 49. Application validates credentials... Does NOT issue them!
  • 50. We don’t “Login”, we validate Identity. This is a conceptual hurdle for developers!
  • 51. Authentication service determines identity. Authentication service issues tokens
  • 52. Sequence diagram, Browser / Application / OpenAM: Browser requests application; Application validates the Token with OpenAM; Validation Response; Application provides application content.
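The two sequence diagrams (slide 39, first visit with a redirect; slide 52, a later visit that only validates) as an added simulation that is not from the deck or from OpenAM: the authentication service alone sees credentials and issues tokens, and every application only validates. The class names, the in-memory session store, the redirect path and the user database are constructed; real OpenAM carries the token in a session cookie and exposes its own validation API.

```python
"""Added example: the SSO token flow with a token-issuing service and
token-validating applications (a simulation, not OpenAM code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    identity: str
    expires_at: float


class AuthService:
    """Stand-in for the single trusted authentication service (slide 20).

    It is the only party that sees credentials and the only one that
    issues tokens.  The clock is injectable so expiry can be exercised.
    """
    def __init__(self, ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.time):
        self._users = {"alice": "s3cret"}           # constructed identity source
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Negotiate authentication; return an opaque session token or None."""
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)            # unguessable; carries no data itself
        self._sessions[token] = Session(user, self._clock() + self._ttl)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Answer an application's validation call: the identity, or None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[token]                # expired tokens stop validating
            return None
        return session.identity

    def logout(self, token: str) -> None:
        """Ending the session at the service ends it for every application."""
        self._sessions.pop(token, None)


@dataclass
class Response:
    status: int
    body: str = ""
    redirect: Optional[str] = None


class Application:
    """An application validates tokens and never issues them (slide 49)."""
    def __init__(self, name: str, auth: AuthService):
        self.name = name
        self.auth = auth

    def handle(self, token: Optional[str]) -> Response:
        identity = self.auth.validate(token) if token else None
        if identity is None:
            # Slide 39: no valid token, so redirect to the authentication service
            return Response(302, redirect=f"/auth?goto={self.name}")
        # Slide 52: token validated, serve the content
        return Response(200, body=f"{self.name} content for {identity}")


def sso_walkthrough(auth: AuthService):
    """One pass, multiple doors (slide 48): log in once, use two applications."""
    app_a = Application("app-a", auth)
    app_b = Application("app-b", auth)
    first = app_a.handle(None)                        # no token yet: redirected
    token = auth.authenticate("alice", "s3cret")      # negotiated once, at the service
    second = app_a.handle(token)                      # token validated, content served
    third = app_b.handle(token)                       # second app, same token, no new login
    forged = app_b.handle("not-issued-by-the-service")
    return first, second, third, forged
```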
  • 53. New applications easily integrate into existing infrastructure
  • 54. And for many projects this is success! Single Sign on!
  • 55. Authentication, SSO, Authorization
  • 56. Multi User Application: Access Control, Rights and Privileges
  • 57. Access Control can be: Very Complex, Domain Specific, Dependent on Many Conditions
  • 58. Several Options: • Ad Hoc • J2EE Policy • URL Access • Custom Developed • External Policy Engine
  • 59. Ad Hoc: • Localized if - then - else • Cumbersome • No Reuse • Inconsistent enforcement • Unverifiable • Possible security holes
  • 60. J2EE Policy: • Standards.. • Role Based • Supported in the deployment • Designed from the start • Difficult to change • Domino Effect
  • 61. URL Access: • Coarse Grained • Tree Level Access • Often at Application or server Level • Access Control NOT Entitlements
  • 62. Custom Policy: • Expensive • Hard to Maintain • Proprietary • Administration is Daunting! • Difficult to change and adapt
  • 63. External Policy Engine: • Policy Evaluation • Extensible • Flexible • Centralized Administration • What about domain specifics?
  • 64. Entitlement services (OpenAM)
  • 65. Can This User access This Resource under These Conditions?
  • 66. Define Rules for Access. Rules can be changed dynamically. Standards based - XACML3
  • 67. Rules: Resources, Actions, Subjects, Conditions, Response Attributes, Advice
  • 68. Resources: URLs, Accounts, Buttons, Projects, etc...... Hierarchical, Scalable, Pluggable API
  • 69. Actions: Performed on a resource. Fine Grained access (word cloud: Create, Read, Update, Delete; GET, POST, PUT, DELETE, COPY; Withdraw, Balance, Transfer)
  • 70. Subjects: Who does the rule apply to? (word cloud: Datastore Group, LDAP Member, Attribute, Session Attribute, Datastore Attribute, Custom Subject) Pluggable API, Combination Logic
  • 71. Conditions: Simple or Complex Dependencies (word cloud: IP Address, Attribute, Bank Balance, Time of Day, Authentication level, Session timeout, Session Attribute) Pluggable API, Combination Logic
  • 72. Access control can be: Role based, Attribute based, or Dynamic.
  • 73. Policy Enforcement Point, Policy Decision Point, Policy Administration Point
  • 74. Policy Enforcement Point
  • 75. Policy Enforcement Point: Simplest case, Agent plugged into web container. ISAPI, NSAPI, mod_auth
  • 76. Zero changes to app. Simple to install.. Easily protect “Closed” apps
  • 77. Policy Enforcement Point: Fine for URL access control when the resource is a URL. But how do we address entitlements?
  • 78. Policy Enforcement Point: Simple Web Service Call wrapper coded into the Application. This User, This Resource, These Conditions:
        if (entitled(userToken, resource, env)) { ... }
    Language Agnostic!
  • 79. Simple JSON responses:
        {
          "statusCode": 200,
          "statusMessage": "OK",
          "body": {
            "actionsValues": {"GET": true},
            "attributes": {},
            "advices": {},
            "resourceName": "http://www.anotherexample.com:80/index.html"
          }
        }
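The rule model of slides 65-71 (resources, actions, subjects, conditions, response attributes, advice) and the PEP wrapper of slides 78-79 in one added example that is not from the deck or from OpenAM: a small policy decision point that combines every applicable rule into the JSON shape shown on slide 79, and a default-deny entitled() wrapper that parses that JSON on the application side. The rule contents, the condition and subject helpers, the advice keys and the bank resource tree are constructed for illustration, not OpenAM's policy schema.

```python
"""Added example: a minimal PDP producing slide-79 JSON and a PEP wrapper
reading it (constructed, not OpenAM's engine or policy format)."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

User = Dict[str, Any]   # identity attributes the app learned at authentication
Env = Dict[str, Any]    # request environment, e.g. {"auth_level": 1, "hour": 14}


@dataclass
class Rule:
    resource: str                                   # exact URL, or "prefix*" for a subtree
    actions: Dict[str, bool]                        # e.g. {"GET": True, "Withdraw": False}
    subjects: List[Callable[[User], bool]]          # rule applies when ANY subject matches
    conditions: List[Callable[[Env], bool]] = field(default_factory=list)  # ALL must hold
    advice: Dict[str, str] = field(default_factory=dict)  # returned when a condition fails


def in_group(name: str) -> Callable[[User], bool]:
    return lambda user: name in user.get("groups", [])


def min_auth_level(level: int) -> Callable[[Env], bool]:
    return lambda env: env.get("auth_level", 0) >= level


def business_hours(env: Env) -> bool:
    return 8 <= env.get("hour", -1) < 18


def matches_resource(pattern: str, resource: str) -> bool:
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def evaluate(rules: List[Rule], user: User, resource: str, env: Env) -> Dict[str, Any]:
    """PDP: combine every applicable rule into the slide-79 response shape."""
    actions: Dict[str, bool] = {}
    advices: Dict[str, str] = {}
    for rule in rules:
        if not matches_resource(rule.resource, resource):
            continue
        if not any(subject(user) for subject in rule.subjects):
            continue
        if not all(condition(env) for condition in rule.conditions):
            advices.update(rule.advice)    # advice tells the PEP what would satisfy the rule
            continue
        for action, allowed in rule.actions.items():
            actions[action] = actions.get(action, True) and allowed   # a deny overrides an allow
    return {
        "statusCode": 200,
        "statusMessage": "OK",
        "body": {
            "actionsValues": actions,
            "attributes": {"uid": user.get("uid")},   # response attributes for the app
            "advices": advices,
            "resourceName": resource,
        },
    }


def pdp_web_service(rules: List[Rule], user: User, resource: str, env: Env) -> str:
    """The wire boundary of slide 78: the PDP answers the web service call with JSON."""
    return json.dumps(evaluate(rules, user, resource, env))


def entitled(decision_json: str, action: str) -> bool:
    """PEP wrapper: parse the PDP's JSON with default deny."""
    try:
        decision = json.loads(decision_json)
    except ValueError:
        return False                       # unparsable answer: deny
    if not isinstance(decision, dict) or decision.get("statusCode") != 200:
        return False                       # no decision was produced: deny
    body = decision.get("body")
    values = body.get("actionsValues", {}) if isinstance(body, dict) else {}
    return values.get(action) is True      # absent or False both deny


# Constructed policy set for a banking-style application (resources and
# actions modelled on slides 68-69).
RULES = [
    Rule("https://bank.example/accounts/*", {"GET": True},
         subjects=[in_group("customers")],
         conditions=[min_auth_level(1)], advice={"auth_level": "1"}),
    Rule("https://bank.example/accounts/*", {"Transfer": True, "Withdraw": True},
         subjects=[in_group("customers")],
         conditions=[min_auth_level(2), business_hours],
         advice={"auth_level": "2", "time": "08:00-18:00"}),
    Rule("https://bank.example/accounts/*", {"Withdraw": False},
         subjects=[in_group("frozen")]),   # explicit deny wins over the allow above
]
```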
  • 80. Policy Decision Point
  • 81. Policy Decision Point: Policy Evaluation. Separate the Rule evaluation from the enforcement
  • 82. Scalable and extensible policy engine. Scalable to millions of entitlements. Standards based - XACML3
  • 84. Policy Administration: Administration UI, Dynamic rule changes, Auditability, Consistency
  • 85. Standards based XACML3: Any editor... Any workflow...
  • 86. Rule changes take immediate effect. No impact on application development
  • 87. Keep track of rules and changes. Reuse rules for reusable resources
  • 88. Separate Administration: Application Administration is separate from Entitlement Administration
  • 89. Simplify the app admin: Consistent administration of permissions for all apps.
  • 90. ForgeRock
  • 91. OpenAM: OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements.
  • 92. OpenAM: Started life as Sun Access Manager. OpenSourced in 2007. Strong Community
  • 93. OpenAM: OpenAM is fully opensource, 100% Java, scalable, high performance, AuthN and AuthZ
  • 94. OpenAM: Full XACML3 Support, Simple policies and Complex Entitlements, Extensible Plugins, Central Administration, Leverage existing SSO
  • 95. OpenAM: OpenAM Community, ForgeRock, http://www.forgerock.com
  • 96. Download it. Use it. Get involved! info@forgerock.com
  • 97. Questions?
  • 98. Demo
  • 99. Open Source Authentication & Authorization. Allan Foster, ForgeRock
  • 100. Access Control - Policy. Rights and Privileges - Entitlements. Scalability. Flexibility