SlideShare ist ein Scribd-Unternehmen logo

i4Trust IAM Components

FIWARE
FIWARE

This training camp teaches you how FIWARE technologies and iSHARE, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the development of innovative services based on data sharing and creating value out of the data they share. SMEs and Digital Innovation Hubs (DIHs) will be equipped with the necessary know-how to use the i4Trust framework for creating data spaces!

Technologie
1 von 95
Downloaden Sie, um offline zu lesen
i4Trust Website i4Trust Community i4Trust components for Identity Management and Access Control Speakers: Rajiv Rajani - CTO iSHARE Foundation Álvaro Arranz - CEO FICODES Francisco de la Vega - CTO FICODES
i4Trust Identity and Access Management (IAM) ■ About: ■ This part of the session will introduce you to i4Trust IAM components in detail. ■ This session will: ■ Explain iSHARE Identity and Access Management concepts in detail ■ Explain the FIWARE components which comply with iSHARE specifications in detail ■ How to deploy them ■ How to use them ■ Goals: ■ After this session you will be able to implement a service using i4Trust IAM components ■ Target Audience: ■ LEBDs
Technical Deepdive on IAM in iSHARE
Data Space Recap: Roles in a Data Space Data Consumer Data Provider Data Owner Identity Provider Authorisations Provider Marketplace Trust Provider 4
Recap: iSHARE role model 5 Data Space or Domain International Legal Framework governed by iSHARE Foundation
What is iSHARE Satellite? ■ iSHARE satellite is a federated certified role ■ It essentially does: ■ Onboard and maintain list of participants and its statues ■ Enables multilateral trust when participants signup ■ Provide APIs for participants to get detailed information along with statues of other participants with whom they want to interact or are interacting ■ Plays the facilitator role for common agreements like, but not limited to business agreements, operational agreements, etc. ■ Is federated part of the governing body of data spaces that interoperate
Identity Provider role is designed for users to reuse their existing identity provider at various service/data providers Identity Provider • The Identity Provider role deals with the human identities with varying level of assurances, as defined in eIDAS framework, to support various use cases • It is based on OpenID Connect as standard, however, with slight adjustment to make it better suitable for B2B, B2G, G2G and of course B2C and G2C • Depending on the criticality of the data, appropriate level of assurance for an identity can be requested • iSHARE specifications are designed such that service/data provider does not necessarily need to pre-register an identity provider as it can verify if it is an iSHARE certified provider from iSHARE satellite 7
Authorisations Registry (provider) role
Example response of a fine-grained authorisation
Example of a coarse-grained authorisation
Interaction Machine-to-Machine (M2M) Communication between machines, without interference by a human Human-to-Machine (H2M) Communication between a human and (a) machine(s). Requires a user interface Facilitate Flexible authorizations • Coarse-grained: broad authorization • Fine-grained: specific authorization • Flexibility on where to store authorizations Portable identities Identities can be spread out and recognised, i.e. portable, across multiple, independent systems Enable Delegations Functions as evidence that a party is directly or indirectly operating on behalf of a known party Customer in control parties are allowed to modify or withdraw access rights to their data or services, whenever they wish Trustworthy Identification, Authentication and Authorisations 11
Basics of every IAM transaction
A certificate is a digital file used for integrity and authenticity
A certificate consists of a public and a private part
iSHARE relies on PKI-certificates to verify organisational identities
A private keys signs data A public keys verifies this signature
JSON Web Tokens (JWTs) are base64- encoded JSON objects
JSON Web Tokens (JWTs) are base64- encoded JSON objects
JSON Web Tokens (JWTs) are base64- encoded JSON objects
In iSHARE, client assertions are JWTs with iSHARE specific Header and Payload
In iSHARE, client assertions are JWTs with iSHARE specific Header and Payload
An iSHARE party uses the client_assertion to get an access token from another iSHARE Party
An iSHARE party uses the client_assertion to get an access token from another iSHARE Party
An iSHARE party uses the client_assertion to get an access token from another iSHARE Party
Fictional use case Case: ■ ABC Trucking wants to access container data at the terminal on behalf of Banana & Co. ■ Banana & Co needs to register at AskMeAnything Authorization Registry that they delegate access rights to ABC Trucking ■ When ABC Trucking requests the data at the Service Provider, Warehouse 13, it checks with AskMeAnything for delegation evidence ■ If AskMeAnything returns valid delegation evidence, Warehouse 13 can exchange data with ABC Trucking All calls are iSHARE calls, except if noted otherwise. These exceptions are marked with a RED arrow.
Participants of the fictional use case Case: ■ ABC Trucking wants to access container data at the terminal on behalf of Banana & Co.
Beforehand: Getting the trusted list iSHARE Satellite iSHARE Satellite
Participants of the fictional use case
Further reading and useful links ■ iSHARE framework covering all aspects - https://scheme.ishareworks.org ■ iSHARE developer portal - https://dev.ishareworks.org ■ Postman collections for fictional use case - https://dev.ishareworks.org/demo-and- testing/postman.html#postman-collections ■ Dummy participants in various roles for testing purposes - https://dev.ishareworks.org/demo-and- testing/test-participants.html ■ JSON Web Tokens (JWT) reference and libraries - https://jwt.io ■ OAuth specifications and other materials - https://oauth.net/2/ ■ OpenID Connect specifications and other materials - https://openid.net/connect/ ■ eIDAS regulation ■ PKI wikipedia - https://en.wikipedia.org/wiki/Public_key_infrastructure
i4Trust IAM components
iSHARE Architecture using FIWARE ● Keyrock is the FIWARE component responsible for identity management. ○ It supports, among others, the OAuth2 and Open ID Connect standards ○ It is being extended to support the iSHARE specifications ○ Plays the role of the identity provider ○ In a near future, it will also provide the authorization registry features. ● API Umbrella is an open source API management platform for exposing and securing web service APIs. ○ It acts as a proxy that provides access control, rate limiting, analytics, … to API services. We will use it to protect our context broker instances. ○ It is being extended to comply with iSHARE specifications. ● Until officially released, release candidate docker images should be used. At the moment: ○ fiware/idm:i4trust-rc2 for Keyrock ○ And fiware/api-umbrella:i4trust-rc3 for API Umbrella
iSHARE Architecture using FIWARE
Requirements to deploy ● To be registered as a iSHARE party. This means to have a certificate signed by a test CA with the associated private key. Also means to have access credentials to the iSHARE Satellite and Authorization Registry instance to be used. ● Please, contact Rajiv for requesting testing credentials and access to those services.
Setting up Keyrock: i4Trust related environment variables ■ IDM_PR_URL: ■ URL of the iSHARE Satellite instance to use (e.g. https://scheme.isharetest.net) ■ This setting also is the one that enables i4Trust support on Keyrock ■ IDM_PR_CLIENT_ID: ■ party identifier (EORI) associated with this Keyrock instance ■ IDM_PR_CLIENT_KEY_FILE: ■ path to the private key file (PEM format) ■ IDM_PR_CLIENT_CRT_FILE: ■ path to the certificate chain (PEM format) ■ IDM_AR_URL: ■ URL of Authorization Registry instance to use (e.g. https://ar.isharetest.net) ■ IDM_AR_IDENTIFIER: ■ Party identifier (EORI) associated with the Authorization Registry instance
Setting up API umbrella: i4Trust related configuration … jws: identifier: EU.EORI.NLHAPPYPETS root_ca: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC8yeRuxDI2/vyJ … -----END PRIVATE KEY----- x5c: - MIIE...Uw== - MIIF...vic= - MIIF...AQ== authorisation_registry: host: https://ar.isharetest.net identifier: EU.EORI.NL000000004 token_endpoint: https://ar.isharetest.net/token delegation_endpoint: https://ar.isharetest.net/delegation In this case, configuration is provided through the api-umbrella.yml file.
API Management with API Umbrella ■ It support two types of entries: ■ API Backends (this is the one we are interested in) ■ And Website Backends ■ Changes are not automatically applied. Once you have created/updated/deleted the API Backend configuration, you have to publish them.
Basic API Backend configuration You can configure a list of backend services. In this case there is only one backend server (http://orion.local:1026). “Frontend Host” is the DNS that will be associated with this API backend (Umbrella can be associated with multiple DNS names). The “Backend Host” setting allows you to pass a different “Host” header to the backend server (usually not required). Also, it is possible to transform path prefixes.
Enabling i4Trust support API Umbrella is able to automatically analyse the incoming NGSI-LD request and to determine the necessary policy required for each request. This is achieved by setting the “Authorization Mode” to “Context Broker attribute based - iSHARE compliant (automatically)” in the Global Request Settings section.
Context Broker policy example This policy is telling that EU.EORI.NLPACKETDEL is allowing EU.EORI.NLNOCHEAPER to issue GET requests to read DELIVERYORDER entities, including any of their attributes. { "delegationEvidence": { "notBefore": 1541058939, "notOnOrAfter": 2147483647, "policyIssuer": "EU.EORI.NLPACKETDEL", "target": { "accessSubject": "EU.EORI.NLNOCHEAPER" }, "policySets": [ { "maxDelegationDepth": 1, "target": { "environment": { "licenses": ["ISHARE.0001"] } }, "policies": [ { "target": { "resource": { "type": "DELIVERYORDER", "identifiers": ["*"], "attributes": ["*"] }, "actions": ["GET"] }, "rules": [ { "effect": "Permit" } ] } ] } ] } } }
Login (step 1) First, generate an iSHARE JWT signed using the JSON Web Signature standard (JWS) > Headers { "alg": "RS256", "typ": "JWT", "x5c": [ // Complete certificate chain of the party "MIIEhjCC….Zy9w==", ... ] } > Payload { "jti": "99ab5bca41bb45b78d242a46f0157b7d", // Unique JWT ID "iss": "EU.EORI.NLMARKETPLA", "sub": "EU.EORI.NLMARKETPLA", "aud": "EU.EORI.NLHAPPYPETS", // ID (EORI) of the IDP to be accessed "iat": "1540827435", "nbf": "1540827435", "exp": "1540827435", // 30 seconds after iat "response_type": "code", "client_id": "EU.EORI.NLMARKETPLA", "scope": "openid iSHARE profile email", "redirect_uri": "https://www.marketplace.com/openid_connect1.0/return", "state": "af0ifjsldkj", "nonce": "c428224ca5a", "acr_values": "urn:http://eidas.europa.eu/LoA/NotNotified/high", "language": "en" }
Login (step 2) Make a POST request to the /authorize endpoint, so the target Identity Provider (in this case a Keyrock instance) can validate we are a trusted iSHARE party. The JWT generated in step 1 has to be provided in the request parameter. If everything goes well, a 204 status code will be returned along with a Location header. > Content-Type: application/x-www-form-urlencoded POST https://idp-pdc.i4trust.fiware.io/authorize response_type=code& client_id=EU.EORI.NLMARKETPLA& scope=iSHARE openid& request=eyJ0eXA…YkNKOQ
Redirect user’s browser to the URL provided on the Location headers. This way, the user can provide his credentials and consent through the login page of Keyrock. If everything goes well, Keyrock will return an authorization code using the provided redirect URI. Login (step 3) < Location: https://marketplace.i4trust.fiware.io/openid_connect1.0/return? code=Dmn-TbSj7OcKl5ym1j5xZsgkabzVP8dMugC81nzmeW4& state=ZqVQm4zHaEDyBhzpm1ZRH7fsxy703lq2
A new request to the /token endpoint of the Identity Provider has to be made to retrieve the final access token. The signed JWT created in step 1 has to be provided in the client_assertion parameter of the request. The authorization code obtained in step 3 is provided within the code parameter. Login (step 4) > Content-Type: application/x-www-form-urlencoded POST https://idp-pdc.i4trust.fiware.io/token grant_type=authorization_code& client_id=EU.EORI.NLMARKETPLA& client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer& client_assertion=eyJ0eXA…YkNKOQ& redirect_uri=https://marketplace.i4trust.fiware.io/openid_connect1.0/return& code=Dmn-TbSj7OcKl5ym1j5xZsgkabzVP8dMugC81nzmeW4
Finally, Keyrock will provide an access token that can be used to access services. In addition, an iSHARE JWT compliant id_token is also returned which is associated with the authenticated session. Login (step 5) < Content-Type: application/json < Cache-Control: no-store < Pragma: no-cache { "id_token": "eyJhb...V2jA", "access_token": "aW2ys...LIOw", "expires_in": 3600, "token_type": "Bearer" } Decoded id_token parameter { "iss": "EU.EORI.NLPACKETDEL", "sub": "419404e1-07ce-4d80-9e8a-eca94vde0003de", "aud": "EU.EORI.NLMARKETPLA", "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59", "iat": 1504683445, "exp": 1504683475, "auth_time": 1504683435, "nonce": "c428224ca5a", "acr": "urn:http://eidas.europa.eu/LoA/NotNotified/low", "azp": "EU.EORI.NLMARKETPLA", }
Managing Keyrock accounts
Further reading and useful links ■ Official Keyrock Documentation - https://fiware-idm.readthedocs.io/ ■ Tutorials and descriptions on how to setup the components within an i4Trust data space ■ https://github.com/i4Trust/tutorials/tree/main/Data-Service-Provider ■ Example Keyrock Theme - https://github.com/i4Trust/keyrock-theme-pdc ■ Helm Charts (kubernetes) to deploy i4Trust IAM components: ■ https://github.com/FIWARE/helm-charts/tree/i4trust ■ Passport strategy for authentication with FIWARE Keyrock using iShare JWT: ■ https://github.com/Ficodes/passport-i4trust ■ iSHARE framework covering all aspects - https://scheme.ishareworks.org ■ iSHARE developer portal - https://dev.ishareworks.org
Thank you! i4Trust has received funding from the European Union’s Horizon 2020 research and innovation programme under the Grant Agreement no 951975.

Empfohlen

Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramFIWARE
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramFIWARE
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...FIWARE
 
Session 8 - Creating Data Processing Services | Train the Trainers Program
Session 8 - Creating Data Processing Services | Train the Trainers ProgramSession 8 - Creating Data Processing Services | Train the Trainers Program
Session 8 - Creating Data Processing Services | Train the Trainers ProgramFIWARE
 
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...FIWARE
 
Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Haniyama Wataru
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15OpenID Foundation Japan
 

Empfohlen

Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramFIWARE
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramFIWARE
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...FIWARE
 
Session 8 - Creating Data Processing Services | Train the Trainers Program
Session 8 - Creating Data Processing Services | Train the Trainers ProgramSession 8 - Creating Data Processing Services | Train the Trainers Program
Session 8 - Creating Data Processing Services | Train the Trainers ProgramFIWARE
 
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...FIWARE
 
Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Haniyama Wataru
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15OpenID Foundation Japan
 
Azure ADとIdentity管理
Azure ADとIdentity管理Azure ADとIdentity管理
Azure ADとIdentity管理Naohiro Fujie
 
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
OPC UAをオープンソースやフリーのソフトで遊んでみた
OPC UAをオープンソースやフリーのソフトで遊んでみたOPC UAをオープンソースやフリーのソフトで遊んでみた
OPC UAをオープンソースやフリーのソフトで遊んでみたミソジ
 
パスワードのいらない世界へ  FIDO認証の最新状況
パスワードのいらない世界へ  FIDO認証の最新状況パスワードのいらない世界へ  FIDO認証の最新状況
パスワードのいらない世界へ  FIDO認証の最新状況FIDO Alliance
 
i4Trust - Overview
i4Trust - Overviewi4Trust - Overview
i4Trust - OverviewFIWARE
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Jun Kurihara
 
FIWARE Wednesday Webinars - How to Design DataModels
FIWARE Wednesday Webinars - How to Design DataModelsFIWARE Wednesday Webinars - How to Design DataModels
FIWARE Wednesday Webinars - How to Design DataModelsFIWARE
 
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題Hyperleger Tokyo Meetup
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証についてHitachi, Ltd. OSS Solution Center.
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE
 
Keycloak開発入門
Keycloak開発入門Keycloak開発入門
Keycloak開発入門Yuichi Nakamura
 
FIWARE Training: JSON-LD and NGSI-LD
FIWARE Training: JSON-LD and NGSI-LDFIWARE Training: JSON-LD and NGSI-LD
FIWARE Training: JSON-LD and NGSI-LDFIWARE
 
FIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみたFIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみたFIDO Alliance
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明FIDO Alliance
 
Keycloak入門
Keycloak入門Keycloak入門
Keycloak入門Hiroyuki Wada
 
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用Naohiro Fujie
 
5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-Ready5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-ReadyEDB
 
PythonによるOPC-UAの利用
PythonによるOPC-UAの利用PythonによるOPC-UAの利用
PythonによるOPC-UAの利用Kioto Hirahara
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
APIs_ An Introduction.pptx
APIs_ An Introduction.pptxAPIs_ An Introduction.pptx
APIs_ An Introduction.pptxAkashThorat25
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 

Weitere ähnliche Inhalte

Was ist angesagt?

Azure ADとIdentity管理
Azure ADとIdentity管理Azure ADとIdentity管理
Azure ADとIdentity管理Naohiro Fujie
 
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
OPC UAをオープンソースやフリーのソフトで遊んでみた
OPC UAをオープンソースやフリーのソフトで遊んでみたOPC UAをオープンソースやフリーのソフトで遊んでみた
OPC UAをオープンソースやフリーのソフトで遊んでみたミソジ
 
パスワードのいらない世界へ  FIDO認証の最新状況
パスワードのいらない世界へ  FIDO認証の最新状況パスワードのいらない世界へ  FIDO認証の最新状況
パスワードのいらない世界へ  FIDO認証の最新状況FIDO Alliance
 
i4Trust - Overview
i4Trust - Overviewi4Trust - Overview
i4Trust - OverviewFIWARE
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Jun Kurihara
 
FIWARE Wednesday Webinars - How to Design DataModels
FIWARE Wednesday Webinars - How to Design DataModelsFIWARE Wednesday Webinars - How to Design DataModels
FIWARE Wednesday Webinars - How to Design DataModelsFIWARE
 
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題Hyperleger Tokyo Meetup
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE
 
FIWARE Training: JSON-LD and NGSI-LD
FIWARE Training: JSON-LD and NGSI-LDFIWARE Training: JSON-LD and NGSI-LD
FIWARE Training: JSON-LD and NGSI-LDFIWARE
 
FIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみたFIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみたFIDO Alliance
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明FIDO Alliance
 
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用Naohiro Fujie
 
5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-Ready5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-ReadyEDB
 
PythonによるOPC-UAの利用
PythonによるOPC-UAの利用PythonによるOPC-UAの利用
PythonによるOPC-UAの利用Kioto Hirahara
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 

Was ist angesagt? (20)

Azure ADとIdentity管理
Azure ADとIdentity管理Azure ADとIdentity管理
Azure ADとIdentity管理
 
FIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust MarketplaceFIWARE Training: FIWARE Training: i4Trust Marketplace
FIWARE Training: FIWARE Training: i4Trust Marketplace
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
 
OPC UAをオープンソースやフリーのソフトで遊んでみた
OPC UAをオープンソースやフリーのソフトで遊んでみたOPC UAをオープンソースやフリーのソフトで遊んでみた
OPC UAをオープンソースやフリーのソフトで遊んでみた
 
パスワードのいらない世界へ  FIDO認証の最新状況
パスワードのいらない世界へ  FIDO認証の最新状況パスワードのいらない世界へ  FIDO認証の最新状況
パスワードのいらない世界へ  FIDO認証の最新状況
 
i4Trust - Overview
i4Trust - Overviewi4Trust - Overview
i4Trust - Overview
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
 
FIWARE Wednesday Webinars - How to Design DataModels
FIWARE Wednesday Webinars - How to Design DataModelsFIWARE Wednesday Webinars - How to Design DataModels
FIWARE Wednesday Webinars - How to Design DataModels
 
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
エンタープライズブロックチェーン基盤のひとつとしてのHyperledger Fabricの強みと課題
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API Umbrella
 
Keycloak開発入門
Keycloak開発入門Keycloak開発入門
Keycloak開発入門
 
FIWARE Training: JSON-LD and NGSI-LD
FIWARE Training: JSON-LD and NGSI-LDFIWARE Training: JSON-LD and NGSI-LD
FIWARE Training: JSON-LD and NGSI-LD
 
FIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみたFIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみた
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
 
Keycloak入門
Keycloak入門Keycloak入門
Keycloak入門
 
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
Azure ADにみるエンタープライズ領域におけるフェデレーションとIDaaSの活用
 
5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-Ready5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-Ready
 
PythonによるOPC-UAの利用
PythonによるOPC-UAの利用PythonによるOPC-UAの利用
PythonによるOPC-UAの利用
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
 

Ähnlich wie i4Trust IAM Components

APIs_ An Introduction.pptx
APIs_ An Introduction.pptxAPIs_ An Introduction.pptx
APIs_ An Introduction.pptxAkashThorat25
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
WSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best PracticesWSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best PracticesWSO2
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Federation Services
Federation ServicesFederation Services
Federation ServicesEmpowerID
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2NGINX, Inc.
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fimArchiver
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
Brkarc 2034 smart-licensing
Brkarc 2034 smart-licensingBrkarc 2034 smart-licensing
Brkarc 2034 smart-licensingMichael Ganschuk
 
PCI 3.0 Compliance and Security for Retailers
PCI 3.0 Compliance and Security for RetailersPCI 3.0 Compliance and Security for Retailers
PCI 3.0 Compliance and Security for RetailersAerohive Networks
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinFIDO Alliance
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAAKarri Huhtanen
 
Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain PlatformJuarez Junior
 

Ähnlich wie i4Trust IAM Components (20)

APIs_ An Introduction.pptx
APIs_ An Introduction.pptxAPIs_ An Introduction.pptx
APIs_ An Introduction.pptx
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
WSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best PracticesWSO2Con EU 2015: API Management Strategies and Best Practices
WSO2Con EU 2015: API Management Strategies and Best Practices
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Federation Services
Federation ServicesFederation Services
Federation Services
 
SSO Manager
SSO ManagerSSO Manager
SSO Manager
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fim
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
Brkarc 2034 smart-licensing
Brkarc 2034 smart-licensingBrkarc 2034 smart-licensing
Brkarc 2034 smart-licensing
 
PCI 3.0 Compliance and Security for Retailers
PCI 3.0 Compliance and Security for RetailersPCI 3.0 Compliance and Security for Retailers
PCI 3.0 Compliance and Security for Retailers
 
Defining Advanced AAA Policies for Access Networks
Defining Advanced AAA Policies for Access NetworksDefining Advanced AAA Policies for Access Networks
Defining Advanced AAA Policies for Access Networks
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAA
 
Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain Platform
 

Mehr von FIWARE

Behm_Herne_NeMo_akt.pptx
Behm_Herne_NeMo_akt.pptxBehm_Herne_NeMo_akt.pptx
Behm_Herne_NeMo_akt.pptxFIWARE
 
Katharina Hogrebe Herne Digital Days.pdf
Katharina Hogrebe Herne Digital Days.pdf Katharina Hogrebe Herne Digital Days.pdf
Katharina Hogrebe Herne Digital Days.pdfFIWARE
 
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
Christoph Mertens_IDSA_Introduction to Data Spaces.pptxChristoph Mertens_IDSA_Introduction to Data Spaces.pptx
Christoph Mertens_IDSA_Introduction to Data Spaces.pptxFIWARE
 
Behm_Herne_NeMo.pptx
Behm_Herne_NeMo.pptxBehm_Herne_NeMo.pptx
Behm_Herne_NeMo.pptxFIWARE
 
Evangelists + iHubs Promo Slides.pptx
Evangelists + iHubs Promo Slides.pptxEvangelists + iHubs Promo Slides.pptx
Evangelists + iHubs Promo Slides.pptxFIWARE
 
Lukas Künzel Smart City Operating System.pptx
Lukas Künzel Smart City Operating System.pptxLukas Künzel Smart City Operating System.pptx
Lukas Künzel Smart City Operating System.pptxFIWARE
 
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptxPierre Golz Der Transformationsprozess im Konzern Stadt.pptx
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptxFIWARE
 
Dennis Wendland_The i4Trust Collaboration Programme.pptx
Dennis Wendland_The i4Trust Collaboration Programme.pptxDennis Wendland_The i4Trust Collaboration Programme.pptx
Dennis Wendland_The i4Trust Collaboration Programme.pptxFIWARE
 
Ulrich Ahle_FIWARE.pptx
Ulrich Ahle_FIWARE.pptxUlrich Ahle_FIWARE.pptx
Ulrich Ahle_FIWARE.pptxFIWARE
 
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptxAleksandar Vrglevski _FIWARE DACH_OSIH.pptx
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptxFIWARE
 
Water Quality - Lukas Kuenzel.pdf
Water Quality - Lukas Kuenzel.pdfWater Quality - Lukas Kuenzel.pdf
Water Quality - Lukas Kuenzel.pdfFIWARE
 
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptxCameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptxFIWARE
 
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptxFiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptxFIWARE
 
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptxBoris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptxFIWARE
 
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....FIWARE
 
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdfAbdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdfFIWARE
 
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdfFGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdfFIWARE
 
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
HTAG_Skalierung_Plattform_lokal_final_versand.pptxHTAG_Skalierung_Plattform_lokal_final_versand.pptx
HTAG_Skalierung_Plattform_lokal_final_versand.pptxFIWARE
 
WE_LoRaWAN _ IoT.pptx
WE_LoRaWAN _ IoT.pptxWE_LoRaWAN _ IoT.pptx
WE_LoRaWAN _ IoT.pptxFIWARE
 
EU Opp_Clara Pezuela - German chapter.pptx
EU Opp_Clara Pezuela - German chapter.pptxEU Opp_Clara Pezuela - German chapter.pptx
EU Opp_Clara Pezuela - German chapter.pptxFIWARE
 

Mehr von FIWARE (20)

Behm_Herne_NeMo_akt.pptx
Behm_Herne_NeMo_akt.pptxBehm_Herne_NeMo_akt.pptx
Behm_Herne_NeMo_akt.pptx
 
Katharina Hogrebe Herne Digital Days.pdf
Katharina Hogrebe Herne Digital Days.pdf Katharina Hogrebe Herne Digital Days.pdf
Katharina Hogrebe Herne Digital Days.pdf
 
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
Christoph Mertens_IDSA_Introduction to Data Spaces.pptxChristoph Mertens_IDSA_Introduction to Data Spaces.pptx
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
 
Behm_Herne_NeMo.pptx
Behm_Herne_NeMo.pptxBehm_Herne_NeMo.pptx
Behm_Herne_NeMo.pptx
 
Evangelists + iHubs Promo Slides.pptx
Evangelists + iHubs Promo Slides.pptxEvangelists + iHubs Promo Slides.pptx
Evangelists + iHubs Promo Slides.pptx
 
Lukas Künzel Smart City Operating System.pptx
Lukas Künzel Smart City Operating System.pptxLukas Künzel Smart City Operating System.pptx
Lukas Künzel Smart City Operating System.pptx
 
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptxPierre Golz Der Transformationsprozess im Konzern Stadt.pptx
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
 
Dennis Wendland_The i4Trust Collaboration Programme.pptx
Dennis Wendland_The i4Trust Collaboration Programme.pptxDennis Wendland_The i4Trust Collaboration Programme.pptx
Dennis Wendland_The i4Trust Collaboration Programme.pptx
 
Ulrich Ahle_FIWARE.pptx
Ulrich Ahle_FIWARE.pptxUlrich Ahle_FIWARE.pptx
Ulrich Ahle_FIWARE.pptx
 
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptxAleksandar Vrglevski _FIWARE DACH_OSIH.pptx
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
 
Water Quality - Lukas Kuenzel.pdf
Water Quality - Lukas Kuenzel.pdfWater Quality - Lukas Kuenzel.pdf
Water Quality - Lukas Kuenzel.pdf
 
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptxCameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
 
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptxFiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
 
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptxBoris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
 
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
 
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdfAbdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
 
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdfFGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
 
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
HTAG_Skalierung_Plattform_lokal_final_versand.pptxHTAG_Skalierung_Plattform_lokal_final_versand.pptx
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
 
WE_LoRaWAN _ IoT.pptx
WE_LoRaWAN _ IoT.pptxWE_LoRaWAN _ IoT.pptx
WE_LoRaWAN _ IoT.pptx
 
EU Opp_Clara Pezuela - German chapter.pptx
EU Opp_Clara Pezuela - German chapter.pptxEU Opp_Clara Pezuela - German chapter.pptx
EU Opp_Clara Pezuela - German chapter.pptx
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Kürzlich hochgeladen (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

i4Trust IAM Components

  • 1. i4Trust Website i4Trust Community i4Trust components for Identity Management and Access Control Speakers: Rajiv Rajani - CTO iSHARE Foundation Álvaro Arranz - CEO FICODES Francisco de la Vega - CTO FICODES
  • 2. i4Trust Identity and Access Management (IAM) ■ About: ■ This part of the session will introduce you to i4Trust IAM components in detail. ■ This session will: ■ Explain iSHARE Identity and Access Management concepts in detail ■ Explain the FIWARE components which comply with iSHARE specifications in detail ■ How to deploy them ■ How to use them ■ Goals: ■ After this session you will be able to implement a service using i4Trust IAM components ■ Target Audience: ■ LEBDs
  • 3. Technical Deepdive on IAM in iSHARE
  • 4. Data Space Recap: Roles in a Data Space Data Consumer Data Provider Data Owner Identity Provider Authorisations Provider Marketplace Trust Provider 4
  • 5. Recap: iSHARE role model 5 Data Space or Domain International Legal Framework governed by iSHARE Foundation
  • 6. What is iSHARE Satellite? ■ iSHARE satellite is a federated certified role ■ It essentially does: ■ Onboard and maintain list of participants and its statues ■ Enables multilateral trust when participants signup ■ Provide APIs for participants to get detailed information along with statues of other participants with whom they want to interact or are interacting ■ Plays the facilitator role for common agreements like, but not limited to business agreements, operational agreements, etc. ■ Is federated part of the governing body of data spaces that interoperate
  • 7. Identity Provider role is designed for users to reuse their existing identity provider at various service/data providers Identity Provider • The Identity Provider role deals with the human identities with varying level of assurances, as defined in eIDAS framework, to support various use cases • It is based on OpenID Connect as standard, however, with slight adjustment to make it better suitable for B2B, B2G, G2G and of course B2C and G2C • Depending on the criticality of the data, appropriate level of assurance for an identity can be requested • iSHARE specifications are designed such that service/data provider does not necessarily need to pre-register an identity provider as it can verify if it is an iSHARE certified provider from iSHARE satellite 7
  • 9. Example response of a fine-grained authorisation
  • 10. Example of a coarse-grained authorisation
  • 11. Interaction Machine-to-Machine (M2M) Communication between machines, without interference by a human Human-to-Machine (H2M) Communication between a human and (a) machine(s). Requires a user interface Facilitate Flexible authorizations • Coarse-grained: broad authorization • Fine-grained: specific authorization • Flexibility on where to store authorizations Portable identities Identities can be spread out and recognised, i.e. portable, across multiple, independent systems Enable Delegations Functions as evidence that a party is directly or indirectly operating on behalf of a known party Customer in control parties are allowed to modify or withdraw access rights to their data or services, whenever they wish Trustworthy Identification, Authentication and Authorisations 11
  • 12. Basics of every IAM transaction
  • 13. A certificate is a digital file used for integrity and authenticity
  • 14. A certificate consists of a public and a private part
  • 15. iSHARE relies on PKI-certificates to verify organisational identities
  • 16. A private keys signs data A public keys verifies this signature
  • 17. JSON Web Tokens (JWTs) are base64- encoded JSON objects
  • 18. JSON Web Tokens (JWTs) are base64- encoded JSON objects
  • 19. JSON Web Tokens (JWTs) are base64- encoded JSON objects
  • 20. In iSHARE, client assertions are JWTs with iSHARE specific Header and Payload
  • 21. In iSHARE, client assertions are JWTs with iSHARE specific Header and Payload
  • 22. An iSHARE party uses the client_assertion to get an access token from another iSHARE Party
  • 23. An iSHARE party uses the client_assertion to get an access token from another iSHARE Party
  • 24. An iSHARE party uses the client_assertion to get an access token from another iSHARE Party
  • 25. Fictional use case Case: ■ ABC Trucking wants to access container data at the terminal on behalf of Banana & Co. ■ Banana & Co needs to register at AskMeAnything Authorization Registry that they delegate access rights to ABC Trucking ■ When ABC Trucking requests the data at the Service Provider, Warehouse 13, it checks with AskMeAnything for delegation evidence ■ If AskMeAnything returns valid delegation evidence, Warehouse 13 can exchange data with ABC Trucking All calls are iSHARE calls, except if noted otherwise. These exceptions are marked with a RED arrow.
  • 26. Participants of the fictional use case Case: ■ ABC Trucking wants to access container data at the terminal on behalf of Banana & Co.
  • 27. Beforehand: Getting the trusted list iSHARE Satellite iSHARE Satellite
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48. Participants of the fictional use case
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
  • 75.
  • 76.
  • 77. Further reading and useful links ■ iSHARE framework covering all aspects - https://scheme.ishareworks.org ■ iSHARE developer portal - https://dev.ishareworks.org ■ Postman collections for fictional use case - https://dev.ishareworks.org/demo-and- testing/postman.html#postman-collections ■ Dummy participants in various roles for testing purposes - https://dev.ishareworks.org/demo-and- testing/test-participants.html ■ JSON Web Tokens (JWT) reference and libraries - https://jwt.io ■ OAuth specifications and other materials - https://oauth.net/2/ ■ OpenID Connect specifications and other materials - https://openid.net/connect/ ■ eIDAS regulation ■ PKI wikipedia - https://en.wikipedia.org/wiki/Public_key_infrastructure
  • 79. iSHARE Architecture using FIWARE ● Keyrock is the FIWARE component responsible for identity management. ○ It supports, among others, the OAuth2 and Open ID Connect standards ○ It is being extended to support the iSHARE specifications ○ Plays the role of the identity provider ○ In a near future, it will also provide the authorization registry features. ● API Umbrella is an open source API management platform for exposing and securing web service APIs. ○ It acts as a proxy that provides access control, rate limiting, analytics, … to API services. We will use it to protect our context broker instances. ○ It is being extended to comply with iSHARE specifications. ● Until officially released, release candidate docker images should be used. At the moment: ○ fiware/idm:i4trust-rc2 for Keyrock ○ And fiware/api-umbrella:i4trust-rc3 for API Umbrella
  • 81. Requirements to deploy ● To be registered as a iSHARE party. This means to have a certificate signed by a test CA with the associated private key. Also means to have access credentials to the iSHARE Satellite and Authorization Registry instance to be used. ● Please, contact Rajiv for requesting testing credentials and access to those services.
  • 82. Setting up Keyrock: i4Trust related environment variables ■ IDM_PR_URL: ■ URL of the iSHARE Satellite instance to use (e.g. https://scheme.isharetest.net) ■ This setting also is the one that enables i4Trust support on Keyrock ■ IDM_PR_CLIENT_ID: ■ party identifier (EORI) associated with this Keyrock instance ■ IDM_PR_CLIENT_KEY_FILE: ■ path to the private key file (PEM format) ■ IDM_PR_CLIENT_CRT_FILE: ■ path to the certificate chain (PEM format) ■ IDM_AR_URL: ■ URL of Authorization Registry instance to use (e.g. https://ar.isharetest.net) ■ IDM_AR_IDENTIFIER: ■ Party identifier (EORI) associated with the Authorization Registry instance
  • 83. Setting up API umbrella: i4Trust related configuration … jws: identifier: EU.EORI.NLHAPPYPETS root_ca: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC8yeRuxDI2/vyJ … -----END PRIVATE KEY----- x5c: - MIIE...Uw== - MIIF...vic= - MIIF...AQ== authorisation_registry: host: https://ar.isharetest.net identifier: EU.EORI.NL000000004 token_endpoint: https://ar.isharetest.net/token delegation_endpoint: https://ar.isharetest.net/delegation In this case, configuration is provided through the api-umbrella.yml file.
  • 84. API Management with API Umbrella ■ It support two types of entries: ■ API Backends (this is the one we are interested in) ■ And Website Backends ■ Changes are not automatically applied. Once you have created/updated/deleted the API Backend configuration, you have to publish them.
  • 85. Basic API Backend configuration You can configure a list of backend services. In this case there is only one backend server (http://orion.local:1026). “Frontend Host” is the DNS that will be associated with this API backend (Umbrella can be associated with multiple DNS names). The “Backend Host” setting allows you to pass a different “Host” header to the backend server (usually not required). Also, it is possible to transform path prefixes.
  • 86. Enabling i4Trust support API Umbrella is able to automatically analyse the incoming NGSI-LD request and to determine the necessary policy required for each request. This is achieved by setting the “Authorization Mode” to “Context Broker attribute based - iSHARE compliant (automatically)” in the Global Request Settings section.
  • 87. Context Broker policy example This policy is telling that EU.EORI.NLPACKETDEL is allowing EU.EORI.NLNOCHEAPER to issue GET requests to read DELIVERYORDER entities, including any of their attributes. { "delegationEvidence": { "notBefore": 1541058939, "notOnOrAfter": 2147483647, "policyIssuer": "EU.EORI.NLPACKETDEL", "target": { "accessSubject": "EU.EORI.NLNOCHEAPER" }, "policySets": [ { "maxDelegationDepth": 1, "target": { "environment": { "licenses": ["ISHARE.0001"] } }, "policies": [ { "target": { "resource": { "type": "DELIVERYORDER", "identifiers": ["*"], "attributes": ["*"] }, "actions": ["GET"] }, "rules": [ { "effect": "Permit" } ] } ] } ] } } }
  • 88. Login (step 1) First, generate an iSHARE JWT signed using the JSON Web Signature standard (JWS) > Headers { "alg": "RS256", "typ": "JWT", "x5c": [ // Complete certificate chain of the party "MIIEhjCC….Zy9w==", ... ] } > Payload { "jti": "99ab5bca41bb45b78d242a46f0157b7d", // Unique JWT ID "iss": "EU.EORI.NLMARKETPLA", "sub": "EU.EORI.NLMARKETPLA", "aud": "EU.EORI.NLHAPPYPETS", // ID (EORI) of the IDP to be accessed "iat": "1540827435", "nbf": "1540827435", "exp": "1540827435", // 30 seconds after iat "response_type": "code", "client_id": "EU.EORI.NLMARKETPLA", "scope": "openid iSHARE profile email", "redirect_uri": "https://www.marketplace.com/openid_connect1.0/return", "state": "af0ifjsldkj", "nonce": "c428224ca5a", "acr_values": "urn:http://eidas.europa.eu/LoA/NotNotified/high", "language": "en" }
  • 89. Login (step 2) Make a POST request to the /authorize endpoint, so the target Identity Provider (in this case a Keyrock instance) can validate we are a trusted iSHARE party. The JWT generated in step 1 has to be provided in the request parameter. If everything goes well, a 204 status code will be returned along with a Location header. > Content-Type: application/x-www-form-urlencoded POST https://idp-pdc.i4trust.fiware.io/authorize response_type=code& client_id=EU.EORI.NLMARKETPLA& scope=iSHARE openid& request=eyJ0eXA…YkNKOQ
  • 90. Redirect user’s browser to the URL provided on the Location headers. This way, the user can provide his credentials and consent through the login page of Keyrock. If everything goes well, Keyrock will return an authorization code using the provided redirect URI. Login (step 3) < Location: https://marketplace.i4trust.fiware.io/openid_connect1.0/return? code=Dmn-TbSj7OcKl5ym1j5xZsgkabzVP8dMugC81nzmeW4& state=ZqVQm4zHaEDyBhzpm1ZRH7fsxy703lq2
  • 91. A new request to the /token endpoint of the Identity Provider has to be made to retrieve the final access token. The signed JWT created in step 1 has to be provided in the client_assertion parameter of the request. The authorization code obtained in step 3 is provided within the code parameter. Login (step 4) > Content-Type: application/x-www-form-urlencoded POST https://idp-pdc.i4trust.fiware.io/token grant_type=authorization_code& client_id=EU.EORI.NLMARKETPLA& client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer& client_assertion=eyJ0eXA…YkNKOQ& redirect_uri=https://marketplace.i4trust.fiware.io/openid_connect1.0/return& code=Dmn-TbSj7OcKl5ym1j5xZsgkabzVP8dMugC81nzmeW4
  • 92. Finally, Keyrock will provide an access token that can be used to access services. In addition, an iSHARE JWT compliant id_token is also returned which is associated with the authenticated session. Login (step 5) < Content-Type: application/json < Cache-Control: no-store < Pragma: no-cache { "id_token": "eyJhb...V2jA", "access_token": "aW2ys...LIOw", "expires_in": 3600, "token_type": "Bearer" } Decoded id_token parameter { "iss": "EU.EORI.NLPACKETDEL", "sub": "419404e1-07ce-4d80-9e8a-eca94vde0003de", "aud": "EU.EORI.NLMARKETPLA", "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59", "iat": 1504683445, "exp": 1504683475, "auth_time": 1504683435, "nonce": "c428224ca5a", "acr": "urn:http://eidas.europa.eu/LoA/NotNotified/low", "azp": "EU.EORI.NLMARKETPLA", }
  • 94. Further reading and useful links ■ Official Keyrock Documentation - https://fiware-idm.readthedocs.io/ ■ Tutorials and descriptions on how to setup the components within an i4Trust data space ■ https://github.com/i4Trust/tutorials/tree/main/Data-Service-Provider ■ Example Keyrock Theme - https://github.com/i4Trust/keyrock-theme-pdc ■ Helm Charts (kubernetes) to deploy i4Trust IAM components: ■ https://github.com/FIWARE/helm-charts/tree/i4trust ■ Passport strategy for authentication with FIWARE Keyrock using iShare JWT: ■ https://github.com/Ficodes/passport-i4trust ■ iSHARE framework covering all aspects - https://scheme.ishareworks.org ■ iSHARE developer portal - https://dev.ishareworks.org
  • 95. Thank you! i4Trust has received funding from the European Union’s Horizon 2020 research and innovation programme under the Grant Agreement no 951975.