Extending UMA Protocol to support Trusted Claims (tClaims)

Newcastle University

Domenico Catalano and the Smart Team

13th July, 2011, V.3

Wednesday, July 13, 2011
Who I am

• Domenico Catalano
• Senior Sales Consultant @Oracle Italy + Sun
• Identity & Security Architect
• Leadership team member (UX) @Kantara UMA WG
Agenda

• UMA Conceptual model
• tClaims Requirements Analysis
• OpenID Connect
• UMA/OpenID Connect Integration approach
• User Interaction
• Trust Model consideration
• Q&A
UMA Conceptual Model

[Diagram. UMA Domain: the Authorizing User controls the UMA AM (the policy decision point) and manages the Host; the AM protects the Protected Resource held by the Host. External Domain: the Requesting Party's Requester accesses the Protected Resource on the Host, and the AM authorizes the Requesting Party.]
UMA Trusted Claims

• The UMA Trusted Claims approach is designed to support Claims-based Access Control.

• In Claims-based Access Control, the decision to grant access to a protected resource is made on the basis of the Subject's information, such as name, age, email address, role, location or credit score.
tClaims example scenarios

• Enterprise class scenario
  ‣ Accessing Personal Loan Special Program

• Social/web class scenario
  ‣ Sharing photo with “bob@gmail.com”
Accessing Personal Loan special program
Enterprise Class Scenario

• A bank's online service uses User-Managed Claims-based access control to restrict and personalize access to a special program or service (e.g. a personal loan with a low interest rate) to users who have a particular kind of employment (e.g. government employee) and a high credit score.
[Screenshot: Alice at the Bank site, requesting access to a restricted service, a UMA protected resource. The mock “Bank of Future” online banking page reads: “Welcome aalice. Access to Loyalty Program. You have selected a protected resource to access special loyalty program for US Government Employee: Personal Loan with low interest rate (2%). Select your UMA Authorization Manager to provide trusted Claims to grant access to this resource.” The Authorization Manager offered for selection is CopMonkey AM.]
Sharing Photo with “bob@gmail.com”
Social/web Class Scenario

• Alice wants to share a photo gallery with Bob if Bob has the account email “bob@gmail.com” and he is 18 years old.
[Screenshot: Alice defines a claims-based authorization policy using the In-App widget.]
Requirements Analysis

• The Authorizing User (Resource Owner) needs claims-based access control to restrict access to their own resources based on the Requesting Party's identity attributes.

• Identity attributes must be issued by a Trusted Third Party (TTP) and be verifiable by a Claims Requester.

• Claims may be logically aggregated to provide a collection of attributes from different Attribute Providers (Claims Hosts).
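The three requirements above (claims issued by a Trusted Third Party, verifiable by the Claims Requester, and aggregable across Claims Hosts) come together in the following Python sketch. It is an added example, not code from the slides or from any UMA or OpenID Connect implementation: the issuer names, keys, claim values and the credit-score threshold are constructed, an HMAC-SHA256 tag stands in for the JWS signature a real provider would produce (so the verifier holds a per-issuer key instead of a public key), and the photo scenario's age condition is taken as "at least 18". It shows the Authorization Manager rejecting assertions from untrusted issuers and tampered or expired assertions, merging the surviving claims with the issuer that vouched for each, and only then evaluating the claims-based policy.

```python
"""Trusted-claims verification, aggregation and policy evaluation (added example)."""
import hashlib
import hmac
import json
import time

# Trusted Third Parties the Authorization Manager accepts claims from (constructed).
# A real deployment would hold the issuers' public keys; shared secrets keep the
# example self-contained.
TRUSTED_ISSUERS = {
    "https://idp.example": b"idp-shared-secret",
    "https://credit-bureau.example": b"bureau-shared-secret",
}


def _canonical(payload):
    """Deterministic byte form of the payload so issuer and verifier sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_claims(issuer, key, subject, claims, ttl=300, now=None):
    """Issuer side: a signed assertion of `claims` about `subject`, valid for `ttl` seconds."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "iat": int(now),
               "exp": int(now) + ttl, "claims": claims}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_assertion(assertion, now=None):
    """Claims Requester side: trusted issuer, valid tag, not expired. Returns (ok, reason)."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False, "bad signature"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def aggregate_claims(assertions, subject, now=None):
    """Merge verified claims about `subject` from several Claims Hosts.
    Each value is paired with its issuer; rejected assertions contribute nothing."""
    merged, rejected = {}, []
    for a in assertions:
        ok, reason = verify_assertion(a, now)
        if not ok:
            rejected.append((a.get("payload", {}).get("iss"), reason))
            continue
        if a["payload"]["sub"] != subject:
            rejected.append((a["payload"]["iss"], "subject mismatch"))
            continue
        for name, value in a["payload"]["claims"].items():
            merged[name] = (value, a["payload"]["iss"])
    return merged, rejected


OPERATORS = {"eq": lambda a, b: a == b, "ge": lambda a, b: a >= b, "in": lambda a, b: a in b}


def evaluate_policy(policy, claims):
    """Claims-based access decision: every rule must be met by a verified claim.
    Returns (granted, unmet_rules)."""
    unmet = [(name, op, wanted) for name, op, wanted in policy
             if name not in claims or not OPERATORS[op](claims[name][0], wanted)]
    return not unmet, unmet


# Alice's photo-sharing rule and the bank's loan rule (threshold 700 is constructed).
PHOTO_POLICY = [("email", "eq", "bob@gmail.com"), ("age", "ge", 18)]
LOAN_POLICY = [("employment", "eq", "government"), ("credit_score", "ge", 700)]


def decide(policy, assertions, subject, now=None):
    """What the AM's policy decision point returns for one access attempt."""
    claims, rejected = aggregate_claims(assertions, subject, now)
    granted, unmet = evaluate_policy(policy, claims)
    return {"granted": granted, "unmet": unmet, "rejected": rejected}


if __name__ == "__main__":
    t = 1_700_000_000
    bob = issue_claims("https://idp.example", TRUSTED_ISSUERS["https://idp.example"],
                       "bob", {"email": "bob@gmail.com", "age": 19}, now=t)
    print(decide(PHOTO_POLICY, [bob], "bob", now=t + 10))
```

The point of keeping the issuer next to each merged value is that a policy can later be tightened to require a specific issuer for a specific claim (credit score from the bureau, not from a social IdP) without changing the verification step.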
OpenID Connect

• OpenID Connect provides authentication, authorization and attribute transmission capability. It allows third-party attested claims from distributed sources.

• This specification is largely compliant with OAuth 2.0 draft 15.

  OpenID Connect Core 1.0 - draft 04
OpenID Connect protocol overview

• In the abstract, the OpenID Connect protocol proceeds in the following steps:
  1. The Client sends a request to the Server's End-User Authorization Endpoint.
  2. The Server authenticates the user and obtains appropriate authorization.
  3. The Server responds with an access_token and a few other variables.
  4. The Client sends a request with the access_token to the Userinfo Endpoint.
  5. The Userinfo Endpoint returns the additional user information supported by the Server.
UMA Conceptual Model

[Diagram: the UMA Conceptual Model shown earlier, repeated unchanged as the starting point for the tClaims extension.]
UMA Conceptual Model with tClaims

[Diagram. The UMA AM (policy decision point) now embeds a Claims Client, which talks to an OpenID Connect AS and a UserInfo EndPoint in the OpenID Domain, where the Requesting Party has an SSO session: 1. Request (Claims Client to OpenID Connect AS); 2. AuthN/AuthZ (AS with the Requesting Party); 3. Access_token (AS to Claims Client); 4. Request Userinfo (Claims Client to UserInfo EndPoint, which the AS protects); 5. Userinfo (claims returned to the Claims Client). The UMA Domain is unchanged: the Authorizing User controls the AM and manages the Host, the AM protects the Protected Resource and authorizes the Requesting Party, and the Requester accesses the Protected Resource on the Host.]
UMA/OpenID Connect Integration approach

[Diagram. The UMA Authorization Manager acts as an OpenID RP and hosts the Claims Client; the OpenID Identity Provider hosts the AuthZ Server and the UserInfo EndPoint, which plays the Claims Provider, i.e. a Protected Resource. The Requesting Party has SSO to the Authorization Manager and performs AuthN/AuthZ at the OpenID Identity Provider over OpenID Connect.]
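The five protocol steps listed earlier, with the UMA Authorization Manager in the role of the Claims Client (OpenID RP) as in the integration diagram above, as an added Python walk-through; it is not code from the slides or from any OpenID Connect implementation. Endpoint names follow the slides; the client id, client secret, redirect URI, user credentials, the "age" scope and all claim values are constructed for the example, and the browser redirects of steps 1 and 2 are modelled as direct calls. The checks a server would perform (registered redirect_uri, single-use authorization code, client authentication at the token step, scope-bounded UserInfo) and the state check on the client side are included, so the example shows at which step each failure surfaces.

```python
"""OpenID Connect steps 1 to 5 with the UMA AM as Claims Client (added example)."""
import secrets
import time


class OpenIDConnectServer:
    """IdP side: End-User Authorization Endpoint, token issuance, UserInfo Endpoint."""

    def __init__(self):
        # Registered clients: client_id -> (secret, registered redirect_uri)  (constructed)
        self.clients = {"copmonkey-am": ("am-client-secret", "https://am.example/oidc/cb")}
        # Users the IdP can authenticate and the claims it attests about them  (constructed)
        self.users = {"bob": {"password": "bob-pw", "email": "bob@gmail.com", "age": 19}}
        self.codes = {}   # code -> (client_id, user, scope, redirect_uri, expiry)
        self.tokens = {}  # access_token -> (user, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, state, username, password, consent):
        """Steps 1 and 2: the Client's request arrives; the Server authenticates the
        End-User and obtains authorization for `scope`."""
        _, registered_uri = self.clients.get(client_id, (None, None))
        if registered_uri is None or redirect_uri != registered_uri:
            return {"error": "invalid_client"}      # never redirect to an unregistered URI
        user = self.users.get(username)
        if user is None or user["password"] != password or not consent:
            return {"error": "access_denied"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, tuple(scope), redirect_uri, time.time() + 60)
        return {"code": code, "state": state}       # state echoed back for the Client to check

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 3: the Server responds with an access_token and a few other variables."""
        secret, _ = self.clients.get(client_id, (None, None))
        entry = self.codes.pop(code, None)          # authorization codes are single use
        if secret is None or client_secret != secret or entry is None:
            return {"error": "invalid_grant"}
        c_id, user, scope, uri, exp = entry
        if c_id != client_id or uri != redirect_uri or exp < time.time():
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (user, scope, time.time() + 300)
        return {"access_token": tok, "token_type": "bearer", "expires_in": 300}

    def userinfo(self, bearer):
        """Steps 4 and 5: the Client presents the access_token; UserInfo returns only
        the claims covered by the granted scope."""
        entry = self.tokens.get(bearer)
        if entry is None or entry[2] < time.time():
            return {"error": "invalid_token"}
        user, scope, _ = entry
        profile = self.users[user]
        info = {"sub": user}
        if "email" in scope:
            info["email"] = profile["email"]
        if "age" in scope:                          # "age" scope is constructed for this example
            info["age"] = profile["age"]
        return info


class ClaimsClient:
    """The Claims Client inside the UMA Authorization Manager (the OpenID RP)."""

    def __init__(self, server):
        self.server = server
        self.client_id, self.secret = "copmonkey-am", "am-client-secret"
        self.redirect_uri = "https://am.example/oidc/cb"

    def fetch_claims(self, scope, username, password, consent=True):
        """Run steps 1 to 5 and return (claims, status)."""
        state = secrets.token_urlsafe(8)
        resp = self.server.authorize(self.client_id, self.redirect_uri, scope, state,
                                     username, password, consent)
        if "error" in resp:
            return None, resp["error"]
        if resp["state"] != state:                  # CSRF guard on the callback
            return None, "state_mismatch"
        tok = self.server.token(self.client_id, self.secret, resp["code"], self.redirect_uri)
        if "error" in tok:
            return None, tok["error"]
        info = self.server.userinfo(tok["access_token"])
        if "error" in info:
            return None, info["error"]
        return info, "ok"


def requester_meets_policy(claims):
    """Alice's sharing rule from the slides: email bob@gmail.com and age 18 (taken as at least 18)."""
    return (claims is not None and claims.get("email") == "bob@gmail.com"
            and claims.get("age", 0) >= 18)


def run_scenario(username="bob", password="bob-pw", scope=("openid", "email", "age"), consent=True):
    """Bob is redirected to the AM, the AM fetches his claims over OpenID Connect, then decides."""
    server = OpenIDConnectServer()
    claims, status = ClaimsClient(server).fetch_claims(scope, username, password, consent)
    return {"status": status, "claims": claims, "granted": requester_meets_policy(claims)}


if __name__ == "__main__":
    print(run_scenario())
```

Note what the scope-bounded UserInfo does to the decision: if Bob consents to "openid email" only, the AM never sees an age claim and the policy fails closed rather than assuming a value, which is the behaviour the Authorizing User's policy should get by default.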
User eXperience
Scenario

• Sharing Photo with “bob@gmail.com”
  ‣ Host In-App Fast Sharing settings.
  ‣ Requesting Party requests direct access to the Protected Resource.
  ‣ OpenID Connect interaction.
[Screenshot: Alice at the Host site. The Protected Resource is protected by CopMonkey AM; the In-App Fast AuthZ Settings widget is used for sharing.]
[Screenshot: Alice defines a claims-based authorization policy using the In-App widget.]
[Screenshot: the Protected Resource is ready for sharing under the authZ policy.]
[Screenshot: Alice shares the Protected Resource through twitter. The mock “Photo4Sharing” online photo service shows the Photo View “Places > Venice > Bridge” and a Resource Sharing panel: “Photo4Sharing: Places:Venice:Bridge at http://photo4sharing.com/AB112FFD”, marked as a CopMonkey Protected Resource with CopMonkey In-App Claim-based authorization, URL photo4sharing.com/AB112FFD, and a Share button that posts the link to twitter.]
[Screenshot: Bob attempts to access the protected resource. Bob is redirected to the AM to convey claims.]
[Screenshot: CopMonkey authenticates Bob through OpenID, in order to initialize the OpenID Connect protocol.]
[Screenshot: Bob is redirected to the IdP's authorization service to grant claims.]
[Screenshot: Bob gets access to the protected resource.]
Trust Model Consideration
Bootstrapping Trust

[Diagram with three trust-bootstrapping variants.
A. Self-Registration: the Subject self-registers at the UMA AM and at the Host; the Host is introduced to the AM (Host Introduction).
B. Affiliate or SSO: the Subject authenticates (AuthN) at an IdP; the UMA AM and the Host are registered as affiliates of that IdP (Affiliate Registration); Host Introduction as in A.
C. Affiliate or SSO with Trusted Framework: as in B, with a Claims Provider alongside the IdP; both carry an LoA Certification from a Trusted Framework Provider (TFP), and the UMA AM relies on that Trusted Framework.]
Thanks
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

UMA Trusted Claims

  • 1. Extending UMA Protocol to support Trusted Claims (tClaims) Newcastle University Domenico Catalano and the Smart Team 13th July, 2011 1 V.3 Wednesday, July 13, 2011
  • 2. Who I am
    • Domenico Catalano
    • Senior Sales Consultant @Oracle Italy + Sun
    • Identity & Security Architect
    • Leadership team member (UX) @Kantara UMA WG
  • 3. Agenda
    • UMA Conceptual model
    • tClaims Requirements Analysis
    • OpenID Connect
    • UMA/OpenID Connect Integration approach
    • User Interaction
    • Trust Model consideration
    • Q&A
  • 4. UMA Conceptual Model (diagram: the Authorizing User controls the UMA AM, the policy decision point, and manages the Host; the AM protects the Host's Protected Resource and authorizes the Requester, through which the Requesting Party in the External Domain accesses the resource in the UMA Domain)
  • 5. UMA Trusted Claims
    • The UMA Trusted Claims approach is designed to support Claims-based Access Control.
    • In Claims-based Access Control, the decision to grant access to a protected resource is made based on the Subject's information, such as name, age, email address, role, location, or credit score. (figure: Claims vs. Trusted Claims)
  • 6. tClaims example scenarios
    • Enterprise class scenario
      ‣ Accessing Personal Loan Special Program
    • Social/web class scenario
      ‣ Sharing photo with "bob@gmail.com"
  • 7. Accessing Personal Loan special program (Enterprise Class Scenario)
    • The bank's online service provides User-Managed Claims access control to restrict and personalize access to a special program/service (i.e. a personal loan with a low interest rate) to users who have a particular kind of employment (i.e. government employee) and a high credit score.
  • 8. Alice at the Bank site requesting access to a restricted service (screenshot of "Bank of Future 10.0 online Banking", an UMA protected resource: "Access to Loyalty Program. You have selected a protected resource to access special loyalty program for US Government Employee: Personal Loan with low interest rate (2%). Select your UMA Authorization Manager to provide trusted Claims to grant access to this resource." CopMonkey AM)
  • 9. Sharing Photo with "bob@gmail.com" (Social/web Class Scenario)
    • Alice wants to share a photo gallery with Bob if Bob has the account email "bob@gmail.com" and he is 18 years old.
  • 10. Alice defines a claims-based authorization policy using the In-App widget
  • 11. Requirements Analysis
    • The Authorizing User (Resource Owner) needs claims-based access control to restrict access to their own resources based on the Requesting Party's identity attributes.
    • Identity attributes must be issued by a Trusted Third Party (TTP) and be verifiable by a Claims Requester.
    • Claims may be logically aggregated to provide a collection of attributes from different Attribute Providers (Claims Hosts).
  • 12. OpenID Connect
    • OpenID Connect provides authentication, authorization, and attribute transmission capability. It allows third-party attested claims from distributed sources.
    • This specification is largely compliant with OAuth 2.0 draft 15. (OpenID Connect Core 1.0 - draft 04)
  • 13. OpenID Connect protocol overview
    • In the abstract, the OpenID Connect protocol follows these steps:
      1. The Client sends a request to the Server's End-User Authorization Endpoint.
      2. The Server authenticates the user and obtains appropriate authorization.
      3. The Server responds with an access_token and a few other variables.
      4. The Client sends a request with the access_token to the Userinfo Endpoint.
      5. The Userinfo Endpoint returns the additional user information supported by the Server.
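The five abstract steps above, walked through as an added example that is not code from the deck or from the OpenID Connect draft: a constructed in-memory Server exposes the End-User Authorization and Userinfo endpoints, and the Client (in this integration, the UMA AM collecting claims about Bob) plays its side. The client_id, redirect URI, user record, credential check and scope names are constructed assumptions, and the redirect-based browser flow is collapsed into direct calls.

```python
import secrets
import time

# Constructed in-memory OpenID Connect "Server": one registered Client and one End-User.
# Added example; not the deck's code and not a conformant implementation of the draft.
USERS = {"bob": {"password": "pw", "email": "bob@gmail.com", "age": 20}}   # constructed
CLIENTS = {"uma-am": "https://am.example/callback"}   # client_id -> registered redirect_uri
ACTIVE_TOKENS = {}                                    # access_token -> (sub, scopes, expiry)

def authorization_endpoint(client_id, redirect_uri, scope, username, password, consent):
    """Steps 1-3: receive the Client's request, authenticate the End-User, obtain
    authorization, and answer with an access_token (abstract flow, no redirects)."""
    if CLIENTS.get(client_id) != redirect_uri:
        return {"error": "invalid_client"}            # unknown client or redirect_uri
    user = USERS.get(username)
    if user is None or user["password"] != password or not consent:
        return {"error": "access_denied"}             # authentication or authorization failed
    token = secrets.token_urlsafe(24)
    ACTIVE_TOKENS[token] = (username, set(scope.split()), time.time() + 600)
    return {"access_token": token, "token_type": "bearer", "expires_in": 600}

def userinfo_endpoint(access_token):
    """Step 5: release the End-User's attributes only for a live bearer token,
    and only the attributes its scope covers."""
    entry = ACTIVE_TOKENS.get(access_token)
    if entry is None or entry[2] < time.time():
        return {"error": "invalid_token"}             # never issued, revoked or expired
    sub, scopes, _ = entry
    info = {"sub": sub}
    if "email" in scopes:
        info["email"] = USERS[sub]["email"]
    if "profile" in scopes:
        info["age"] = USERS[sub]["age"]
    return info

def client_fetch_claims(username, password, scope="openid email profile", consent=True):
    """Client side: step 1 (send the request) and step 4 (call Userinfo with the token).
    In the UMA integration this Client is the AM collecting claims about Bob."""
    resp = authorization_endpoint("uma-am", "https://am.example/callback",
                                  scope, username, password, consent)
    if "error" in resp:
        return resp
    return userinfo_endpoint(resp["access_token"])
```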
  • 14. UMA Conceptual Model (repeat of the slide 4 diagram)
  • 15. UMA Conceptual Model with tClaims (diagram: the UMA AM, the policy decision point, acts as OpenID Connect Client toward the Claims AS in the OpenID Domain: 1. Request; 2. AuthN/AuthZ, with SSO for the Requesting Party; 3. Access_token; 4. Request Userinfo; 5. Userinfo from the UserInfo EndPoint. As on slide 4, the Authorizing User controls the AM and manages the Host, the AM protects the Protected Resource and authorizes the Requester, and the Requester accesses the resource)
  • 16. UMA/OpenID Connect Integration approach (diagram of roles: the Claims Provider exposes the UserInfo EndPoint as a Claims Protected Resource; the UMA Authorization Manager acts as OpenID Connect Client / OpenID RP; the Claims AuthZ Server is the OpenID Identity Provider, which handles SSO, AuthN and AuthZ for the Requesting Party)
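How the AM side of this integration can consume what the UserInfo EndPoint hands back, as an added example not taken from the deck: it serves both the requirements slide (claims issued by a TTP, verifiable by the Claims Requester, aggregated from several Attribute Providers) and the integration slide above. The Claims Providers issue claim bundles, the AM verifies and aggregates them, drops anything from an unregistered or tampered issuer, and evaluates Alice's "bob@gmail.com and 18 years old" policy. Provider names and keys are constructed, and an HMAC tag over a JSON payload stands in for the signed tokens a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed registry of Claims Providers this AM trusts (the TTPs of the requirements
# slide). Shared secrets are an assumption; real deployments verify signed tokens.
TRUSTED_PROVIDERS = {
    "https://idp.example": b"idp-secret",   # authenticates Bob and asserts his email
    "https://age.example": b"age-secret",   # separate Attribute Provider asserting age
}

def issue_claims(issuer, key, claims):
    """Claims Provider side: a UserInfo-style bundle plus a tag the AM can verify."""
    payload = json.dumps({"iss": issuer, **claims}, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify_bundle(bundle):
    """AM side: accept a bundle only if its issuer is registered and the tag checks out."""
    claims = json.loads(bundle["payload"])
    key = TRUSTED_PROVIDERS.get(claims.get("iss"))
    if key is None:
        return None                                   # unknown issuer: not a trusted claim
    expected = hmac.new(key, bundle["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        return None                                   # tampered or forged bundle
    return claims

def aggregate_claims(bundles):
    """Logically aggregate verified claims from several providers; the first trusted
    assertion of an attribute wins and unverifiable bundles contribute nothing."""
    merged = {}
    for bundle in bundles:
        claims = verify_bundle(bundle)
        if claims is None:
            continue
        for name, value in claims.items():
            if name != "iss":
                merged.setdefault(name, value)
    return merged

def policy_allows(claims):
    """Alice's In-App policy from the sharing scenario: Bob's email and at least 18."""
    return claims.get("email") == "bob@gmail.com" and claims.get("age", 0) >= 18

def decide(bundles):
    """Full AM decision: verify, aggregate, then evaluate the claims-based policy."""
    return policy_allows(aggregate_claims(bundles))
```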
  • 17. User eXperience
  • 18. Scenario
    • Sharing Photo with "bob@gmail.com"
      ‣ Host In-App Fast Sharing settings.
      ‣ Requesting Party requests direct access to the Protected Resource.
      ‣ OpenID Connect interaction.
  • 19. Alice at the Host site: Protected Resource by CopMonkey AM, in-App Fast AuthZ Settings for sharing
  • 20. Alice defines a claims-based authorization policy using the In-App widget
  • 21. The Protected Resource is ready for sharing under the authZ policy
  • 22. Alice shares the Protected Resource through twitter (screenshot of "Photo4Sharing 10.0 online photo Service": Photo Gallery > Places > Venice > Bridge, CopMonkey Protected Resource http://photo4sharing.com/AB112FFD with CopMonkey In-App Claim-based authorization; the tweet carries the link photo4sharing.com/AB112FFD)
  • 23. Bob attempts to access the protected resource. Bob is redirected to the AM to convey claims
  • 24. CopMonkey authenticates Bob through OpenID, in order to initialize the OpenID Connect protocol
  • 25. Bob is redirected to the IdP's authorization service to grant claims.
  • 26. Bob gets access to the protected resource
  • 27. Trust Model Consideration: Bootstrapping Trust (diagram with three columns, each showing how the Subject, the Claims Provider / AuthN IdP, the UMA AM and the Host come to trust each other)
    ‣ A. Self-Registration: the Subject self-registers with the Claims Provider; the UMA AM self-registers; Host introduction.
    ‣ B. Affiliate or SSO: Affiliate Registration of the Subject and of the UMA AM with the AuthN IdP; Host introduction.
    ‣ C. Affiliate or SSO with Trusted Framework: Affiliate Registration plus LoA Certification under a Trusted Framework Provider (TFP); Host introduction.
  • 28. Thanks