At HIMSS 2015 Kantara Initiative will focus on the User Managed Access (UMA) initiative with a networking breakfast held on April 15th sponsored by ForgeRock and MedAllies. More information about HIMSS15 and registration. Existing notice-and-consent paradigms of privacy have begun to fail dramatically — and as recent Pew surveys have demonstrated, people have begun to (ahem) notice. The discipline of privacy engineering aspires to “craft”, but finds it hard to break out the “compliance” rut. The User-Managed Access (UMA) standard and the OpenUMA open-source project are stepping into the breach with two essential elements that change the game: asynchronous consent and centralized consent management.

1. Extending the Power of Consent
with User-Managed Access &
OpenUMA
FORGEROCK.COM
Eve Maler
VP Innovation & Emerging Technology
eve.maler@forgerock.com
@xmlgrrl
April 15, 2015
Warren Strange
Director, Sales Engineering
warren.strange@forgerock.com

2. 2
■ Provides strategic vision and real-world innovation
for digital identity transformation
■ Connects business, governments, research, and
education
■ Non-profit founded 2009
■ Open and transparent
■ @KantaraNews to get involved

3. 3
■ Offers the expertise and resources to help
physicians with application and meaningful use of
health information tech collection, secure
transmission and reporting of critical clinical
information

4. 4
Personal data sharing
challenges

5. 5
Some apps are still in the
Web 1.0 dark ages
■ Provisioning
user data by
hand
■ Provisioning it
by value
■ Oversharing
■ Lying!

6. 6
Some other apps are still in
the Web 2.0 dark ages
■ The “password
anti-pattern” – a
third party
impersonates the
user
■ It’s a honeypot for
shared secrets
■ B2B partners are in
the “gray market”

7. 7
Apps using OAuth and OpenID
Connect hint at a better (if not
perfect) way

8. 8
What about selective
party-to-party sharing?

9. 9
Our choices: send a private
URL…
■ Handy but
insecure
■ Unsuitable for
really sensitive
data

10. 10
…or require impersonation…

11. 11
…or
implement a
proprietary
access
management
system

12. 12
Killing – or even wounding – the
password kills impersonation

13. 13
We have tough requirements
for delegated authorization
■ Lightweight for developers
■ Robustly secure
■ Privacy-enhancing
■ Internet-scalable
■ Multi-party
■ Enables end-user convenience

14. 14
The solution space

15. 15
The new “Venn” of access control

16. 16
UMA in a nutshell
■ It’s a protocol for lightweight access control
■ It’s a profile and application of OAuth2
■ It’s a set of authorization, privacy, and consent APIs
■ It’s a Kantara Initiative Work Group
■ It’s two V1.0 Recommendations (standards)
■ It’s not an “XACML killer”
■ Founder, chair, and “chief UMAnitarian”:

17. 17
JWT
UMA standardization in context
Protect
Serve
UMA
Core,
OAuth
Resource
Set
Registra:on
OAuth
1.0,
1.0a
WRAP
OpenID
AB/Connect
Open
ID
OAuth
2.0
08
09
10
11
13
12
14
15
Dynamic
Client
Reg
(from
UMA/OIDC
contribu5ons)
OpenID
Connect
V1.0
completed;
interop
tes:ng
under
way;
trust
framework
efforts
beginning

18. 18
UMA-enabled systems can
respect policies such as…
Only let my tax preparer with ID
TP1234@gmail.com and using client
app TaxThis access my bank account
data if they have authenticated
strongly, and not after tax season is
over.
Let my health aggregation app, my
doctor’s office client app, and the
client for my husband’s employer’s
insurance plan get access to my
wifi-enabled scale API and my
fitness wearable API to read the
results they generate.
When a person driving a vehicle with an
unknown ID comes into contact with
my Solar Freakin’ Driveway, alert me
and require my access approval.

19. 19
UMA brings Privacy by Design to
loosely coupled services
I want to share this stuff
selectively
• Among my own apps
• With family and friends
• With organizations
I want to protect this stuff
from being seen by everyone
in the world
I want to control access
proactively, not just feel forced
to consent over and over

20. 20
Subject
or
UMA Binding Obligations
■ Distributed authorization across domains? Scary!
■ This spec contains legalese so parties operating and using
software entities (and devices) can distribute rights and
obligations fairly
■ Trust frameworks = Access federations
Individual!
Non-
person
entity
Authorizing Party
Requesting Party
Resource Server Operator
Client Operator
Requesting Party Agent
Authorization Server
Operator
New obligations
(and rights) tend to
appear at important
protocol “state
changes”

21. 21
HEART in a nutshell
■ It’s for patient-centric RESTful health data sharing
■ It’s international, but spurred by HHS ONC and VA
■ It’s primarily about “profiling the Venn”
■ It’s an OpenID Foundation Working Group
■ Its security profiles are interesting outside health
■ Its semantic profiles will be FHIR-specific
■ Co-chairs:

22. 22
Plan and “decision tree” for HEART
profiles
■ Health project or not, A is probably valuable!
■ Using FHIR API? Then X (and, if C, then Y).
■ Need single sign-on? Then B.
■ Need strong client app authentication? Then probably B.
■ Users absent at resource access time? Then C.
■ Valuable to centralize API scope management? Then probably C.
Security and interop
Semantics

23. 23
What is OpenUMA?

24. 24
What about the user
experience?
Introducing the world-premiere demonstration of
ForgeRock’s OpenUMA for RESTful patient-centric
health data sharing use cases

25. 25
Dramatis personae
■ Individual
■ Graduate of Unseen University
■ (Nurse in real life)
■ New patient of Dr. Bob’s BlueHealth
practice, with heart troubles
■ Doctor
Alice
Dr. Bob

26. 26
The identity and attribute
perspective
“The” user
Unseen University’s identity
and attribute provider
BlueHealth’s portal that
accepts UProtect logins and
attributes as a relying party
Alice
Register, log in
(federated), consent to
sharing attributes
HappyHeart’s app for viewing
and managing ICD data that
accepts UProtect logins as a
relying party

27. 27
The data sharing perspective
Alice
Dr. Bob
Alice
These outsource
protection to the
UProtect AS
These consume data/
access on behalf of
requesting parties, as
allowed by Aliceother clients

28. 28
About ForgeRock

29. 29
Identity as an enabler of
business critical value
and top-line revenue.
Seamless experience
across users, devices
and “things.”
Enables customer-focused
services that extend reach to
new, untapped populations.
Your IRM foundation is what gives you an edge
over competitors and enables rapid time to market.
Identity Relationship Management

30. 30
COMMON API FOR ALL IDENTITY SERVICES
Line of business 1 Line of business 2 Line of business 3
SINGLE CUSTOMER VIEW
SINGLE CUSTOMER VIEW
Identity Relationship Management Platform

31. 31
Products
surrounding
the “CREST
API”

32. 32
ForgeRock IRM success…

33. Thank you!
FORGEROCK.COM
Eve Maler
VP Innovation & Emerging Technology
eve.maler@forgerock.com
@xmlgrrl

34. 34
Appendix:
Gory UMA details

35. 35
Authorization services
architecture for low-scale
environments
Application
(Requesting client)
PEP
(Policy Enforcement Point)
PDP
(Policy Decision Point)
PAP
(Policy Administration Point)
Authorization
Policies
Request authorization
Permit, Deny
NotApplicable
Indeterminate
Centralized
Policy Enforcement
Receives Decision
Monolithic
resource
owner
Enforcement
points
mediate
all
interac:ons
Decisions
are
fine-­‐grained
but
“cooked
down”
No
automated
mechanism
for
onboarding
partners
PIP
(Policy Information Point)

36. 36
Why an OAuth-based
architecture instead?

37. 37
“User-centric, constrained,
delegated, RESTful WS-
Security” J
It’s about more than “eliminating the password anti-pattern”
■ Gets client apps out of the business of storing passwords
■ “Teaches” clients to rotate secrets
■ Friendly to authentication methods and user devices
■ Allows per-client tracking and revocation
■ Allows for scoped access
■ Captures user consent
■ Lowers development cost
■ Generative for a wider variety of design patterns

38. 38
Some interesting properties of this
authorization services architecture
that contribute to higher scale
Application
(Requesting client)
Cloud/On-prem
Authorization Server
Policy
Administration
(Scope/Consent
Administration Point)
Resource Server
Scopes
Consents
Authorization
Server
“Consent” to release
Protect requested Scope
Entitlements returned
Tokens
Consent
Local entitlement
enforcement
Requesting party Resource Owner
Attributes
Entitlements
Resource
Server
Resource
Administration
Registration
Manage
Consent
Manage
Resource
owner
is
prepared
to
be
an
individual
Decision
point
hands
out
en:tlements…
…directly
to
client
apps

39. 39
UMA is about interoperable,
RESTful authorization-as-a-service
Has standardized APIs
for privacy and
“selective sharing”
Outsources protection to
a centralizable
authorization server
“authz
provider”
(AzP)
“authz
relying
party”
(AzRP)
identity
provider
(IdP)
SSO
relying
party
(RP)

40. 40
Under the hood, it’s “OAuth++”
Loosely coupled to enable
an AS to onboard multiple
RS’s, residing in any security
domains
This concept is new, to enable
party-to-party sharing driven by
RO policy vs. run-time consent

41. 41
The RS exposes whatever value-add
API it wants, protected by an AS
The RPT is the main
“access token” and (by
default – it’s profilable) is
associated with time-limited,
scoped permissions
The RPT is a tuple of these
four entities; it may
potentially span ROs
because it’s centered on the
RqP’s extent of
authorization

42. 42
Comparing plain OAuth
access tokens to UMA RPTs
■ OAuth access tokens:
– Profilable; no standardized form on
the wire, though a signed JWT is
sometimes used
– Token introspection at runtime is
getting standardized; a JWT gets
returned
■ UMA RPTs:
– Profilable; default form on the wire
(“bearer”) is opaque and required
to be introspected at runtime using
the draft standard
– What’s returned is an enhanced
JWT with a new “permissions”
claim that binds scopes to named
resource sets
– These are machine-readable,
scope-grained, dynamic consent
directives – entitlements – that an
RS must act on

43. 43
The AS exposes an UMA-standardized
protection API to the RS
• Resource registration endpoint
• Permission registration endpoint
• Token introspection endpoint
The PAT (OAuth token)
protects the API and binds
the RO, RS, and AS

44. 44
The AS exposes an UMA-standardized
authorization API to the client
• RPT endpoint
The AAT (OAuth token)
protects the API and binds
the RqP, client, and AS
The client may be told:
“need_info”, necessitating
trust elevation for
authentication or CBAC (or,
through extension, ABAC)

45. 45
These are embedded OAuth flows to
protect UMA-standard security APIs
■ The “PAT” and “AAT” are our names for plain old
OAuth tokens – representing important UMA
concepts!
– Alice’s consent to federate authorization
– Bob’s consent to share claims to win access
■ Many “binding obligations” will hinge on their
issuance

46. 46
The significance of resource
set registration
■ The AS is authoritative for Alice’s policy
■ But the RS is authoritative for what its API can do –
its “verbs” and “objects”, and what Alice has created
there
■ Resource set registration allows the RS to remain
authoritative in this fashion, and allows RS:AS to be
an n:m relationship

47. 47
The AS can elevate requesting party
trust to assess policy
A “claims-aware” client can
proactively push an OpenID
Connect ID token, a SAML
assertion, a SCIM record, or
other available user data to the
AS per the access federation’s
trust framework
A “claims-unaware” client can, at
minimum, redirect the
requesting party to the AS to log
in, press an “I Agree” button, fill
in a form, follow a NASCAR for
federated login, etc.
If the AAT was minted with too-
weak authentication, the AS can
request step-up for it as well

48. 48
The significance of trust
elevation and claims gathering
■ Informing a requesting party that a resource is
available for them to attempt to access (e.g.
through email) is not a “magic entitlement”
■ This area of the UMA protocol has variability and
requires profiling and ecosystem agreement
■ True “upstream” step-up authentication is possible,
ensuring the entire chain is high-assurance

49. 49
Authorization services
architecture for high-scale
environments
Application
(Requesting client)
Cloud/On-prem
Authorization Server
Policy
Administration
(Scope/Consent
Administration Point)
Resource Server
Scopes
Consents
Authorization
Server
“Consent” to release
Protect requested Scope
Entitlements returned
Tokens
Consent
Local entitlement
enforcement
Requesting party Resource Owner
Attributes
Entitlements
Resource
Server
Resource
Administration
Registration
Manage
Consent
Manage
“Virtualized”
resource
owner
op:ons
Decision
point
hands
out
en:tlements…
…directly
to
client
apps
RS
is
authorita:ve
for
protected
objects
and
scopes
(verbs);
AS
maps
to
subjects

51. 51
UMA enables business logic
centralization, even for “classic”
access management
■ Company X contracts with
SaaS1.com
■ Employees SSO in from web or
native app, passing in role/group
attributes
■ Company X’s policies at SaaS1
govern what features users can
access
■ Company Y does the same at
SaaS1, etc.
■ Company X does the same at
SaaS2, etc.
■ Company X runs an UMA AS
■ SaaS1’s UMA RS onboards to that
AS and respects UMA tokens issued
by it, containing entitlements based
on Company X’s policies
■ Company X’s keeps central policies
for SaaS1, SaaS2, etc.
(authoritative “AzP” respected by
each “AzRP”)
■ Company Y keeps central policies
for SaaS1, SaaS2, etc. (a different
authoritative “AzP” respected by
each “AzRP”)
Business SaaS SSO today: Central authz tomorrow:

52. 52
Appendix:
IoT implications of UMA

53. 53
Analysis against ACE use
cases: many strong matches
þ Owner grants different resource access
rights to different parties
• U1.1, U2.3, U.3.2
þ Owner grants different access rights for
different resources on a device (including
read, write, admin)
• U1.3, U4.4, U5.2
þ Owner not always present at time of access
• U1.6, U5.5
þ Owner grants temporary access
permissions to a party
• U1.7
þ Owner applies verifiable context-based
conditions to authorizations
• U2.4, U4.5, U6.3
þ Owner grants temporary access
permissions to a party
• U1.7
þ Owner preconfigures access rights to
specific data
• U3.1, U6.3
þ Owner adds a new device under protection
• U4.1
þ Owner puts a previously owned device
under protection
• U4.2
þ Owner removes a device from protection
• U4.3
þ Owner preconfigures access rights to
specific data
• U3.1
þ Owner revokes permissions
• U4.6
þ Owner grants access only to authentic,
authorized clients
• U7.1, U7.2

54. 54
Profiling and extensibility
enable efficiencies and non-
HTTP bindings
■ Protection API extensibility profile for AS-RS interactions
■ Authorization API extensibility profile: for AS-client interactions
■ Resource interface extensibility profile for RS-client interactions
– E.g., to replace HTTP/TLS with CoAP/DTLS
■ RPT profiling
– E.g., to enable disconnected token introspection
■ JSON extensibility all over the place
– E.g., to enable experimentation and escape hatches
■ Claim token format profiling
– E.g., to enable a variety of deployment-specific trust frameworks