This document provides an overview of entitlement management and identity management concepts. It discusses different access control models like access control lists, role-based access control, attribute-based access control and policy-based access control using XACML. The presenter Chamath Gunawardana is a technical lead at WSO2 who works on their identity server. WSO2 provides open source identity and access management solutions.
Identity and Entitlement Management Concepts
1. Last Updated: Jan. 2014
Tech Lead Chamath Gunawardana
Identity and Entitlement Management – Concepts and Theories
2. About the Presenter(s)
๏ Chamath Gunawardana
Chamath Gunawardana is a technical lead at WSO2 working for the integration technology group. He's engaged in the development of the WSO2 Identity Server and is also a committer of the WSO2 Identity Server. Chamath is also a SUN certified Java programmer.
3. About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
  ๏ Launched first open source API Management solution in 2012
  ๏ Launched App Factory in 2Q 2013
  ๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
5. Agenda
๏ Entitlement management
  ๏ Overview
  ๏ Access control concepts
  ๏ XACML
  ๏ Entitlement architecture in Identity Server
๏ Identity management
  ๏ Overview
  ๏ Features of identity management systems
  ๏ Couple of identity management capabilities in Identity Server
๏ Demo
6. What is Entitlement Mng..
๏ Entitlement management is technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements.
๏ Also referred to as authorizations, privileges, access rights, permissions and/or rules
- Gartner Glossary
7. Entitlement Management
๏ It's a broader concept
๏ Types of access control include:
  ๏ Access control lists
  ๏ Role based access control
  ๏ Attribute based access control
  ๏ Policy based access control
8. Access control lists
๏ Oldest and most basic form of access control
๏ Primarily adopted by operating systems
๏ Maintains, as a mapping, the set of users and the operations each can perform on a resource
๏ Also easy to implement using maps
๏ Not scalable for large user bases
๏ Difficult to manage
9. Role based access control
๏ A system having users that belong to roles
๏ A role defines which resources will be allowed
๏ Reduces the management overhead
๏ Users and roles can be externalized using user stores
๏ Need to manage the roles
๏ A user may belong to multiple roles
10. Attribute based access control
๏ Authorization based on attributes
๏ Addresses the limitation of the role based approach in defining fine grained access control
๏ Attributes of the user, the environment as well as the resource itself
๏ More flexible than the role based approach
๏ No need to know the user prior to granting access
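The three models on slides 8 to 10 are easiest to compare when the same authorization question is asked of each. The block below is an added example written for this page, not code from the slides or from WSO2 Identity Server; the users, roles, resources and attribute rules are constructed sample data. It shows why an ACL has to enumerate every user per resource, how RBAC moves that to role assignment, and how ABAC decides without knowing the caller at all, including the environment checks (time of day, network) that the role model cannot express.

```python
"""Added example (not from the slides or WSO2): the same authorization question
answered under the three models compared above, over constructed sample data."""
from dataclasses import dataclass
from typing import Callable, List

# ---- Access control list: resource -> user -> permitted operations ----------
# Constructed ACL. Every (user, operation) pair is spelled out per resource,
# which is why the model stops scaling as the user base grows.
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "handbook.pdf": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}

def acl_allows(user: str, operation: str, resource: str) -> bool:
    """ACL check: a direct lookup in the per-resource map; unknown users get nothing."""
    return operation in ACL.get(resource, {}).get(user, set())

# ---- Role based access control: user -> roles, role -> permissions ----------
# Constructed assignments. Adding a user means assigning roles, not editing
# every resource's list; a user may hold several roles at once.
USER_ROLES = {"alice": {"hr", "employee"}, "bob": {"employee"}, "carol": {"employee"}}
ROLE_PERMS = {
    "hr": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "employee": {("handbook.pdf", "read")},
}

def rbac_allows(user: str, operation: str, resource: str) -> bool:
    """RBAC check: permitted if any role the user holds grants (resource, operation)."""
    return any((resource, operation) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# ---- Attribute based access control: predicates over subject, resource, environment
@dataclass
class Request:
    subject: dict      # attributes of the caller, e.g. {"department": "hr", "clearance": 2}
    resource: dict     # attributes of the resource, e.g. {"owner_dept": "hr", "classification": 2}
    environment: dict  # attributes of the context, e.g. {"hour": 14, "network": "corp"}
    operation: str

def _same_dept_and_cleared(r: Request) -> bool:
    return (r.subject["department"] == r.resource["owner_dept"]
            and r.subject["clearance"] >= r.resource["classification"])

# Constructed rules. A request is permitted when any rule permits it; nothing
# here refers to a user identity, only to attributes presented at request time.
ABAC_RULES: List[Callable[[Request], bool]] = [
    # Reads: same department, sufficient clearance, during office hours.
    (lambda r: r.operation == "read" and _same_dept_and_cleared(r)
               and 8 <= r.environment["hour"] < 18),
    # Writes: as above, and additionally only from the corporate network.
    (lambda r: r.operation == "write" and _same_dept_and_cleared(r)
               and r.environment["network"] == "corp"),
]

def abac_allows(req: Request) -> bool:
    """ABAC check: evaluates the rules against the presented attributes."""
    return any(rule(req) for rule in ABAC_RULES)
```

Note that `abac_allows` is the only function that can answer for a caller who has never been entered into the system: a federated user arriving with department and clearance attributes is handled by the same rules as a local one, which is the "no need to know the user prior to granting access" point from slide 10.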
11. Policy based access control
๏ Addresses the requirement to have a more uniform access control mechanism
๏ Helps large enterprises to have uniform access control among org units
๏ Helps security audits to be carried out
๏ More complex than any other access control system
๏ Specify policies unambiguously with XACML
๏ Use of authorized attribute sources in the enterprise
12. Advantages
๏ Reduce the development time on critical business functions
๏ Easy management of entitlements
๏ Based on industry standard specifications
๏ Support for future development with minimum effort
13. XACML
๏ XACML is a policy based authorization/entitlement system
๏ De-facto standard for authorization
๏ Has evolved through versions 1.0, 2.0 and 3.0
๏ Externalized
๏ Policy based
๏ Fine grained
๏ Standardized
14. XACML
๏ Identity Server supports XACML 2.0 and 3.0 versions
๏ Supports multiple PIPs
๏ Policy distribution
๏ UI wizards for defining policies
๏ Try-it tool
๏ Decision / attribute caching
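Slides 11 to 14 describe policy based access control with XACML without showing what a policy or a decision looks like. The following is an added example, not code from the slides or from WSO2 Identity Server: a toy policy decision point that parses a constructed XACML 3.0 policy and evaluates it for a request. Only the `Target` structure (`AnyOf`/`AllOf`/`Match` with `string-equal`) and the `deny-overrides` rule combining algorithm are implemented; `Condition` elements, obligations and the `Indeterminate` result are left out. The `urn:example:role` and `urn:example:employment-type` attribute ids, the `payroll` resource and the subjects are assumptions made for the example; the standard XACML identifiers are the real ones.

```python
# Added example (not from the slides or WSO2): a minimal XACML 3.0 PDP over a
# constructed policy. Subset only: Targets with string-equal, deny-overrides.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE_ATTR = "urn:example:role"                  # constructed attribute ids for
EMPLOYMENT_ATTR = "urn:example:employment-type"  # the example, not standard ones

# Constructed policy: HR staff may read the payroll resource, but contractors
# are denied regardless (deny-overrides lets the Deny rule win).
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="urn:example:payroll" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target><AnyOf><AllOf>
    <Match MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">payroll</AttributeValue>
      <AttributeDesignator Category="{RESOURCE_CAT}" AttributeId="{RESOURCE_ID}" DataType="{STRING}" MustBePresent="true"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Rule RuleId="permit-hr-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">read</AttributeValue>
        <AttributeDesignator Category="{ACTION_CAT}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="true"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">hr</AttributeValue>
        <AttributeDesignator Category="{SUBJECT_CAT}" AttributeId="{ROLE_ATTR}" DataType="{STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="deny-contractors" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">contractor</AttributeValue>
        <AttributeDesignator Category="{SUBJECT_CAT}" AttributeId="{EMPLOYMENT_ATTR}" DataType="{STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

def _match(match, request) -> bool:
    """One <Match>: true if any value in the request's attribute bag equals AttributeValue."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    wanted = match.find("x:AttributeValue", NS).text
    desig = match.find("x:AttributeDesignator", NS)
    bag = request.get(desig.get("Category"), {}).get(desig.get("AttributeId"), [])
    return wanted in bag

def _target_applies(target, request) -> bool:
    """A missing or empty Target matches everything. Otherwise every AnyOf must
    hold, an AnyOf holds if any of its AllOf holds, and an AllOf holds if all of
    its Match elements hold."""
    if target is None:
        return True
    return all(any(all(_match(m, request) for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS))
               for any_of in target.findall("x:AnyOf", NS))

def evaluate(policy_xml: str, request: dict) -> str:
    """Return "Permit", "Deny" or "NotApplicable" for a request built by make_request()."""
    policy = ET.fromstring(policy_xml)
    if not _target_applies(policy.find("x:Target", NS), request):
        return "NotApplicable"
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _target_applies(rule.find("x:Target", NS), request)]
    if "Deny" in effects:        # deny-overrides: any applicable Deny wins
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def make_request(subject_id, roles, employment_type, resource_id, action_id) -> dict:
    """Request context shaped as {category: {attribute-id: bag of values}}."""
    return {
        SUBJECT_CAT: {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": [subject_id],
                      ROLE_ATTR: list(roles), EMPLOYMENT_ATTR: [employment_type]},
        RESOURCE_CAT: {RESOURCE_ID: [resource_id]},
        ACTION_CAT: {ACTION_ID: [action_id]},
    }

def pep_allows(decision: str) -> bool:
    """A policy enforcement point grants access only on an explicit Permit."""
    return decision == "Permit"
```

The separation visible here is the "externalized" property from slide 13: the application (PEP) only builds a request and calls `evaluate`; which roles or employment types matter lives in the policy, so an auditor reads one XML document rather than scattered application code. `pep_allows` treats `NotApplicable` as a denial, which is the safe default for an enforcement point.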
22. Identity Management
๏ Managing the identity of users in a system
๏ Control access to resources
๏ Important component in an enterprise
๏ Enterprises depend on the security provided by identity management systems
23. Why Identity Management
๏ Directly influences the security and productivity of an organization
๏ To enforce consistency in security policies across the organization
๏ To comply with rules and regulations enforced in some critical domains by governments
๏ Provide access to resources to outside parties without compromising security
24. Why Identity Management Cont.
๏ Controlled resource access increases organizational security
๏ Increased auditability of the systems
๏ Automated password reset capabilities
25. Features of IDM System
๏ User Stores / Directories
๏ Authentication
๏ Authorization
๏ Single Sign On
๏ Provisioning
๏ Delegation
๏ Password reset
๏ Self registration with locking
26. User stores / Directories
๏ Grouping of users and roles
๏ Easy management in authorization decisions
๏ Support for different types of user stores
27. Authentication
๏ Identifying which entity we are communicating with
๏ The entity can be a user or a system
๏ The most basic form is user name and password
๏ Authentication against a user store
๏ Concept of multi factor authentication
28. Authorization
๏ What an entity is allowed to access in the system
๏ Entitlement management aspects
๏ Discussed earlier
29. Single Sign On
๏ Having multiple applications with login requirements
๏ Once logged in to one application, automatic login to the other applications
๏ Token usage
๏ Identity Federation
๏ Technologies used
  ๏ OpenID
  ๏ SAML
  ๏ Kerberos
  ๏ WS-Federation passive
30. Provisioning
๏ Concept of adding and removing identities from a user store
๏ Provisioning to external systems
๏ Technologies
  ๏ SPML
  ๏ SCIM
31. Delegation
๏ Giving responsibility to another entity to carry out tasks on your behalf
๏ Credential sharing systems
๏ Technologies
  ๏ OAuth
32. Users and roles
๏ Enterprise user stores with users and roles
๏ Managing user stores
  ๏ Support for multiple user stores
  ๏ Easy configuration of user stores in the UI
๏ Types of user stores
  ๏ LDAP, Active Directory, JDBC
๏ Support for multi-tenancy
33. Password reset
๏ Web apps needing end user password reset functionality
๏ Supports:
  ๏ Reset with notification
  ๏ Reset with secret questions
๏ Increased security with multiple keys in the reset flow
๏ UI based email template configuration
34. Self registration with locking
๏ Separate web service for self registration with account lock
๏ Upon registration, a confirmation link is sent for account unlock
๏ Only users with a valid email address gain access to the system
๏ Configurable email notification template
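Slide 34 lists the steps of self registration with locking but not what the service has to get right for the lock to mean anything. The block below is an added example written for this page, not code from the slides or from WSO2 Identity Server's self-registration service; the in-memory user store, the token lifetime and the injectable clock are assumptions made for the example. It registers the account in the locked state, issues a random confirmation token that is stored only as a hash, refuses login until the token has been presented, and rejects expired or reused tokens, so that only a party who can read the registered mailbox ends up with a usable account.

```python
# Added example (not from the slides or WSO2): self registration with account
# lock, confirmation token and default-deny login, over an in-memory store.
import hashlib
import hmac
import os
import secrets
import time

CONFIRM_TTL_SECONDS = 24 * 3600   # assumed lifetime of the confirmation link
PBKDF2_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def _hash_token(token: str) -> bytes:
    # The confirmation token is high-entropy, so a plain hash is enough to keep
    # a leaked user store from yielding usable unlock links.
    return hashlib.sha256(token.encode()).digest()

class SelfRegistrationService:
    """Constructed self-registration service; `clock` is injectable for testing expiry."""

    def __init__(self, clock=time.time):
        self._users = {}
        self._clock = clock

    def register(self, username: str, email: str, password: str) -> str:
        """Create the account in the locked state and return the confirmation token.
        In a real deployment the token is only ever sent inside the email link."""
        if username in self._users:
            raise ValueError("username already taken")
        salt = os.urandom(16)
        token = secrets.token_urlsafe(32)
        self._users[username] = {
            "email": email,
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "locked": True,                        # locked until the link is used
            "confirm_hash": _hash_token(token),    # token stored only as a hash
            "confirm_expires": self._clock() + CONFIRM_TTL_SECONDS,
        }
        return token

    def confirm(self, username: str, token: str) -> bool:
        """Unlock the account if the presented token is valid, unexpired and unused."""
        user = self._users.get(username)
        if user is None or user["confirm_hash"] is None:
            return False                           # unknown user or token already used
        if self._clock() > user["confirm_expires"]:
            return False                           # link expired; user must re-register
        if not hmac.compare_digest(_hash_token(token), user["confirm_hash"]):
            return False                           # constant-time comparison of hashes
        user["locked"] = False
        user["confirm_hash"] = None                # single use
        return True

    def login(self, username: str, password: str) -> bool:
        """Authenticate against the store; a locked account never logs in."""
        user = self._users.get(username)
        if user is None or user["locked"]:
            return False
        return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```

Two design points carry over to any real implementation of the slide's flow: the lock is checked before the password so that a correct password alone never opens an unconfirmed account, and the stored token hash is cleared on first use so that a confirmation link cannot be replayed from mail logs or browser history.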
37. More Information!
๏ The slides and webinar will be available soon.
๏ Please refer to the Identity Server documentation - https://docs.wso2.org/display/IS500/WSO2+Identity+Server+Documentation