is xacml the only fine grained authz standard


Upload: mike-schwartz

Post on 14-Oct-2015


  • 5/24/2018 Is XACML the Only Fine Grained Authz Standard


    For policy expression, it is probably not the only standard for fine grained authz, but it is one of the best known. As an overall architecture for entitlements management, then no.

    Site Minder has more adoption in the market, although it's not an open standard. OX implements two open standard profiles of OAuth2 which can be used to centralize authentication and entitlements management. OpenID Connect defines how a client (website or mobile app) re-directs a person for authentication at their home domain. Connect also defines how a client registers and can get "claims" about a person (like email address). The UMA profile of OAuth2 defines several new tokens which represent fine grain authorizations, and can address situations where two parent organizations may have different sets of policies.

    What is XACML?

    The OASIS XACML version 3 standard defines a common XML syntax for expressing security policy. If you manage IT security for a very large organization, you may have several access management systems, for example Site Minder and Oracle Access Manager. Wouldn't it be great if the policies you write in one were portable to another? Also, a standard syntax for policies makes it easier to "normalize" policies across the organization, both to consolidate and govern.


    However, adoption of XACML by Internet domains has been tepid at best. There are approximately 250 million Internet domains out there; only the most microscopic subset of those have a XACML PDP. It has gained some big supporters: security paranoid organizations like the military love it! But for the most part, XACML is a standard only of interest to serious security nerds.

    Here is a somewhat simplified XACML policy adapted from the spec. I'm not a XACML expert, but I think it says the person must be from the med.example.com domain:

    What is UMA?

    Abstract: User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.

    Centralized Authorization is more important than policy normalization

    In my opinion, for 99% of the domains out there, the most important security benefit is derived from centralized authorization, not from standard policy expression. Consolidation saves money and improves security.


    Where business logic is shared between applications, code duplication is a waste of effort and makes maintenance more difficult. For example, if a school district hosts multiple websites, it would be inefficient to support each website writing code to call your database to check if the person is a teacher.

    It would be much better if the website could make a call to a central service, to make sure the person has teacher authorization. In this way, the district can implement the business rules to determine who is a teacher in one place. Note: the app doesn't care how the policy itself is expressed. It just wants to make sure that the district has decided the person is a teacher.

    UMA supports PDP and PAP diversity

    It was a wise choice by the UMA editors to stay neutral on policy expression and management. It enables vendors to implement a number of different approaches to policy management, including XACML, if that's your organizational preference.

    There are a number of solutions for entitlements management. XACML is just one. Some organizations use Repose or Permis, or even a commercial IAM product for entitlements management.


    One of the functions of the Policy Administration Point, or PAP, is to provide tools for the domain administrator to manage policies. IAM tools differentiate themselves on the usability of the PAP. For example, CA Site Minder has a graphical interface that enables domain system admins to define Rules, which specify URLs, and policies, which say who can get to those URLs. OxTrust has a web UI and REST interfaces to enable policy management. IBM Tivoli Access Manager even has a command line interface (in addition to the Web UI and API) for policy management.

    UMA doesn't say who makes the policy decision

    To paraphrase, UMA just says a decision is made. As mentioned above, it doesn't say how the logic behind the policy is implemented, or even who makes the decision. UMA was designed to enable a person to centrally manage authorizations granted to domains. Recently, Gluu helped clarify a use case for Enterprise UMA. In this case, the organization, not the person, makes the decision whether to allow access to a resource, specifically for web access management. The sequence diagram below documents the flow for the OX implementation of Enterprise UMA. If you are familiar with XACML, the Host would be the PEP; oxAuth would be the PDP; oxAuth Admin is the PAP, where admins can authorize manually or define policies.


    UMA can't do it alone: authz needs authn!

    Most commercial identity and access management (IAM) suites provide two key services: authentication (identity) and authorization (access management). It would have been silly for UMA to define endpoints for SSO authentication; this work was in progress at the OpenID Foundation. OpenID Connect provides several workflows for authentication, discovery, client registration, and user claims (attributes).

    Enterprise UMA Example: Design for an Apache PEP

    So how does UMA work? Consider the example below, which is the result of work being crowdfunded to build open source OAuth2 plugins for the Apache HTTPD server:


    Enterprise UMA Example: Policy Expression in OX

    So how could the PDP use the UMA Scopes? The following screenshot of OX should give you an idea. Vendors will differentiate themselves on how easy they make it to express policies. OX has a geeky approach: we let the domain provide Python syntax code to define the business logic for the authorize method. This lets companies express policies based on user claims, call web services, centralize logging, or even make a request for entitlement to an external system, maybe even a XACML PDP. From the website perspective, this is invisible. The PEP just requests that the policies be evaluated for the respective scope.
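    The following is an added illustration, not OX or Gluu code, of the scope-based PDP pattern described above and of the school-district "is this person a teacher?" and med.example.com examples earlier in the post: the PEP only asks whether a subject may have a scope, and the business logic lives in plain Python on the PDP side. The Context shape, the authorize signature, the scope URIs and the claims are all constructed for this example.

```python
# Added example (not Gluu/OX code): a minimal centralized PDP in the spirit
# of the "authorize method written in Python" approach the post attributes
# to OX. The website (PEP) never sees the policy; it only asks for a scope.
from dataclasses import dataclass, field


@dataclass
class Context:
    """Claims about the requesting party as the PEP forwards them (constructed shape)."""
    subject: str
    claims: dict = field(default_factory=dict)


def email_domain(claims):
    """Domain part of the 'email' claim, lower-cased; '' if absent or malformed."""
    email = claims.get("email", "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def teacher_policy(ctx):
    # School-district example: the district decides centrally who is a teacher,
    # so no individual website needs its own database lookup for this.
    return "teacher" in ctx.claims.get("roles", [])


def medical_records_policy(ctx):
    # Same intent as the post's XACML example: requester must belong to the
    # med.example.com domain. Expressed here as user-claim logic, not XACML.
    return email_domain(ctx.claims) == "med.example.com"


# Policies keyed by UMA scope (scope URIs are constructed placeholders).
POLICIES = {
    "https://district.example/scopes/teacher": teacher_policy,
    "https://hospital.example/scopes/medical-records": medical_records_policy,
}


def authorize(scope, ctx):
    """Return True only if a policy is registered for the scope and it grants
    access. Unknown scopes and policy errors are denied (fail closed)."""
    policy = POLICIES.get(scope)
    if policy is None:
        return False
    try:
        return bool(policy(ctx))
    except Exception:
        return False  # a buggy policy must never turn into an allow


if __name__ == "__main__":
    who = Context("alice", {"email": "alice@med.example.com", "roles": ["teacher"]})
    for scope in POLICIES:
        print(scope, "->", "permit" if authorize(scope, who) else "deny")
```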

    Summary

    Enterprise UMA provides a convenient and flexible design for centralized authorization.

    In practice, XACML and UMA may be complementary. However, UMA provides the best way forward.

    Article resource: http://gluu.soup.io/post/435069266/Is-XACML-the-only-fine-grained-authz