opensource authentication and authorization

Open SourceAuthentication

& Authorization

Allan Foster [email protected]

Wednesday, March 9, 2011

mailto:[email protected]


“Build us a Web App”

2


Lots of examples....

3


New Application Demands

4

CollaborativeWorkgroupsClient - ServerMulti user...In the cloud?


Its a WebApp!

5


Business Logic

6

Your Business...Your Logic...

You know how to do this!


Lots of Help

7

Language...

Java

PHPRuby

Groovy

.Net

C & C+

+

Python

Perl


Oh yes, LOTS of help!

8

PEAR

JSF

AJAX

Hibernate

Ice FacesSpring

Velocity

Frameworks...


And don’t forget...

9


10

Access Control

Who are our users?Who can access what?

What can they do?How do we manage this?


Its not that complicated..

11

Authentication

SSO

Authorization


Authentication?

12

Corporate LDAP


But what about...

13


or...

14


or

15

SecureID RSA Logo


Maybe all?

16


Authentication isn’t enough...

17


Authentication isn’t enough...

18

SSO is expected!

I have one set of credentials, Why

can’t I just use them ONCE?


19

Even between multiple Organizations

FederationeGov

GoogleApps


20

SSO implies having a single

trusted Authentication

service...


21

That can be used by MANY different

applications!


22

Without regard toHOW

the authentication is being performed


23

What About Authorization?


24

Is this user allowed

to perform

this action on

this resource?


25

Group Membership?

Roles?

Some Complex Matrix?

Dynamic Conditions?


26

Access control logic can be embedded in our application...

BUT..


27

New SpecsNew RulesExceptions

Changes...andmore changes!

...And testing!


Reprogram the door?

28


Centrally managed service

29

Can I?


AuthN and AuthZ as a service

30

IdenAty services (OpenAM)


31

AuthenticationSSO

Authorization


32


33

Authentication is NOT

Identity Management

Validation against EXISTING identity sources!


34

We don’t need to know user implementation details

We only need to know

User Identity

and possibly some user attributes.


Integrate into existing process

35

Plugable Authentication modules

Built on Standards - JAAS

Multiple Modules & Chains


36

LDAP

x509 Certificate

SecureID

SafeWordJDBC

MSISDN

Unix

AD -

SPNE

GO

SmartCardsCustom

Membership

SAML2

Extensible


37

Authentication determines identity

Identity is what matters..

NOT

the method it is determined


38


39

Browser ApplicaAon OpenAM

Request applicaAon content

Redirect for AuthenAcaAon

Request AuthenAcaAon from AuthenAcaAon server

NegoAate AuthenAcaAon...

Redirect back to ApplicaAon with Token

Request applicaAon content

Validate Token

ValidaAon Response

Provide applicaAon content


40

Authentication

SSOAuthorization


41


42


43


44

Allan FosterSpeakerConFoo 2011


45


46

Allan FosterSpeakerConFoo 2011


47


48

One Pass

Multiple Doors

Single Sign On


49

Application validates credentials...

Does NOT issue them!


50

We don’t “Login”

We validate Identity.

This is a conceptual hurdle for developers!


51

Authentication service determines identity

Authentication service issues tokens


52

Browser ApplicaAon OpenAM

Request applicaAon

Validate Token

ValidaAon Response

Provide applicaAon content


53

New applicationseasily integrate

into existing infrastructure


54

And for many projects

This is success!

Single Sign on!


55

Authentication

SSO

Authorization


56

Multi User Application

Access Control

Rights and Privileges


Access Control can be

57

Very ComplexDomain Specific

Dependent on Many Conditions


Several Options

58

• Ad Hoc• J2EE Policy• URL Access• Custom Developed• External Policy Engine


Ad Hoc

59

•Localized if - then - else

•Cumbersome•No Reuse•Inconsistent enforcement•Unverifiable•Possible security holes


J2EE Policy

60

•Standards..•Role Based•Supported in the deployment•Designed from the start•Difficult to change•Domino Effect


URL Access

61

•Course Grained•Tree Level Access•Often at Application or server Level•Access Control NOT Entitlements


Custom Policy

62

•Expensive•Hard to Maintain•Proprietary•Administration is Daunting!•Difficult to change and adapt


External Policy Engine

63

•Policy Evaluation•Extensible•Flexible•Centralized Administration•What about domain specifics?


6427

EnAtlement services (OpenAM)


65

Can This User

access This Resource

under These Conditions?


66

Define Rules for Access

Rules can be changed dynamically

Standards based - XACML3


Rules

67

ResourcesActionsSubjectsConditions

Response Attributes Advice


Resources

68

URLsAccountsButtonsProjectsetc......

HierarchicalScalable

Plugable API


Actions

69

Performed on a resource

Fine Grained access

WithdrawBalanceTransfer

GETPOSTDELETE

COPY

CreateReadUpdateDelete


Subjects

70

Who does the rule apply to?

Member LDAP GroupDatastore Attribute

Session AttributeDatastore Attribute Custom Subject

Plugable API Combination Logic


Conditions

71

Simple or Complex Dependencies

IP Address

Session Attribute

Bank Balance Time of DayAuthenticationlevel

Attribute

Plugable API Combination Logic

Session Timout


72

Access control can be:

Role based,Attribute based,

or Dynamic.


73

Policy Decision Point

Policy Enforcement Point

Policy Administration Point



74



75

Simplest case

Agent plugged into web container.

ISapiNSApi

Mod_auth


76

Zero changes to app.

Simple to install..

Easily protect “Closed” apps



77

Fine for URL access controlwhen resource is a URL.

But how do we address entitlements?



78

Simple Web Service Call wrapperCoded into Application

if (entitled(userToken, resource, env)) { ... ...}

Language Agnostic!

This User This Resource These CondiAons


Simple JSON responses

79

{ "statusCode":200, "statusMessage":"OK" "body":{ "actionsValues":{"GET":true}, "attributes":{}, "advices":{}, "resourceName":"http://www.anotherexample.com:80/index.html" } }


http://www.anotherexample.com:80/index.html

http://www.anotherexample.com:80/index.html


80



81

Policy Evaluation

Separate the Rule evaluation

from the enforcement


82

Scalable and extensible policy engine

Scalable to millions of entitlements

Standards based - XACML3


83


Policy Administration

84

Administration UI Dynamic rule changes

AuditabilityConsistency


85

Standards based XACML3

Any editor...Any workflow...


86

Rule changes take immediate effect

No impact on application development


87

Keep track of rules and changes

Reuse rules for reusable resources


Separate Administration

88

Application Administration is

separate from

Entitlement Administration


89

Simplify the app admin

Consistent administration of

permissionsfor all apps.


ForgeRock

90


OpenAM

91

OpenAM As A Servicegives

Flexibility, Consistency &Management

to Authentication

and Entitlements.


OpenAM

92

Started life as Sun Access Manager

OpenSourced in 2007

Strong Community


OpenAM

93

OpenAM is

fully opensource, 100% Java,

scalable,high performance,

AuthN and AuthZ


OpenAM

94

Full XACML3 SupportSimple policies and Complex

EntitlementsExtensible Plugins

Central AdministrationLeverage existing SSO


OpenAM

95

OpenAM Community

ForgeRock

http://www.forgerock.com


http://www.forgerock.org

http://www.forgerock.org

96

Download it.Use it.

Get involved!

[email protected]




Questions?

97


Demo

98


Open SourceAuthentication

& Authorization

Allan Foster ForgeRock


100

Access Control - Policy

Rights and Privileges - Entitlements

Scalability

Flexibility


opensource authentication and authorization

Documents

identity identity

authentication isnt

access control logic

applicaaon content52wednesday

existing identity sources

new applications

business logic

j2ee policy url access