Open Standards in Identity Management

Post on 13-Apr-2017



Open Standards in Identity Management

Prabath Siriwardena
prabath@apache.org | prabath@wso2.com

GSoC Mentor Summit 2016

Pillars of Identity and Access Management

● Identity Federation and Single Sign-On
● User Administration and Provisioning
● Identity and Access Governance

GSoC and WSO2

● WSO2 produces a set of open source software to address different aspects in the connected business.

● All WSO2 products are released under the most business friendly open source license, Apache 2.0.

● GSoC mentor organization since 2014
● 11 GSoC projects successfully completed in 2016
● Identity standards implemented under GSoC (mentored by WSO2)
  ○ UMA (User Managed Access)
  ○ XACML JSON profile
  ○ XACML REST profile
  ○ SAML 2.0 Assertion Query/Request Profile

Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

Standard Bodies for Identity and Access Management

● OASIS
● IETF
● OpenID Foundation
● W3C
● Kantara Initiative
● FIDO Alliance

OAuth 2.0

● An authorization framework developed by the IETF and documented in RFC 6749 (RFC 5849 is the earlier OAuth 1.0 protocol).
● Enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
● Access delegation: the resource owner never hands its credentials to the third-party application.
● OAuth 1.0 vs. OAuth 2.0

OAuth 2.0

OAuth 2.0 (Authorization Code Grant Type)

OAuth 2.0 (Implicit Grant Type)

OAuth 2.0 (Client Credentials Grant Type)

OAuth 2.0 (Password Grant Type)
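The authorization code grant from the slides above, as an added example that is not code from the slides or from WSO2. It models both sides in memory so the messages and the server-side checks (exact redirect_uri match, client authentication, single-use and short-lived codes, and the client's state check) can be read in one place. The client id, secret, URLs and user name are constructed for the demo.

```python
"""Added example, not code from the slides or from WSO2: an in-memory model of
the OAuth 2.0 authorization code grant (RFC 6749 section 4.1) showing the
messages on both sides and the checks the authorization server must make.
Client id, secret, URLs and the user name are constructed for the demo."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _query(url):
    """Flatten a URL's query string into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    CODE_TTL = 60  # seconds; RFC 6749 10.5 wants codes short-lived and single-use

    def __init__(self):
        # constructed registration: one confidential client with an exact redirect URI
        self.clients = {"photo-printer": {"secret": "printer-secret",
                                          "redirect_uri": "https://printer.example/cb"}}
        self.codes = {}   # code -> (client_id, redirect_uri, scope, user, issued_at)
        self.tokens = {}  # access_token -> (client_id, scope, user)

    def authorize(self, params, user):
        """Authorization endpoint; `user` is the authenticated, consenting resource owner."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            raise ValueError("invalid_request")
        # exact match with the registered URI: a code must never be sent to an attacker's host
        if params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid_redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (params["client_id"], params["redirect_uri"],
                            params.get("scope", ""), user, time.time())
        # state goes back unchanged so the client can tie this response to its request
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form, client_id, client_secret):
        """Token endpoint: authenticate the client, then redeem the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(form.get("code"), None)  # pop: the code is consumed
        if entry is None:
            raise ValueError("invalid_grant")
        code_client, code_redirect, scope, user, issued = entry
        if (code_client != client_id or code_redirect != form.get("redirect_uri")
                or time.time() - issued > self.CODE_TTL):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, scope, user)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}


class Client:
    """The third-party application (a confidential client with its own secret)."""

    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret = server, client_id, secret
        self.redirect_uri, self.pending_state = redirect_uri, None

    def authorization_request(self, scope):
        self.pending_state = secrets.token_urlsafe(16)  # unguessable per-request CSRF token
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": scope,
            "redirect_uri": self.redirect_uri, "state": self.pending_state})

    def callback(self, redirect_url):
        q = _query(redirect_url)
        if q.get("state") != self.pending_state:   # RFC 6749 10.12: drop forged callbacks
            raise ValueError("state mismatch")
        self.pending_state = None
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri},
                                 self.client_id, self.secret)


def run_flow():
    """Front channel through the user's browser, then the back-channel token request."""
    server = AuthorizationServer()
    client = Client(server, "photo-printer", "printer-secret", "https://printer.example/cb")
    auth_url = client.authorization_request("photos:read")   # browser is redirected here
    redirect = server.authorize(_query(auth_url), "alice")    # user logs in and consents
    token = client.callback(redirect)                         # code is exchanged for a token
    return server, redirect, token


def redeem_again(server, redirect_url):
    """Replay the code carried by an already-used redirect; returns the server's error."""
    try:
        server.token({"grant_type": "authorization_code", "code": _query(redirect_url)["code"],
                      "redirect_uri": "https://printer.example/cb"}, "photo-printer", "printer-secret")
        return "ok"
    except ValueError as err:
        return str(err)


def attacker_redirect(server):
    """An authorization request that points the code at another host is refused."""
    try:
        server.authorize({"response_type": "code", "client_id": "photo-printer",
                          "redirect_uri": "https://evil.example/cb", "state": "x"}, "alice")
        return "ok"
    except ValueError as err:
        return str(err)
```

`run_flow()` returns the server, the redirect URL the browser carried back, and the token response; `redeem_again` and `attacker_redirect` show the two failures a real server must produce: a replayed code is refused because the first redemption consumed it, and a redirect_uri that does not exactly match the registration never receives a code at all. The implicit, client credentials and password grants differ only in which messages are exchanged; the token endpoint checks are the same.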

OpenID Connect

● A standard developed by the OpenID Foundation.
● Built on top of OAuth 2.0, adding an identity layer (the ID token and the UserInfo endpoint).
● Uses the JWT/JOSE family of IETF standards (JWT itself is RFC 7519; the signing and encryption formats JWS and JWE come from the JOSE working group).
● Uses a JWT (the ID token) to transport user identity from the identity provider to the service provider.

OpenID Connect

OpenID Connect
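How the ID token carries identity and what the service provider must check before trusting it, as an added example that is not code from the slides or from WSO2. It mints an ID token on the provider side and validates it on the relying-party side with the checks OIDC Core section 3.1.3.7 lists (pinned algorithm, signature, iss, aud/azp, exp, nonce). HS256 keyed with the client secret is used so the block runs on the standard library alone; OIDC permits that, but RS256 verified against the provider's JWKS is the usual production choice. The issuer, client id, secret, nonce and claims are constructed.

```python
"""Added example, not code from the slides or from WSO2: minting and validating
an OpenID Connect ID token, the JWT that carries the user's identity from the
identity provider to the relying party. HS256 keyed with the client secret is
used so the block runs on the standard library alone (OIDC Core 10.1 allows
it; RS256 with the provider's JWKS is the usual production choice). Issuer,
client id, secret, nonce and claims are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"          # constructed
CLIENT_ID = "web-app"                   # constructed
CLIENT_SECRET = "demo-client-secret"    # constructed; shared between IdP and RP


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def sign_id_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """IdP side: header.payload.signature in compact JWS form."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _mac(f"{header}.{payload}".encode(), secret) if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """RP side: the checks OIDC Core 3.1.3.7 requires; raises ValueError naming the failed one."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(unb64url(header_b64))
    # pin the algorithm we registered for; never let the token choose (blocks alg=none, key confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _mac(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(payload_b64))     # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("not for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:           # binds the token to the login session; stops replay
        raise ValueError("nonce mismatch")
    return claims


def demo_token(now: int, alg: str = "HS256") -> str:
    """Constructed ID token for user 'alice', valid for five minutes from `now`."""
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "n-1"}
    return sign_id_token(claims, CLIENT_SECRET, alg)


def tamper_sub(token: str, new_sub: str) -> str:
    """Attacker edits the payload but cannot re-sign it."""
    h, p, s = token.split(".")
    claims = json.loads(unb64url(p))
    claims["sub"] = new_sub
    return f"{h}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


def outcome(token, now, issuer=ISSUER, client_id=CLIENT_ID, nonce="n-1"):
    """Return the authenticated subject, or the name of the check that failed."""
    try:
        return validate_id_token(token, CLIENT_SECRET, issuer, client_id, nonce, now)["sub"]
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    t = demo_token(1_700_000_000)
    print(outcome(t, 1_700_000_000), outcome(tamper_sub(t, "admin"), 1_700_000_000),
          outcome(demo_token(1_700_000_000, "none"), 1_700_000_000))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a tampered or unsigned (`alg: none`) token never reaches the claim logic. The nonce is the relying party's own per-login value, which is what stops a captured ID token from being replayed into a different session.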

SAML 2.0

● An XML-based standard for exchanging authentication and authorization data between security domains (typically an identity provider and a service provider), produced by the OASIS Security Services Technical Committee.
● History
  ○ SAML 1.0 was adopted as an OASIS standard in Nov 2002
  ○ SAML 1.1 was ratified as an OASIS standard in Sept 2003
  ○ SAML 2.0 became an OASIS standard in Mar 2005
● Components
  ○ Assertions: authentication, attribute and authorization decision statements
  ○ Protocol: request and response elements for packaging assertions
  ○ Bindings: how SAML protocols map onto standard messaging or communication protocols (HTTP Redirect, HTTP POST, HTTP Artifact, SOAP)
  ○ Profiles: how SAML protocols, bindings and assertions combine to support a defined use case (e.g. Web Browser SSO)
● SAML Assertion Query/Request Profile (GSoC 2016 open source implementation)

SAML 2.0 Web SSO (HTTP Redirect Binding)
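The HTTP-Redirect binding named on the slide, as an added example that is not code from the slides or from WSO2. It shows the SP side (DEFLATE, base64, URL-encode the AuthnRequest into SAMLRequest, sign the encoded query string) and the IdP side (verify the signature over the raw query before inflating or parsing anything). An HMAC with a constructed shared key stands in for the RSA signature the binding actually uses, so the block runs on the standard library; the entity IDs, URLs, request ID and key are constructed.

```python
"""Added example, not code from the slides or from WSO2: the SP side and IdP
side of the SAML 2.0 HTTP-Redirect binding (SAML Bindings 3.4). The
AuthnRequest is DEFLATE-compressed (raw, no zlib header), base64-encoded and
URL-encoded into the SAMLRequest query parameter; for the signed form the
signature covers the already-encoded query string
'SAMLRequest=...&RelayState=...&SigAlg=...', not the XML. An HMAC over a
constructed shared key stands in for the RSA signature the binding really
uses, so the block runs on the standard library. Entity IDs, URLs, the request
ID and the key are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # stand-in for rsa-sha256
KEY = b"constructed-shared-key"

AUTHN_REQUEST = (  # constructed request from SP https://sp.example to IdP https://idp.example
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2016-10-30T12:00:00Z" Destination="https://idp.example/sso" '
    'AssertionConsumerServiceURL="https://sp.example/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example</saml:Issuer></samlp:AuthnRequest>')


def deflate_b64(xml: str) -> str:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE stream
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_url(idp_sso_url: str, xml: str, relay_state: str = "", key: bytes = None) -> str:
    """SP side: build the redirect the user's browser is sent to."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state:
        params.append(("RelayState", relay_state))
    if key is not None:
        params.append(("SigAlg", SIG_ALG))
        # sign the URL-encoded octets in this exact order: SAMLRequest, RelayState, SigAlg
        sig = hmac.new(key, urlencode(params).encode(), hashlib.sha256).digest()
        params.append(("Signature", base64.b64encode(sig).decode()))
    return idp_sso_url + "?" + urlencode(params)


def parse_redirect(url: str, key: bytes = None) -> dict:
    """IdP side: verify before inflating or parsing anything, then read the request."""
    raw_query = urlparse(url).query
    q = {k: v[0] for k, v in parse_qs(raw_query).items()}
    if key is not None:
        # verify over the raw (still-encoded) query, minus the Signature parameter itself
        signed = "&".join(p for p in raw_query.split("&") if not p.startswith("Signature="))
        expected = hmac.new(key, signed.encode(), hashlib.sha256).digest()
        if q.get("SigAlg") != SIG_ALG or "Signature" not in q or \
                not hmac.compare_digest(expected, base64.b64decode(q["Signature"])):
            raise ValueError("bad signature")
    xml = inflate_b64(q["SAMLRequest"])
    # ElementTree does not expand external entities; still prefer defusedxml for untrusted XML
    root = ET.fromstring(xml)
    return {"id": root.get("ID"),
            "issuer": root.find("saml:Issuer", NS).text,
            "acs": root.get("AssertionConsumerServiceURL"),
            "destination": root.get("Destination"),
            "relay_state": q.get("RelayState")}


def signature_valid(url: str, key: bytes) -> bool:
    try:
        parse_redirect(url, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    u = redirect_url("https://idp.example/sso", AUTHN_REQUEST, "page=42", KEY)
    print(len(u), parse_redirect(u, KEY))
```

Two points worth noticing: the signature is computed over the URL-encoded query string, so the verifier must rebuild exactly those octets from the raw query rather than re-encoding decoded values, and because RelayState is inside the signed string, changing it invalidates the signature even though the SAMLRequest is untouched. The IdP should still check that Destination names its own endpoint and that the AssertionConsumerServiceURL matches the SP's registered metadata before issuing a response.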

SAML 2.0 Web SSO vs. OpenID Connect

● Both can be used to facilitate identity federation and SSO.
● SAML 2.0 Web SSO is based on XML, while OIDC is based on JSON.
● SAML 2.0 Web SSO carries identity in SAML assertions, while OIDC carries it in a JWT (the ID token).
● SAML 2.0 has many bindings (SOAP, HTTP Redirect, HTTP POST, HTTP Artifact), while the only binding OIDC has is HTTP.
● OpenID Connect is the preferred standard for mobile apps and SPAs.

SPML (Service Provisioning Markup Language)

● The OASIS Technical Committee for Service Provisioning was formed in 2001 to define an XML-based framework for exchanging user, resource, and service provisioning information.
● XML based
● Two bindings
  ○ SOAP
  ○ File
● SPML v2.0 is the latest version.
● Too bulky, like the UDDI specification in the SOAP world.

SCIM (System for Cross-domain Identity Management)

● SCIM is purely RESTful (JSON over HTTP).
● The initial version supported both JSON and XML; the current version is JSON only.
● Introduced a REST API for provisioning and a core schema (which can be extended) for the provisioned objects, such as User and Group.
● SCIM 1.1 was finalized in 2012 under the name Simple Cloud Identity Management, and the work was then donated to the IETF.
● Once in the IETF, the name was changed to System for Cross-domain Identity Management and XML support was dropped in favour of JSON only.
● SCIM 2.0 was published by the IETF in Sept 2015 as RFC 7643 (core schema) and RFC 7644 (protocol).

The Evolution of Provisioning Standards

XACML (eXtensible Access Control Markup Language)

● An OASIS standard for fine-grained, attribute-based access control.
● Components
  ○ Architecture (PAP, PDP, PEP, PIP): policy administration, decision, enforcement and information points
  ○ Request-Response protocol
  ○ Policy language (XML-based)
● JSON profile for XACML 3.0 (GSoC 2016 open source implementation)
● REST profile for XACML (GSoC 2016 open source implementation)
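The XACML architecture and the JSON profile from the slides above, as an added example that is not code from the slides, from WSO2 or from any GSoC implementation. It keeps the four roles apart (the PAP writes the policy, the PEP builds the request and enforces the answer, the PDP decides, and a PIP supplies attributes the request did not carry) and exchanges requests and responses shaped like the XACML 3.0 JSON profile. The policy structure (targets, rules with an effect, deny-overrides) is a deliberate simplification of the XACML policy language, and every attribute id, user and policy value is constructed.

```python
"""Added example, not code from the slides or from WSO2: a toy policy decision
point for requests shaped like the XACML 3.0 JSON profile
({"Request": {"AccessSubject"|"Resource"|"Action": {"Attribute": [...]}}}) that
answers {"Response": [{"Decision": ...}]}. The roles on the slide are kept
apart: the PAP writes the policy, the PEP builds the request and enforces the
answer, the PDP decides, and a PIP supplies attributes the request did not
carry. The policy structure here (targets, rules with an effect, deny-overrides)
is a deliberate simplification of the XACML policy language, and every
attribute id, user and policy value is constructed for the demo."""
import json

# PIP: an attribute source the PDP trusts more than the caller's own claims
USER_DIRECTORY = {"alice": {"role": "doctor", "department": "cardiology"},
                  "bob": {"role": "billing", "department": "finance"}}
PIP_OWNED = ("role", "department")   # subject attributes only the PIP may assert

# PAP output: one policy with a target and rules, combined deny-overrides
POLICY = {
    "target": {"resource-type": "patient-record"},
    "rules": [
        {"effect": "Permit", "condition": {"role": "doctor", "action-id": "read"}},
        {"effect": "Deny", "condition": {"department": "finance"}},
    ],
}


def make_request(subject, resource_type, resource_id, action, extra_subject_attrs=None):
    """PEP: JSON-profile request. Extra subject attributes are the caller's own assertions."""
    subject_attrs = [{"AttributeId": "subject-id", "Value": subject}]
    for k, v in (extra_subject_attrs or {}).items():
        subject_attrs.append({"AttributeId": k, "Value": v})
    return {"Request": {
        "AccessSubject": {"Attribute": subject_attrs},
        "Resource": {"Attribute": [{"AttributeId": "resource-type", "Value": resource_type},
                                   {"AttributeId": "resource-id", "Value": resource_id}]},
        "Action": {"Attribute": [{"AttributeId": "action-id", "Value": action}]}}}


def flatten(request):
    """Collapse the categories into one {AttributeId: Value} dict."""
    attrs = {}
    for category in request["Request"].values():
        for a in category.get("Attribute", []):
            attrs[a["AttributeId"]] = a["Value"]
    return attrs


def pip_enrich(attrs):
    """Drop caller-asserted PIP-owned attributes, then fill them from the directory."""
    attrs = {k: v for k, v in attrs.items() if k not in PIP_OWNED}
    attrs.update(USER_DIRECTORY.get(attrs.get("subject-id"), {}))
    return attrs


def matches(criteria, attrs):
    return all(attrs.get(k) == v for k, v in criteria.items())


def pdp_decide(policy, request):
    """PDP: evaluate the target, then the rules under deny-overrides."""
    attrs = pip_enrich(flatten(request))
    if not matches(policy["target"], attrs):
        return {"Response": [{"Decision": "NotApplicable"}]}
    effects = [r["effect"] for r in policy["rules"] if matches(r["condition"], attrs)]
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    return {"Response": [{"Decision": decision}]}


def pep_allow(subject, resource_type, resource_id, action, extra_subject_attrs=None):
    """PEP: serialize as it would travel over the REST profile, enforce; anything but Permit fails closed."""
    wire = json.dumps(make_request(subject, resource_type, resource_id, action, extra_subject_attrs))
    response = pdp_decide(POLICY, json.loads(wire))
    return response["Response"][0]["Decision"] == "Permit"


if __name__ == "__main__":
    print(pep_allow("alice", "patient-record", "p-17", "read"),
          pep_allow("bob", "patient-record", "p-17", "read"),
          pep_allow("carol", "patient-record", "p-17", "read", {"role": "doctor"}))
```

Two design choices carry the security point: the PEP treats NotApplicable and Indeterminate the same as Deny (fail closed), and subject attributes that drive the decision (role, department) are taken from the PIP, never from the request, so a caller who asserts `role: doctor` in its own request gains nothing.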

Contact us !