Open Standards in Identity Management

Open Standards in Identity Management Prabath Siriwardena [email protected] | [email protected] GSoC Mentor Summit 2016

Transcript of Open Standards in Identity Management

Page 1: Open Standards in Identity Management

Open Standards in Identity Management

Prabath Siriwardena
[email protected] | [email protected]

GSoC Mentor Summit 2016

Page 2: Open Standards in Identity Management

Pillars of Identity and Access Management

● Identity Federation and Single Sign-On
● User Administration and Provisioning
● Identity and Access Governance

Page 3: Open Standards in Identity Management

GSoC and WSO2

● WSO2 produces a set of open source software to address different aspects of the connected business.
● All WSO2 products are released under the most business-friendly open source license, Apache 2.0.
● GSoC mentor organization since 2014
● 11 GSoC projects successfully completed in 2016
● Identity standards implemented under GSoC (mentored by WSO2)
  ○ UMA (User Managed Access)
  ○ XACML JSON profile
  ○ XACML REST profile
  ○ SAML 2.0 Assertion Query/Request Profile

Page 4: Open Standards in Identity Management

Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

Page 5: Open Standards in Identity Management

Standard Bodies for Identity and Access Management

● OASIS
● IETF
● OpenID Foundation
● W3C
● Kantara Initiative
● FIDO Alliance

Page 6: Open Standards in Identity Management

OAuth 2.0

● An authorization framework developed by the IETF and documented under RFC 5849.
● Enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
● Access delegation
● OAuth 1.0 vs. OAuth 2.0

Page 7: Open Standards in Identity Management

OAuth 2.0

Page 8: Open Standards in Identity Management

OAuth 2.0 (Authorization Code Grant Type)
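The slide carries only the title of the flow diagram, so here is the authorization code grant modelled end to end as an added example; it is not code from the slides or from WSO2. OAuth 2.0 itself is specified in RFC 6749 (RFC 5849 is the OAuth 1.0 specification). The client registration, resource owner name and token values are constructed placeholders; the checks (exact redirect_uri match, single-use and short-lived codes, client authentication at the token endpoint, and the client's own state check) are the ones RFC 6749 asks for, implemented in-process rather than over HTTP.

```python
"""Minimal in-process model of the OAuth 2.0 authorization code grant.

Added example, not code from the slides or from WSO2. The client
registration, resource owner name and token values are constructed
placeholders; the checks mirror what RFC 6749 asks of an authorization
server and a client, but this is a teaching model, not a real server.
"""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration: codes are bound to these values.
REGISTERED_CLIENTS = {
    "demo-client": {"redirect_uri": "https://client.example/cb", "secret": "demo-client-secret"},
}


@dataclass
class AuthorizationServer:
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user, scope, expires)
    tokens: dict = field(default_factory=dict)  # access_token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, state, user, scope):
        """Authorization endpoint, called after the resource owner has consented."""
        reg = REGISTERED_CLIENTS.get(client_id)
        # The redirect_uri must match the registered value exactly, or the code
        # would be delivered to whatever location the request named.
        if reg is None or redirect_uri != reg["redirect_uri"]:
            raise ValueError("invalid_request: unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        # Codes are short-lived; RFC 6749 recommends a lifetime of at most 10 minutes.
        self.codes[code] = (client_id, redirect_uri, user, scope, time.time() + 600)
        # The code and the client's state travel back in the redirect's query string.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: exchange an authorization code exactly once for an access token."""
        reg = REGISTERED_CLIENTS.get(client_id)
        if reg is None or not secrets.compare_digest(client_secret, reg["secret"]):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_redirect, user, scope, expires = entry
        # The code must be redeemed by the client it was issued to, with the same
        # redirect_uri, before it expires.
        if bound_client != client_id or bound_redirect != redirect_uri or time.time() > expires:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, user, scope)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}


@dataclass
class Client:
    client_id: str = "demo-client"
    client_secret: str = "demo-client-secret"
    redirect_uri: str = "https://client.example/cb"
    pending_states: set = field(default_factory=set)

    def begin(self):
        """Start a flow: mint an unguessable state value and remember it."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def handle_callback(self, location, auth_server):
        """Consume the redirect: check state, then exchange the code at the token endpoint."""
        query = parse_qs(urlparse(location).query)
        state = query.get("state", [None])[0]
        # Accept only a state this client issued, and only once (RFC 6749 section 10.12).
        if state not in self.pending_states:
            return {"error": "state_mismatch"}
        self.pending_states.discard(state)
        return auth_server.token(self.client_id, self.client_secret,
                                 query["code"][0], self.redirect_uri)


def run_flow():
    """Happy path followed by a replay of the same code; returns both token responses."""
    auth_server = AuthorizationServer()
    client = Client()
    state = client.begin()
    location = auth_server.authorize("demo-client", client.redirect_uri, state, "alice", "read")
    first = client.handle_callback(location, auth_server)
    code = parse_qs(urlparse(location).query)["code"][0]
    replay = auth_server.token("demo-client", "demo-client-secret", code, client.redirect_uri)
    return first, replay


def rejects_unregistered_redirect():
    """True if the authorization endpoint refuses a redirect_uri that was not registered."""
    try:
        AuthorizationServer().authorize("demo-client", "https://other.example/cb", "s", "alice", "read")
    except ValueError:
        return True
    return False
```

`run_flow()` returns a Bearer token for the first exchange and `{"error": "invalid_grant"}` for the replay, which is the behaviour a server must show: an authorization code is a one-time credential, and the same `invalid_grant` answer is given for an expired code or a code redeemed by a different client.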

Page 9: Open Standards in Identity Management

OAuth 2.0 (Implicit Grant Type)

Page 10: Open Standards in Identity Management

OAuth 2.0 (Client Credentials Grant Type)

Page 11: Open Standards in Identity Management

OAuth 2.0 (Password Grant Type)

Page 12: Open Standards in Identity Management

OpenID Connect

● A standard developed by the OpenID Foundation.
● Built on top of OAuth 2.0
● Uses the JWT standard developed by the IETF JOSE working group
● Uses JWT to transport user identity from the identity provider to the service provider
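The JWT that carries the user's identity in OpenID Connect is the ID token, and the service provider has to verify it before trusting any claim in it. The following is an added example, not code from the slides or from WSO2: it mints an ID token and then runs the checks OpenID Connect Core section 3.1.3.7 requires (signature, issuer, audience, expiry, nonce). It signs with HS256 keyed by the client secret, which OIDC permits and which keeps the example to the standard library; most providers sign with RS256 and publish their public keys at a JWKS URL, but the claim checks are the same. Issuer, client id, secret and nonce are constructed placeholders.

```python
"""Mint and validate an OpenID Connect ID token end to end.

Added example, not code from the slides or from WSO2. It signs with HS256
keyed by the client secret, which OpenID Connect Core permits, so it runs
with only the standard library; most providers use RS256 and publish
their public keys at a JWKS URL, and the same claim checks apply there.
Issuer, client id, secret and nonce values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Build a compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_id_token(token, client_secret, expected_issuer, client_id, expected_nonce, now=None):
    """Return the claims if every check in OIDC Core section 3.1.3.7 passes, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The relying party decides which algorithm is acceptable; the token header does not.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    audience = claims.get("aud")
    audience = [audience] if isinstance(audience, str) else (audience or [])
    if client_id not in audience:
        raise ValueError("audience mismatch")
    # With several audiences the token must name this client as the authorized party.
    if len(audience) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # The nonce ties the token to the authentication request that asked for it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def check_id_token(*args, **kwargs) -> str:
    """Convenience wrapper: 'ok' or the name of the first failed check."""
    try:
        validate_id_token(*args, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample: what the identity provider would put in the token.
ISSUER = "https://idp.example"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-client-secret"
ISSUED_AT = 1_600_000_000
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": ISSUED_AT,
                 "exp": ISSUED_AT + 300, "nonce": "n-0S6_WzA2Mj"}
```

The validator takes the expected issuer, client id and nonce as parameters rather than reading them from the token, because every one of those values is something the identity provider asserts and the service provider must compare against what it already knows; `check_id_token` just turns the first failure into a string so the outcome can be logged or tested.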

Page 13: Open Standards in Identity Management

OpenID Connect

Page 14: Open Standards in Identity Management

OpenID Connect

Page 15: Open Standards in Identity Management

SAML 2.0

● An XML-based standard for exchanging authentication and authorization data between entities; it is a product of the OASIS Security Services Technical Committee.
● History
  ○ SAML 1.0 was adopted as an OASIS standard in Nov 2002
  ○ SAML 1.1 was ratified as an OASIS standard in Sept 2003
  ○ SAML 2.0 became an OASIS standard in Mar 2005
● Components
  ○ Assertions: Authentication, Attribute and Authorization information
  ○ Protocol: Request and Response elements for packaging assertions
  ○ Bindings: How SAML protocols map onto standard messaging or communication protocols
  ○ Profiles: How SAML protocols, bindings and assertions combine to support a defined use case
● SAML Assertion Query/Request Profile (GSoC 2016 open source implementation)

Page 16: Open Standards in Identity Management

SAML 2.0 Web SSO (HTTP Redirect Binding)

Page 17: Open Standards in Identity Management

SAML 2.0 Web SSO vs. OpenID Connect

● Both can be used to facilitate Identity Federation and SSO
● SAML 2.0 Web SSO is based on XML while OIDC is based on JSON
● SAML 2.0 Web SSO is based on SAML while OIDC is based on JWT
● SAML 2.0 has many bindings (SOAP, HTTP) while the only binding OIDC has is HTTP.
● OpenID Connect is the preferred standard for Mobile Apps and SPAs.

Page 18: Open Standards in Identity Management

SPML (Service Provisioning Markup Language)

● The OASIS Technical Committee for Service Provisioning was formed in 2001 to define an XML-based framework for exchanging user, resource, and service provisioning information.
● XML based
● Two bindings
  ○ SOAP
  ○ File
● SPML v2.0 is the latest version.
● Too bulky - like the UDDI specification in the SOAP world.

Page 19: Open Standards in Identity Management

SCIM (System for Cross-domain Identity Management)

● SCIM is purely RESTful.
● The initial version supported both JSON and XML - now JSON only.
● Introduced a REST API for provisioning and also a core schema (which can also be extended) for provisioning objects.
● SCIM 1.1 was finalized in 2012 - and then it was donated to the IETF.
● Once in the IETF, the definition of SCIM had to change to System for Cross-domain Identity Management, and XML is no longer supported - only JSON.
● SCIM 2.0 was released as RFC 7644 in Sept 2015 under the IETF.
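The core schema and its extension mechanism mentioned above are what a service provider validates a provisioning request against before creating anything. As an added example, not code from the slides or from WSO2's SCIM implementation, the block below checks a `POST /Users` body against the RFC 7643 core User schema (the `schemas` list must name the core URN, `userName` is required, readOnly attributes such as `id` and `meta` are assigned by the server, and extension attributes must sit under a schema URN that is also declared in `schemas`) and answers with the RFC 7644 error response shape when it fails. The schema URNs are the ones the RFCs define; the two payloads are constructed samples.

```python
"""Validate a SCIM 2.0 User resource before provisioning it.

Added example, not code from the slides or from WSO2's SCIM implementation.
The schema URNs and the error-response shape are the ones RFC 7643 and
RFC 7644 define; the payloads are constructed samples.
"""
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Core User attributes from RFC 7643 section 4.1 (compared case-insensitively,
# as SCIM attribute names are).
CORE_ATTRIBUTES = {name.lower() for name in (
    "schemas", "id", "externalId", "meta", "userName", "name", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage", "locale",
    "timezone", "active", "password", "emails", "phoneNumbers", "ims", "photos",
    "addresses", "groups", "entitlements", "roles", "x509Certificates")}
# Extension attributes live under their schema URN and must declare it in "schemas".
EXTENSION_ATTRIBUTES = {
    ENTERPRISE_USER: {name.lower() for name in (
        "employeeNumber", "costCenter", "organization", "division", "department", "manager")},
}
# readOnly attributes are assigned by the service provider, never by the client.
SERVER_ASSIGNED = {"id", "meta", "groups"}


def validate_user_create(resource: dict) -> list:
    """Return a list of problems with a POST /Users body; empty means acceptable."""
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        problems.append(f"schemas must be a list containing {CORE_USER}")
        schemas = schemas if isinstance(schemas, list) else []
    if not str(resource.get("userName", "")).strip():
        problems.append("userName is required")
    for key, value in resource.items():
        lowered = key.lower()
        if lowered in SERVER_ASSIGNED:
            problems.append(f"{key} is readOnly and must not be set by the client")
        elif lowered in CORE_ATTRIBUTES:
            continue
        elif key in EXTENSION_ATTRIBUTES:
            if key not in schemas:
                problems.append(f"extension {key} used but not listed in schemas")
            if not isinstance(value, dict):
                problems.append(f"extension {key} must be an object")
            else:
                unknown = [k for k in value if k.lower() not in EXTENSION_ATTRIBUTES[key]]
                problems.extend(f"unknown attribute {key}:{k}" for k in unknown)
        else:
            problems.append(f"unknown attribute {key}")
    for email in resource.get("emails", []) or []:
        if not isinstance(email, dict) or not email.get("value"):
            problems.append("each entry in emails needs a value")
    return problems


def scim_error(status: int, detail: str, scim_type: str = None) -> dict:
    """Error response body per RFC 7644 section 3.12."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


def handle_create(resource: dict) -> tuple:
    """Service-provider gate for a create request: (HTTP status, response body)."""
    problems = validate_user_create(resource)
    if problems:
        return 400, scim_error(400, "; ".join(problems), "invalidValue")
    # A real provider would persist the user and fill id/meta itself; the id here is constructed.
    return 201, {**resource, "id": "constructed-id-0001", "meta": {"resourceType": "User"}}


# Constructed payloads.
VALID_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    ENTERPRISE_USER: {"employeeNumber": "E-1042", "department": "Security"},
}
INVALID_USER = {
    "schemas": [CORE_USER],
    "id": "client-chosen-id",
    ENTERPRISE_USER: {"employeeNumber": "E-1042"},
}
```

Rejecting unknown attributes, rather than silently dropping them, is the behaviour that surfaces misconfigured provisioning connectors early; RFC 7643 allows a provider to ignore unknown attributes, so a lenient deployment would log the problem instead of returning 400.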

Page 20: Open Standards in Identity Management

The Evolution of Provisioning Standards

Page 21: Open Standards in Identity Management

XACML (eXtensible Access Control Markup Language)

● An OASIS standard for fine-grained access control.
● Components
  ○ Architecture (PAP, PDP, PEP, PIP)
  ○ Request-Response protocol
  ○ Policy language (XML-based)
● JSON profile for XACML 3.0 (GSoC 2016 - open source implementation)
● REST API for XACML (GSoC 2016 - open source implementation)
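To make the request-response protocol and the PEP/PDP split concrete, the following added example (not code from the slides or from the WSO2/GSoC XACML work) implements a toy policy decision point that takes a request laid out as in the XACML JSON Profile (category shorthand `AccessSubject`, `Resource`, `Action`, each holding an `Attribute` array) and returns a `Response` with one `Decision`. The policy is a simplified dict standing in for XACML's XML policy language, combined deny-overrides; the attribute values are constructed, while the attribute identifiers are the standard XACML URNs.

```python
"""A toy XACML policy decision point (PDP) fed by JSON-profile requests.

Added example, not code from the slides or from the WSO2/GSoC XACML work.
The request and response follow the layout of the XACML JSON Profile
(category shorthand AccessSubject / Resource / Action, each holding an
Attribute array; the decision comes back under Response). The policy
below is a simplified dict, not XACML's XML policy language, and the
attribute values are constructed.
"""
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Simplified rule set, combined deny-overrides: a rule applies when, for every
# category it names, the request carries at least one listed value for each attribute.
POLICY = {
    "rules": [
        {"id": "doctors-read-records", "effect": "Permit",
         "target": {"AccessSubject": {SUBJECT_ROLE: ["doctor"]},
                    "Resource": {RESOURCE_ID: ["medical-record"]},
                    "Action": {ACTION_ID: ["read"]}}},
        {"id": "nobody-deletes-records", "effect": "Deny",
         "target": {"Resource": {RESOURCE_ID: ["medical-record"]},
                    "Action": {ACTION_ID: ["delete"]}}},
    ],
}


def request_attributes(request: dict) -> dict:
    """Flatten a JSON-profile request into {category: {AttributeId: set(values)}}."""
    flat = {}
    for category, body in request.get("Request", {}).items():
        attrs = {}
        for attribute in body.get("Attribute", []):
            value = attribute["Value"]
            values = value if isinstance(value, list) else [value]
            attrs.setdefault(attribute["AttributeId"], set()).update(str(v) for v in values)
        flat[category] = attrs
    return flat


def rule_applies(rule: dict, flat: dict) -> bool:
    """A rule's target matches when every named attribute shares a value with the request."""
    for category, wanted in rule["target"].items():
        present = flat.get(category, {})
        for attribute_id, allowed in wanted.items():
            if not present.get(attribute_id, set()) & set(allowed):
                return False
    return True


def evaluate(policy: dict, request: dict) -> dict:
    """PDP entry point: returns a JSON-profile response with one Decision."""
    flat = request_attributes(request)
    effects = [r["effect"] for r in policy["rules"] if rule_applies(r, flat)]
    if "Deny" in effects:
        decision = "Deny"        # deny-overrides: any applicable Deny wins
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return {"Response": [{"Decision": decision}]}


def pep_allows(policy: dict, request: dict) -> bool:
    """PEP side: only an explicit Permit grants access; anything else is refused."""
    return evaluate(policy, request)["Response"][0]["Decision"] == "Permit"


def make_request(role: str, resource: str, action: str) -> dict:
    """Build a JSON-profile request for the constructed scenario."""
    return {"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ROLE, "Value": role}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
    }}
```

The point of `pep_allows` is that the enforcement point treats `NotApplicable` (and, in a full implementation, `Indeterminate`) the same as `Deny`: access is granted only on an explicit Permit, so a policy gap fails closed.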

Page 22: Open Standards in Identity Management

XACML (eXtensible Access Control Markup Language)

Page 23: Open Standards in Identity Management

Contact us!