Could I Manage My Own Data. Please?

• Business Trends & Technical Solutions
• Distributed Business (Decentralisation)
• Mobility & Automation
• Delegation
• Why UMA?
• Use-cases
• UMA overview
• Current status & more information
• No tokens were harmed during the making of these slides!

ORG A ORG ORG B

• Examples
• Extended organisations
• Supply Chain
• Distribution Channel
• Outsourcing Partners
• SaaS
• Challenges
• Identity not resident with apps
• Secure identity transport
• Trust

Org A
(IdP)
Authenticate
Assert
Org B
(SP)
Honourable mentions
• ID-FF
• Shibboleth
• WS-Federation
✓
Identity Federation
(Cross-domain SSO)
✗
Non-browser clients
Ease of implementation

ORG A ORG B

• Examples
• Mobile (devices, “Things”)
• Data monetization
• Challenges
• Authorization of ‘Client’
• Persistance
• Trust

Org A
(AS)
Validate Token
Org B
(RS)
Get Token (AT +/ RT)
Request Access
Honourable mentions
• SAML ECP
• WS-Trust
✓
Client security & identity (Client != User)
✗
Identity Transport

Validation +/ Userinfo
Org A
(OP)
AuthN/Z
Token & Claims
Token & Claims
Org B
(RP)

OIDC
OAuth

SAML OIDC

ORG A ORG B ORG C

Res.
Res.
Res.
Res.
PEP
PEP
PEP
PEP
PDP
Res.
Res.
Res.
Res.
PE
P PE
P PE
P
PEP
New Profiles
• ALFA
• JSON/REST
✓
Attributed-based & App-External
✗
Cross-domain? Service Registration?

Control
Access

• Electronic Healthcare Records
• Alice grants selective access to GP, Insurance Company, Relatives
• Financial Services
• Grant limited access to financial records to accountant; loan providers etc.
• Enterprise Applications
• Centralised control across multiple applications; individuals can control their own data
• IoT
• Alice grants Bob access to the Garden; Jim access to the House
• Facilities Management; Industrial & Engineering Applications
• See more examples

• User control / ownership
• Third party access
• Centralised control for multiple services
• Persistence
• (Security)
• Cross-domain Access Control

• OpenID Connect (practically)
• Secure identity transport
• Trust
• XACML (notionally)
• ABAC
• Externalised access control

• U ser M anaged A ccess
• A profile of OAuth
• “UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers , and where a centralized authorization server governs access based on resource owner policy .”

I want to share this stuff selectively
• Among my own apps
• With family and friends
• With organizations
I want to protect this stuff from being seen by everyone in the world
I want to control access proactively, not just feel forced to consent over and over

Outsources protection to a centralized “digital footprint control console”
Standardized APIs for privacy and “selective sharing”

Resource owner choose resources to protect
– out of band set policies
– out of band
1. RS registers resource sets and scopes
(ongoing)
2. C requests resource
3. RS registers permission
4. AS returns permission ticket
5. RS error with ticket
6. C requests authz data and RPT with ticket
7. AS gives RPT and authz data (after optional claim flows)
8. C requests resource with RPT
9. RS returns resource representation
PAT AAT
RO
RPT
RqP RqP
Authorization server server
Client Client
PAT
Protection
API
4
1
PAT
3
PAT
Protection client
UI
Authorization server
Authorization
API
AAT
7
RPT
UI
Resource server
RS-specific
API
5
9
AAT
Resource server
RPT
2
8
RS-specific client
6
AuthZ client
Client
UI
Requesting party

• UMA v0.9 public review
• Core, Resource Set Registration & Claim Profiles
• Completed: 06 September 2014
• Interop in progress
• Next steps
• Core & Resource Reg: H1/15
• Claim Profiles & Binding Obligations(?): H2/15
• IETF

• Known implementations
• Gluu
• CloudIdentity
• OpenUMA (ForgeRock)
• Implementations List (Kantara)
• More info
• UMA WG Home (Kantara)
• New Venn of Access Control (Maler)

• Standards
• OAuth, OpenID Connect: start now
• Infrastructure
•
• Avoid vendor lock-in – ensure vendors can support upcoming standards quickly
Avoid rip & replace – it’s unnecessary. There are good solutions that will overlay what you have to add what you need
• Do not trust to home-grown implementations; this is too easy to get wrong (and way too important)
• Participate in the WG
• Security is not all about security
• Security drives improved user experience drives better business

Questions?
@andrewhindle linkedin.com/in/ahindle