NYC Identity Summit Tech Day: Authorization for the Modern World

Posted on 11-Jan-2017


Transcript of NYC Identity Summit Tech Day: Authorization for the Modern World

© 2016 ForgeRock. All rights reserved.

AUTHORIZATION FOR THE MODERN WORLD

I AM AUTHENTICATED!

NOW… WHAT IS IT THAT I CAN DO?


VÍCTOR AKÉ, CO-FOUNDER & VP CUSTOMER INNOVATION, FORGEROCK, victor.ake@forgerock.com


REQUIREMENTS FOR THE DIGITAL ERA

UNIFIED IDENTITY: BEING IN CONTROL OF ACCOUNT, DATA AND ACCESS REGARDLESS OF ITS SOURCE

UNIFIED FLOWS: ABILITY TO AUTHENTICATE AND AUTHORIZE RELIABLY FOR ANY IDENTITY

UNIFIED ARCHITECTURE: KNOW YOU CAN TRUST AN IDENTITY WITHOUT BEING AWARE OF THE PROTOCOL


AUTHENTICATION

[Diagram: an AuthenticationService built from a chain of modules (Module, Module, Module, CustomModule) backed by EXTERNAL CRED STORES; labels: CONTEXTUAL, ADAPTIVE, STRENGTHS / MULTIFACTOR, EXTENSIBLE, FRICTIONLESS, STEP UP, ANY IDENTITY PLUG-IN, SCRIPTABLE]


AUTHENTICATION FOR MODERN AND LEGACY SYSTEMS

§ 24+ OUT-OF-BOX MODULES INCLUDING DEVICE ID, OTP, ADAPTIVE RISK, GOOGLE, FACEBOOK, MS

§ AUTHENTICATION METHODS CAN BE CHAINED TOGETHER FOR ENFORCING DIFFERENT LEVELS OR STRENGTH OF SECURITY

§ SCRIPTED AUTHN MODULES EXTEND FUNCTIONALITY ON CLIENT SIDE AND SERVER SIDE USING GROOVY AND JAVASCRIPT

[Screenshot: "Create New Authentication Chain" with the modules SAML2 Authentication, Adaptive Risk / Device ID, ForgeRock Mobile Authenticator and Save Device Profile]


ADAPTIVE RISK ENABLES BETTER USER EXPERIENCE

§ THE ADAPTIVE RISK MODULE ASSESSES THE RISK BASED ON PRE-CONFIGURED PARAMETERS

§ OVER 20 PARAMETERS, INCLUDING IP ADDRESS, IP HISTORY, COOKIE VALUE, LOGIN HISTORY, GEO-LOCATION, ETC.

§ RISK SCORES ABOVE THE RISK THRESHOLD REQUIRE ADDITIONAL STRONGER AUTHENTICATION

§ CAN BE USED IN AUTHENTICATION CHAIN OR FOR STEP-UP RE-AUTHENTICATION

[Figure: RISK SCORE gauge showing 94]


FORGEROCK AUTHENTICATOR

§ MULTI-FACTOR AUTHENTICATION WITH ONE-TIME PASSWORDS CAN BE DELIVERED VIA MAIL, SMS OR USING THE FORGEROCK MOBILE AUTHENTICATOR APP FOR IOS AND ANDROID

§ CONTEXT USING ADAPTIVE AUTHN AND DEVICE ID CAN ADD ADDITIONAL LEVEL OF ASSURANCE

§ THIRD PARTY OPTIONS FOR SMART CARDS, BIOMETRICS, MOBILE PHONE AS A TOKEN, ETC.

[Screenshot: One Time Password 585026]


AUTHORIZATION


AUTHORIZATION TERMINOLOGY

[Diagram: the CLIENT reaches the PROTECTED RESOURCE through the PEP, which asks the PDP for a decision; the PDP consults the PIP and the PRP, and the ADMIN manages policies through the PAP]

PEP – POLICY ENFORCEMENT POINT

PDP – POLICY DECISION POINT

PIP – POLICY INFORMATION POINT

PRP – POLICY RETRIEVAL POINT

PAP – POLICY ADMINISTRATION POINT


RBAC - ROLE BASED ACCESS CONTROL

[Diagram: Roles (Role A, Role B, Role C) each mapped to a set of Permissions]

§ MODEL WIDELY USED IN THE ENTERPRISE

§ HEAVY ARCHITECTING WORK TO DEFINE ROLES AND PERMISSIONS

§ NOT VERY AGILE WHEN IT COMES TO CONTEXTUAL AUTHORIZATION

§ EASY TO AUDIT

§ EASY TO ADMINISTER


ABAC - ATTRIBUTE BASED ACCESS CONTROL

[Diagram: attributes (A) supplied by the PIP are fed into Policies evaluated by the AuthorizationEngine]

§ MODEL ADOPTED FOR ENTERPRISE AND CUSTOMER FACING APPS

§ CONTEXT AWARE USING ENVIRONMENTAL ATTRIBUTES

§ RULES EVALUATED IN REAL TIME BY THE AUTHORIZATION ENGINE

§ FINE GRAINED ACCESS CONTROL

§ MORE AGILE

§ REQUIRES BETTER ADMINISTRATION

§ ROLE NAMES MIGHT BE SEEN AS ATTRIBUTES

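To make the RBAC/ABAC contrast concrete, here is an added example that is not ForgeRock code: a tiny policy decision point (PDP, in the terminology of the earlier slide) answers the same request twice, once from a static role-to-permission table and once from attribute policies that also consult the environment, so a role is just one more subject attribute. The subjects, the resource, the environment values and the policies are constructed for the example; the attribute dictionaries stand in for what a PIP would supply.

```python
"""Added example (not ForgeRock code): the same access request answered by
RBAC (roles -> permissions) and by ABAC (policies over subject, resource and
environment attributes) in a tiny PDP. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attributes = Dict[str, object]

# --- RBAC: static role -> permissions table (constructed) -----------------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Manager": {"room:read", "room:book", "room:cancel"},
    "Employee": {"room:read", "room:book"},
    "Visitor": {"room:read"},
}


def rbac_decision(subject: Attributes, action: str) -> bool:
    """Only the subject's roles matter; time, network and resource are ignored."""
    roles = subject.get("roles", [])
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: policies evaluated at request time by the authorization engine --
@dataclass
class Policy:
    name: str
    resource_prefix: str                                    # e.g. "room://"
    actions: Set[str]
    condition: Callable[[Attributes, Attributes, Attributes], bool]
    response_attributes: Callable[[Attributes], Dict[str, str]]


POLICIES: List[Policy] = [
    # The role name is just another subject attribute here.
    Policy("managers-any-time", "room://", {"room:read", "room:book", "room:cancel"},
           lambda s, r, e: "Manager" in s.get("roles", []),
           lambda s: {"displayName": s.get("givenName", "")}),
    # Environmental attributes (hour, network) make this policy context aware.
    Policy("employees-office-hours", "room://", {"room:read", "room:book"},
           lambda s, r, e: "Employee" in s.get("roles", [])
           and r.get("building") == s.get("building")
           and 8 <= e.get("hour", -1) < 18
           and e.get("network") == "corporate",
           lambda s: {"displayName": s.get("givenName", "")}),
    Policy("anyone-read", "room://", {"room:read"},
           lambda s, r, e: True,
           lambda s: {}),
]


def abac_decision(subject: Attributes, resource: Attributes, action: str,
                  environment: Attributes) -> Dict[str, object]:
    """First matching policy permits; no match means deny (default-deny)."""
    for policy in POLICIES:
        if (str(resource.get("id", "")).startswith(policy.resource_prefix)
                and action in policy.actions
                and policy.condition(subject, resource, environment)):
            return {"decision": "permit", "policy": policy.name,
                    "attributes": policy.response_attributes(subject)}
    return {"decision": "deny", "policy": None, "attributes": {}}


# Constructed subjects, resource and environments (what a PIP would supply)
MANAGER = {"sub": "victor.ake@forgerock.com", "roles": ["Manager"], "givenName": "Victor", "building": "HQ"}
EMPLOYEE = {"sub": "alice@example.com", "roles": ["Employee"], "givenName": "Alice", "building": "HQ"}
VISITOR = {"sub": "guest@example.com", "roles": ["Visitor"], "givenName": "Guest", "building": "Lobby"}
ROOM_1 = {"id": "room://1", "building": "HQ"}
OFFICE_HOURS = {"hour": 10, "network": "corporate"}
LATE_NIGHT = {"hour": 22, "network": "home"}

if __name__ == "__main__":
    for env in (OFFICE_HOURS, LATE_NIGHT):
        print("RBAC employee book:", rbac_decision(EMPLOYEE, "room:book"),
              "| ABAC:", abac_decision(EMPLOYEE, ROOM_1, "room:book", env))
```

Run it and the employee's booking request is permitted by RBAC in both environments but only permitted by ABAC during office hours from the corporate network; the response attributes returned by the winning policy are the hook for the "response attributes" box on the later authorization-service slide.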


IDENTITY RELATIONSHIPS

[Diagram: identity relationship graph with labelled edges such as "Located at"]

§ RELATIONSHIPS CONVEY AUTHORIZATION INFORMATION

§ CAN BE USED TO FEED A POLICY ENGINE TOGETHER WITH ATTRIBUTES


AUTHORIZATION SERVICE

[Diagram: an AuthorizationService evaluating Resource, Subject and Environment and returning Response Attributes; labels: CONTEXTUAL, ABAC / RELATIONSHIPS, RBAC, EXTENSIBLE, FRICTIONLESS, ANY IDENTITY (Directory, 3rd Party), Scripted]


OAUTH2/OIDC

[Diagram: actors RESOURCE OWNER, CLIENT, AUTHORIZATION SERVER (OAUTH2/OPENID CONNECT SERVER) and RESOURCE SERVER; messages AUTHORIZATION REQUEST, CONSENT, ACCESS TOKEN REQUEST and RESOURCE REQUEST]


API PROTECTION – UMA (USER MANAGED ACCESS)

[Diagram: actors RESOURCE OWNER, REQUESTING PARTY, CLIENT, AUTHORIZATION SERVER (OAUTH2/OPENID CONNECT/UMA SERVER) and RESOURCE SERVER; the resource owner gives FINE GRAINED CONSENT]


API PROTECTION

§ TOKEN BASED AUTHORIZATION

§ API INSPECTS THE REQUESTS AND LOOKS FOR A VALID AUTHORIZATION TOKEN

§ USE STANDARDS

§ OAUTH 2.0

§ OPENID CONNECT

§ JWT

[Diagram: the client's Request / Access to the API passes through an AUTHORIZATION LAYER]


JSON WEB TOKEN (JWT)

JSON WEB TOKEN (JWT) IS A MEANS OF REPRESENTING CLAIMS TO BE TRANSFERRED BETWEEN TWO PARTIES. THE CLAIMS IN A JWT ARE ENCODED AS A JSON OBJECT THAT IS DIGITALLY SIGNED USING JSON WEB SIGNATURE (JWS) AND/OR ENCRYPTED USING JSON WEB ENCRYPTION (JWE).

AS DEFINED BY THE OPENID FOUNDATION


HOW DO WE ENFORCE AUTHENTICATION AND AUTHORIZATION?


POLICY AGENTS


OPENAM POLICY AGENTS: FOR APPLICATIONS THAT CAN CONSUME HTTP HEADERS

[Diagram: a policy agent in front of the WEB APPLICATION passes identity information as HTTP HEADERS]


POLICY AGENTS

POLICY AGENT + REVERSE PROXY

OPENAM POLICY AGENTS: FOR APPLICATIONS THAT CAN CONSUME HTTP HEADERS

[Diagram: a policy agent on a reverse proxy in front of the WEB APPLICATION passes identity information as HTTP HEADERS]


OPEN IDENTITY GATEWAY

OPENIG (OPEN IDENTITY GATEWAY): FOR APPLICATIONS THAT CANNOT CONSUME HTTP HEADERS, TO PROTECT APIS AND INTEGRATE USING OAUTH2/OIDC/SAML2 & UMA

[Diagram: OpenIG in front of the WEB APPLICATION; labels: REPLAY CREDENTIALS, PROTECT APIs USING OAUTH2/OIDC & UMA, SAML2 RELYING PARTY]


PROGRAMMATICALLY USING REST

REST/OAUTH2/OPENID CONNECT/UMA: DEVELOPER FRIENDLY INTEGRATION FOR NEW APPLICATIONS

[Diagram: the WEB APPLICATION integrates directly over REST/OAUTH/OIDC/UMA]


DEMO

ROOMS APPLICATION

JWT IN ACCESS CARD

[Diagram: the AUTHORIZATION SERVICE evaluates RESOURCE, SUBJECT and ENV and returns RESPONSE ATTRIBUTES for resources matching room://*]

Check OIDC/JWT claims: iss, Role & audience

JWT Verifier script: validate signature.

JWT Verifier script: extract claims and add them to the response.

JWT Token with claims:
iss: idp123
audience: openam1.example.com
sub: victor.ake@forgerock.com
Role: Manager
GivenName: Victor
Surname: Ake

[Diagram: exchange between the client, the identity provider and the authorization service]
"Get me your JWT Token"
"I want to use room://1. Here is my JWT Token"
"Here is what subject can do in room://1"
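The demo's flow, as an added example that is not the demo's validator or OpenAM's scripting code: the API-protection layer described a few slides earlier pulls the bearer token from the request, the verifier validates the JWS signature, then checks iss, audience and Role, and the claims come back as response attributes together with what the subject may do in room://1. Assumptions made here: HS256 over a constructed shared secret (the demo's actual algorithm and keys are not on the page), the standard `aud` claim name for the slide's "audience", a constructed Role-to-action mapping for room://*, and a constructed `exp` claim. `mint_token` exists only to build the sample token; in the demo the external IdP issues it.

```python
"""Added example (not OpenAM/ForgeRock demo code): bearer-token extraction,
JWS (HS256) signature check, iss/aud/exp/Role checks and response attributes.
Secret, key names and Role-to-action mapping are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret"   # assumption: HS256 shared key
EXPECTED_ISSUER = "idp123"                    # iss value from the demo slide
EXPECTED_AUDIENCE = "openam1.example.com"     # audience value from the demo slide
ROLE_ACTIONS = {                              # constructed mapping for room://*
    "Manager": ["read", "book", "cancel"],
    "Employee": ["read", "book"],
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Builds the sample token; in the demo the external IdP does this."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def bearer_token(headers: dict) -> Optional[str]:
    """The API layer inspects the request for an Authorization: Bearer token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def verify_jwt(token: str, secret: bytes = SHARED_SECRET, now: Optional[int] = None) -> dict:
    """Validate the signature first, then iss / aud / exp; ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if "exp" in claims and (now if now is not None else int(time.time())) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def authorize_room(headers: dict, resource: str, now: Optional[int] = None) -> dict:
    """Decision for room://* plus the claims extracted as response attributes."""
    token = bearer_token(headers)
    if token is None or not resource.startswith("room://"):
        return {"decision": "deny", "actions": [], "attributes": {}}
    try:
        claims = verify_jwt(token, now=now)
    except ValueError as err:
        return {"decision": "deny", "reason": str(err), "actions": [], "attributes": {}}
    actions = ROLE_ACTIONS.get(claims.get("Role"), [])
    attrs = {k: claims[k] for k in ("sub", "Role", "GivenName", "Surname") if k in claims}
    return {"decision": "permit" if actions else "deny", "actions": actions, "attributes": attrs}


# Constructed sample token carrying the claims shown on the demo slide
DEMO_CLAIMS = {"iss": "idp123", "aud": "openam1.example.com", "sub": "victor.ake@forgerock.com",
               "Role": "Manager", "GivenName": "Victor", "Surname": "Ake", "exp": 2_000_000_000}
DEMO_TOKEN = mint_token(DEMO_CLAIMS)

if __name__ == "__main__":
    print(authorize_room({"Authorization": f"Bearer {DEMO_TOKEN}"}, "room://1"))
```

The order of checks matters for the defender: the signature is verified before any claim is read, the `alg` header is pinned so a token declaring `none` or another algorithm is rejected outright, and `hmac.compare_digest` avoids leaking the comparison through timing. A token signed by a different key, issued by a different IdP, or past its expiry is denied with a reason string that can go straight into the authorization audit log.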



Forgerock.com

blog.forgerock.com

THANK YOU FOR THE FISH! CREDITS and THANKS to: Simon Moffatt (simon.moffatt@forgerock.com) for the JWT token validator and the whole idea for this demo:

https://forgerock.org/2016/05/federated-authorization-using-3rd-party-jwts/

Some Icons used in this presentation: Icon made by Freepik from www.flaticon.com

VÍCTOR AKÉ, CO-FOUNDER & VP CUSTOMER INNOVATION, FORGEROCK, victor.ake@forgerock.com