NYC Identity Summit Tech Day: Authorization for the Modern World


Transcript of NYC Identity Summit Tech Day: Authorization for the Modern World

Page 1: NYC Identity Summit Tech Day: Authorization for the Modern World

© 2016 ForgeRock. All rights reserved.

AUTHORIZATION FOR THE MODERN WORLD

I AM AUTHENTICATED!

NOW… WHAT IS IT THAT I CAN DO?

VÍCTOR AKÉ, CO-FOUNDER & VP CUSTOMER INNOVATION, FORGEROCK, [email protected]

Page 2: NYC Identity Summit Tech Day: Authorization for the Modern World


REQUIREMENTS FOR THE DIGITAL ERA

UNIFIED IDENTITY: BEING IN CONTROL OF ACCOUNT, DATA AND ACCESS REGARDLESS OF ITS SOURCE

UNIFIED FLOWS: ABILITY TO AUTHENTICATE AND AUTHORIZE RELIABLY FOR ANY IDENTITY

UNIFIED ARCHITECTURE: KNOW YOU CAN TRUST AN IDENTITY WITHOUT BEING AWARE OF THE PROTOCOL

Page 3: NYC Identity Summit Tech Day: Authorization for the Modern World


AUTHENTICATION

[Diagram: the Authentication Service, built from chained modules (Module, Module, Module, Custom Module) backed by external credential stores; labels: CONTEXTUAL, ADAPTIVE, STRENGTHS / MULTIFACTOR, EXTENSIBLE, FRICTIONLESS, STEP UP, ANY IDENTITY / PLUG-IN, SCRIPTABLE, EXTERNAL CRED STORES.]

Page 4: NYC Identity Summit Tech Day: Authorization for the Modern World


AUTHENTICATION FOR MODERN AND LEGACY SYSTEMS

§ 24+ OUT-OF-BOX MODULES INCLUDING DEVICE ID, OTP, ADAPTIVE RISK, GOOGLE, FACEBOOK, MS

§ AUTHENTICATION METHODS CAN BE CHAINED TOGETHER FOR ENFORCING DIFFERENT LEVELS OR STRENGTH OF SECURITY

§ SCRIPTED AUTHN MODULES EXTEND FUNCTIONALITY ON CLIENT SIDE AND SERVER SIDE USING GROOVY AND JAVASCRIPT

[Screenshot: the "Create New Authentication Chain" dialog, with the modules SAML2 Authentication, Adaptive Risk / Device ID, ForgeRock Mobile Authenticator and Save Device Profile.]

Page 5: NYC Identity Summit Tech Day: Authorization for the Modern World


ADAPTIVE RISK ENABLES BETTER USER EXPERIENCE

§ THE ADAPTIVE RISK MODULE ASSESSES THE RISK BASED ON PRE-CONFIGURED PARAMETERS

§ OVER 20 PARAMETERS, INCLUDING IP ADDRESS, IP HISTORY, COOKIE VALUE, LOGIN HISTORY, GEO-LOCATION, ETC.

§ RISK SCORES ABOVE THE RISK THRESHOLD REQUIRE ADDITIONAL STRONGER AUTHENTICATION

§ CAN BE USED IN AUTHENTICATION CHAIN OR FOR STEP-UP RE-AUTHENTICATION

[Graphic: RISK SCORE gauge reading 94.]

Page 6: NYC Identity Summit Tech Day: Authorization for the Modern World


FORGEROCK AUTHENTICATOR

§ MULTI-FACTOR AUTHENTICATION WITH ONE-TIME PASSWORDS CAN BE DELIVERED VIA MAIL, SMS OR USING THE FORGEROCK MOBILE AUTHENTICATOR APP FOR IOS AND ANDROID

§ CONTEXT USING ADAPTIVE AUTHN AND DEVICE ID CAN ADD ADDITIONAL LEVEL OF ASSURANCE

§ THIRD PARTY OPTIONS FOR SMART CARDS, BIOMETRICS, MOBILE PHONE AS A TOKEN, ETC.

[Screenshot: One Time Password 585026.]

Page 7: NYC Identity Summit Tech Day: Authorization for the Modern World


AUTHORIZATION

Page 8: NYC Identity Summit Tech Day: Authorization for the Modern World


AUTHORIZATION TERMINOLOGY

§ PEP – POLICY ENFORCEMENT POINT

§ PDP – POLICY DECISION POINT

§ PIP – POLICY INFORMATION POINT

§ PRP – POLICY RETRIEVAL POINT

§ PAP – POLICY ADMINISTRATION POINT

[Diagram: the CLIENT reaches the PROTECTED RESOURCE through the PEP, which asks the PDP for a decision; the PDP draws on the PIP and the PRP; the ADMIN manages policies through the PAP.]

Page 9: NYC Identity Summit Tech Day: Authorization for the Modern World


RBAC - ROLE BASED ACCESS CONTROL

[Diagram: Roles (Role A, Role B, Role C), each mapped to a set of Permissions (P).]

§ MODEL WIDELY USED IN THE ENTERPRISE

§ HEAVY ARCHITECTING WORK TO DEFINE ROLES AND PERMISSIONS

§ NOT VERY AGILE WHEN IT COMES TO CONTEXTUAL AUTHORIZATION

§ EASY TO AUDIT

§ EASY TO ADMINISTER

Page 10: NYC Identity Summit Tech Day: Authorization for the Modern World


ABAC - ATTRIBUTE BASED ACCESS CONTROL

[Diagram: Attributes (A) supplied by a PIP feed the Authorization Engine, which evaluates Policies.]

§ MODEL ADOPTED FOR ENTERPRISE AND CUSTOMER FACING APPS

§ CONTEXT AWARE USING ENVIRONMENTAL ATTRIBUTES

§ RULES EVALUATED IN REAL TIME BY THE AUTHORIZATION ENGINE

§ FINE GRAINED ACCESS CONTROL

§ MORE AGILE

§ REQUIRES BETTER ADMINISTRATION

§ ROLE NAMES MIGHT BE SEEN AS ATTRIBUTES

Page 11: NYC Identity Summit Tech Day: Authorization for the Modern World


IDENTITY RELATIONSHIPS

[Diagram: relationship graph between identities and resources, with edges such as "Located at".]

§ RELATIONSHIPS CONVEY AUTHORIZATION INFORMATION

§ CAN BE USED TO FEED A POLICY ENGINE TOGETHER WITH ATTRIBUTES

Page 12: NYC Identity Summit Tech Day: Authorization for the Modern World


AUTHORIZATION SERVICE

[Diagram: the Authorization Service evaluating Resource, Subject, Environment and Response Attributes, fed from Directory and 3rd Party sources; labels: CONTEXTUAL, ABAC / RELATIONSHIPS, RBAC, EXTENSIBLE, FRICTIONLESS, ANY IDENTITY, Scripted.]

Page 13: NYC Identity Summit Tech Day: Authorization for the Modern World


OAUTH2/OIDC

[Diagram: the CLIENT sends an AUTHORIZATION REQUEST to the AUTHORIZATION SERVER (OAUTH2/OPENID CONNECT SERVER); the RESOURCE OWNER gives CONSENT; the CLIENT then makes an ACCESS TOKEN REQUEST and presents the token in a RESOURCE REQUEST to the RESOURCE SERVER.]

Page 14: NYC Identity Summit Tech Day: Authorization for the Modern World


API PROTECTION – UMA (USER MANAGED ACCESS)

[Diagram: as in the OAuth2 flow, but with an OAUTH2/OPENID CONNECT/UMA SERVER as AUTHORIZATION SERVER; the RESOURCE OWNER grants FINE GRAINED CONSENT to a separate REQUESTING PARTY, whose CLIENT then accesses the RESOURCE SERVER.]

Page 15: NYC Identity Summit Tech Day: Authorization for the Modern World


API PROTECTION

§ TOKEN BASED AUTHORIZATION

§ API INSPECTS THE REQUESTS AND LOOKS FOR A VALID AUTHORIZATION TOKEN

§ USE STANDARDS: OAUTH 2.0, OPENID CONNECT, JWT

[Diagram: a Request Access call passes through an AUTHORIZATION LAYER in front of the API.]

Page 16: NYC Identity Summit Tech Day: Authorization for the Modern World


JSON WEB TOKEN (JWT)

JSON WEB TOKEN (JWT) IS A MEANS OF REPRESENTING CLAIMS TO BE TRANSFERRED BETWEEN TWO PARTIES. THE CLAIMS IN A JWT ARE ENCODED AS A JSON OBJECT THAT IS DIGITALLY SIGNED USING JSON WEB SIGNATURE (JWS) AND/OR ENCRYPTED USING JSON WEB ENCRYPTION (JWE).

AS DEFINED BY THE OPENID FOUNDATION

Page 17: NYC Identity Summit Tech Day: Authorization for the Modern World


HOW DO WE ENFORCE AUTHENTICATION AND AUTHORIZATION?

Page 18: NYC Identity Summit Tech Day: Authorization for the Modern World


POLICY AGENTS

OPENAM POLICY AGENTS: FOR APPLICATIONS THAT CAN CONSUME HTTP HEADERS

[Diagram: the policy agent sits in front of the WEB APPLICATION and passes identity information to it as HTTP HEADERS.]

Page 19: NYC Identity Summit Tech Day: Authorization for the Modern World


POLICY AGENTS

POLICY AGENT + REVERSE PROXY: OPENAM POLICY AGENTS FOR APPLICATIONS THAT CAN CONSUME HTTP HEADERS

[Diagram: the policy agent runs on a reverse proxy in front of the WEB APPLICATION, which receives HTTP HEADERS.]

Page 20: NYC Identity Summit Tech Day: Authorization for the Modern World


OPEN IDENTITY GATEWAY

OPENIG (OPEN IDENTITY GATEWAY): FOR APPLICATIONS THAT CANNOT CONSUME HTTP HEADERS, TO PROTECT APIS AND INTEGRATE USING OAUTH2/OIDC/SAML2 & UMA

[Diagram: OpenIG in front of the WEB APPLICATION; functions: REPLAY CREDENTIALS, PROTECT APIs USING OAUTH2/OIDC & UMA, SAML2 RELYING PARTY.]

Page 21: NYC Identity Summit Tech Day: Authorization for the Modern World


PROGRAMMATICALLY USING REST

REST/OAUTH2/OPENID CONNECT/UMA: DEVELOPER FRIENDLY INTEGRATION FOR NEW APPLICATIONS

[Diagram: the WEB APPLICATION calls the platform directly over REST/OAUTH/OIDC/UMA.]

Page 22: NYC Identity Summit Tech Day: Authorization for the Modern World


DEMO

[Diagram: the ROOMS APPLICATION (JWT IN ACCESS CARD) calls the AUTHORIZATION SERVICE, which evaluates RESOURCE, SUBJECT, ENV and RESPONSE ATTRIBUTES for the resource pattern room://*.]

Policy: check OIDC/JWT claims: iss, Role & audience

JWT Verifier script: validate signature.

JWT Verifier script: extract claims and add them to the response.

JWT Token with claims: iss: idp123; audience: openam1.example.com; sub: [email protected]; Role: Manager; GivenName: Victor; Surname: Ake

Exchange shown: "Get me your JWT Token" → "I want to use room://1. Here is my JWT Token" → "Here is what the subject can do in room://1"
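The demo's verifier flow (validate the signature, check the iss, Role and audience claims, copy the claims into response attributes and decide for room://1), as an added Python example that is neither ForgeRock's script nor Simon Moffat's validator. It assumes an HS256 shared key in place of the IdP's real key, uses the slide's issuer idp123 and audience openam1.example.com, and assumes a policy that room://* requires the Manager role.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the demo set-up: issuer and audience come from the slide; the HS256 key and policy are assumptions.
DEMO_KEY = b"constructed-shared-secret-do-not-reuse"
EXPECTED_ISS = "idp123"
EXPECTED_AUD = "openam1.example.com"
POLICY = {"resource_prefix": "room://", "required_role": "Manager"}  # assumed room://* rule

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_jwt(claims, key=DEMO_KEY):
    """Issue an HS256 JWT, playing the role of the third-party IdP in the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token, key=DEMO_KEY, now=None):
    """Verifier step 1: check the signature, then the iss, aud and exp claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")  # RFC 7519 name for the slide's "audience" claim
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if "exp" in claims and (now if now is not None else int(time.time())) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def authorize(token, resource, now=None):
    """Verifier step 2: copy claims into response attributes and apply the room://* rule."""
    try:
        claims = verify_jwt(token, now=now)
    except ValueError as exc:  # binascii.Error from bad base64 is a ValueError subclass
        return {"allowed": False, "reason": str(exc), "attributes": {}}
    attrs = {k: claims[k] for k in ("sub", "Role", "GivenName", "Surname") if k in claims}
    allowed = resource.startswith(POLICY["resource_prefix"]) and attrs.get("Role") == POLICY["required_role"]
    return {"allowed": allowed, "reason": "policy room://*", "attributes": attrs}
```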

Page 23: NYC Identity Summit Tech Day: Authorization for the Modern World



Forgerock.com

Blog.forgeroclk.com

THANK YOU FOR THE FISH! CREDITS and THANKS to: Simon Moffat ([email protected]) for the JWT token validator and the whole idea for this demo:

https://forgerock.org/2016/05/federated-authorization-using-3rd-party-jwts/

Some Icons used in this presentation: Icon made by Freepik from www.flaticon.com

VÍCTOR AKÉ, CO-FOUNDER & VP CUSTOMER INNOVATION, FORGEROCK, [email protected]