based on three factor types:
➔ What the user knows, such as a password or PIN
➔ What the user has, such as a token or smart card
➔ What the user is (physically), such as a fingerprint or retina
Authorization: the granting of access rights to a user, program or process
Auditing: providing an audit trail of user actions
What are the three main processes of Security?
a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. https://www.oasis-open.org/ What is OASIS?
OASIS eXtensible Access Control Markup Language (XACML) TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
OASIS Web Services Secure Exchange (WS-SX) TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx
What is OASIS (Continued)?
Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information.
• Security Assertion Markup Language (SAML) includes XML-based assertions, protocols, bindings and profiles.
https://www.oasis-open.org/committees/download.php/13525/sstc-saml-exec-overview-2.0-cd-01-2col.pdf
What is SAML?
protected by an SP. The SP, requiring the identity of the requesting user, issues an authentication request to an IdP through the user agent.
What is an Identity Provider (IdP) and Service Provider (SP)?
a service that can issue, cancel, renew and validate security tokens, and specifies the format of security token request and response messages. What is Security Token Service (STS)?
language and an access control decision request/response language (both written in XML). The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc.
https://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html
What is XACML?
• PDP (Policy Decision Point) - Point which evaluates and issues authorization decisions
• PEP (Policy Enforcement Point) - Point which intercepts the user's access request to a resource and enforces the PDP's decision
• PIP (Policy Information Point) - Point which can provide external information to a PDP, such as LDAP attribute information
Actors involved with XACML?
Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs.
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
OAuth (Open Authorization)
An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
http://oauth.net/
or Message Format
➔ SAML deals with XML as the data construct or token format
➔ OAuth tokens can be binary, JSON or SAML, as explained in OAuth Bearer Tokens
Transport
➔ SAML has Bindings that use HTTP, but there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to send SAML tokens or messages
➔ OAuth uses HTTP exclusively
Scope
➔ SAML is typically used in Enterprise SSO scenarios - within an enterprise, enterprise to partner or enterprise to cloud scenarios
➔ OAuth has been designed for use with applications on the internet, primarily for delegated authorization of internet resources. OAuth is designed for Internet scale
v2 License)
• First-class support for CDI
• Secures your beans, view layer, bean methods, REST endpoints, Servlets etc.
• Simple API for managing Users, Roles, Groups
• Authenticate any way you want
• Permissions API for fine-grained authorization
• Federation – SAML, WS-Trust, OpenID, OAuth
• Social Login with Facebook, Twitter and Google+
web, mobile and REST applications
• KeyCloak is an OOTB server for:
➔ Authentication
➔ Authorization
➔ Centrally managing Application Users, Roles and Role Mapping
➔ Social Login
• KeyCloak is deployable as a war, appliance or on OpenShift
• KeyCloak project is part of the PicketLink family
following security features
➔ Authentication
➔ Authorization
➔ Management of Users, Roles and Groups
➔ Audit
➔ Social Login
➔ Single Sign On
What is the problem space?
in the keycloak-war-dist-all.zip
Step 1 Install the KeyCloak server on EAP
Step 2 Boot KeyCloak Server
Step 3 Import the demo Test Realm
Step 4 Build and Deploy Examples
Step 5 Login and observe Customer and Product Apps for SSO
Step 6 Try the OAuth2 example
KeyCloak Demo with OpenShift
Step 1 Sign up for an OpenShift account
Step 2 Login to OpenShift
Step 3 Click on add application
Step 4 Use Cartridge URL from doc and click next
Step 5 Enter application name and choose medium gear
Step 6 Make a note of the credentials for Wildfly
Step 7 Click continue to the application and change the Admin account
http://docs.jboss.org/keycloak/docs/1.0-beta-1/userguide/html/openshift.html
How do I use KeyCloak?
and JBoss EAP
➔ PicketLink versions and feature set may vary
• Getting Started Guide
➔ PicketLink Installer
➔ Maven Install - JBoss JDF BOM
• Large Number of Quickstarts
➔ Visit http://www.picketlink.org/ and click the Quickstarts button
Step 1 Install EAP
Step 2 Download and Install PicketLink Quickstarts
Step 3 Modify standalone.xml for security domain
Step 4 Start the Server
Step 5 Browse to the applications
for storing identities in:
➢ File System
➢ Database (JPA)
➢ LDAP
➔ Well-defined API for creating custom identity stores
➔ Powerful Query API
➔ Operations are via the IdentityManager interface
➢ @Inject IdentityManager into your beans
Picketlink - Identity Management
Users, Roles, Groups classes.
➔ Default Relationships
➢ Group Membership, Group Role and Application Role
• Custom Identity Classes
• Custom Relationships
• Provides flexibility for your project
scoped or
➢ Request (Stateless) scoped
• Authenticator can be app based or request based
➔ Support multiple auth mechanisms in one app (Password + OpenID)
• Support for various credential types provided.
• Driven by PicketLink IDM.
Picketlink - Authentication
(X509) and DIGEST styles
• Password Encoding
➔ Defaults to Salted Hash or BYO
• Mix and match Identity Stores
➔ Store Users in LDAP and Roles/Groups in DB
Picketlink - Other IDM features
➔ hasPermission methods
• Well-defined API
➔ PermissionVoter
➢ hasPermission check: returns VotingResult
➔ PermissionResolver
➢ Resolves a permission among voters
Picketlink - Permission API
party.
➔ Project CafeDwarf uses PL OpenID support.
• OAuth2 Support
➔ Build your authorization server, resource and token endpoints.
➔ Watch for more quickstarts/demo apps in the next few months