Overview of Securing the Perimeter: Deploying Identity and Access Management with Free Open Source Software


Today we want to share a literary find directly related to our subject area: Identity and Access Management.

At the moment the field is still quite closed, which creates problems for us, first of all in selecting highly qualified specialists, from the lead developer to the RP and the architect. Training such specialists when they come from another subject area takes a lot of time. No less a problem is the cautious attitude of many customers, who do not understand "why do we need all this" if there is a normal domain infrastructure. Although the author of the book guides the reader towards building an IAM infrastructure based on OSS and gives examples of specific solutions, the main value of the book, in our opinion, is that it systematizes the field and the classes of products designed to solve problems of identification, authentication and access management, and gives an accessible description of the open standards and technologies, collected in one place and laid out on shelves.

The book is recommended:

  • For architects and information security experts: read in full to form an understanding of IAM and existing OSS solutions.
  • For enterprise architects: the first chapter is enough to get a complete picture of products and capabilities.
  • For software and solution architects: read in full to form an idea of existing solutions, both traditional and modern, and to use the described approaches in practice.
  • For heads of IT and information security departments: the first chapter is enough to get a picture of the capabilities and tasks of IAM products.
  • - — , SAML OpenID Connect, , , .

Below we consider the chapters of the book and their contents.

Chapter 1. Domain: IDM, IAM, IAG, DS. IAM and DS as a starting point. Open Source and a little Gluu

This chapter discusses the functions and tasks of an enterprise-level Identification and Access Control Service (Identity Service) and compares the solutions and components that implement the functions of such a system: IDM (Identity Management), IAM (Identity and Access Management), IAG (Identity and Access Governance) and DS (Directory Services). A brief overview of the standards and technologies available in this area is given. The chapter is the foundation for forming a holistic picture.

In detail
(Identity Service), enterprise- . « ». , . :

  • (Identity Management, IDM).
  • (Identity & Access Management, IAM).
  • (Identity & Access Governance, IAG).
  • (Directory Services, DS).

(IDM) () . , , . IDM « » (Identity Lifecycle), — , , , .. IDM , , .

(IAM) « » . , IDM. IAM , , IAM . IDM IAM . , , (, IDM), (, IAM). , ( , ) , IAM IDM.

, , IAM. 90- , RADIUS. 90- PDP-PEP Pattern, Netegrity SiteMinder. 2000- SAML XACML, XML/SOAP- . OAuth-, RESTful/JSON-.

(IAG) , (IDM) (IAM). IAG , , . IAG «» - (, ) . « » - , IAG , , , (Segregation of Duties) .

, (Directory Services). - . , , , .

, . , IAG, IAM . , — « » ( IAM Directory Service , IDM IAG), « » ( , ).

: LDAP, SAML, OAuth, OpenID Connect (OIDC) User-Managed Access (UMA). - Gluu Server, OSS : open source , , open source , «».

Chapter 2. A crash course in LDAP. LDAP to assist IAM. The Data Mart

Chapter 2 provides a very voluminous briefing for a book that is not about LDAP, and it can be cut out and read separately from the rest of the book. It contains a crash course in LDAP for those who are not interested in LDAP itself but need to understand its structure and mechanisms in order to solve related tasks. In theory and practice, using the development of a Python application as an example, the concept of a Data Mart for collecting disparate data about user accounts in one place is described. A little is said about connecting Gluu Server to an LDAP server as a source of user account data.

In detail
, , LDAP, LDAP .

-10 LDAP :

  1. LDAP .
    : , — . — MS AD, LDAP-. MS AD .
  2. LDAP - .
    : , — .
  3. LDAP . / .
  4. LDAP- . .
  5. LDAP- (, ).
  6. .
  7. UNIX CLI-.
  8. .
  9. .
  10. LDAP !

, LDIF- LDAP-. LDAP. LDAP. LDAP-: CLI-, GUI:

  • UNIX-way: ldapsearch, ldapmodify, ldapdelete.
  • , : Apache Directory Studio, JXplorer, Web2LDAP, phpLDAPAdmin, FusionDirectory.

(Data Mart) , ( ) . , / Microsoft Active Directory, - LDAP- (, FreeIPA 389 Directory Server ), , , ERP- ( , SAP), -. IAM « », ( ). — Python, , LDAP- LDIF-. Python- .

, — , «» Gluu Server LDAP, Gluu , .
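The chapter's Data Mart idea (collecting user account data from several directories into one place with a Python application that reads LDIF exports) can be illustrated with a small stand-alone program. This is an added example and not the book's or Gluu's code; the two LDIF exports, the attribute values and the choice of `mail` as the join key are constructed for the example. Beyond what the chapter describes, it reports attributes on which the sources disagree instead of silently picking one, and flags accounts that Active Directory marks as disabled, both of which an IAM team wants to see before trusting the mart.

```python
"""LDIF-to-data-mart merge (added example, not code from the reviewed book).

Two constructed LDIF exports (an Active Directory style one and a FreeIPA style
one) are parsed with the standard library only, joined on the mail attribute,
and attribute conflicts between the sources are reported rather than resolved.
"""
import base64
from collections import defaultdict

# Constructed sample exports: attribute names follow the usual schemas, the
# values are invented for this example.
AD_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: asmith
mail: alice@example.com
department: Finance
userAccountControl: 512

dn: CN=Bob Jones,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bjones
mail: bob@example.com
department: IT
userAccountControl: 514
"""

IPA_LDIF = """\
dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: asmith
mail: alice@example.com
uidNumber: 10001
loginShell: /bin/bash
department:: QWNjb3VudGluZw==

dn: uid=cdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: cdoe
mail: carol@example.com
uidNumber: 10002
"""

AD_ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account disabled"


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per entry.

    Handles folded continuation lines, comments and base64 ("::") values, which
    is what a typical directory export contains.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing sentinel closes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current[attr.strip()].append(value)
    return entries


def build_mart(sources, key="mail"):
    """Join entries from several named sources on `key`.

    Returns (mart, conflicts): mart maps the key value to a merged record that
    lists which sources contributed; conflicts lists (key, attribute,
    {source: value}) wherever two sources disagree on the same attribute.
    """
    mart, seen = {}, defaultdict(dict)
    for name, text in sources.items():
        for entry in parse_ldif(text):
            if not entry.get(key):
                continue                    # no join key: cannot be placed in the mart
            k = entry[key][0].lower()
            record = mart.setdefault(k, {"_sources": []})
            record["_sources"].append(name)
            for attr, values in entry.items():
                if attr in ("dn", "objectClass"):
                    continue
                value = values[0] if len(values) == 1 else tuple(values)
                seen[(k, attr)][name] = value
                record.setdefault(attr, value)   # first source wins; conflicts reported below
    conflicts = [(k, attr, by_src) for (k, attr), by_src in seen.items()
                 if len(set(by_src.values())) > 1]
    return mart, conflicts


def is_disabled(record):
    """True when the AD userAccountControl value carries the ACCOUNTDISABLE bit."""
    uac = record.get("userAccountControl")
    return uac is not None and int(uac) & AD_ACCOUNTDISABLE != 0


if __name__ == "__main__":
    mart, conflicts = build_mart({"ad": AD_LDIF, "ipa": IPA_LDIF})
    for k, rec in sorted(mart.items()):
        print(k, "sources:", rec["_sources"], "disabled:", is_disabled(rec))
    for k, attr, by_src in conflicts:
        print("conflict", k, attr, by_src)
```

Running it prints one merged record per mail address and a single conflict: the two directories give different `department` values for Alice. Keeping the first source's value but listing the disagreement is the point of the mart as a reconciliation tool, and the disabled flag on Bob shows why an IAM project reads account state, not only identity attributes, from the directory.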

Chapter 3. SAML: excursion, assertions, protocols. Shibboleth IDP and Shibboleth SP. Python-SAML

Chapter 3 is entirely devoted to a thorough exploration of SAML. An accessible description of the structure of SAML elements is given: assertions, protocols, profiles and much more. For practical purposes, various ways of interacting with a SAML Identity Provider are described, from deploying the Shibboleth Identity Provider to using the Python-SAML library for this task.

In detail
SAML. 90-, - , . LDAP , (Single Sign-On, SSO), - - . WebSSO, SAML - SAML WebSSO . , SAML, 2005 , XML. SAML 2.0 (SAML 1.1, Liberty Alliance ID-FF 1.2 Shibboleth 1.3). , SAML 2.0 («assertion», «relying party», «identity provider» ..), SSO IAM . , SAML.

( , SAML) SAML: Assertions (), Bindings ( ), Protocols () Profiles (). SAML . «» SAML, Service Provider Identity Provider. : , (Identity Provider-initiated, IDP-initiated) , (Service Provider-initiated, SP-initiated). (HTTP Redirect (GET), HTTP Post, Simple Sign, SAML SOAP, Reverse SOAP, HTTP Artifact, SAML URI). SAML: Web Browser SSO Profile, Single Logout Profile Attribute Profile.

, Gluu Server ( ). Shibboleth Identity Provider, Gluu Server. Identity Provider Service Provider, Service Provider Shibboleth Service Provider.

Python: Python-SAML SAML , SAML .

Chapter 4. OAuth: not a protocol, but a framework. Excursion. Example with Google API. Gluu Server example

OAuth's place in the "world" of authentication and authorization protocols is explained. The structure of OAuth as an authorization framework is described: the roles of the participants in an OAuth interaction (Authorization Server, Resource Server, Client), tokens (Bearer and JWT) and interaction scenarios (the so-called "grants"). A practical example of authorization against the Google API with OAuth, and a practical example of setting up OAuth in Gluu Server.

In detail
, OAuth. : OAuth ( ), ( «» ). OAuth . SAML , OAuth ( OIDC) «» (consumer) .

OAuth-: (Authorization Server), (Resource Server), (Client). , , , : Bearer Token, JWT (JSON Web Token). OAuth, «grants» ( , OAuth - Resource Server): Authorization Code Grant, Implicit Grant, Resource Owner Password Credential Grant, Client Credential Grant, Token Introspection.

Google API OAuth-: API OAuth. - Client Grant Flow Gluu Server.

OAuth 5, 6 8. 5 OAuth — OIDC, -. 8 UMA, OAuth API (API access management). 6 - OAuth API.

Chapter 5. OpenID Connect. Theory: structure, terminology. Deploying the Gluu Server OIDC Provider

The history and place of OpenID Connect are explained, with a comparison to SAML. Structure, actors and interaction scenarios in OpenID Connect. Deploying an OpenID Connect server based on Gluu Server. Deploying a JavaScript client application that implements an OpenID Connect client.

In detail
OpenID Connect ( OIDC , , Connect; OIDC) , «Federated Identity» Consumer Identity Provider (Consumer IdP) Facebook, Google Microsoft. - OAuth- IdP, OpenID Connect.

OIDC SAML ( 3); SAML OIDC. OIDC SAML, XML SOAP, «» JSON RESTful -. — SAML ( - ), OIDC — «» , .

, OIDC. OIDC, 5 — .

Gluu Server OpenID Connect Provider. JavaScript Gluu Server OpenID Connect Provider.

Chapter 6. Proxy: Web proxy for IAM. Apache httpd, Nginx, Kong, Istio

The purpose of a web proxy. Open source solutions: Apache httpd, Nginx, Kong, Istio.

In detail
-. IAM — -.

( IAM ):

  • - , .
  • .
  • .
  • .
  • .
  • Amazon Web Services.

- -: Apache httpd, Nginx, Kong Istio. .

Chapter 7. Strong Authentication. TOTP / HOTP. SSL / TLS. FIDO UAF / U2F. Web Authentication, CTAP

Problems of password authentication. One-time password authentication with TOTP / HOTP. Certificate authentication in mutual SSL / TLS. FIDO technologies UAF and U2F, W3C Web Authentication, CTAP. FIDO support in Gluu Server.

In detail
«» .

OTP (TOTP HOTP), . OTP — . OTP- OTP- (Google Authenticator ).

SSL TLS (Mutual SSL/TLS). SSL/TLS ( Certificate Authority, CA), . — ( CA) . , . Mutual SSL/TLS , , .

Fast Identity Online (FIDO) FIDO Alliance, : Universal Authentication Framework (UAF) Universal Second Factor (U2F). FIDO UAF (passwordless) . FIDO U2F (2FA), . , FIDO, — , . FIDO . FIDO , , , -, .

W3C Web Authentication API, FIDO Alliance, FIDO, . , (Signature, Key Attestation), , (W3C Web Authentication API), (Client to Authenticator Protocol, CTAP).

Gluu Server. FIDO Gluu Server. 2FA/MFA -.

Chapter 8. User-Managed Access (UMA) Profile. UMA Grant / Federated Authorization. Gluu Server, Gluu Gateway

The UMA 2.0 authorization protocol, which extends OAuth 2.0, is considered. Practical cases. A theoretical review of UMA Grant. An overview of UMA Federated Authorization. Implementation of a UMA Authorization Server based on Gluu Server. Using Gluu Gateway to connect client applications to UMA.

In detail
, (User-Managed Access Protocol, UMA 2.0). , . , OIDC, OAuth 2.0, 4. «Alice to Bob Sharing». , UMA, , UMA. UMA «UMA 2.0 Grant for OAuth 2.0 Authorization». ( UMA Resource Server UMA Authorization Server) «Federated Authorization for UMA 2.0».

UMA , - -. , (federated document sharing), Google Docs. — . «» , .

UMA (narrow, medium, wide), «» (Resource Owner (RO), Requesting Party(RqP), Permission Ticket ..). UMA Grant (UMA RPT Requests with Interactive Claims Gathering, UMA RPT Requests with a Pushed Claim Token), RPT Request Options (Client Credentials). UMA Federated Authorization, (authorization servers) (resource servers).

Gluu Server UMA Authorization Server scopes, , (interactive claims gathering workflows). UMA- (authorization server) UMA- (resource server), Gluu Gateway Gluu Federation. UMA 2.0.

Chapter 9. IDM: functional overview. MidPoint, Syncope, Wren:IDM, Gluu Casa

Developing the ideas of Chapter 1, the reasons why IDM is important for an organization are considered. A functional overview of the open-source IDM systems Evolveum MidPoint, Apache Syncope, Wren:IDM and Gluu Casa is given.

In detail
, IAM, IDM IAM (. 1), , Identity Management. opensource-: Evolveum MidPoint, Apache Syncope, Wren:IDM Gluu Casa.

IDM , IDM «» , IAM IAG. IAM- , IDM-. «» .

MidPoint, Syncope Wren:IDM IDM: (approvals), (workflows), (synchronization connectors) (self-service password management). Gluu Casa (2FA; «» 7). , , IDM , .

Chapter 10. Multiparty Federation. Topologies. Roles in SAML Federation / OpenID Federation. Standards OTTO Federation, Trustmarks. Jagger Federation Management Tool / Fides

An association of participants providing access within a trust network (Multiparty Federation). The triangle of trust (Trust Triangle). Characteristics: LOA, LOP, LOC. Topologies: Meshed Federation, Proxy Federation, Interfederation Trust. Federation actors: Registration Authority, Federation Operator, Entity. Technologies: SAML Federation, OpenID Federation. Standards: OTTO Federation, Trustmarks. Jagger Federation Management Tool, OTTO-Node / Fides.

In detail
, (Multiparty Federation). , , , , , .

« » (Trust Triangle, OpenID Connect) , «»:

  • (Person) (control) (, ).
  • (OpenID provider) , (protection) .
  • (Relying Party) (assurance), , , , .

:

  • (Level of assurance, LOA).
  • (Level of protection, LOP).
  • (Level of control, LOC).

. Identity Provider Service Provider « »:

  • (Meshed Federation), InCommon. eduGAIN.
  • (Proxy Federation Service). . Identity Provider, Service Provider, Identity Provider Service Provider. , , .
  • (Interfederation Trust). . InCommon eduGAIN, .

« », (NIST Special Publication 800-63C, NIST 800-63-C). (Federation Actors) Registration Authority (RA), Federation Operator (FO), Participant Entity .

SAML Federations OpenID Federations. SAML Federation Jagger Federation Management Tool. Open Trust Taxonomy for OAuth (OTTO) Federation, Trustmarks.

- OTTO-Node/Fides. «» (federation): - .

Summary from reading the book

The book gives a very extensive overview of everything that may interest a specialist who needs to build a secure authorization and access control infrastructure in modern realities. It is thanks to the compact coverage of such complex topics, collected under one cover, that the reader receives food for thought in exactly the dose needed. The book will be useful both to those who need to understand the ideas and technologies of this field for the first time and to those who need to update and refresh their knowledge of the topic.
