Relevant IAM Standards and Protocols for Cloud Services (part 1)

11/28/2010 3:22:56 PM

1. IAM Standards and Specifications for Organizations

The following IAM standards and specifications will help organizations implement effective and efficient user access management practices and processes in the cloud. These sections are ordered by four major challenges in user and access management faced by cloud users:

  1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience for my users? SAML.

  2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning? SPML.

  3. How can I provision user accounts with appropriate privileges and manage entitlements for my users? XACML.

  4. How can I authorize cloud service X to access my data in cloud service Y without disclosing credentials? OAuth.

1.1. Security Assertion Markup Language (SAML)

SAML is the most mature, detailed, and widely adopted family of specifications for browser-based federated sign-on for cloud users. Once the user authenticates to the identity service, she can freely access provisioned cloud services that fall within the trusted domain, thereby sidestepping the cloud-specific sign-on process. Because SAML enables delegated authentication (SSO), customers can apply risk-based authentication policies and elect to require strong (multifactor) authentication for certain cloud services. This is easily achieved by using the organization’s IdP, provided it supports strong authentication and delegated authentication. By employing strong authentication techniques such as dual-factor authentication, users are less vulnerable to phishing attacks, which have been growing steadily on the Internet. Strong authentication to cloud services is also advisable to protect user credentials from man-in-the-middle attacks, i.e., when computers or browsers fall victim to trojans and botnets. By supporting a SAML standard that enables a delegated authentication model for cloud customers, the CSP can delegate authentication policy to the customer organization. In short, SAML lets CSPs remain agnostic to customer authentication requirements.

Figure 1 illustrates SSO into Google Apps from the browser. The figure shows the following steps in the SSO process for a user who is federated to Google:

  1. The user from your organization attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.

  2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for your organization’s IdP supporting the SSO service. The Relay State parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This Relay State parameter is meant to be an opaque identifier that is passed back without any modification or inspection.

  3. Google sends a redirect to the user’s browser. The redirect URL includes the encoded SAML authentication request that should be submitted to your organization’s IdP service.

  4. Your IdP decodes the SAML request and extracts the URL for both Google’s Assertion Consumer Service (ACS) and the user’s destination URL (the Relay State parameter). Your IdP then authenticates the user. Your IdP could authenticate the user by either asking for valid login credentials or checking for valid session cookies.

  5. Your IdP generates a SAML response that contains the authenticated user’s username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner’s DSA/RSA key pair.

  6. Your IdP encodes the SAML response and the Relay State parameter and returns that information to the user’s browser. Your IdP provides a mechanism so that the browser can forward that information to Google’s ACS. For example, your IdP could embed the SAML response and destination URL in a form and provide a button that the user can click to submit the form to Google. Your IdP could also include JavaScript on the page that automatically submits the form to Google.

  7. Google’s ACS verifies the SAML response using your IdP’s public key. If the response is successfully verified, ACS redirects the user to the destination URL.

  8. The user has been redirected to the destination URL and is logged in to Google Apps.

Figure 1. SSO transaction steps using SAML
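As an added example (not from the original text and not Google's implementation), the following Python sketch works through steps 2 to 4 and 7 above: encoding the AuthnRequest and RelayState for the HTTP-Redirect binding, decoding them at the IdP, and the checks the ACS applies to the response once the XML signature has been verified. The entity IDs, URLs and the sample response are constructed; signature verification itself is assumed to be done by a separate XML-DSig library and is not shown.

```python
import base64, urllib.parse, zlib
import xml.etree.ElementTree as ET

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}

def build_redirect_url(idp_sso_url, req_id, sp_entity_id, acs_url, relay_state):
    """SP side (steps 2-3): AuthnRequest -> raw DEFLATE -> base64 -> URL query string.
    RelayState travels alongside as an opaque value the IdP must hand back unchanged."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="2010-11-28T15:22:56Z" '
           f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{sp_entity_id}'
           f'</saml:Issuer></samlp:AuthnRequest>')
    co = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    deflated = co.compress(xml.encode()) + co.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def decode_redirect_url(url):
    """IdP side (step 4): reverse the encoding and extract the ACS URL, issuer and RelayState."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "acs_url": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "relay_state": params["RelayState"][0]}

def validate_response(resp_xml, acs_url, expected_req_id, sp_entity_id, now):
    """ACS side (step 7), after XML-DSig verification of the IdP signature (assumed done by a
    separate library): bind the response to this ACS, request and audience and enforce the
    validity window so a genuinely signed assertion cannot be replayed elsewhere or later.
    Times are compared as strings, valid for the fixed YYYY-MM-DDTHH:MM:SSZ form used here."""
    resp = ET.fromstring(resp_xml)
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    ok = (resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS
          and resp.get("Destination") == acs_url and resp.get("InResponseTo") == expected_req_id
          and cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == sp_entity_id
          and cond.get("NotBefore") <= now < cond.get("NotOnOrAfter"))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) if ok else None
# Constructed sample IdP response (the Signature element is omitted; see validate_response).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  InResponseTo="_req1" Destination="https://sp.example.com/acs">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-11-28T15:22:00Z" NotOnOrAfter="2010-11-28T15:27:00Z">
      <saml:AudienceRestriction><saml:Audience>sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
```

The RelayState is returned to the browser as received; an ACS that redirects to it should still check it against the destinations it is willing to send users to.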


1.2. Service Provisioning Markup Language (SPML)

SPML is an XML-based framework being developed by OASIS for exchanging user, resource, and service provisioning information among cooperating organizations. SPML is an emerging standard that can help organizations automate provisioning of user identities for cloud services (e.g., an application or service running at a customer site requesting new accounts from Salesforce.com). When SPML is available, organizations should use it to provision user accounts and profiles with the cloud service. If SPML is supported, software-as-a-service (SaaS) providers can enable “just-in-time provisioning” to create accounts for new users in real time (as opposed to preregistering users). In that model, the CSP extracts attributes from the SAML token of a new user, creates an SPML message on the fly, and hands the request to a provisioning service, which in turn adds the user identity to the cloud user database.

Adoption of SPML can lead to standardization and automation of user or system access and entitlement rights to cloud services so that customers are not locked into proprietary solutions.

Figure 2 illustrates an SPML use case in which an HR system sends an SPML request to a provisioning system in the cloud. In the figure, the HR System of Record (the requesting authority) is an SPML web services client interacting with the SPML provisioning service provider at the cloud service provider, which is responsible for provisioning user accounts on the cloud services (the provisioning service target).

Figure 2. SPML use case
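An added example, not part of the original text or of any SPML product: the just-in-time provisioning exchange described above in Python, with the requesting authority building addRequest and deleteRequest messages (SPML 2.0, DSML profile) and a minimal provisioning service provider applying them to a target and returning the response. The target name, schema and attribute values are constructed; the error code names are taken from the SPML 2.0 ErrorCode enumeration.

```python
import xml.etree.ElementTree as ET
SPML, DSML = "urn:oasis:names:tc:SPML:2:0", "urn:oasis:names:tc:DSML:2:0:core"
NS = {"spml": SPML, "dsml": DSML}

def add_request(request_id, target_id, attrs):
    """Requesting authority: attributes lifted from a new user's SAML assertion become
    an SPML 2.0 addRequest (DSML profile) for the given provisioning target."""
    data = "".join(f'<dsml:attr name="{k}"><dsml:value>{v}</dsml:value></dsml:attr>'
                   for k, v in attrs.items())
    return (f'<spml:addRequest xmlns:spml="{SPML}" xmlns:dsml="{DSML}" requestID="{request_id}" '
            f'executionMode="synchronous"><spml:containerID targetID="{target_id}"/>'
            f'<spml:data>{data}</spml:data></spml:addRequest>')

def delete_request(request_id, target_id, pso_id):
    """Deprovisioning counterpart: remove the provisioning service object (PSO)."""
    return (f'<spml:deleteRequest xmlns:spml="{SPML}" requestID="{request_id}">'
            f'<spml:psoID ID="{pso_id}" targetID="{target_id}"/></spml:deleteRequest>')

def _response(tag, req, status, error=None, pso_id=None, target_id=None):
    err = f' error="{error}"' if error else ""
    pso = f'<spml:pso><spml:psoID ID="{pso_id}" targetID="{target_id}"/></spml:pso>' if pso_id else ""
    return (f'<spml:{tag} xmlns:spml="{SPML}" requestID="{req.get("requestID")}" '
            f'status="{status}"{err}>{pso}</spml:{tag}>')

def handle(targets, request_xml):
    """Provisioning service provider at the CSP; `targets` maps targetID ->
    {"schema": set(...), "accounts": {}}. Attributes outside the target's schema are
    rejected and "uid" is required, so a requestor cannot smuggle in extra fields."""
    req = ET.fromstring(request_xml)
    kind = req.tag.split("}")[1]
    if kind == "addRequest":
        target_id = req.find("spml:containerID", NS).get("targetID")
        target = targets.get(target_id)
        attrs = {a.get("name"): a.findtext("dsml:value", namespaces=NS)
                 for a in req.iterfind("spml:data/dsml:attr", NS)}
        if target is None or "uid" not in attrs or set(attrs) - target["schema"]:
            return _response("addResponse", req, "failure", "malformedRequest")
        if attrs["uid"] in target["accounts"]:
            return _response("addResponse", req, "failure", "alreadyExists")
        target["accounts"][attrs["uid"]] = attrs
        return _response("addResponse", req, "success", pso_id=attrs["uid"], target_id=target_id)
    if kind == "deleteRequest":
        pso = req.find("spml:psoID", NS)
        target = targets.get(pso.get("targetID"))
        if target is None or pso.get("ID") not in target["accounts"]:
            return _response("deleteResponse", req, "failure", "noSuchIdentifier")
        del target["accounts"][pso.get("ID")]
        return _response("deleteResponse", req, "success")
    return _response("response", req, "failure", "unsupportedOperation")
```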


1.3. eXtensible Access Control Markup Language (XACML)

XACML is an OASIS-ratified, general-purpose, XML-based access control language for policy management and access decisions. It provides an XML schema for a general policy language that is used to protect any kind of resource and to make access decisions over those resources. The XACML standard not only defines the policy language model, but also proposes a processing-environment model for managing policies and reaching access decisions. XACML also specifies the request/response protocol (the XACML context) that the application environment uses to communicate with the decision point; the response to an access request is likewise expressed in XML.

Most applications (web or otherwise) have a built-in authorization module that grants or denies access to certain application functions or resources based on entitlements assigned to the user. In a centrally managed IAM architecture, application-specific authorization models (silos) make it difficult to state the access rights of individual users across all applications. Hence, the goal of XACML is to provide a standardized language, a method of access control, and policy enforcement across all applications that implement a common authorization standard. These authorization decisions are based on various authorization policies and rules centered on the user role and job function. In short, XACML allows for unified authorization policies (i.e., the use of one consistent XACML policy for multiple services).

Figure 3 illustrates the interaction among various health care participants with unique roles (authorization privileges) accessing sensitive patient records stored in a health care application.

Figure 3. XACML use case


The figure illustrates the following steps involved in the XACML process:

  1. The health care application manages various hospital associates (the physician, registered nurse, nurses’ aide, and health care supervisor) accessing various elements of the patient record. This application relies on the policy enforcement point (PEP) and forwards the request to the PEP.

  2. The PEP is the application environment’s interface to the authorization system. It receives access requests and evaluates them with the help of the policy decision point (PDP), then permits or denies access to the resource (the health care record).

  3. The PEP then sends the request to the PDP. The PDP is the main decision point for access requests. It collects all the necessary information from available information sources and concludes with a decision on what access to grant. The PDP should be located in a trusted network with strong access control policies, e.g., in a corporate trusted network protected by a corporate firewall.

  4. After evaluation, the PDP sends the XACML response to the PEP.

  5. The PEP enforces the PDP’s authorization decision and fulfills any obligations that accompany it.

The interaction takes place using a request-response protocol with the XACML message as the payload. In this way, XACML is used to convey the evaluation of policies against access decision requests.
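An added example, not from the original text: a miniature PEP/PDP pair for the Figure 3 scenario in Python. The policy is held as Python objects rather than XACML XML, but evaluation follows XACML semantics (target matching, a rule condition, deny-overrides combining, and obligations the PEP must discharge before it grants access). The roles, record elements, policy and the on-duty attribute are constructed assumptions.

```python
from dataclasses import dataclass, field
ROLES = {"physician", "registered-nurse", "nurses-aide", "supervisor"}
ELEMENTS = {"history", "medication", "diagnosis", "billing"}
ACTIONS = {"read", "write"}

@dataclass
class Rule:
    effect: str          # "Permit" or "Deny"
    roles: set           # target: subject roles
    elements: set        # target: record elements (the resource)
    actions: set         # target: actions
    condition: object = None          # optional callable evaluated on the request
    obligations: list = field(default_factory=list)

POLICY = [  # constructed sample policy for the Figure 3 scenario (not a real hospital's)
    Rule("Permit", {"physician"}, ELEMENTS, ACTIONS, obligations=["log-access"]),
    Rule("Permit", {"registered-nurse"}, {"history", "medication"}, ACTIONS, obligations=["log-access"]),
    Rule("Permit", {"nurses-aide"}, {"history"}, {"read"}, obligations=["log-access"]),
    Rule("Permit", {"supervisor"}, {"billing"}, {"read"}, obligations=["log-access", "notify-privacy-officer"]),
    # Deny any access by a subject who is not on duty; under deny-overrides this wins.
    Rule("Deny", ROLES, ELEMENTS, ACTIONS, condition=lambda req: not req["on_duty"]),
]

def pdp_evaluate(policy, request):
    """PDP (steps 3-4): collect the rules whose target and condition match, then combine
    them with deny-overrides and return an XACML-style decision plus obligations."""
    matched = [r for r in policy if request["role"] in r.roles
               and request["element"] in r.elements and request["action"] in r.actions
               and (r.condition is None or r.condition(request))]
    if any(r.effect == "Deny" for r in matched):
        return {"Decision": "Deny", "Obligations": []}
    permits = [r for r in matched if r.effect == "Permit"]
    if not permits:
        return {"Decision": "NotApplicable", "Obligations": []}
    return {"Decision": "Permit", "Obligations": sorted({o for r in permits for o in r.obligations})}

class PEP:
    """PEP (steps 2 and 5): asks the PDP, then enforces. Access is granted only on Permit and
    only if every obligation can be discharged; an unknown obligation turns Permit into denial."""
    def __init__(self, policy):
        self.policy, self.audit = policy, []
        self.handlers = {"log-access": lambda req: self.audit.append(
            f"{req['role']} {req['action']} {req['element']}")}
    def request_access(self, request):
        resp = pdp_evaluate(self.policy, request)
        if resp["Decision"] != "Permit" or any(o not in self.handlers for o in resp["Obligations"]):
            return False
        for o in resp["Obligations"]:
            self.handlers[o](request)
        return True
```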
