블로그 이미지
평범하게 살고 싶은 월급쟁이 기술적인 토론 환영합니다.같이 이야기 하고 싶으시면 부담 말고 연락주세요:이메일-bwcho75골뱅이지메일 닷컴. 조대협


Archive»


 
 

OAuth 2.0 노트

아키텍쳐 /Security & IDM | 2014.08.11 17:05 | Posted by 조대협

OAuth 용어 정리

Resource Owner (사용자)

Authorization Server (인증서버

Resource Server (REST API)



 

OAuth 2.0 grant flow

Authorization code grant flow

주로 Web Application에서 사용됨

Implicit grant flow

자바스크립트 애플리케이션에서 많이 사용됨. 스크립트 단에서는 credential 등이 노출 될 수 있으니, 주로 Read only 용도로 많이 사용함. accessToken이 노출될것을 전제로 함.

모바일 애플리케이션도 많이 사용하는걸로 나오네??

Ÿ   Used in public clients

Ÿ   It's is a redirection-based flow (similar to the one in the authorization code grant)

Ÿ   The access token is received as a parameter of the redirection endpoint upon successful completion of the request, similar to the authorization code parameter in the authorization request response in the authorization code grant



Flow

     The first step is initiation of the flow. The client redirects the User agent to the Authorization server by using the authorization endpoint, the client identifier, and the redirection endpoint that will be used for the response.

     The Authorization server authenticates the Resource owner and requests his decision whether to authorize or deny the request.

     If the Resource owner authorizes the request (which is assumed), he is redirected back with response information, using the supplied redirection endpoint that was provided with the initial request. The response information is contained in the URL fragment that contains the access token and other parameters (we'll see the difference between a regular URL parameter and one found in a URL fragment in the detailed overview).

     Now that the User agent (the browser) is redirected back, the access token included in the response is passed to the Client application.

Client Server Application Case

Mobile App Case

(웹이 아니기 때문에, Redirect 처리를 어떻게 해야 할지 고민해야 함.

Samsung Account와 같이 전용 APK를 넣는 방식이나, 웹 페이지 Scrapping 방식등이 있음)

 

Resource owner password credential grant flow

직접 ID,PASSWORD를 보내는 방식으로, 1st level 파트너나 자사 시스템에 많이 사용.

기존의 HTTP BASIC이나 HTTP Digest 인증 방식을 migration하기가 용이함



     The resource owner (for example, the user) supplies the Client application with his username and password.

     The client application makes a request to the Authorization server, including the user's credentials and also his own identifier and secret.

     The Authorization server authenticates the client based on his identifier and secret, checks whether it is authorized for making this request, and checks the resource owner credentials and other parameters supplied. If all checks pass successfully, the Authorization server returns an access token in response.

Client credential grant flow

Userless 상태에서 많이 사용됨. (API 키와 유사한 방식)

 

 

'아키텍쳐  > Security & IDM' 카테고리의 다른 글

서버와 APNS(애플푸쉬서버)와의 보안 메커니즘  (3) 2014.10.07
OAuth 2.0 노트  (0) 2014.08.11
OAuth 2.0 based API 인증 메모  (0) 2014.06.05
Digital Signing의 개념  (0) 2014.05.21
Java keystore file  (0) 2013.09.27
SSL/TLS 관련 개념 링크  (1) 2013.09.24

괜찮은 책들 정리




Security Patterns in Practice

저자
Fernandez-Buglioni, Eduardo 지음
출판사
John Wiley & Sons (Asia) Pte. | 2013-06-25 출간
카테고리
과학/기술
책소개
Learn to combine security theory an...
가격비교

Security 전반에 걸쳐, 인증, 암호화, 인가등 다양한 시나리오에 대해서 패턴 중심으로 설명, 개념 잡기 아주 좋음



OAuth 2.0에 대해서 이해가 잘되게 설명된 책. 이거 보고 개념 잡았음



Beyond Software Archiecture

저자
Hohmann 지음
출판사
Addison Wesley | 2003-01-01 출간
카테고리
과학/기술
책소개
Successfully managing the relations...
가격비교

읽어야지 하면서 아직 못본책, 아키텍쳐 설계와 특히 라이센스 관리에 대한 디자인이 들어 있는 책




Vert.x를 보면서, HTTP단이야 HTTPS로 Security 보장이 된다지만, TCP/IP Server는 어떻게 하는가가 의문이었는데, 이부분도 이미 다 준비되어 있다. Configuration 몇줄 만으로 TLS가 지원 된다.


http://vertx.io/core_manual_java.html#ssl-servers

NetServer server = vertx.createNetServer()
               .setSSL(true)
               .setKeyStorePath("/path/to/your/keystore/server-keystore.jks")
               .setKeyStorePassword("password");


아무리 봐도 잘만들었어...


암호화 알고리즘 속도 비교 (대칭키)

아키텍쳐 | 2013.07.17 01:19 | Posted by 조대협

http://www.javamex.com/tutorials/cryptography/ciphers.shtml



Comparison of ciphers

Java supports a number of encryption algorithms out of the box. Which encryption algorithm to use can depend on a number of criteria:

  • how secure the algorithm is currently judged to be in the cryptographic literature;
  • the performance characteristics of the algorithm (e.g. the "raw speed" of the algorithm, and whether it supports parallel encryption);
  • how politically safe a decision it is to use a particular algorithm (paradoxically, this doesn't necessarily depend directly on the algorithm's security);
  • whether you have to interact with a legacy system.

Summary of algorithms

We compare measured speed of encryption with various algorithms available as standard in Sun's JDK, and then give a summary of various other characteristics of those algorithms. The encryption algorithms we consider here are AES (with 128 and 256-bit keys), DES, Triple DES, RC4 (with a 256-bit key) and Blowfish (with a 256-bit key).

Performance

First, the easy bit. Figure 1 shows the time taken to encrypt various numbers of 16-byte blocks of data using the algorithms mentioned.

Figure 1: Comparison of encryption times for various common
symmetric encryption algorithms provided as standard in Java 6.

It's important to note right from the beginning that beyond some ridiculous point, it's not worth sacrificing speed for security. However, the measurements will still help us make certain decisions.

Characteristics

Table 1 gives a summary of the main features of each encryption algorithm, with what I believe is a fair overview of the algorithm's current security status.

AlgorithmKey size(s)SpeedSpeed depends on key size?Security / comments
RC440-1024Very fastNoOf questionable security; may be secure for moderate numbers of encrypted sessions of moderate length. RC4 has the redeeming feature of being fast. However, it has various weaknesses in the random number sequence that it uses: see Klein (2008)1.
Blowfish128-448FastNo

Believed secure, but with less attempted cryptanalysis than other algorithms. Attempts to cryptanalyse Blowfish soon after publication are promising (Schneier, 19952 & 19963). But, unlike AES, it doesn't appear to have received much attention recently in the cryptographic literature. Blowfish has been superseded by Twofish, but the latter is not supported as standard in Java (at least, not in Sun's JDK).

AES128, 192, 256FastYes

Secure, though with some reservations from the crypto community. It has the advantage of allowing a 256-bit key size, which should protect against certain future attacks (collision attacks and potential quantum computing algorithms) that would have 264 complexity with a 128-bit key and could become viable in the lifetime of your data.

DES56Slow

Insecure: A $10,000 Copacobana machine can find a DES key in an average of a week, as (probably) could a botnet with thousands of machines.

The simple answer is: "Don't use it– it's not safe". (RFC 4772).

Triple DES112/168, but equivalent security of 80/112Very slowNo

Moderately secure, especially for small data sizes. The 168-bit variant estimated by NIST (2006) to keep data secure until 20304.

Triple DES performs three DES operations (encrypt-decrypt-encrypt), using either two or three different keys. The 168-bit (three-key) variant of Triple DES is generally considered to offer "112 bits of security", due to a so-called meet-in-the-middle attackAES offers a higher level of security for lower CPU cost.

Table 1: Characteristics of commonly used encryption algorithms included in Java 6.

Remarks on AES

AES stands for Advanced Encryption Standard and is actually an algorithm that was originally called Rijndael, after its inventors Rijmen & Daemen. It is the algorithm that most people will end up using unless they have a strong reason to use anything else:

  • it is a politically safe decision: the encryption standard of the US National Institute of Standards and Technology (NIST), and the US government reportedly approves AES with 192 or 256-bit keys for encrypting top secret documents (or put another way, your boss won't sack you for choosing AES...);
  • it is largely considered secure, though with some reservations:
    • nobody yet has (publicly) a full attack on AES, or a partial attack that is practical (though some impractical partial attacks exist5);
    • however, AES is algebraically simpler than other block ciphers: effectively, it can be written as a series of mathematical equations, and there is a worry that somebody could demonstrate a way to solve those equations (see Ferguson & Schneier, Practical Cryptography, pp. 57-58);
    • the NSA may have chosen Rijndael as they secretly know how to break it, or secretly estimated that they could develop a way to break it.
  • it is fast (Ferguson & Schneier (op cit), p. 59, argue that this is the reason it was picked over Serpent as the AES standard).

Key sizes

On the next page, we look at the issue of choosing and setting key sizes for encryption in Java.

'아키텍쳐' 카테고리의 다른 글

Technical Debt  (1) 2013.10.30
License Key Management  (0) 2013.08.01
암호화 알고리즘 속도 비교 (대칭키)  (0) 2013.07.17
API platform  (0) 2013.07.17
API design for client which support limited HTTP method  (0) 2013.07.10
아키텍트의 종류와 역할  (3) 2012.09.06

Authentication (인증 방식)

일반적인 id,passwd 기반의 인증 방식

사용자 정보와 사용자 credential (id/passwd)를 데이타베이스에 저장해놓고, 사용자로 부터 id/passwd를 입력받아, 이를 비교하여 인증하는 방식.

일반적은 중소 규모 사이트 개발에는 RDBMS를 사용하는 것이 일반적이며,조직 구조, 여러가지 Role, 권한등을 저장할때는 LDAP등을 사용한다. 근래에는 대규모 사용자를 저장하기 위해서 Cassandra와 같은 NoSQL을 저장하는 경우도 많다.

이러한 저장소에 비밀 번호를 저장할때 평문으로 저장하는것 보다, 암호화된 형태로 저장하는 것이 좋다. 그래서 MD5 SHA1같은 Hash로 변경해서 저장한다. 이렇게 하면, Hacker에 의해서 데이타 베이스가 탈취되더라도 데이타 베이스내의 passwd Hash 값만 저장되어 있기 때문에, 원본 passwd는 알아낼 수 가 없다.

hash = sha1-256(passwd)

그렇다면 원본 passwd를 알아낼 수 없다면, 인증은 어떻게 할까? 답은 쉽다. 사용자가 입력한 passwd를 같은 알고리즘으로 Hash값을 계산한 후에, 데이타 베이스에 저장된 Hash 값과 일치하는지를 체크하면 된다.

이런 Hash 알고리즘도 요즘은 어느정도는 복호화가 가능하다. asdf1234MD5 hash 값은 1adbb3178591fd5bb0c248518f39bf6d http://www.md5decrypt.org/를 통해서 테스트 해보면, MD5 Hash를 쉽게 디코딩 할 수 있다 비밀번호나 스트링등을 MD5로 변환한 dictionary를 가지고 있다가, dictionary를 기반으로 하여 search를 하면, Hash 전의 값을 찾아내는 방법이다.

이를 보안상의 헛점을 극복하는 방법이 SALT라는 기법인데, passwordhash로 변경하기 전에 password 끝에 random string을 붙여서 Hash로 변경하면, dictionary 기반의 attack에서는 random string이 끝에 붙어 있기 때문에, dictionary에 저장되어 있을 가능성이 상대적으로 낮게 되고, 이로 인해서 이러한 dictionary attack을 회피할 수 있다.

hash = sha1-256( strcat(passwd,salt) )

이때 salt도 데이타 베이스에 hash 값과 함께 저장한다.

Salt의 길이를 늘리고, random화 하면, 보안 수준도 같이 올라간다.

여기에 조금 더, 복잡도를 높이는 방식은, salt에 의해서 계산된 hash값을 다시 같은 salt를 더해서 N번 재 hash하는 방식이 있다.(보통 1000번 이상의 루프를 추천합니다.)

hash = sha1-256( strcat(passwd,salt) )

hash = sha1-256( strcat(hash,salt) )

:

:

X.509 기반 인증

X.509 PKI 기반의 인증서를 이용하여 서버가 클라이언트를 인증하는 방식으로, 쉽게 이야기 해서, 클라이언트를 인증할때, id,passwd를 이용하는 방식이 아닌 인증서를 사용하는 방식이다. 인터넷 뱅킹의 공인 인증서등을 생각하면 되며, 양방향 SSL을 사용하면, 이 방식의 인증을 구현할 수 있다.

특히 서버간의 통신에 대해서, 강한 인증이 필요한 경우, 양방향 SSL을 사용하게 되면, 서버간의 인증을 쉽게 구현할 수 있다.

Claim based Authentication (CBA)

아키텍쳐 /Security & IDM | 2013.06.07 22:58 | Posted by 조대협


CBA Claim based authentication


ADFS 2.0 등 MS 진영에서 주로 사용함

- Claim : Subject를 identitify 할 수 있는 name, group 등 (쉽게 말해서 attribute)

- Token : Claim을 transpport하기 위한 packet ( 1개 이사으이 claim이 packaging되며, digitial signature로 packaging됨) ex) SAML packaging도 하나의 Token의 예

- Issuer: Token을 만드는 대상 (Idp가 주로 Issuer가 되는 경우가 많음)

- Secure Token Server (STS) : The central issuing authority. (In most case STS works as Idp) - 인증하고 Token 만들어주는 서버. (ADFS 2.0 )

- Replying party - Claim based authentication 을 사용하는 Sp (Service Provider)


Process

전체적인 흐름 자체는 SAML과 유사함.

사용자가 resource를 요청하면 STS (Idp)서버로 redirect해서 login 한후,  token 발급 받아서, 그 token으로, resource에 가서 인증하고 log in 하는 시나리오


1. User attempts to access an application.

2. User is redirected to the STS.

3. User authenticates to the STS.

4. The STS pulls claim information from the appropriate store and uses the information to create a token.

5. The token is sent back to the user.

6. Token is submitted to application.


3.7.2.1.1. Passive Client Flow


1. User attempts to access resource.

2. Resource redirects browser to STS URL.

3. Browser redirects to STS URL.

4. User authenticates to STS.

5. STS issues token to client.

6. Token is passed to resource.

7. User is granted access to resource.



3.7.2.2.1. Active Client Flow


1. Username used to request CBA token.

2. STS authenticates user.

3. CBA token issues to application.

4. Call made to web service using token.

5. WIF validates security token.

6. Response returned.



3.7.3. Cross-Realm Federation with CBA

As we’ve seen, each application must be configured with an issuer. This issuer is the one that creates the tokens that will be trusted by the application. So what happens when an application trusts one issuer but a user logs into a different issuer? How can the user still use the application? The answer is cross-realm federation.

Cross-realm federation allows you to log into one STS and access applications that are configured for another STS. There are many situations where this might be the case. You might have a situation where you have an application that is accessed by customers or partners, but you don’t want to manage user accounts for those users. You can have the users log into a separate IdP but still allow them access to your application. You may also have a situation where your organization has acquired a new company. This company already had their own IdP. If you need to provide these users access to your company’s applications, you don’t have to wait until you port all the users over to your IdP. They can still log into their own IdP and have access to your company’s applications.

You can set up a federation trust between two issuers. In addition to configuring the trust, you have to configure a token translation. With a token translation, you configure the incoming claim and what the outbound claim should be changed to.

1. User attempts to access application.

2. User is redirected to issuer1 configured on application.

3. User selects issuer2 for authentication.

4. User authenticates to issuer2 and receives token.

5. User presents token to issuer1.

6. Issuer1 converts token to one that can be used by applications and send that token to user.

7. User presents new token to application.


MS 문서 https://www.google.co.kr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&sqi=2&ved=0CDQQFjAA&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F7%2Fd%2F0%2F7d0b5166-6a8a-418a-addd-95ee9b046994%2FGeneva_Beta1_DataSheet.pdf&ei=XuSxUYuUAYWbigeJiYGIAg&usg=AFQjCNGbmhiqxvwNx-T4OKxVL5gVApVAZA&sig2=QPNpHxknVD6NHYHVVHCeBw&bvm=bv.47534661,d.aGc 
에 설명 엄청 잘되어 있음


MS에서는 WIF (Windows Identity Foundation) - .NET Framework과 ADFS 2.0(서버)를 이용해서 구현


Identity Management System (IDM) Overview

Terry.Cho (http://bcho.tistory.com)


1. Background

 

IDM (Identity Management system) is one of most important and complex component in common IT system. 

Pain Point

Here is sample pain point in Identity management scenario when it comes from identity management area commonly.

 

Federation.

1)        Enterprise build their IT system with very simple & isolated identity management feature. All of each system has own IT management features.

2)        Number of the IT system has been grown, and it has own identity management system.

3)        End user starts complain to log in with different id for each system.

Lifecycle management & Provisioning

1)        After employee leaves company, Enterprise it admin needs to delete all of identity across the system.

2)        After new employee has been joined, his identity need to be created in email, ERP, CRM etc. Some identity creation needs to be approved by manager

 

Without common Identity management platform, identity management is being very painful. 

B2B vs B2C

There are two main category that uses identity management. One is B2B and the other one is B2C.

B2B is enterprise IT. It is designed for manage internal user or restricted number of end client.

The characteristic of B2B system is,

-       It has very complex scenario to support their business

-       It has a lot of package based legacy system like ERP,CRM etc.

-       It needs very elaborate authorization control.

-       It has many types of roles (admin, manager, end user, org admin etc).

So the product which supports B2B scenario,  focuses legacy system integration (provisioning, connector, standard support - WS-Security, SAML, XACML etc ) , work flow support etc.

This area is mainly driven by enterprise vendor like Oracle,CA,IBM etc.

 

In contrast, B2C area has different requirement.

In B2C area , it provides service to customer like SNS.

-       It supports huge # of end user (+million)

-       Role type and authorization control is very simple compare to B2B scenario.

-       Open standard based federation model (OAuth 2.0, Open ID etc)

-       Global deployment 

Trend & Implementation options

To build up IDM system there are 3 different approach.

1)       Option A. build with open source framework

build IDM system from scratch or reuse open source frame work.

To support just single silo system, big identity management system is not required. In this case, user just build the IDM system from scratch. For small to medium # of user, RDBMS backend preferred.  For medium to big number of user, LDAP or Microsoft Active Directory is preferred.

 

To provided more platformanized (or well defined) IDM, open source frame work can be used.

Spring Security is one of major player in this area. It is more focused on web based application.

Apache Shiro is also one of the other major player. It can support web and others (REST API based security control etc).   

2)       Option B. build with niche vendor solution  

If IT has to support more complex scenario. It that case it can consider solution. There are a lot of solutions which are optimized to specific scenario.

For example, Centrify is well optimized to support Active Directory based single sign on in B2B scenario. PingIdentity is good for user account federation scenario.

3)       Option C. Full package from enterprise vendor

If the company has a lot of package based legacy system and it needs sophisticated role based authorization control, long running work flow for authorization approval, audit etc, full packaged IDM is recommended.

These kind of IDM product is delivered by enterprise vendor like Oracle,IBM,CA etc.



Figure 1. IDM gartner magic quadrent 2010

Trend is,

For B2C, commonly it uses Option A and if there is more complex requirement it uses (or moves from Option A to ) Option B. Big B2C company like Facebook, Google builds up their own IDM system with Option A approach.

 

For B2B, for small & isolated system it uses Option A. For restricted scenario, Option B. For enterprise wide it uses Option C. Commonly enterprise IT system has its own LDAP server internally and they provides minimum single sign on with solutions (Option B).

 Commonly they has SSO, Provisioning only, not support authorization and other stuff.  The authorization supports requires a lot of customization both in IDM and service application side. And full package vendor solution is very expensive, complex and hard to manage. 

2. IDM System common features

Here is common feature which is provided by traditional IDM systems.

1)       User Management

It managed user identity during full life cycle. It created, update and delete the user identity information.

Ÿ   Lifecycle management

This feature manages whole life cycle of user identity management from creation to remove. Depends on requirement, user identity can be expired based on pre-defined logic. It also can manage password expiration date etc.

Ÿ   Work flow

Some user identity creation or new authorization permission guarantee needs a approval. For example in case of banking account creation, it needs to check user identity. This kinds of approval required long running process.

It is implemented by using work flow engine (eg. BPM etc)

Ÿ   Provisioning

When user identity has been created or modified, it need to be replicated another system. For example new email has been created in email system, new account in sales system need to be created. In that case the user profile should be replicated (provisioned). It is one of very important feature in centralized IDM.

Ÿ   Delegated Admin

To manage user identity , single IDM admin is not enough. If the company has a lot of organization and authorization control is requires, single IDM admin cannot cover whole of the requests. So in that case restricted admin authority need to be delegated to someone (ex. managers in the organization ). This feature is delegated admin.

One more thing for this feature, if the delegated admin has been leaved the company the delegated authority should be propagated to another user in the IDM.

Ÿ   Identification management

In specific system, user identity which prove "Who is the user?" is very important.

In Banking, Stock Trading system, user identity proven is very important issue. To support them IDM manages additional information like user certification, finger print and user biometric data 

2)       Access Management

Access management defines "Can user access specific resource?". It allows system to provide restricted access

Ÿ   Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. This is commonly done by comparing user identity & credentials (id & password)

Ÿ   Authorization (ACL , Entitlement)

This is process of granting or denying access to resource.

In other term, it is controlled by "ACL (Access Control List)". It describes "Who can access what resource".

In authorization scenario, there are 3 types of access control

       RBAC (Resource Based Access Control)

Resource access is controlled by user role. Individual user can have number of role. For example a user can be "Partner" ,"Admin" ,"End User". Resource control is granted by pre defined access control based on each role.

RBAC is one of most broadly used authorization method.

       DAC (Discretionary Access Control)

It is more flexible compare to RBAC. DAC manages authority based on user identity (user id or it's associated group)

       MAC (Mandatory Access Control)
User are given permission to resources by system administrator. Only the admin can grant permission to resource.

Ÿ   Federation (SSO)

If there are number of systems and user logged once in one system, it doesn't need to log into other system anymore. This is Single Sign On.

There are standards to support SSO like SAML, CAS, Kerberos etc.  

3)       Repository

Repository persists user identity & profile.

User identity has user id and password for log in. ACL (Access Control List) and user profile which contains user related data for example - name, address , email etc.

This repository is read intensive. And it needs to support tree like structure because, user identity combines user organization structure too. In this reason LDAP is common solution for repository.

If system have to support global roll out, it should also consider regulation issue. Some user information cannot be stored outside their country. When it designs user profile scheme, legal check is required.

And to support the global roll out, data replication across data center should be supported.  

4)       Audit & Reporting

Audit means, "who did what to which resource?". It can enables admin to track resource usage, denial resource access etc. In some system , the access log can be used to track user pattern. Web access log analysis scenario is one of the example. In addition the resource access log can be used to metering service usage. (cloud computing scenario etc)

For denial access, it need to support notification message to admin and reporting. To prevent denied access, it also need to support "black list".

This area is consists of logging, gathering, analysis, reporting and achieving. Now days, it is implemented by using big data technology. (logging framework etc)  

5)       Integrations

Integration feature is integrate multiple identity management system.

There are many perspectives. Replicate user profile from one to other systems is covered by "provisioning". Authentication across number of system can be covered by Single Sign On. Authorization over number of system can be covered by XACML based authorization system.

To simplify integration, we can have 3 perspective like below

Ÿ   Open standard support

Integration support is old problem in Identity management area. So there are already open standard to support the integration issue.

In B2C area, Open ID and OAuth are major player that support authentication.

In B2B area, there are a lot of standard like

-        SAML,WS-Security: support SSO & Federation

-        XACML: support authorization

-        LDAP or Microsoft Active Directory : repository integration

-        WS-Trust : API Security

Ÿ   Internal service integration

In enterprise, there are a lot of internal system. Especially legacy enterprise system (ERP,CRM) has very complex user profile scheme, organization structure and sometimes it doesn't support open standard.  So it needs special integration connector to support the integration (provisioning, authorization etc).

The Connector support is main feature of internal service integration

Ÿ   External service integration

It covers identity integration covers external system which resides in outside of company.  

-        B2C integration - There are already well know B2C service system like google, Windows Live accout, Face book, Twitter account. B2C integration scenario is usually implemented with open standard (OAuth, OpenID, Active Directory etc)

-        B2B integration - This area can have various scenario depends on requirement. If company A provides service B's from company B with white-label. They need to support SSO. In this case company A,B need to integrate their authentication by using SSO. In this scenario, if company B charge the service, user identity need to be provisioned from company A to company B to measure their usage.

B2B integration is occurred by ad-hoc way. There are no common approach in this area. Best way is clarify gap between two different identity management system and make integration scenario case by case. This approach is similar to EAI (Enterprise Application Integration).

-        B2B (Cloud) integration - There are already cloud enterprise cloud service like SalesForce.com, Microsoft Office 365. This service needs to integrate with company wide IDM system. 

3. IDM deployment model

To understand IDM deployment model, we have to understand IDM term first

Ÿ   IdP (Identity Provider) : This is IDM. It persists user identity, authenticate & authorize incoming request.

Ÿ   SP (Service Provider) : It provides service to end user. It has resource. Access to the resources are restricted by Idp. Example. Web Site etc.

Ÿ   Token : User credentials (id & password, or log in token - which is used for authentication)

There are 3 types of deployment models

Isolated IDM Model

Each service provider has it's own IdP. End user has to log in for each service provider with different identity.



Centralized IDM Model

Each services shares single IdP. This is most ideal model. End user can log in and access with single user identity.

All of access controls in all Service Provides are controlled by single ACL. It is consistent.

But it is hard to meet in real world. Product (open source or solution) already has it own Idp internally. If all of Service Providers are built from scratch, it can support this model.



Federated IDM Model

End user perspective, it is same to centralized IDM model. End user logs in Service Provider with single user identity. But each Service Provider has different IdP in backend.

This is common use case in IDM area. Authentication is integrated by SSO (Federation) and Authorization is covered by Entitlement (XACML etc)




Here is reference architecture of federation model



User management system create & update user profile. The profile is propagated to each IdP servers thru provisioning components. Service Provider has recent version of user profile.

End user logs in Service provider. It is federated by using SSO.


 

Bouncy Castle

프로그래밍/LIBS | 2013.03.15 17:00 | Posted by 조대협

http://www.bouncycastle.org/java.html


Java 기반의 암호화 라이브러리

'프로그래밍 > LIBS' 카테고리의 다른 글

Bouncy Castle  (0) 2013.03.15
Fuse 관련  (0) 2011.08.02
XDoclet 간단 예제..  (0) 2007.09.11
무료 차트 API  (0) 2007.08.10