When the product is a foundational service, a term used to refer to a service hosted in the base of a public cloud provider, the concerns for claim provisioning, token service, managed service identities, secrets management and security configuration dashboards must be addressed in modules dedicated to this layer. Any service that sits on top of the foundational service has the luxury of utilizing the cloud provider published resource manager templates and can use them interchangeably for different technologies representing these functionalities of an IAM. The choice of technologies used in the foundational layer become rather restricted and almost a Do-it-yourself approach. The services built in the cloud, on the other hand, experience rich functionalities and interchangeable with those from competing vendors. The costs of DIY approach are known to be high, but the flexibility and resource efficiency are undeniable. We review some of the essential functions that these technologies must implements and the support for their automations.
With an identity claim model, an application or web service is no longer responsible for the following: 1) authenticating users 2) storing user accounts and passwords, 3) calling membership providers like enterprise directories to lookup user information 4) integrating with identity systems from other organizations and 5) providing implementations for several protocols to be compliant with industry standards and business practice. All the identity related decisions are based on claims supplied by the user. An identity is a set of attributes that describe a principal. A claim is a piece of identity information. The more slices of information an application receives, the more complete the pie representing the individual. Instead of the application looking up the identity, it merely serializes them to the external system. A security token is a serialized set of claims that is digitally signed by the issuing authority. It gives the assurance that the user dd not make up the claim. An application might receive the claim via the security header of the SOAP envelope of the service. A browser-based web application arrives through an HTTP POST from the user’s browser which may later be cached in a cookie if a session is enabled. The manner might vary depending on the clients and the medium, but the claim can be generalized with a token. Open standards including some well-known frameworks are great at creating and reading security tokens. A security token service is the plumbing that builds, signs and issues security tokens. It might implement several protocols for creating and reading security tokens but that is hidden from the application.
The relying parties are the claim-aware applications and the claims-based applications. These can also be web applications and services, but they are usually different from the issuing authorities. When it gets a token, the relying parties extract claims from the tokens to perform specific identity related tasks
A claim is a combination of a claim type, right, and a value. A claim set is a set of claims issued by an issuing authority. A claim can be a DNS, email, hash, name, RSA, sid, SPN, system, thumbprint, Uri, and X500DistinguishedName type. An evaluation context is a context in which an authorization policy is evaluated. It contains properties and claim sets and once the evaluation is complete, it results in an authorization context once authorization policies are evaluated. An authorization policy is a set of rules for mapping a set of input claims to a set of output claims and when evaluated, the resulting authorization context has a set of claims sets and zero or more properties. An identity claim in an authorization context makes a statement about the identity of the entity. A group of authorization policies can be compared to a machine that makes keys. When the
No comments:
Post a Comment