Posts

Showing posts from January, 2014

Using OpenAM as a REST based PDP

OpenAM has powerful policy decision point (PDP) functionality that can be leveraged entirely over the REST endpoints provided out of the box.  These endpoints allow for clean decoupling between the PDP, the authentication infrastructure and your app.  A few things to set up first...

Policies - policies map to the resource URLs that you want to protect, along with additional data such as the subjects (users) the policy will affect, as well as conditions such as IP address, time, authentication level requirements and so on.

Authentication Modules - an obvious component, but the modules can also be configured with an authentication level (an arbitrary numeric value) that provides an assurance level once a user has authenticated through a particular chain / module.  The auth level can then be leveraged via the policy.

Authentication - authenticating the user over REST in v11 has changed slightly.  There is now the use of JSON based callbacks that allow for more flexible authentication scenarios.  For exampl…

Role Mining & Peer Analytics in OpenIDM

I created a few custom endpoint extensions for use with OpenIDM that allow for the analysis of users and their entitlements.  I won't go into the virtues of roles and role based access control, but these endpoints are a simple way to quickly identify similarities between groups of users and then quickly find any differences or exceptions.  These exceptions would then be analysed either by a certification system or perhaps manually by the security admin teams.

Peer Analysis

The first endpoint simply groups users (generally managed users) together based on a functional similarity.  This is generally known as 'top down' mining in full blown role mining projects.  The endpoint returns a JSON object with role names and, for each role, an array of the users that are part of that functional grouping.

Peer Entitlements

The role object on its own isn't much use.  What we're really interested in is what entitlements should be associated with that role.  This makes the onboarding of new users…