P4A Security Infrastructure

From wiki.gpii

Introduction

The Security infrastructure provides services related to (a) the registration of the service suppliers (providers) and consumers and the registration of the services in the P4All platform, (b) the authentication of the users and (c) their authorization per service. The service includes administrative functionality for account and profile editing. Security-related actions are logged and offered to the charging services. The security infrastructure is expected to facilitate developers by offering them the option to easily integrate P4A security services with their assistance services.

Target Audience(s)

The target users of the Security infrastructure are: (a) the developers - service suppliers, (b) the service consumers - the end users, (c) the administrators of the platforms and (d) other sub-systems that may need security-related information, e.g. the charging systems that exploit the authentication timestamps.

Potential Applications

All involved stakeholders are expected to benefit from the functionality offered by the P4All security infrastructure. All types of users have a single point of entry for registration, authentication and authorization. The administrators will be able to monitor and control the users of the platform. The developers - service suppliers will be able to use off-the-shelf functionality to integrate their services, instead of providing their own components. Furthermore, information will be available to third systems such as the charging system.

In the context of P4All ecosystem, we foresee that at least the following components are candidates to use the security system:

  • AoD (Assistance on Demand), where the service providers, the service consumers and the carers will be registered users of the security platform. The services, offered through AoD, are resources managed by the security system.
  • DSpace: The developers can be registered in the Security system.
  • Unified Listing: The users of the Unified Listing can be registered in the security infrastructure.

All other components of the P4All project can use the security infrastructure (including eLearning, open Market, Transforming Media, UL Database, Language Translation and the component repository, as referred to in [1]).

Technologies

We foresee the usage of an implementation of the OAuth2 standard (RFC 6749). We will also provide the authentication mechanism (currently based upon username/password) and create the registration functionality.

Open Source IAM Solutions

  • OpenIAM (http://www.openiam.com/) claims a seamless IAM stack with a rich UI, modern SOA architecture, connectors for easy integration and an affordable subscription-based model. It consists of the OpenIAM Identity Manager and the OpenIAM Access Manager.
  • The ForgeRock Open Identity Stack (http://forgerock.com/products/open-identity-stack/) is an open source solution for identity and access management. The Open Identity Stack includes OpenAM for access management, OpenDJ for directory services, and OpenIDM for user administration and provisioning.
  • LinID (http://www.linid.org/welcome/index.htm) was developed and is supported by Linagora (a leader in the French open source market). LinID comes with two main components, the Directory Manager and the LDAP Manager.
  • Soffid IAM (http://soffid.com/) is an open source identity management solution including user management, provisioning tools, role-based access control, Enterprise SSO, business process management, digital signature, web single sign-on and federation.
  • Fortress (http://iamfortress.org/overview) is a standards-based and open source IAM system that provides ANSI RBAC (INCITS 359) management and enforcement capabilities to networked applications and systems.
  • midPoint (https://wiki.evolveum.com/display/midPoint/Home) is a tool that synchronizes several identity repositories, manages them and makes them available in unified form. It belongs to the user provisioning category of the enterprise identity management field.
  • OpenRegistry is an open source Identity Management System (IDMS) developed by UNICON (http://www.unicon.net/solutions/identity-and-access-management). It is a place to manage and store data about people affiliated with an organization. OpenRegistry condenses identity data sourced from a variety of systems into a canonical record suitable for provisioning to systems such as Active Directory or OpenLDAP.

NLIGHT (http://www.nlight.eu/documents/open-source-idm/) compares three solutions, midPoint, OpenIDM and Apache Syncope, and finds that OpenIDM from ForgeRock gathers the highest number of contributors, offers high code-analysis scores and comes 2nd in the number of committed users.

Non-open source Solutions

  • Oracle Identity and Access Management (http://www.oracle.com/us/products/middleware/identity-management/oiam/overview/index.html)

Licence Information

The licences accompanying the security infrastructure contain re-distribution friendly directives (Apache, BSD etc.). None of them is proprietary and/or of limited (re)use.

Status, Known Issues & Planned Work

The system is currently in the phase of requirements identification, specifications and the review of currently available open-source solutions. The specs will be finalized and included in D201.1 (due M18, July 2015) for the Task 201.3.

Further Resources

We have defined a list of scenarios as shown in the following table.

Scenario 1: Service Consumer (end user), Service Supplier, Carer and Service Registration (Task 205.3)

  • Act 1 - End user registration: The end user registers to the platform and completes his profile, including typical and extended personal info. Typical information includes first and last name, username and password, email account, mobile number (if available), nationality, the level of familiarity with IT and the preferred channel(s) for system interaction. Payment-related details and other auxiliary options, such as his interest in crowd-funding processes, are also included.
  • Act 2 - Carer registration: The carer registers to the platform and completes his/her profile. He/she should be associated with at least one end user. This association is performed during registration and verified by the end user.
  • Act 3 - Service supplier registration: The service supplier registers to the platform and completes his profile.
  • Act 4 - Service registration: The service is the primary resource used in the P4All infrastructure. The service supplier registers a service in the platform. Descriptive metadata are completed, including target users, usage details and charging models. The service provider specifies the acceptable user and administrative actions upon the service.
  • Act 5 - End user subscription to a service: The end user (service consumer) subscribes to a set of P4All services, completing the necessary fields and after explicitly verifying that he has been informed of the terms and conditions and the policies applied. The subscription to the service is verified by an email.
  • Act 6 - End user un-subscription from a service: The end user unsubscribes from a P4All service. The un-subscription from the service is verified by an email to his primary account.
  • Act 7 - Profile management: The end user, the carer and/or the service supplier can edit their profiles (registration and subscriptions); the service suppliers can manage the registration of the services.

Scenario 2: Authentication and Authorization (Task 205.3)

  • Act 1 - Authentication: The end user, the carer and/or the service supplier authenticates using his username and password. After the verification of the credentials, the user is informed of the successful logon and about his last login.
  • Act 2 - Authorization: The end user, the carer and/or the service supplier is authorized to perform an action upon a service (resource). The user and the service (resource) should have already been registered to the platform, while the user should have subscribed to the service. The OAuth2 mechanisms will be used for authentication.

Scenario 3: Provision of Logs and Statistics (Task 205.3)

  • Act 1 - Authentication and Session logs: The system provides the information related to the authentication of a user (service consumers, carers and suppliers) to the platform. Session information (duration) is also included. This can be performed, indicatively, for statistical and charging purposes.
  • Act 2 - Authorization logs: The system provides the information related to the authorization of a user (service consumers, carers and suppliers) to a service. This can be performed, indicatively, for statistical and charging purposes.
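The following is an added illustration, not code from the P4All project, of the checks that Scenario 2, Act 2 requires before an action on a service is granted (registered user, registered service, subscription, and the user/administrative actions the supplier declared in Scenario 1, Act 4), together with the per-decision authorization log of Scenario 3, Act 2. The class and role names, the default-deny ordering of the checks and the log fields are assumptions for the example.

```python
# Added example (not P4All project code). Roles are assumed to be
# "consumer" or "supplier"; carers are omitted for brevity.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Service:
    service_id: str
    supplier: str             # username of the registered supplier (Act 3)
    user_actions: frozenset   # actions the supplier allows end users (Act 4)
    admin_actions: frozenset  # administrative actions reserved to the supplier

class SecurityInfra:
    def __init__(self):
        self.users = {}              # username -> role
        self.services = {}           # service_id -> Service
        self.subscriptions = set()   # (username, service_id), Scenario 1 Act 5
        self.authz_log = []          # Scenario 3, Act 2: one entry per decision

    def register_user(self, username, role):
        self.users[username] = role

    def register_service(self, service):
        if self.users.get(service.supplier) != "supplier":
            raise ValueError("service supplier must be registered first")
        self.services[service.service_id] = service

    def subscribe(self, username, service_id):
        if username not in self.users or service_id not in self.services:
            raise ValueError("user and service must both be registered")
        self.subscriptions.add((username, service_id))

    def authorize(self, username, service_id, action):
        # Returns (granted, reason). Deny by default; every decision is logged
        # so the charging system can consume it later.
        svc = self.services.get(service_id)
        if username not in self.users:
            verdict = (False, "unknown user")
        elif svc is None:
            verdict = (False, "unknown service")
        elif svc.supplier == username and action in svc.admin_actions:
            verdict = (True, "supplier administrative action")
        elif (username, service_id) not in self.subscriptions:
            verdict = (False, "not subscribed")
        elif action not in svc.user_actions:
            verdict = (False, "action not permitted by supplier")
        else:
            verdict = (True, "subscribed user action")
        self.authz_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user": username, "service": service_id, "action": action,
                               "granted": verdict[0], "reason": verdict[1]})
        return verdict
```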

Videos/Demos

The first version of IAM component has been deployed and hosted in link.

Documentation/FAQs

Who can use the security infrastructure? - All entities involved in the P4All ecosystem are encouraged to use the security infrastructure.

The guidelines for the 1st version of the security IAM component can be found here


Related/Alternative Tools

We are in the process of examining the characteristics and capabilities of (open source) tools implementing the OAuth2 protocol, with ForgeRock and Python implementations being the candidates. The work continues.

Getting Involved

Code Repository