webinar: consent 2.0: applying user-managed access to the privacy challenge

Copyright © 2015 ForgeRock, all rights reserved. CONSENT 2.0 APPLYING USER-MANAGED ACCESS TO THE PRIVACY CHALLENGE July 21, 2015


TRANSCRIPT



Your Hosts

Markus Weber

@MWAtForgeRock

Eve Maler

@xmlgrrl


Recent Pew Survey:

91% of American adults say that consumers have lost control over how personal information is collected and used by companies.

Source: http://www.pewresearch.org/key-data-points/privacy/


Recent Accenture Survey:

67% of individuals are willing to share data with companies

- drops to 27% if the business is sharing data with a third party


ForgeRock’s Identity Platform and emerging standards

[Platform diagram, repeated across four build slides; the only legible label is “Common Services”]

aspiration

risk mitigation

cynicism


From the web to the IoT, the “fear/greed” tension around data sharing is only going to grow


“Post-compliance” consent tools only take us so far

OAuth: standard and scoped … but opt-in at run time, Alice-only, and closed-system

“Share”: proactive and delegable … but proprietary, closed-system, and often insecure


Customer Identity 2.0 needs Consent 2.0

Context: the right moment to make the decision to share

Control: the ability to share just the right amount

Choice: the true ability to say no and to change one’s mind

Respect: regard for one’s wishes and preferences


The new Venn of access control and consent


Financial scenario

Alice wants to allow (consent to or delegate to) her accountant to import her tax data directly from her employer’s site into the tax return application he uses, with the ability to revoke that consent.


Healthcare / IoT scenario

Alice can see in her central dashboard what resources she already has shared.

She shared, for example, data from her implantable cardiac defibrillator with her doctor.


ForgeRock’s OpenUMA solution will help you meet the new privacy challenge


ForgeRock is delivering two key OpenUMA components by the end of 2015

authorization server / resource server

(client)

UMA Provider based on

UMA Protector based on


Additionally…

• User tab for fielding pending requests
• Resource labels for viewing and filtering
• Special “Alice-to-Alice sharing” experience


How UMA works: federated authorization on top of OAuth

Loosely coupled to enable centralized authorization-as-a-service for any number of an individual’s resource servers

A new concept, to enable party-to-party sharing driven by policy (or access approval) rather than requiring the individual to be present at access time

Authorization data is added to this token if trust in the requesting party is successfully elevated, typically through authentication and/or claims-gathering


Where the action is at Kantara

http://tinyurl.com/umawg

Brand-new UMA Developer Resources

Work Group


Where the action is at OpenID Foundation

HEART Profile for UMA

HEART Profile for OAuth 2.0

HEART Profile for OpenID Connect (comes with its own SSO API)

HEART OAuth Profile for FHIR API

HEART UMA Profile for FHIR API

http://openid.net/wg/heart/


ForgeRock helps you deliver Consent 2.0 experiences to your customers that demonstrate context, control, choice, and respect


Where in the World is ForgeRock?

RSA Conference Asia Pacific & Japan, 22 - 24 July, 2015, Singapore

Gartner Catalyst Conference, 10 - 13 August, 2015, San Diego, CA

Les Assises, 30 September - 3 October, 2015, Monaco


Where to follow us:

https://twitter.com/ForgeRock

http://www.linkedin.com/company/forgerock

https://www.youtube.com/user/ForgeRock

https://vimeo.com/forgerock

http://forgerock.com/resources/


Try it & Participate!

https://forgerock.org/openuma/


THANKS! QUESTIONS?


The UMA nitty gritty

[Sequence diagram: resource owner, resource server (RS), authorization server (AS), client and requesting party, each with its own UI. The RS talks to the AS over the protection API (carrying a PAT), the client talks to the AS over the authorization API (carrying an AAT), and the client talks to the RS over the RS-specific API (carrying an RPT). The resource owner chooses resources to protect and sets policies out of band. The arrows are numbered 1 to 11 and correspond to the steps listed below.]

• RS needs OAuth client credentials at AS to get PAT
• C needs OAuth client credentials at AS to get AAT
• All protection API calls must carry PAT
• All authorization API calls must carry AAT

1. RS registers resource sets and scopes (ongoing – CRUD API calls)

2. C requests resource (provisioned out of band; must be unique to RO)

3. RS registers permission (resource set and scope) for attempted access

4. AS returns permission ticket

5. RS returns error 403 with as_uri and permission ticket

6. C requests authz data, providing permission ticket

7. (After claims-gathering flows not shown) AS gives RPT and authz data

8. C requests resource with RPT

9. RS introspects RPT at AS (default profile)

10. AS returns token status

11. RS returns 20x
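The eleven steps above and the "How UMA works" slide, as an added example that is not part of the webinar or of ForgeRock's OpenUMA code: an in-memory Python model of the UMA 1.0 permission-ticket flow between the authorization server, resource server and client, with a policy lookup standing in for the claims-gathering step. The class and token names (AuthzServer, ResourceServer, run_flow, pat-rs1, aat-c1, https://as.example) are constructed for this example.

```python
import secrets  # only used to mint opaque, unguessable tickets and RPTs

class AuthzServer:
    """AS: registers resource sets, issues permission tickets and RPTs (constructed model)."""
    def __init__(self):
        self.resource_sets = {}  # rs_id -> set of scopes
        self.policies = {}       # (rs_id, requesting party) -> scopes Alice allows, set out of band
        self.tickets = {}        # permission ticket -> (rs_id, scope); single use
        self.rpts = {}           # RPT -> authorization data: set of (rs_id, scope)
        self.pats = {"pat-rs1"}  # constructed PAT: the RS's OAuth token for the protection API
        self.aats = {"aat-c1"}   # constructed AAT: the client's OAuth token for the authorization API
    def register_resource_set(self, pat, rs_id, scopes):  # step 1 (protection API, needs PAT)
        assert pat in self.pats, "protection API call without PAT"
        self.resource_sets[rs_id] = set(scopes)
    def register_permission(self, pat, rs_id, scope):  # steps 3-4: RS registers the attempted access
        assert pat in self.pats, "protection API call without PAT"
        assert scope in self.resource_sets[rs_id], "unknown scope for this resource set"
        ticket = secrets.token_urlsafe(8)
        self.tickets[ticket] = (rs_id, scope)
        return ticket
    def request_authz(self, aat, ticket, requesting_party):  # steps 6-7 (authorization API, needs AAT)
        assert aat in self.aats, "authorization API call without AAT"
        rs_id, scope = self.tickets.pop(ticket)  # a ticket is consumed on first use
        if scope not in self.policies.get((rs_id, requesting_party), set()):
            return None  # trust not elevated: no authorization data, so no RPT
        rpt = secrets.token_urlsafe(8)
        self.rpts[rpt] = {(rs_id, scope)}
        return rpt
    def introspect(self, pat, rpt):  # steps 9-10: RS asks the AS what the RPT is good for
        assert pat in self.pats, "protection API call without PAT"
        return self.rpts.get(rpt, set())

class ResourceServer:
    """RS: never decides locally; it introspects the RPT or hands back a ticket (constructed model)."""
    def __init__(self, az, pat):
        self.az, self.pat, self.as_uri = az, pat, "https://as.example"  # constructed AS URI
    def handle(self, rs_id, scope, rpt=None):  # steps 2, 5, 8 and 11
        if rpt and (rs_id, scope) in self.az.introspect(self.pat, rpt):
            return 200, "Alice's tax data"
        ticket = self.az.register_permission(self.pat, rs_id, scope)
        return 403, {"as_uri": self.as_uri, "ticket": ticket}  # step 5: 403 with as_uri and ticket

def run_flow(requesting_party):
    """One client attempt on behalf of requesting_party; returns the final HTTP status."""
    az = AuthzServer(); rs = ResourceServer(az, "pat-rs1")
    az.register_resource_set("pat-rs1", "tax-2015", ["view"])
    az.policies[("tax-2015", "accountant")] = {"view"}  # Alice's policy for her accountant, set out of band
    status, body = rs.handle("tax-2015", "view")  # first attempt carries no RPT: 403 + permission ticket
    rpt = az.request_authz("aat-c1", body["ticket"], requesting_party)
    return rs.handle("tax-2015", "view", rpt)[0] if rpt else 403
```

Note that the RS holds no policy at all: the decision lives with the AS, which is what lets Alice revoke or change a policy centrally without touching each resource server.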