webinar: consent 2.0: applying user-managed access to the privacy challenge
TRANSCRIPT
Copyright © 2015 ForgeRock, all rights reserved.
CONSENT 2.0
APPLYING USER-MANAGED ACCESS TO THE PRIVACY CHALLENGE
July 21, 2015
Your Hosts
Markus Weber
@MWAtForgeRock
Eve Maler
@xmlgrrl
Recent Pew Survey:
91% of American adults say that consumers have lost control over how personal information is collected and used by companies.
Source: http://www.pewresearch.org/key-data-points/privacy/
Recent Accenture Survey:
67% of individuals are willing to share data with companies
- drops to 27% if the business is sharing data with a third party
ForgeRock’s Identity Platform and emerging standards
(Diagram of the platform; the only legible label is “Common Services”.)
From the web to the IoT, the “fear/greed” tension around data sharing is only going to grow
“Post-compliance” consent tools only take us so far
OAuth: standard and scoped … but opt-in at run time, Alice-only, and closed-system
“Share”: proactive and delegable … but proprietary, closed-system, and often insecure
Customer Identity 2.0 needs Consent 2.0
Context The right moment to make the decision to share
Control The ability to share just the right amount
Choice The true ability to say no and to change one’s mind
Respect Regard for one’s wishes and preferences
Financial scenario
Alice wants to allow (consent to or delegate to) her accountant to import her tax data directly from her employer’s site into the tax return application he uses, with the ability to revoke that consent.
Healthcare / IoT scenario
Alice can see in her central dashboard what resources she already has shared.
She shared, for example, data from her implantable cardiac defibrillator with her doctor.
ForgeRock’s OpenUMA solution will help you meet the new privacy challenge
ForgeRock is delivering two key OpenUMA components by the end of 2015
• UMA Provider (authorization server), based on …
• UMA Protector (resource server), based on …
(The diagram also shows the client.)
Additionally…
• User tab for fielding pending requests
• Resource labels for viewing and filtering
• Special “Alice-to-Alice sharing” experience
How UMA works: federated authorization on top of OAuth
Loosely coupled, to enable centralized authorization-as-a-service for any number of an individual’s resource servers
The requesting party is a new concept, to enable party-to-party sharing driven by policy (or access approval) rather than requiring the individual to be present at access time
Authorization data is added to the requesting party token (RPT) if trust in the requesting party is successfully elevated, typically through authentication and/or claims-gathering
Where the action is at Kantara
UMA Work Group: http://tinyurl.com/umawg
Brand-new UMA Developer Resources
Where the action is at OpenID Foundation
• HEART Profile for UMA
• HEART Profile for OAuth 2.0
• HEART Profile for OpenID Connect (comes with its own SSO API)
• HEART OAuth Profile for FHIR API
• HEART UMA Profile for FHIR API
http://openid.net/wg/heart/
ForgeRock helps you deliver Consent 2.0 experiences to your customers that demonstrate context, control, choice, and respect
Where in the World is ForgeRock?
• RSA Conference Asia Pacific & Japan, 22 - 24 July, 2015, Singapore
• Gartner Catalyst Conference, 10 - 13 August, 2015, San Diego, CA
• Les Assises, 30 September - 3 October, 2015, Monaco
Where to follow us:
https://twitter.com/ForgeRock
http://www.linkedin.com/company/forgerock
https://www.youtube.com/user/ForgeRock
https://vimeo.com/forgerock
http://forgerock.com/resources/
Try it & Participate!
https://forgerock.org/openuma/
The UMA nitty gritty
(Diagram: the five UMA parties, resource owner (RO), resource server (RS), authorization server (AS), client (C) and requesting party, each with its UI. The AS exposes the protection API and the authorization API; the RS exposes an RS-specific API; the corresponding callers are labelled authorization client, protection client and RS-specific client. Three tokens appear: PAT (protection API token), AAT (authorization API token) and RPT (requesting party token). The RO chooses resources to protect and sets policies, both out of band.)
Token prerequisites:
• RS needs OAuth client credentials at AS to get PAT
• C needs OAuth client credentials at AS to get AAT
• All protection API calls must carry PAT
• All authorization API calls must carry AAT
Flow:
1. RS registers resource sets and scopes (ongoing – CRUD API calls)
2. C requests resource (provisioned out of band; must be unique to RO)
3. RS registers permission (resource set and scope) for attempted access
4. AS returns permission ticket
5. RS returns error 403 with as_uri and permission ticket
6. C requests authz data, providing permission ticket
7. (After claims-gathering flows not shown) AS gives RPT and authz data
8. C requests resource with RPT
9. RS introspects RPT at AS (default profile)
10. AS returns token status
11. RS returns 20x
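The eleven steps above, and the "authorization data on the RPT" idea from the earlier "How UMA works" slide, as an added in-memory model that is not code from the deck or from ForgeRock's OpenUMA components. The class names, the "view"/"edit" scopes, the as_uri value and all token values are constructed for illustration; PAT and AAT are checked as plain bearer strings and the claims-gathering of step 7 is collapsed into a policy lookup.

```python
# Added illustration (not ForgeRock code): in-memory model of the slide's 11-step UMA 1.0 flow.
import secrets
class UmaAS:  # authorization server: protection API needs PAT, authorization API needs AAT
    def __init__(self):
        self.pat, self.aat = secrets.token_hex(8), secrets.token_hex(8)  # OAuth tokens for RS, C
        self.tickets, self.rpts, self.policies = {}, {}, {}
    def register_resource_set(self, pat, scopes):        # step 1 (RS -> AS)
        assert pat == self.pat, "all protection API calls must carry PAT"
        rs_id = secrets.token_hex(4)
        self.policies[rs_id] = {"_scopes": set(scopes)}  # registered scopes, no policy yet
        return rs_id
    def set_policy(self, rs_id, party, scopes):          # RO sets policy, out of band
        self.policies[rs_id][party] = set(scopes) & self.policies[rs_id]["_scopes"]
    def register_permission(self, pat, rs_id, scope):    # steps 3-4 (RS -> AS)
        assert pat == self.pat, "all protection API calls must carry PAT"
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (rs_id, scope)
        return ticket
    def issue_rpt(self, aat, ticket, party):             # steps 6-7 (C -> AS); claims not shown
        assert aat == self.aat, "all authorization API calls must carry AAT"
        rs_id, scope = self.tickets.pop(ticket)          # permission ticket is single use
        allowed = scope in self.policies[rs_id].get(party, set())
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = (rs_id, {scope} if allowed else set())  # authz data bound to RPT
        return rpt
    def introspect(self, pat, rpt):                      # steps 9-10 (RS -> AS)
        assert pat == self.pat, "all protection API calls must carry PAT"
        return self.rpts.get(rpt)                        # None: unknown or inactive token

class UmaRS:  # resource server holding Alice's data; as_uri is a constructed placeholder
    def __init__(self, az, pat, as_uri="https://as.example/uma"):
        self.az, self.pat, self.as_uri, self.data = az, pat, as_uri, {}
    def protect(self, resource, scopes):                 # RO chose this resource, out of band
        rs_id = self.az.register_resource_set(self.pat, scopes)
        self.data[rs_id] = resource
        return rs_id
    def get(self, rs_id, scope, rpt=None):               # steps 2 and 8 in; 5 and 11 out
        perms = self.az.introspect(self.pat, rpt) if rpt else None
        if perms and perms[0] == rs_id and scope in perms[1]:
            return 200, self.data[rs_id]                 # step 11: 20x
        ticket = self.az.register_permission(self.pat, rs_id, scope)
        return 403, {"as_uri": self.as_uri, "ticket": ticket}  # step 5

def client_fetch(rs, az, aat, rs_id, scope, party):     # the client's side of the flow
    status, body = rs.get(rs_id, scope)                  # step 2: first attempt has no RPT
    if status == 403:                                    # step 5: learn as_uri and ticket
        rpt = az.issue_rpt(aat, body["ticket"], party)   # step 6
        status, body = rs.get(rs_id, scope, rpt)         # step 8: retry with RPT
    return status, body
```

Note the revocation point the deck asks for: removing the policy entry at the AS makes every later introspection return empty authorization data, so the RS falls back to a fresh 403 without the client or RS holding any state.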