Role based access control for the services

When confidential information is delivered beyond company borders, users' privileges must be carefully examined whenever they try to access that information. The first step in the process is proper authentication. But after the user has been authenticated, then what?


Authentication should be separate from authorization. Authorization is the function or process by which a user is granted certain privileges so that she can work with the information available. These privileges are usually constructed as roles or user attributes. A role gives you certain types of permissions to do something to a limited set of data or content; a role is a collection of permissions created within the application.


When state-of-the-art on-line applications are created, they should support role-based authorization from the start. Application Servers such as BEA WebLogic and development frameworks such as Java and .NET include interfaces for creating role-based access control mechanisms in web applications.


Once an application is created, it has a certain role set it understands. Ubilogin eIDM is a tool to deploy these roles and authorizations to the real users. Ubilogin eIDM models the service providers / applications in the database (and GUI). When these services are documented and their roles are created in the database, they become available to the extranet admin users. The most notable benefit in this situation is that the provider organization's administrators only need to model these services in Ubilogin eIDM; the actual authorization management is handled by the extranet admin users.



Service Provider authorizations


In Ubilogin eIDM solutions, the bulk of the maintenance and administration work is done by the extranet users and the extranet user organization.


However, the service provider organization has the option of making authorizations in many different ways, even forcing an authorization between two extranet user companies. This use case is most obvious in e-government related services, where e.g. a government representative (service provider) appoints a representative (the authorized party) for an outsourcing or delegating person (the authorizing party).



Separate the authentication from the authorization


With Ubilogin eIDM, federation partners, especially the receiving party in a federation relationship, can expand their solutions. In federation, users are authenticated by the partner, but the actual privileges are maintained in Ubilogin eIDM. In this way authentication is separated from authorization, and the configuration data for each is maintained separately. This resolves some of the issues companies have with federation, where user information is exposed from the company's internal network to the other network.


This also applies to the normal extranet use case, where users do not have an existing federation partnership but merely use Ubilogin eIDM for extensive user authorization. For the application that needs protection, this means that it must understand roles or attributes, which can then be translated into application-specific permissions. Separating authentication from authorization makes it possible to build more fine-grained access policies within the application infrastructure, improve security, and still keep administration costs lower.
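The two sections above describe the same pattern: a partner (or the SSO service) authenticates the user, while the roles and the role-to-permission translation stay under the application side's control. The following is an added illustration of that split in Python; it is not Ubilogin code, and the issuer URLs, user names, roles and permissions in it are constructed placeholders. The authorization decision is deny-by-default: an untrusted issuer, an unknown user or an unknown role grants nothing.

```python
"""Role-based authorization kept separate from authentication.

Added example (not Ubilogin code): the federation partner authenticates the
user; the relying side keeps its own role assignments and translates roles
into application permissions. All names and URLs below are hypothetical.
"""
from dataclasses import dataclass

# Identity providers this application trusts to authenticate users (constructed value).
TRUSTED_ISSUERS = {"https://idp.partner.example"}

# Role -> permissions. A role is a collection of permissions defined by the application.
ROLE_PERMISSIONS = {
    "viewer":   {("read", "invoice")},
    "approver": {("read", "invoice"), ("approve", "invoice")},
    "admin":    {("read", "invoice"), ("approve", "invoice"), ("manage", "users")},
}

# Local authorization store: (issuer, subject) -> roles. This is the part that stays
# under the receiving organisation's control even though authentication is federated.
USER_ROLES = {
    ("https://idp.partner.example", "alice"): {"approver"},
    ("https://idp.partner.example", "bob"): {"viewer"},
}


@dataclass(frozen=True)
class AuthenticatedUser:
    """Result of authentication only: who the user is and which issuer vouched for them."""
    issuer: str
    subject: str


def permissions_for(user: AuthenticatedUser) -> set[tuple[str, str]]:
    """Translate the user's locally maintained roles into application permissions.

    An untrusted issuer yields nothing, unknown roles grant nothing, and a user
    without an entry in the local store has no permissions at all.
    """
    if user.issuer not in TRUSTED_ISSUERS:
        return set()
    perms: set[tuple[str, str]] = set()
    for role in USER_ROLES.get((user.issuer, user.subject), set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: AuthenticatedUser, action: str, resource: str) -> bool:
    """Deny by default: only an explicitly granted (action, resource) pair passes."""
    return (action, resource) in permissions_for(user)


if __name__ == "__main__":
    alice = AuthenticatedUser("https://idp.partner.example", "alice")
    print(authorize(alice, "approve", "invoice"))  # True
    print(authorize(alice, "manage", "users"))     # False
```

Because the role store is keyed by issuer as well as subject, two partners that both have a user named "alice" cannot collide, and revoking a partner is a matter of removing its issuer from the trusted set rather than touching every user.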



SAML 2.0 Attribute Authority


Ubilogin eIDM and Ubilogin SSO work together in many ways in extensive IAM deployments. Ubilogin eIDM uses the authentication services provided by Ubilogin SSO.


Moreover, although the SAML 2.0 stack and the relevant features are part of the Ubilogin SSO product, the SAML 2.0 Attribute Authority features are quite important for Ubilogin eIDM.


The SAML 2.0 Attribute Authority can deliver up-to-the-minute information about a particular user to the application. By making a simple Attribute Query, the application can determine the correct privileges or updated attributes of the user identity during a session. This is a highly useful function when, for example, accepting transactions during a longer session.
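As an added illustration of the exchange just described (this is example code, not part of Ubilogin SSO or any Ubilogin SAML SP), the Python below builds the samlp:AttributeQuery an application would send and then validates a samlp:Response from the Attribute Authority before trusting the attributes in it. The entity IDs, subject, attribute name and the sample response are constructed placeholders. The checks that matter when attributes drive a transaction decision mid-session are all there: success status, expected issuer, expected subject and the Conditions validity window. XML signature verification, which a production deployment must do before any of these checks, is assumed to be handled by the SAML stack and is left out here.

```python
"""SAML 2.0 Attribute Query: build the SP's query and validate the AA's response.

Added example (not Ubilogin code). Entity IDs, subject and attribute names are
constructed placeholders. XML signature verification is assumed to happen
before this code runs and is not implemented here.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(sp_entity_id: str, subject: str, attribute_names: list[str]) -> str:
    """Serialise a samlp:AttributeQuery asking the Attribute Authority for the named attributes."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,  # SAML IDs must be NCNames, so they cannot start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime(TIME_FMT),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = sp_entity_id
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


def parse_attribute_response(xml_text: str, expected_issuer: str, expected_subject: str,
                             now: datetime) -> dict[str, list[str]]:
    """Return {attribute name: values} from a samlp:Response, raising ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("attribute query was not successful")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject != expected_subject:
        raise ValueError(f"assertion is about {subject!r}, not {expected_subject!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:  # enforce the validity window the authority put on the assertion
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < datetime.strptime(not_before, TIME_FMT).replace(tzinfo=timezone.utc):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= datetime.strptime(not_on_or_after, TIME_FMT).replace(tzinfo=timezone.utc):
            raise ValueError("assertion has expired")
    attributes: dict[str, list[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


# Constructed sample response, shaped as an Attribute Authority would answer a query for "role".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://aa.example/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="role">
        <saml:AttributeValue>approver</saml:AttributeValue>
        <saml:AttributeValue>viewer</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Two constructed clock values: one inside the assertion's validity window, one after it.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_attribute_query("https://sp.example", "alice", ["role"]))
    print(parse_attribute_response(SAMPLE_RESPONSE, "https://aa.example/idp", "alice", SAMPLE_NOW))
```

The values returned by parse_attribute_response are what the application then maps onto its own permissions; because the query is made during the session rather than only at login, a role removed in the authority after login stops being honoured at the next query, which is the point of using the Attribute Authority for transaction approval.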


For application developers, Ubilogin SAML SPs are recommended for the integration, as they provide the SAML stack for the service provider side along with productized features for SAML Attribute Queries and more.


Please contact us for more information