Posted to commits@syncope.apache.org by "Francesco Chicchiricco (Confluence)" <no...@apache.org> on 2019/03/07 15:20:00 UTC

[CONF] Apache Syncope > Access Management features

Francesco Chicchiricco edited this page. Here's what changed:

#  Features

  1. 3rd party apps authentication, SSO and authorization:  

    1. Act as [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0) Identity Provider; integrate via 
      1. [mod_shib](https://wiki.shibboleth.net/confluence/display/SP3/Apache) (Apache HTTPd)
      2. [nginx-http-shibboleth](https://wiki.shibboleth.net/confluence/display/SP3/Nginx) (Nginx)
      3. [iis7_shib.dll](https://wiki.shibboleth.net/confluence/display/SP3/IIS) (IIS)
    2. Act as [OpenID Connect 1.0](https://openid.net/connect/) Provider, gain [certification](https://openid.net/certification/); integrate via 
      1. [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc) (Apache HTTPd)
      2. [nginx-openid-connect](https://github.com/nginxinc/nginx-openid-connect) (Nginx)
      3. [Microsoft.AspNetCore.Authentication.OpenIdConnect .Net package](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.openidconnect?view=aspnetcore-2.1) (IIS)
    3. Implement the latest version available of the [CAS protocol](https://apereo.github.io/cas/5.3.x/protocol/CAS-Protocol.html); integrate via the various [CAS clients](https://apereo.github.io/cas/5.3.x/planning/Architecture.html#cas-clients) available: 
      1. Apache HTTPd
      2. Nginx
      3. Java
      4. .NET
      5. PHP
      6. Perl
      7. Python
      8. Ruby
  2. Standard set of authentication modules, and API to extend / create new ones: 
    1. [JAAS](https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service)
    2. username / password with different back-ends (DBMS, LDAP, ...)
    3. TLS client certificate
    4. [Time-based One-time password](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm)
    5. SAML 2.0 SP
    6. OpenID Connect 1.0 Client
    7. Radius
    8. Kerberos
    9. [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor)
    10. [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)
    11. ...
  3. Authentication chains that combine multiple authentication modules, similar to Linux's PAM (required, sufficient, requisite, ...) 
    1. Step-up authentication (e.g. associate a level with each authentication module in a chain, and let 3rd party apps require a minimum level for access)
    2. Multi-factor authentication
  4. Authorization 
    1. Access Policies 
      1. URL-based
      2. grant-based (for JWT)
    2. Implement [XACML](https://en.wikipedia.org/wiki/XACML) 3.0
    3. Implement [UMA](https://en.wikipedia.org/wiki/User-Managed_Access)

#  Components

  1. (NEW) Flexible UI for web access 
    1. dynamically adapting to the configured authentication features (modules, chains, levels, ...)
    2. highly customizable, both graphically and in its processing
  2. (NEW) [API gateway](https://microservices.io/patterns/apigateway.html) for REST APIs authentication and authorization
  3. Core, which will provide additional REST endpoints for Access Management features

##  References

###  Projects and products

  * OpenSSO / OpenAM
  * CAS
  * Apache Fortress
  * Apache CXF Fediz
  * Keycloak

###  Topics

  * Enterprise Single Sign-On
  * API gateway
  * Mobile
  * Physical Access Management / IoT
  * [eIDAS](https://www.eid.as/)

...  
  
This message was sent by Atlassian Confluence 6.9.0  