Location and Authorization

Dave Kearns recently mused on the use of location in access control:
I could see [the user's location] being used in a graded authentication scheme to reduce or deny access based on a possibly adverse location (e.g., someone trying to access a Pentagon database from Uzbekistan).
and Kim Cameron responded, mapping this into his identity metasystem vision:
In the identity metasystem, the relying party could indicate in its policy that it requires several sets of identity claims: one indicating who the user is, and another indicating where the user is. The claims might come from different authorities (e.g. an enterprise and a trusted location provider). These would be implemented as two Security Token Services (claims transformers). Both sets of claims, taken together, would identify the user from the point of view of the relying party.
First, I have to agree with Dave's 2002 article: this does indeed seem more like authorization than authentication. Now to the question of geo-location. Liberty defined the ID-SIS Geolocation Service earlier this year. An access control system (such as Sun Java System Access Manager) can implement policy based on location (or any other attribute or 'claim'). So an application (or, more likely, some agent protecting that application, in access control jargon a 'policy enforcement point' or PEP) can grant access to a given resource depending on policy constraints such as "Is the user within 100m of location X". When a user attempts to access the resource, the PEP sends a policy query for that constraint to the access control system's 'policy decision point' (PDP). The PDP queries the geolocation service for the user's current location and responds 'true' or 'false' to the PEP accordingly, and the PEP then grants or denies access to the resource as appropriate.
The elegance of this approach is that only one component of the system (the PDP) need be trusted with the user's identity (this might also be possible in Kim's identity metasystem). The information available to other components around the network is limited to exactly what they need to know - i.e. does the user's identity meet a given constraint. And, of course, you could deploy such a system right now using products from a number of vendors, since all of the above is defined by Liberty and is shipping today.
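To make the PEP/PDP split concrete, here is an added illustration (not code from the post, from Liberty, or from Access Manager) of the "within 100m of location X" policy above. It assumes a constructed in-memory geolocation service and session table standing in for the real ID-SIS Geolocation Service and SSO session store; the point it shows is that the PEP holds only an opaque session token and a yes/no answer, while the PDP alone resolves the identity and location.

```python
import math

# Constructed stand-in for the geolocation service: identity -> (lat, lon).
GEOLOCATION_SERVICE = {
    "alice@example.com": (38.8723, -77.0563),  # constructed: ~44m from the reference point
    "bob@example.com":   (41.2995, 69.2401),   # constructed: Tashkent, far away
}

# Constructed session store held by the PDP: opaque token -> identity.
SESSIONS = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}

# Policy: resource -> (reference point "X" as (lat, lon), radius in metres).
POLICY = {"/secure/report": ((38.8719, -77.0563), 100.0)}


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    earth_radius_m = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_m * math.asin(math.sqrt(a))


def pdp_decide(token, resource, sessions=SESSIONS, geo=GEOLOCATION_SERVICE, policy=POLICY):
    """Policy decision point: the only component that learns who and where the user is.
    Returns True only if a policy exists, the session is valid, the location is known,
    and the user is inside the radius; every failure mode is a deny."""
    if resource not in policy:
        return False                       # no policy: deny by default
    user = sessions.get(token)
    if user is None:
        return False                       # unknown or expired session
    location = geo.get(user)
    if location is None:
        return False                       # location provider has no fix for this user
    center, radius_m = policy[resource]
    return haversine_m(location, center) <= radius_m


def pep_handle(token, resource, decide=pdp_decide):
    """Policy enforcement point: forwards the constraint query and acts on the boolean.
    It never sees the identity or the coordinates, only GRANT/DENY."""
    return "GRANT" if decide(token, resource) else "DENY"
```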