Hasini's Views (Hasini, http://www.blogger.com/profile/06687717716325742229): Human knowledge belongs to the world...

<b>RahasNym: Protecting against Linkability in the Digital Identity Eco System</b> (2015-08-17)<div dir="ltr" style="text-align: left;" trbidi="on">
This is the poster paper on this topic, published and presented at the IEEE International Conference on Distributed Computing Systems (ICDCS 2015), which was held in Columbus, Ohio, USA from 29th June to 2nd July.<br />
<br />
The poster paper can be found in the <a href="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7164980" target="_blank">conference proceedings</a>.<br />
<br />
Following is the poster that was presented during the poster session of the main conference:<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="510" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/m2AoX9VJXuz7BP" style="border-width: 1px; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="477"> </iframe> <br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/HasiniG/rahasnym-preventing-linkability-in-the-digital-identity-eco-system" target="_blank" title="RahasNym: Preventing Linkability in the Digital Identity Eco System">RahasNym: Preventing Linkability in the Digital Identity Eco System</a> </strong> from <strong><a href="https://www.slideshare.net/HasiniG" target="_blank">HasiniG</a></strong> </div>
<br />
We were lucky to get the best poster award for this work.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb7Zr8zSVrrrb8e8SSLSJGMrYckeo8aQnEU9sHiccCakFgnMfMl-S9mZfXEkReZ5rYd_kTnEaBuNQG-3rfhzdmY0EqKAIDZtUjV6uznGx5we0t7Oqo-eoLsYzISjAPBO5s60rx2dLJHMA/s1600/IMG_20150702_094251203.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb7Zr8zSVrrrb8e8SSLSJGMrYckeo8aQnEU9sHiccCakFgnMfMl-S9mZfXEkReZ5rYd_kTnEaBuNQG-3rfhzdmY0EqKAIDZtUjV6uznGx5we0t7Oqo-eoLsYzISjAPBO5s60rx2dLJHMA/s640/IMG_20150702_094251203.jpg" width="640" /></a></div>
<br /></div>
<b>Privacy Preserving Biometrics-Based and User Centric Authentication Protocol</b> (2015-08-17)<div dir="ltr" style="text-align: left;" trbidi="on">
This is my first research paper from grad school. This was published in the 8th International Conference on Network and System Security (<a href="http://anss.org.au/nss2014/" target="_blank">NSS 2014</a>) which was held in Xi'an, China from 15th-17th October 2015.<br />
<br />
The full paper can be found <a href="http://link.springer.com/chapter/10.1007%2F978-3-319-11698-3_30#page-1" target="_blank">here</a> in Springer Lecture Notes in Computer Science.<br />
<br />
Following are the slides I used when presenting the paper at the conference.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/AyBPooHTMAIrgk" style="border-width: 1px; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="425"> </iframe> <br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/HasiniG/privacy-preserving-biometricsbased-and-user-centric-authentication-protocol" target="_blank" title="Privacy Preserving Biometrics-Based and User Centric Authentication Protocol">Privacy Preserving Biometrics-Based and User Centric Authentication Protocol</a> </strong> from <strong><a href="https://www.slideshare.net/HasiniG" target="_blank">HasiniG</a></strong> </div>
<br />
Interestingly, we got the best paper award for this paper at NSS 2014.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdW0LuEslc59x5UZGuQAIZ1APwfh3uQbnbzuZEiQli5c2keWos4UWDf5Qe_WSRPe3Gn-2UL42VWXY5wu3rUhxBGOuPnUtG_UBPfKIFOSc_QWru-9FdExv7DXiYRRAE9gI7GqbA-VTCgRo/s1600/image.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdW0LuEslc59x5UZGuQAIZ1APwfh3uQbnbzuZEiQli5c2keWos4UWDf5Qe_WSRPe3Gn-2UL42VWXY5wu3rUhxBGOuPnUtG_UBPfKIFOSc_QWru-9FdExv7DXiYRRAE9gI7GqbA-VTCgRo/s640/image.jpg" width="640" /></a></div>
<br />
<br /></div>
<b>Global Cafe this week: Japan - a country of sushi eating samurai</b> (2014-03-28)<div dir="ltr" style="text-align: left;" trbidi="on">
Global Cafe is a very interesting weekly event held at the International Center of Purdue University on Fridays from 5.30-7.30 PM, where students from a particular country present their country and culture and, importantly, share an authentic dish of that country with the attendees.<br />
<br />
Today, the Japanese students' association did a session on Japan. I am writing down some of the interesting and new things I got to know there.<br />
<br />
Japan is a small island country with a very high population. Sushi is considered the favorite food among school children. Washoku is the traditional meal served in traditional restaurants; it includes a soup and about 3 side dishes, and is recognized as an intangible heritage by UNESCO.<br />
Takikomi Gohan is another popular Japanese rice dish, which they shared with us today. It was delicious, and the following is a picture I took before I started eating it. :)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_37QMgI_4I_bQ5Czhe7RGk7g-VlikiowJbm_UFU5uBfnu45wzzYaGFd8k1f_DV6epJ_9UgpgpJ9xUq66b7V9Mm3bpWMLNxN2Aa8yPXPZfgi0M_HeWOxZD3pEvfyr2SWyFwq7IpbERF8/s1600/2014-03-28+17.42.31.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_37QMgI_4I_bQ5Czhe7RGk7g-VlikiowJbm_UFU5uBfnu45wzzYaGFd8k1f_DV6epJ_9UgpgpJ9xUq66b7V9Mm3bpWMLNxN2Aa8yPXPZfgi0M_HeWOxZD3pEvfyr2SWyFwq7IpbERF8/s1600/2014-03-28+17.42.31.jpg" height="240" width="320" /></a></div>
<br />
<br />
They clarified the actual meaning of Otaku, which means a person who is dedicated to a certain hobby or favorite activity. I also heard for the first time that Japan is famous for anime; it might be my ignorance that I hadn't heard of it before. They showed some famous animations and also a video of real people who mimic cartoons. Anime Otaku are the people who are into animations.<br />
<br />
A Geisha is a traditional female entertainer who entertains visitors in traditional restaurants. But they are not prostitutes, as interpreted by some movies. They wear traditional Japanese dress, and it takes a lot of practice to become a Geisha. Apprentices of Geisha are called Maiko. Geisha are not seen by the general public and their performances cannot be recorded or photographed, whereas Maiko can be seen by the public. The cost of visiting the traditional restaurants where Geisha are is very high.<br />
<br />
Budo refers to the different kinds of Japanese martial arts such as Karate, Judo etc. Some say that Budo descends from the Samurai, who were the warriors of ancient Japan, but it is both a yes and a no question. Budo is not about hurting anyone else but about overcoming one's own self.<br />
<br />
They also clarified the difference between Ninja and Samurai. Ninja were considered messengers, employed in spying etc. They usually carried a small knife-like tool, whereas Samurai were the real military warriors who carried the traditional samurai sword. But once the Samurai were prohibited in Japan around 1867, people were left with only the dream of becoming a samurai, because they are very attractive. <br />
<br />
So the above is just a glimpse of what I learned about Japan from today's session, most of which was new to me, and I hope to explore more about certain aspects such as Japanese cuisine etc.<br />
Looking forward to doing a session on Sri Lanka with the Sri Lankan friends at Purdue. :)</div>
<b>Presenting Algorithms/Protocols in a neat way using LaTeX</b> (2014-02-04)<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://en.wikibooks.org/wiki/LaTeX" target="_blank">LaTeX</a> is a very useful tool for scientific writing. It has many features for presenting our writing in a neat manner. I use the TeX Live distribution of LaTeX on Ubuntu, and I am going to describe how to present algorithms/protocols which contain different steps using the <i>algorithm</i> and <i>algorithmic</i> packages of LaTeX.<br />
<br />
If these two packages do not come with the default installation, you need to install the <a href="https://sites.google.com/site/securedecentralizedblog/hasini/algorithm.sty?attredirects=0&d=1" target="_blank">algorithm.sty</a> and <a href="https://sites.google.com/site/securedecentralizedblog/hasini/algorithmic.sty?attredirects=0&d=1" target="_blank">algorithmic.sty</a> files into your local installation, or you can just place them in the folder where the LaTeX file you are currently writing resides.<br />
<br />
First, let me show an example output of the LaTeX script which uses the above two packages:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq9GfN0_d_2EgpNVQbWy55ebEImx4RGXPBbb63RPdb6nIKrb8T7iLjUPpg8Y-WX17C-1o7WcuYFWysSmimiGHR1euC_9VbZdM00ORmxmdZLGZnDc4R4PvpogMWYnKEy3WFIOVYNkWAbHA/s1600/protocol.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq9GfN0_d_2EgpNVQbWy55ebEImx4RGXPBbb63RPdb6nIKrb8T7iLjUPpg8Y-WX17C-1o7WcuYFWysSmimiGHR1euC_9VbZdM00ORmxmdZLGZnDc4R4PvpogMWYnKEy3WFIOVYNkWAbHA/s1600/protocol.png" height="260" width="640" /></a></div>
As shown above, the algorithm and algorithmic packages take care of all the details, such as putting a border around the algorithm/protocol, including a title for it, numbering the steps with precise alignment, and breaking steps across several lines without affecting the alignment and numbering.<br />
<br />
Following is the LaTeX script that produces the output above:<br />
<br />
1. First you need to include the two packages with the <i>\usepackage</i> command as shown below:<br />
<pre class="xml" name="code">\documentclass[a4paper,11pt]{article}
\usepackage{algorithm}
\usepackage{algorithmic}
</pre>
<br />
2. Then you can use the actual script which produces the above output using the two packages, as shown below:<br />
<pre class="java" name="code">\begin{algorithm}[H]
\floatname{algorithm}{Attack}
\renewcommand{\thealgorithm}{}
\caption{Steps that Mallory follows to obtain key K}
\label{protocol1}
\begin{algorithmic}[1]
\STATE $M$ : Eavesdrops the protocol 1 above and gets $X$ from step 1 and initiates the same protocol with $B$, by substituting $X$ for $K$ above.
\STATE $M\rightarrow{B}$ : $P = E_{B}(S_{M}(X)) = E_{B}(S_{M}(E_{B}(S_{A}(K))))$
\STATE $B$ : $V_{M}(D_{B}(P)) = V_{M}(D_{B}(E_{B}(S_{M}(X)))) = X$
\STATE $B\rightarrow{M}$ : $Q = E_{M}(S_{B}(X)) = E_{M}(S_{B}(E_{B}(S_{A}(K))))$\\
Since the same key pair is used for both encryption and signing, $S_{B}(E_{B}(message)) = message$\\
Therefore, $Q = E_{M}(S_{A}(K))$
\STATE $M$ : $D_{M}(Q) = S_{A}(K)$
\STATE $M$ : Since the same key pair is used for both encryption and signing, $E_{A}(S_{A}(K)) = K$. Mallory can obtain the key $K$ in this way and decrypt all the subsequent messages encrypted with key $K$.
\end{algorithmic}
\end{algorithm}
</pre>
<br />
[H] in line 1 tells LaTeX to place this algorithm at the current position, without floating it somewhere else in the document.<br />
<br />
Line 2 customizes the name used to label this set of steps: you can name it 'Algorithm', 'Protocol', etc. Here I have used the name 'Attack', since this describes an attack scenario.<br />
<br />
Line 3 also customizes a default command of the package, by specifying that this particular listing should not be numbered. In a research paper with several protocol/algorithm listings, you might need to number them as you want; redefining this command lets you customize the numbering, e.g. whether to use Roman numerals, Arabic numerals or letters.<br />
<br />
Line 6 specifies the numbering style for the steps of the protocol/algorithm. You can also opt out of numbering by leaving the brackets blank.<br />
<br />
As shown in lines 7 and below, each step in the protocol needs to be preceded by the \STATE command, which differentiates and numbers each step.<br />
<br />
That covers all the features needed to obtain the output shown at the beginning of the post. Hope this helps. </div>
<b>Random Secrets in Cryptographic Operations</b> (2013-10-21)<div dir="ltr" style="text-align: left;" trbidi="on">
Often we need to generate random secrets and use them in cryptographic operations when implementing cryptographic protocols.<br />
<br />
For example, I recently had to implement a zero-knowledge protocol with a Pedersen commitment, where I needed to generate a random secret and convert it to a BigInteger in order to compute the Pedersen commitment. <br />
<br />
In this short post, I thought of noting down the way I found to do it in Java.<br />
<br />
First, we can generate a random secret using SecureRandom in Java. The article <a href="https://www.cigital.com/justice-league-blog/2009/08/14/proper-use-of-javas-securerandom/" target="_blank">"Proper Use of Java's SecureRandom"</a> explains how to use SecureRandom properly so that it behaves uniformly across different platforms. <br />
In our example, we generate the random secret by feeding a pre-defined seed, our secret, into SecureRandom's pseudo random number generator, so that we can regenerate the same random secret at a later time as well.<br />
<br />
Next, we convert it to a BigInteger so that we can use it in cryptographic computations.<br />
<br />
The following code shows how the above two steps are implemented:<br />
<pre class="java" name="code">import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;

public class Test {
    public static void main(String[] args) throws NoSuchProviderException, NoSuchAlgorithmException,
            UnsupportedEncodingException {
        String password = "secret";
        // generate the random secret using the password as the seed;
        // seeding SHA1PRNG before its first use makes the output depend only on this seed,
        // which is what lets us regenerate the same secret later
        SecureRandom randSec = SecureRandom.getInstance("SHA1PRNG", "SUN");
        randSec.setSeed(password.getBytes("us-ascii"));
        // create a BigInteger of up to 256 bits from the output of SecureRandom's pseudo random number generator
        BigInteger randSecBI = new BigInteger(256, randSec);
        System.out.println("Random secret as BigInteger: " + randSecBI);
    }
}
</pre>
<br />
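The post regenerates its "random" secret by seeding the PRNG with a password, so the secret is only as unpredictable as that password. The following is an added example, not the post's Java code, showing the same two needs in Python: a reproducible secret (here derived with a salted KDF, PBKDF2-HMAC-SHA256, swapped in for the seeded PRNG) and a fresh unpredictable one from the OS entropy source, both as 256-bit integers. The function names, the sample password and the salt are constructed for the demonstration.

```python
import hashlib
import secrets

SECRET_BITS = 256  # same width as the post's BigInteger(256, randSec)


def derive_secret(password, salt, iterations=200_000):
    """Reproducible secret: the same password and salt always give the same integer.

    PBKDF2-HMAC-SHA256 replaces the seeded PRNG. Its output has no more entropy
    than the password itself; the salt and iteration count only make guessing
    slower and per-deployment, they do not add randomness.
    """
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=SECRET_BITS // 8)
    return int.from_bytes(key, "big")


def fresh_secret():
    """Unpredictable secret in [0, 2**256), drawn from the OS entropy source."""
    return secrets.randbits(SECRET_BITS)


def is_in_range(value):
    """True when the value fits the 256-bit width used for commitments below."""
    return 0 <= value < (1 << SECRET_BITS)


if __name__ == "__main__":
    # Constructed sample values for the demonstration only.
    pw, salt = "secret", b"constructed-salt-value"
    a, b = derive_secret(pw, salt), derive_secret(pw, salt)
    print("same password and salt reproduce the secret:", a == b)
    print("a different salt gives a different secret:", a != derive_secret(pw, b"other-salt"))
    r1, r2 = fresh_secret(), fresh_secret()
    print("two fresh draws differ:", r1 != r2, "in range:", is_in_range(r1))
```

Use `derive_secret` only when the secret genuinely must be recomputable from something the user knows, and `fresh_secret` for blinding factors and nonces that must never repeat.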
<br /></div>
<b>How to convert strings to big integers and vice versa</b> (2013-10-21)<div dir="ltr" style="text-align: left;" trbidi="on">
This is a very simple post on something I found useful recently.<br />
<br />
When creating cryptographic elements, we might need to convert Strings to BigIntegers and vice versa.<br />
<br />
A good example is when you want to hide a secret value using a commitment scheme such as a Pedersen commitment (I avoid explaining the Pedersen commitment here and will leave it for a future post).<br />
<br />
The following code demonstrates how to achieve this in Java:<br />
<pre class="java" name="code">import java.io.UnsupportedEncodingException;
import java.math.BigInteger;

public class Test {
    public static void main(String[] args) throws UnsupportedEncodingException {
        String identifier = "secretPW";
        // convert the string to a big integer (the bytes are read as a big-endian two's-complement number)
        BigInteger identifierBI = new BigInteger(identifier.getBytes("us-ascii"));
        System.out.println("Identifier: " + identifier + " converted to Big Integer: " + identifierBI);
        // convert the big integer back to the identifier, using the same encoding, and verify
        String verifyIdentifier = new String(identifierBI.toByteArray(), "us-ascii");
        System.out.println("Big Integer converted back to string val: " + verifyIdentifier);
    }
}
</pre>
<br />
Note: as in line 8 above, it is good to specify the encoding when converting the string to bytes, and again when converting the bytes back, so that your code behaves the same way even when deployed on different platforms. </div>
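As an added example that is not part of the post, here is the same string-to-integer round trip in Python, together with the use the post alludes to: a Pedersen commitment to the converted integer. Two details the Java snippet glosses over are made explicit: the byte length is carried alongside the integer so leading zero bytes survive the round trip (the shortest encoding, like BigInteger.toByteArray, drops them), and the value is read unsigned so it never goes negative. The commitment parameters are a constructed toy: p = 2**255 - 19 is prime, but this plain modular group with g = 2 and a hashed h is for illustration only, not a vetted commitment group; all function names are assumptions.

```python
import hashlib
import secrets

# --- string <-> integer, with the byte length carried alongside the value ---

def string_to_int(text, encoding="us-ascii"):
    """Return (value, byte_length). Reading the bytes unsigned never yields a
    negative number, unlike Java's two's-complement BigInteger(byte[])."""
    data = text.encode(encoding)
    return int.from_bytes(data, "big"), len(data)


def int_to_string(value, byte_length, encoding="us-ascii"):
    """Inverse of string_to_int; byte_length restores any leading zero bytes."""
    return value.to_bytes(byte_length, "big").decode(encoding)


def minimal_bytes(value):
    """Shortest big-endian encoding, like BigInteger.toByteArray for positive values.
    Leading 0x00 bytes of the original are gone, so this alone cannot round-trip them."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# --- toy Pedersen commitment over the converted integer ---
# Constructed toy parameters: p is prime, but g = 2 and the hashed h are not a
# vetted prime-order group; they only serve to show the commit/open mechanics.
P = 2**255 - 19
G = 2
H = int.from_bytes(hashlib.sha256(b"constructed-second-generator").digest(), "big") % P


def random_blinding():
    """Fresh blinding factor r; its uniformity is what hides the committed value."""
    return secrets.randbelow(P - 1)


def commit(message_int, r):
    """C = g^m * h^r mod p."""
    return (pow(G, message_int, P) * pow(H, r, P)) % P


def verify_opening(commitment, message_int, r):
    """Recompute and compare; True only for the (m, r) pair that produced C."""
    return commit(message_int, r) == commitment


if __name__ == "__main__":
    m, n = string_to_int("secretPW")
    print("secretPW as integer:", hex(m))
    print("round trip:", int_to_string(m, n))
    z, zn = string_to_int("\x00abc")
    print("leading NUL kept when the length is carried:", int_to_string(z, zn) == "\x00abc")
    print("shortest encoding drops it:", minimal_bytes(z) == b"abc")
    r = random_blinding()
    c = commit(m, r)
    print("opens with the right pair:", verify_opening(c, m, r))
    print("rejects another message:", verify_opening(c, m + 1, r))
```

The committed integer is whatever `string_to_int` produced, so both parties must agree on the encoding and on whether the bytes are read signed or unsigned; otherwise the same string commits to different values on each side.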
<b>How to build an Android app with Eclipse in Ubuntu</b> (2013-09-30)<div dir="ltr" style="text-align: left;" trbidi="on">
Recently I had to write an Android app, and I followed the official Android app development guide at http://developer.android.com/training/index.html<br />
<br />
In this post, I intend to write down the steps I followed, the issues I came across and how I overcame them. I followed the approach of downloading the SDK separately and integrating Eclipse with it, because I needed to use it with another IDE too. You can also follow the <a href="http://developer.android.com/sdk/installing/bundle.html" target="_blank">other approach</a>, where you download the ADT bundle, which has an Eclipse IDE with built-in Android Developer Tools.<br />
<br />
<b>Step 1:</b> <b>Installing Android SDK</b><br />
<br />
Download the Android SDK from <a href="http://developer.android.com/sdk/index.html">http://developer.android.com/sdk/index.html</a> and unzip it to a location of your choice. <br />
Change directory to [android_sdk_home]/tools and run ./android. This starts the Android SDK Manager, through which you can install the platform tools, APIs etc. Check and install the necessary artifacts as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjdheZ3eUBmRMCBncR2U6AT_U867tIK2uAmOYX0zWuorSHA1KpMnHEM8Dn-qR3LaAhbI0_gHVBZtel0mIRaF23VyhpXr2N_bL09I_sprja5pP9JDEezJkHZQMMsce8Wq39w-MJ4AM7qX8/s1600/android_sdk_manager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjdheZ3eUBmRMCBncR2U6AT_U867tIK2uAmOYX0zWuorSHA1KpMnHEM8Dn-qR3LaAhbI0_gHVBZtel0mIRaF23VyhpXr2N_bL09I_sprja5pP9JDEezJkHZQMMsce8Wq39w-MJ4AM7qX8/s320/android_sdk_manager.png" width="320" /></a></div>
<br />
While installing, you might come across an error saying: "<b>Stopping ADB server failed (code -1)</b>". After the first installation completes, re-run the Android SDK Manager following the same steps above, and the error will not occur during that installation. It is important that you get rid of that error, because it causes problems when you run the program later.<br />
<br />
<b>Step 2:</b> <b>Setting up the IDE</b><br />
<br />
I used Eclipse for my first app; you can set up Eclipse for Android application development by installing the ADT plugin as described in <a href="http://developer.android.com/sdk/installing/installing-adt.html">http://developer.android.com/sdk/installing/installing-adt.html</a><br />
<br />
If the Android related options are not shown in the Eclipse toolbar once you have restarted it after installing the plugin, go to Window->Custom Perspective->Command Groups Availability and check Android SDK and AVD Manager. Then go to the other tab in the same window, Toolbar Visibility, and check the same. You will see the Android development options in the toolbar as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4yJ8uz2YIwsD1yU_-ENjc_DD8lyAQHXPgDsi0h3u8VfxM6MYv2yt5iqGnTfUuGWaz3nR5Tzz10RnBvtVxRHWAouPxpHXTk5w7qkQiIDb3SwyhljWU9Z7ExjzVG1V7EWXO-TxLSz8l8Pc/s1600/android_eclipse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4yJ8uz2YIwsD1yU_-ENjc_DD8lyAQHXPgDsi0h3u8VfxM6MYv2yt5iqGnTfUuGWaz3nR5Tzz10RnBvtVxRHWAouPxpHXTk5w7qkQiIDb3SwyhljWU9Z7ExjzVG1V7EWXO-TxLSz8l8Pc/s320/android_eclipse.png" width="320" /></a></div>
<br />
<br />
<b>Step 3:</b> <b>Creating the Android Application and Running it on the Emulator</b><br />
<br />
You can follow the post at <a href="http://developer.android.com/training/basics/firstapp/creating-project.html">http://developer.android.com/training/basics/firstapp/creating-project.html</a> to create an Android project in Eclipse and identify its main components. Then you can follow the post <a href="http://developer.android.com/training/basics/firstapp/running-app.html">http://developer.android.com/training/basics/firstapp/running-app.html</a> to learn how to run your app in an emulator.<br />
<br />
You can read more about the Android Emulator at <a href="http://developer.android.com/tools/devices/emulator.html" target="_blank">http://developer.android.com/tools/devices/emulator.html </a><br />
<br />
You have to create and run a virtual Android device, which is used as the emulator to run your app. You can do this via the Android Virtual Device Manager, which can be started either through the icon in the Eclipse toolbar shown above or from the command line by executing the ./android avd command. <br />
<br />
If you are using a 64-bit Ubuntu version, you may get an error saying: "<code>Failed to start emulator: Cannot run program "/home/hasini/android//tools/emulator": error=2, No such file or directory</code>" when you try to run the emulator. <br />
In this case, you need to install ia32-libs with: "sudo apt-get install ia32-libs"<br />
<br />
After that you can successfully create an Android Virtual Device and run your project in it via Run->Run As->Android Application in Eclipse.<br />
Following is a screen capture of my first hello world Android app:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBCmNgTrxcsGK2BDpRM-kptlmb8fverBC-cPcZ0PcR_YgEKeea8TuvkBTMwPw3Xw30q5pgD6PuMQqRHwfS4rjr7Q7Gsjo4YKOEAfdus8OUpragTexq7BoW_DXQEiAOyWxlop0AF5HK8xc/s1600/veryidx.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBCmNgTrxcsGK2BDpRM-kptlmb8fverBC-cPcZ0PcR_YgEKeea8TuvkBTMwPw3Xw30q5pgD6PuMQqRHwfS4rjr7Q7Gsjo4YKOEAfdus8OUpragTexq7BoW_DXQEiAOyWxlop0AF5HK8xc/s320/veryidx.png" width="240" /></a></div>
<br />
That's it. Hope this post helps if you too come across the same problems I did when creating my first Android app.<br />
<br />
</div>
<b>WSO2 Identity Server in the SCIM Interop at Cloud Identity Summit 2013</b> (2013-07-02)<div dir="ltr" style="text-align: left;" trbidi="on">
WSO2 Identity Server is remotely participating in the SCIM Interop, which is being held in parallel to Cloud Identity Summit 2013.<br />
<br />
Following are the connection details of the publicly hosted WSO2 IS instance for this interop:<br />
<br />
SCIM User Endpoint URL : https://209.126.229.93:9443/wso2/scim/Users<br />
<br />
SCIM Group Endpoint URL : https://209.126.229.93:9443/wso2/scim/Groups<br />
<br />
Credentials for Basic Auth Authentication:<br />
<br />
User Name : interopUser<br />
Password : interop#321<br />
<br />
Details for OAuth Bearer Token Based Authentication:<br />
<br />
Client Id : 00bZzLviiM1QOSvtFv7ZQDOWBNEa<br />
Client Secret : CsN87SjTCG_X9qGN6xcfwJOakrga<br />
Access Token URL : https://209.126.229.93:9443/oauth2endpoints/token<br />
Authorize URL : https://209.126.229.93:9443/oauth2/authorize<br />
<br />
For more details, you may refer to my previous posts on <a href="http://hasini-gunasinghe.blogspot.com/2013/07/oauth-bearer-token-based-authentication.html" target="_blank">how to authenticate to SCIM REST endpoints via OAuth</a> and <a href="http://hasini-gunasinghe.blogspot.com/2012/11/wso2-identity-server-as-scim-service.html" target="_blank">how to consume SCIM endpoints through curl</a>.<br />
<br />
Please let us know your feedback...<br />
<br />
<b>Update</b> on 8th July: Interop testing was performed during the week of 1st July - 5th July with two selected partners, PingOne & Salesforce. The graphic below was designed to illustrate the WSO2 Identity Server - SCIM integration with the two partners in the SCIM Interop at CIS 2013.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-3MTjHAQe4wgGhOhAt1JgP_G3ufAsK29EnGcYgfLv4yWTPjl3uXTG0wO3Rb0OGxR9qsd85jVrsTv-zE7IoLAqXmJL9jTA8xulHakGWMfsxu8awuS6eqGporR8wNAez_eQ82F8LcFdklE/s1600/WSO2_SCIM_Interop_CIS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-3MTjHAQe4wgGhOhAt1JgP_G3ufAsK29EnGcYgfLv4yWTPjl3uXTG0wO3Rb0OGxR9qsd85jVrsTv-zE7IoLAqXmJL9jTA8xulHakGWMfsxu8awuS6eqGporR8wNAez_eQ82F8LcFdklE/s400/WSO2_SCIM_Interop_CIS.jpg" width="400" /></a></div>
<br /></div>
<b>OAuth Bearer Token based Authentication for WSO2 IS SCIM endpoints</b> (2013-07-01)<div dir="ltr" style="text-align: left;" trbidi="on">
WSO2 Identity Server acts as a SCIM Service Provider (both hub and spoke type service providers) as well as a SCIM Service Consumer.<br />
<br />
My previous post (<a href="http://hasini-gunasinghe.blogspot.com/2012/11/wso2-identity-server-as-scim-service.html" target="_blank">WSO2 Identity Server as a SCIM Service Provider</a>) explains how to consume the SCIM REST endpoints of WSO2 IS with curl, using Basic Auth authentication.<br />
<br />
WSO2 IS supports OAuth bearer token based authentication for the SCIM REST endpoints from its 4.5.0 release onwards.<br />
This post explains how to leverage the OAuth 2.0 feature of IS in order to authenticate to the SCIM REST endpoints of IS.<br />
<br />
<b>Step 1:</b><br />
Log in to the IS management console (default credentials admin:admin) and create a new entry for an OAuth client application. After creating the application entry, click on it to view its details as below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-SyOUrHTzMMn0bYAnzvwbZ1uMsYxjJ_PkMU1rh_4VDCQ97jYrPRQ8gkD2szwUHaYtoFmoUNUiwb6qmJkOEWoiIz2lDXSzshWVGt3tU4tmrflkLk05g2w37lFscgP4LbOBxXvXpq5tVqw/s1103/oauth.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-SyOUrHTzMMn0bYAnzvwbZ1uMsYxjJ_PkMU1rh_4VDCQ97jYrPRQ8gkD2szwUHaYtoFmoUNUiwb6qmJkOEWoiIz2lDXSzshWVGt3tU4tmrflkLk05g2w37lFscgP4LbOBxXvXpq5tVqw/s400/oauth.png" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now copy the Client Id, Client Secret & Access Token Url for future use.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Step 2: </b></div>
<div class="separator" style="clear: both; text-align: left;">
Now let's obtain a valid access token in order to authenticate to the SCIM REST endpoints.</div>
<div class="separator" style="clear: both; text-align: left;">
We can use the resource owner password credentials grant type for this. The format of the curl command to obtain the access token is:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>curl --user <b>Client Id</b>:<b>Client Secret</b> -k -d "grant_type=password&username=<b>username</b>&password=<b>password</b>" -H "Content-Type:application/x-www-form-urlencoded" <b>https://localhost:9443/oauth2endpoints/token</b></i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You need to replace the bold strings in the above command with the valid values copied in step 1 above and the username & password of the resource owner. (You can use admin:admin for that in the default pack.)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once you execute the above command, you will get a response as below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>{"token_type":"bearer","expires_in":3600,"refresh_token":"16e3de3b7af4e7a43b7e56cd9362ff",<b>"access_token":"492d8b51cb815bbe143f219ac2cf61c3"</b>} </i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Copy the access token value in the above response.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Step 3:</b></div>
<div class="separator" style="clear: both; text-align: left;">
Now we can consume the SCIM REST endpoints using the above access token.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For example, you can use a curl command like the one below to create a user through the SCIM REST endpoints:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>curl -v -k --header "Authorization: Bearer <b>access_token</b>" --data '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasi","password":"hasinitg","emails":[{"primary":true,"value":"hasini_home.com","type":"home"},{"value":"hasini_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Replace the bold string in the above command with the access token copied in step 2.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's it. You can find more curl commands for consuming the SCIM endpoints in <a href="http://hasini-gunasinghe.blogspot.com/2012/11/wso2-identity-server-as-scim-service.html" target="_blank">my previous post</a>. You can also use the SCIM sample clients shipped with the WSO2 IS samples to invoke the SCIM endpoints using both Basic auth and OAuth.</div>
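<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The same token-then-create flow as a small Python client, added here as an example that is not part of the original post or of WSO2 IS: it validates the step 2 token response, builds the SCIM 1.1 user body that the curl command above sends, and issues the POST with TLS verification instead of curl's -k. The endpoint and the token values are the ones shown above; the CA file name is an assumption.</div>

```python
"""Added example (not from the original post): consume the SCIM /Users
endpoint with the OAuth2 bearer token obtained in step 2."""
import json
import ssl
import time
import urllib.request

# Token endpoint response copied from step 2 of the post (sample values).
SAMPLE_TOKEN_RESPONSE = ('{"token_type":"bearer","expires_in":3600,'
                         '"refresh_token":"16e3de3b7af4e7a43b7e56cd9362ff",'
                         '"access_token":"492d8b51cb815bbe143f219ac2cf61c3"}')

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"   # SCIM 1.1 core User schema URI


def parse_token_response(body, now=None):
    """Validate the token endpoint's JSON and return what the client needs.

    Rejects anything that is not a bearer token and computes an absolute
    expiry so the client can refresh before the server starts answering 401.
    """
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a bearer token, got %r" % data.get("token_type"))
    token = data.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    now = time.time() if now is None else now
    return {
        "access_token": token,
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data.get("expires_in", 0)),
    }


def build_scim_user(user_name, given_name, family_name, password, emails):
    """Build the SCIM 1.1 User representation sent in the POST body.

    `emails` is a list of (value, type, primary) tuples. SCIM allows at most
    one primary value in a multi-valued attribute, so that is enforced here.
    """
    if len([e for e in emails if e[2]]) > 1:
        raise ValueError("only one email may be marked primary")
    email_attrs = []
    for value, etype, primary in emails:
        attr = {"value": value, "type": etype}
        if primary:
            attr["primary"] = True
        email_attrs.append(attr)
    return {
        "schemas": [SCIM_CORE_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "password": password,
        "emails": email_attrs,
    }


def build_create_user_request(users_endpoint, token, user):
    """Return the urllib Request equivalent of the curl command in step 3."""
    body = json.dumps(user).encode("utf-8")
    req = urllib.request.Request(users_endpoint, data=body, method="POST")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    return req


def create_user(users_endpoint, token, user, cafile=None):
    """POST the user and return (HTTP status, parsed response body).

    `cafile` is the CA certificate that signed the server's TLS certificate.
    This replaces curl's -k from the post, which skips verification and is
    only acceptable against a local self-signed development certificate.
    """
    context = ssl.create_default_context(cafile=cafile)
    req = build_create_user_request(users_endpoint, token, user)
    with urllib.request.urlopen(req, context=context) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    creds = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    user = build_scim_user("hasi", "hasinitg", "gunasinghe", "hasinitg",
                           [("hasini_home.com", "home", True),
                            ("hasini_work.com", "work", False)])
    # Endpoint from the post; "wso2carbon.pem" is a hypothetical file holding
    # the exported CA certificate of the local Identity Server.
    print(create_user("https://localhost:9443/wso2/scim/Users",
                      creds["access_token"], user, cafile="wso2carbon.pem"))
```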
</div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com1tag:blogger.com,1999:blog-6247594794349776721.post-56662189421874811202013-04-16T08:04:00.001-07:002013-04-16T08:07:02.192-07:00Enterprise Security and Identity Management Use Cases with WSO2 Identity Server<div dir="ltr" style="text-align: left;" trbidi="on">
This is the set of slides used in the WSO2Con 2013 tutorial session on the topic "<i>Enterprise Security and Identity Management Use Cases with WSO2 Identity Server</i>", along with demos for each of these use cases.<br />
<br />
I plan to blog about individual samples used to demonstrate each of these use cases in my future posts. <br />
<br />
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" mozallowfullscreen="" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/18926324" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" webkitallowfullscreen="" width="427"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="http://www.slideshare.net/HasiniG/wso2-con-presentatiotion-template-white" target="_blank" title="Enterprise Security and Identity Management Use Cases with WSO2 Identity Server">Enterprise Security and Identity Management Use Cases with WSO2 Identity Server</a> </b> from <b><a href="http://www.slideshare.net/HasiniG" target="_blank">HasiniG</a></b> </div>
</div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com0tag:blogger.com,1999:blog-6247594794349776721.post-90525166280093732642013-01-04T18:42:00.001-08:002013-01-04T18:44:15.264-08:00Authorization with XACML when authenticated with X.509 certificates<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Use Case:</b><br />
<br />
In addition to authentication, authorization is a mandatory security requirement in most cases where users access various resources based on their privileges.<br />
Usually the same user identifier is used for both authentication and authorization. <br />
<br />
<br />
The most common scenario is to authenticate users with their user names and then use the same user name to authorize them based on their roles and privileges.<br />
<br />
In this post, we are going to implement a scenario where X.509 certificates are used for authentication and authorization is then performed in the same flow using XACML.<br />
<br />
WSO2 ESB will be the point of authentication and policy enforcement while WSO2 Identity Server will be the policy decision point.<br />
<br />
<b>Deployment:</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDRIfgAe7ESuz5j1OV_xNo3r7mpAkrX-eREwCcLm8m-CjI83RxMXz-jti0mwanmpuT_XF523YHCEItHDX-IZQUHR2MVDIXbjJ34ifFgZo8aQEGXPSqLOptQz1YrwaKEENm4vrpI5BQ9rI/s1600/architecture_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDRIfgAe7ESuz5j1OV_xNo3r7mpAkrX-eREwCcLm8m-CjI83RxMXz-jti0mwanmpuT_XF523YHCEItHDX-IZQUHR2MVDIXbjJ34ifFgZo8aQEGXPSqLOptQz1YrwaKEENm4vrpI5BQ9rI/s400/architecture_2.png" width="400" /></a></div>
<br />
1. A proxy service at the ESB fronts a back-end web service (let's say the echo service hosted in the ESB itself), which is the actual resource accessed by the user.<br />
2. The proxy service is secured with a WS-Security Sign &amp; Encrypt policy, so users are authenticated by their signatures, which are based on X.509 certificates.<br />
3. The ESB, acting as the PEP, takes the DN in the certificate as the user identifier and sends the authorization request to the PDP, which is the Identity Server.<br />
4. The Identity Server evaluates the authorization request against the defined XACML policies and returns the decision.<br />
5. Based on that decision, the ESB grants or denies the user access to the actual web service.<br />
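<br />
The PEP side of steps 3 to 5 in a small Python sketch, added here as an example that is not the ESB's or the Entitlement mediator's own code: it takes the subject DN yielded by signature verification, builds the XACML 2.0 Request sent to the Identity Server, and maps the PDP's Response to an allow/deny that fails closed. The DN, resource and action values and the sample PDP responses are constructed.<br />
<br />
```python
"""Added example: the PEP logic between the WS-Security layer and the PDP.
This is not the ESB's or the Entitlement mediator's code; the DN, resource,
action and PDP responses below are constructed sample values."""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Serialize the context schema as the default namespace (no ns0: prefixes).
ET.register_namespace("", XACML_CTX)

# Constructed: the subject DN a verified signing certificate would carry.
SAMPLE_DN = "CN=alice,OU=Engineering,O=Example Corp,C=US"

# Constructed PDP responses in the XACML 2.0 context schema.
PERMIT_RESPONSE = (
    '<Response xmlns="%s"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>'
    '</Status></Result></Response>' % XACML_CTX)
DENY_RESPONSE = PERMIT_RESPONSE.replace("Permit", "Deny")
INDETERMINATE_RESPONSE = (
    '<Response xmlns="%s"><Result><Decision>Indeterminate</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>'
    '</Status></Result></Response>' % XACML_CTX)


def _tag(local):
    return "{%s}%s" % (XACML_CTX, local)


def _attribute(parent, attr_id, value):
    """Append one string-typed Attribute/AttributeValue pair to a category element."""
    attr = ET.SubElement(parent, _tag("Attribute"),
                         {"AttributeId": attr_id, "DataType": XS_STRING})
    ET.SubElement(attr, _tag("AttributeValue")).text = value
    return attr


def build_xacml_request(subject_dn, resource, action):
    """Serialize the XACML 2.0 Request the PEP sends, with the DN as subject-id.

    A subject without an identifier is rejected up front: an empty subject-id
    could let a policy that matches on resource/action alone permit an
    unidentified caller.
    """
    if not subject_dn or not subject_dn.strip():
        raise ValueError("refusing to authorize a subject with no identifier")
    req = ET.Element(_tag("Request"))
    _attribute(ET.SubElement(req, _tag("Subject")), SUBJECT_ID, subject_dn)
    _attribute(ET.SubElement(req, _tag("Resource")), RESOURCE_ID, resource)
    _attribute(ET.SubElement(req, _tag("Action")), ACTION_ID, action)
    ET.SubElement(req, _tag("Environment"))
    return ET.tostring(req, encoding="unicode")


def request_subject(request_xml):
    """Return the subject-id carried by a serialized Request (None if absent)."""
    root = ET.fromstring(request_xml)
    for attr in root.iter(_tag("Attribute")):
        if attr.get("AttributeId") == SUBJECT_ID:
            return attr.findtext(_tag("AttributeValue"))
    return None


def is_permitted(response_xml):
    """Map the PDP's Response to a boolean, failing closed.

    XACML defines four decisions: Permit, Deny, NotApplicable and Indeterminate.
    Only an explicit Permit grants access; NotApplicable (no policy matched)
    and Indeterminate (evaluation error) are treated as Deny, as is a
    malformed or empty response.
    """
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    decisions = [d.text.strip() for d in root.iter(_tag("Decision")) if d.text]
    return bool(decisions) and all(d == "Permit" for d in decisions)


def authorize(subject_dn, resource, action, send_to_pdp):
    """Full PEP step: build the request, call the PDP, allow only on Permit.

    `send_to_pdp` is the transport the deployment uses (in the post, the ESB
    calling the Identity Server's entitlement service); it takes the request
    XML and returns the response XML.
    """
    return is_permitted(send_to_pdp(build_xacml_request(subject_dn, resource, action)))


def demo_pdp(request_xml):
    """Stand-in PDP for offline runs: permits only SAMPLE_DN."""
    return PERMIT_RESPONSE if request_subject(request_xml) == SAMPLE_DN else DENY_RESPONSE


if __name__ == "__main__":
    print(build_xacml_request(SAMPLE_DN, "echo", "echoString"))
    print(authorize(SAMPLE_DN, "echo", "echoString", demo_pdp))
    print(authorize("CN=mallory,O=Example Corp,C=US", "echo", "echoString", demo_pdp))
```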
<br />
<b>Implementation with WSO2 Enterprise Service Bus and Identity Server</b>:<br />
<br />
1. Setting up Identity Server.<br />
<br />
- Download Identity Server 4.0.0 from <a href="http://wso2.com/products/identity-server/">here</a> and unzip it.<br />
- Change the port offset in carbon.xml to 1 (since we are running both ESB and IS on the same machine). <br />
- Start the server, log in to the management console and go to Entitlement-&gt;Administration to upload the XACML policy.<br />
- Obtain the XACML policy from <a href="https://sites.google.com/site/securedecentralizedblog/is/xacmlpolicy.xml?attredirects=0&d=1">here</a> and import it into IS.<br />
- Promote the policy to the PDP as shown in the diagram below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirSWW9x6v7y5bnIJ44McQexSb0XOBuKi4DyA_OhW9h0Z8JTZA8RpAeKZzX-8y4zAAQgcvHAq2eNg9higKcYQ-1T3HYS4BtRrCOCp7pGqWYXo5KTHj9vt1TAEWFfIHiYxJgH4b2rxQ7SIE/s1600/PDP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirSWW9x6v7y5bnIJ44McQexSb0XOBuKi4DyA_OhW9h0Z8JTZA8RpAeKZzX-8y4zAAQgcvHAq2eNg9higKcYQ-1T3HYS4BtRrCOCp7pGqWYXo5KTHj9vt1TAEWFfIHiYxJgH4b2rxQ7SIE/s640/PDP.png" width="640" /></a></div>
<br />
<br />
2. Setting up ESB<br />
<br />
- In the ESB, we need to create a proxy service, add the Entitlement mediator to its in-sequence and secure the proxy service with the Sign &amp; Encrypt (X.509) policy.<br />
- Download and unzip ESB 4.5.0. <br />
- Obtain the proxy service configuration from <a href="https://sites.google.com/site/securedecentralizedblog/is/SecuredAuthorizationProxy.xml?attredirects=0&d=1">here</a>, deploy it in the [ESB_Home]/repository/deployment/server/synapse-configs/default/proxy-services folder and start the ESB.<br />
- In the proxy service configuration, you might notice that the entitlement callback class is set to org.wso2.carbon.identity.entitlement.mediator.callback.X509EntitlementCallbackHandler, which extracts the user identifier from the X.509 certificate. <br />
<br />
3. Running the client.<br />
<br />
In order to invoke the proxy service created above and run the end-to-end scenario, obtain the sample secured client from <a href="https://sites.google.com/site/securedecentralizedblog/is/sample_client.zip?attredirects=0&d=1">here</a> and run its main class named SignEncryptClient.<br />
<br />
You can try changing the certificates that the client uses and observe how the authorization decision changes.<br />
<br />
<br />
<br /></div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com1tag:blogger.com,1999:blog-6247594794349776721.post-3588378588876412652012-12-07T03:06:00.000-08:002012-12-07T03:13:59.038-08:00WSO2 Charon - Design<div dir="ltr" style="text-align: left;" trbidi="on">
<iframe frameborder="0" height="400" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/15532149" width="476"></iframe><br /></div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com0tag:blogger.com,1999:blog-6247594794349776721.post-38430046174017199092012-12-07T03:05:00.000-08:002012-12-07T03:14:29.838-08:00Getting started with WSO2 Charon 1.0.0<div dir="ltr" style="text-align: left;" trbidi="on">
WSO2 Charon 1.0.0 is released. It is successfully integrated into WSO2 Identity Server 4.0.0 for identity provisioning.<br />
<br />
WSO2 Charon is an open source implementation of the <a href="http://www.simplecloud.info/">SCIM</a> specification, made available under the Apache 2.0 license.<br />
<br />
You can check out my <a href="http://hasini-gunasinghe.blogspot.com/search/label/WSO2%20Charon%20Only">previous blogs</a>, which were written around its Milestone 1 release.<br />
<br />
In this post, I will provide a step-by-step guide to playing around with it by running the samples.<br />
<br />
<b>Step 1: Obtaining binaries</b><br />
Two jars are shipped with the distribution. They are:<br />
<br />
1. <i>Charon-Core-1.0.0 jar</i> - This is the library that implements the specification; any identity management solution can use it to add provisioning capability.<br />
<br />
2. <i>charonDemoApp.war</i> - This is the reference implementation of a SCIM service provider, which uses Charon-Core for SCIM support. It is a RESTful webapp exposing the SCIM endpoints, which you can host in a servlet container.<br />
<br />
You can obtain these binaries either from the release distribution or by building the source code.<br />
<br />
<b>Step 2: Setting up SCIM service provider</b><br />
We need two parties to observe the identity provisioning capability, i.e. the Service Provider and the Consumer. <i><b>You can use either Charon-Impl hosted in tomcat or WSO2 Identity Server 4.0.0 as the service provider</b></i>.<br />
<br />
<a href="http://hasini-gunasinghe.blogspot.com/search/label/Identity%20Provisioning">My previous blogs</a> explain WSO2 Identity Server's capability as a SCIM service provider. Therefore, here I will explain how to set up Charon-Impl as a SCIM SP.<br />
<div style="color: black; font-family: inherit;">
<br />
1. Download tomcat 7.0.11<br />
2. Replace server.xml and tomcat-users.xml [found in tomcat_home/conf] with the attached files <a href="https://sites.google.com/site/securedecentralizedblog/is/tomcat-config.jar?attredirects=0&d=1">here</a>.<br />
4. Place the attached <a href="https://sites.google.com/site/securedecentralizedblog/is/charonserverkeystore.jks?attredirects=0&d=1">keystore</a> in your file system.<br />
5. Open the server.xml and locate the HTTPS connector. Edit the keystore file location to point to the above keystore.<br />
6. Run the server with <i>sh catalina.sh jpda run</i>.<br />
7. Access <a href="http://localhost:8080/" target="_blank">http://localhost:8080/</a> and click on Manager APP.<br />
8. Login with credentials: hasini@wso2.com, 7786htg<br />
9. Upload the <i>charonDemoApp.war</i> obtained in step 1 and access <a href="http://localhost:8080/charonDemoApp/" target="_blank">http://localhost:8080/charonDemoApp/</a> - you should see the Charon home page.
</div>
<br />
<b>Step 3: Running the samples</b><br />
<span style="font-size: small;">1. Compile the source of charon-samples, which is a maven project found in the release distribution, using the command: <i>mvn clean install</i>.<br />
2. Open charon-samples from your IDE.<br />
3. Go to SampleConstants - this is where all the constants needed to run the samples are hard coded.<br />
&nbsp;&nbsp;i. Change the KEY_STORE_PATH to your file system location if the default one doesn't work. (This is only needed if you use https as the transport.)<br />
&nbsp;&nbsp;ii. Change the User and Group resource endpoint URLs according to your system.<br />
4. Now open the "CreateUserSample" class from your IDE. You will see the constants defined at the top, which are the values for the attributes of the user that we are going to create.<br />
5. Run the client. You will see that the user created at the server side is returned in JSON format and printed at the client side. (You can observe the message on the wire using a tool like tcpmon, as I have shown in a <a href="http://hasini-gunasinghe.blogspot.com/2012/03/implementing-scim-with-charon-part-iii.html">previous post</a>.)<br />
6. In the same way, try the other samples as well, paying attention to the instructions given as comments in the sample code.</span><br />
<br />
<span style="font-size: small;">Note: You can also run the same set of samples against the SCIM endpoints of WSO2 Identity Server. The configuration that matches Identity Server is kept commented out in the SampleConstants file.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">That's it. Enjoy SCIM! :)</span><br />
<br /></div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com0tag:blogger.com,1999:blog-6247594794349776721.post-76098031823116211222012-11-14T20:57:00.001-08:002012-11-14T22:51:38.543-08:00Towards a viable and secure health information system - Part 5<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
This is the fifth and final post of the <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series of blog posts</a> that I have been writing on the subject, inspired by the paper [1].</div>
<br />
Let me include the following diagram, which illustrates the overall picture of the security requirements of a health information system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgDKtxdca9RY5TSIOnaKBuE55eJMtfngzuytORLfLEiFGRUi_WJldYlCQt-j5L4OKIm6b5-6ODn1DF5JWqQIYKGHH5N1oUEeI_p8kfgkBo0U-vwaIK5qrQNqpTQoHFEgWj-ScIMtaTP9I/s1600/fullImage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgDKtxdca9RY5TSIOnaKBuE55eJMtfngzuytORLfLEiFGRUi_WJldYlCQt-j5L4OKIm6b5-6ODn1DF5JWqQIYKGHH5N1oUEeI_p8kfgkBo0U-vwaIK5qrQNqpTQoHFEgWj-ScIMtaTP9I/s400/fullImage.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
In my previous four posts in this <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series</a>,
I have discussed Identity Management/Authentication, Authorization, Auditing and Cryptographic Operations related to the security of health information systems. In this post, I am going to write about three further aspects discussed in the paper [1]: de-identification of EMRs for research purposes, user interaction and dispute resolution, and security metrics.</div>
<br />
<b>5. De-identification </b><br />
<br />
<div style="text-align: justify;">
While EMRs are very useful as statistical data in medical research, it must be guaranteed that the records are properly de-identified before they are disclosed for research purposes.</div>
<div style="text-align: justify;">
Due to ambiguities in the related laws, the complexity of de-identifying protected data and the risk involved, the data is rarely shared for research purposes, which negatively affects medical research.</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
The paper mentions that developing cryptographic mechanisms to properly anonymize records, as required for secondary use, is a more challenging task than the report implies.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I need to read about data de-identification before providing my own views on this. However, those techniques should use proper protection against re-identification in order to maintain individuals' health privacy and build trust in the health care system.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
During the research, I came across a description of an interesting research project named "Cloud DNA" [2]. This project is said to investigate how to enable scientists to share properly de-identified EHRs in the cloud for easy storage, sharing and retrieval. </div>
<br />
<div style="text-align: justify;">
<b>6. User Interaction/Dispute Resolution</b><br />
<br />
<u>User Interaction:</u> <br />
Among the other factors we discussed, user interfaces for patients, providers and administrators are equally important for a secure system.<br />
The paper suggests the following areas to be explored with regard to this aspect:<br />
1. User friendly mechanisms to deal with complexity of user-selected privacy preferences.<br />
2. How much data to make available to patients in what format<br />
3. Techniques for patients to delegate their access rights<br />
<br />
Educating patients on how to use a PHR service or the patient interface of an EMR system is a very important aspect of realizing the goal of a widespread health information ecosystem. While informing them that they control outside access to their records, it is important to highlight that the more accessible the records are to physicians, the better the service they get.<br />
<br />
When patients sign up for a PHR service or with a health care provider, they can be presented with a set of easily understandable questions which ultimately define the access control policies for their medical records.<br />
<br />
<u>Dispute resolution</u><br />
While patients need to have access to and control of their records, should they be given the right to correct their records? If not, how should disputes about the information in the records be resolved? Most administrators do not like this, since they cannot always trust patients to keep their medical records honest.<br />
But the patients should be given the chance to raise any dispute against the records in their profile.<br />
<br />
The paper lists the following aspects to be explored with regard to this:<br />
1. Developing ways for patients to securely and privately monitor their health records.<br />
2. Allowing ways for patients to dispute the records while preserving the original records.<br />
3. Coming up with ways to resolve conflicts on the disputed records.<br />
<br />
In my view: Patients should have access to all their EMRs and should be able to establish access control over them. But they should not be able to change the medical records as they wish. If there is a dispute, or if a patient suspects a particular report, there should be a way to mark it as suspected immediately - but it could only be changed by an authorized medical officer after further tests etc.<br />
<br />
<b>7. Security Metrics</b><br />
<br />
Though it is obvious that EMRs have benefits over traditional paper-based medical records, there should be proper security metrics to gauge the level of information security/privacy provided by a particular health care information system.<br />
<br />
The paper mentions that in order to provide such assessment/analysis, meaningful metrics must be well developed and accepted, which opens up research problems on which work is currently going on. Since the domain is limited, the paper believes that such metrics can be developed.<br />
<br />
Challenges in developing such metrics are the variety and complexity of threat models and the difficulty of measuring potential flaws in software.<br />
<br />
Research problems related to this aspect are:<br />
1. Developing threat models covering both electronic and paper-based medical records.<br />
2. Developing techniques to quantify the level of risk associated with software-based health information systems.<br />
<br />
<b>Conclusion</b>:<br />
<ul>
<li>I have been writing this <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series of blog posts</a> about the security, privacy, access control and identity management aspects of health care IT systems, from the understanding that I got from various sources and from my own experience. This was mainly inspired by the paper [1], which provides a research road map on the same topic.</li>
</ul>
<ul>
<li>The paper[1] is mainly based on the PCAST report 2010, and this PCAST report has caused some arguments in the field. However, the paper[1] and this blog series have only taken the technical requirements that it has highlighted into consideration to identify the research problems, and <b>this blog series doesn't intend to support or oppose the report</b>.</li>
</ul>
<ul>
<li>Although the research community has identified and is actively working on the research problems pertaining to the subject, there are many obstacles as well, such as the difficulty of obtaining testbeds and test data for research due to the sensitivity and critical nature of the data. Therefore it has been hard for research to come up with successful results without realistic and live data, and results obtained from sample mock data are unlikely to be accepted by the community. </li>
</ul>
<ul>
<li>No matter how technically strong the healthcare IT solution is, there should be adequate and non-ambiguous legislation to fully realize the goal of a nationwide health IT ecosystem.</li>
</ul>
<ul>
<li>During my research on this, I've come across some active and interesting research efforts from research groups such as Health & Medical Security Lab[3], SHARPS [4], CERIAS [5], and MediVault [6].</li>
</ul>
<ul>
<li>The paper[1] provides a good overall understanding of the security requirements of a healthcare information system. Most importantly, it provides a very good understanding of the current research problems in the area for a budding researcher who is passionate about carrying out research on security, privacy and access control aspects, the outcome of which can contribute to realizing the vision of a secure and viable health IT ecosystem. </li>
</ul>
<b>Related work:</b> <br />
I have done a webinar on <a href="https://sites.google.com/site/myresearchhome/research#TOC-Security-Patterns-with-WSO2-ESB">Security Patterns with WSO2 ESB</a>, for which I picked use cases from the health care domain, and that was when I first got interested in investigating further the security, privacy and identity management requirements of healthcare IS. In that effort, I mainly referred to the MSc thesis on the topic: <a href="http://www.google.lk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CFkQFjAA&url=http%3A%2F%2Fntnu.diva-portal.org%2Fsmash%2Fget%2Fdiva2%3A348811%2FFULLTEXT01&ei=DOmyT9mZAsq4rAe43ITMCw&usg=AFQjCNGD_8n6Tqu32cKPooCUpk-I777HBw">Security in SOA-Based Healthcare Systems</a> by Richard Sassoon.</div>
<br />
<b>References:</b><br />
[1] <a href="http://www.google.lk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCAQFjAA&url=http%3A%2F%2Favirubin.com%2FHealthSec.2011.PCAST.pdf&ei=SWA5UOuyGcPNrQf8pYGIAg&usg=AFQjCNHjhUM-LBITAafS4GnDJLY1xkFoTQ">A Research Roadmap for Healthcare IT Security inspired by the PCAST Health Information Technology Report</a><br />
[2] <a href="http://www.cerias.purdue.edu/site/projects/detail/the_clouds_dna/">Cloud DNA</a><br />
[3] <a href="http://hms.isi.jhu.edu/index.php/research.html">Health and Medical Security Lab</a><br />
[4] <a href="http://seclab.illinois.edu/projects">SHARPS</a><br />
[5] <a href="http://www.cerias.purdue.edu/">CERIAS</a><br />
[6] <a href="http://medvault.gtisc.gatech.edu/people.html">MediVault</a><br />
[7] <a href="http://www.google.lk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CFkQFjAA&url=http%3A%2F%2Fntnu.diva-portal.org%2Fsmash%2Fget%2Fdiva2%3A348811%2FFULLTEXT01&ei=DOmyT9mZAsq4rAe43ITMCw&usg=AFQjCNGD_8n6Tqu32cKPooCUpk-I777HBw">Security in SOA-Based Healthcare Systems</a></div>
Hasini, 2012-11-13 (updated 2012-11-16): Towards a viable and secure health information system - Part 4<div dir="ltr" style="text-align: left;" trbidi="on">
This is the fourth of the <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series of blog posts</a> that I have been writing on the subject, which was mainly inspired by the paper[1].<br />
<br />
For clarity and ease of summarizing, let me include the following diagram, which illustrates the overall picture of the security requirements of a health information system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgDKtxdca9RY5TSIOnaKBuE55eJMtfngzuytORLfLEiFGRUi_WJldYlCQt-j5L4OKIm6b5-6ODn1DF5JWqQIYKGHH5N1oUEeI_p8kfgkBo0U-vwaIK5qrQNqpTQoHFEgWj-ScIMtaTP9I/s1600/fullImage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgDKtxdca9RY5TSIOnaKBuE55eJMtfngzuytORLfLEiFGRUi_WJldYlCQt-j5L4OKIm6b5-6ODn1DF5JWqQIYKGHH5N1oUEeI_p8kfgkBo0U-vwaIK5qrQNqpTQoHFEgWj-ScIMtaTP9I/s400/fullImage.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
In my previous three posts in this <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series</a>, I have discussed Identity Management/Authentication, Authorization and Auditing. In this post, I am going to write about the role cryptographic techniques play in healthcare IS.</div>
<br />
<b>4. Cryptographic Techniques</b><br />
Confidentiality, integrity and non-repudiation are key security requirements that should be met by any health information system. Encryption and digital signatures are the de facto mechanisms for achieving them. However, traditional encryption mechanisms have major limitations in accomplishing the goals of a distributed, country-wide health information ecosystem.<br />
<div style="text-align: justify;">
Let me discuss this further adhering to my usual format, i.e. discussing the views of the paper[1] and my own.</div>
<ul style="text-align: left;">
<li>As in any security-sensitive system, data both at rest and on the wire should be encrypted.</li>
<li>Traditional public key cryptography has limitations when used in a health information ecosystem because of the complexity of exchanging the keys used to decrypt the EMRs among authorized principals who may come from anywhere in the country.</li>
<li>Therefore, the keys used to encrypt the data (we can call this cryptographic authorization as well) are not attached to individuals but to role/identity attributes.</li>
<li>If encrypted data is stored on one machine, the keys to decrypt it should be obtained from another service which is separately managed.</li>
<li>The metadata related to an EMR (which was discussed in detail in my <a href="http://hasini-gunasinghe.blogspot.com/2012/11/towards-viable-and-secure-health.html">second post</a>), which contains information about access control to EMRs, should be digitally signed.</li>
<li>Some of the metadata can be encrypted as well. Since the EMRs should be searchable from anywhere in the country, the keys to decrypt the metadata should be known to secure search engines, but only authorized personnel should be able to decrypt the actual EMR data.</li>
</ul>
<ul style="text-align: left;">
<li>
The paper highlights the research problems motivated by the above requirements.</li>
<ul>
<li>Developing techniques to support flexible key management policies </li>
<li>The paper recommends using Attribute Based Encryption (ABE) for cryptographic access control and identifies research problems along that line as:</li>
</ul>
</ul>
- Developing techniques to specify and enforce access control for EMRs based on ABE<br />
- Developing key management solutions for ABE<br />
- Providing cryptographic mechanisms to properly anonymize records as required by secondary-use considerations such as research.<br />
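The requirements above (keys bound to role attributes rather than to individuals, a separately managed key service, signed metadata that a search service can read while only the authorized role can decrypt the record) can be sketched in code. The following is an added example written for this post, not code from the paper[1] or from any of the referenced projects. It uses AES-GCM under a per-role key plus an Ed25519 signature on the metadata as a simplified stand-in for the attribute based encryption the paper recommends; it is not ABE, and the role names, record ids and record values are constructed.

```go
package main

// Added example (not from the paper or the blog): decryption keys are bound to
// a role attribute rather than a person and live in a KeyService managed
// separately from the node holding the ciphertext; the access control metadata
// is signed and bound to the ciphertext as AES-GCM associated data. This stands
// in for the ABE the paper recommends; it is not ABE. Values are constructed.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Metadata stays in the clear so a search service can index it; Role names
// the attribute whose key decrypts the record.
type Metadata struct {
	RecordID  string `json:"record_id"`
	PatientID string `json:"patient_id"`
	Category  string `json:"category"`
	Role      string `json:"role"`
}

// SealedRecord is all the storage node holds: no key material.
type SealedRecord struct {
	Meta       Metadata
	MetaSig    []byte // ed25519 signature over the canonical metadata
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM, canonical metadata as AAD
}

// KeyService keeps one content key per role attribute plus the metadata
// signing key, in a trust domain separate from the storage node.
type KeyService struct {
	roleKeys map[string][]byte
	sigPub   ed25519.PublicKey
	sigPriv  ed25519.PrivateKey
}

func NewKeyService(roles ...string) (*KeyService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ks := &KeyService{roleKeys: map[string][]byte{}, sigPub: pub, sigPriv: priv}
	for _, r := range roles {
		ks.roleKeys[r] = make([]byte, 32)
		if _, err := rand.Read(ks.roleKeys[r]); err != nil {
			return nil, err
		}
	}
	return ks, nil
}

// AEADFor releases a cipher for role's key only if the caller's authenticated
// attribute set (assumed to come from a verified identity assertion) holds it.
func (ks *KeyService) AEADFor(role string, attrs []string) (cipher.AEAD, error) {
	for _, a := range attrs {
		if k, ok := ks.roleKeys[role]; ok && a == role {
			block, err := aes.NewCipher(k)
			if err != nil {
				return nil, err
			}
			return cipher.NewGCM(block)
		}
	}
	return nil, errors.New("principal does not hold the required role attribute")
}

func canonical(m Metadata) []byte {
	b, _ := json.Marshal(m) // deterministic for a struct of strings
	return b
}

// Seal runs in the trusted ingest path (inside the key service's boundary):
// sign the metadata, then encrypt under the role key with it as AAD.
func (ks *KeyService) Seal(m Metadata, plaintext []byte) (*SealedRecord, error) {
	aead, err := ks.AEADFor(m.Role, []string{m.Role})
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	meta := canonical(m)
	return &SealedRecord{Meta: m, MetaSig: ed25519.Sign(ks.sigPriv, meta), Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, meta)}, nil
}

// Open runs at the consumer: verify the metadata signature, obtain the cipher
// with the caller's attributes, then decrypt (GCM also rejects a re-targeted
// metadata/ciphertext pair).
func Open(ks *KeyService, rec *SealedRecord, attrs []string) ([]byte, error) {
	meta := canonical(rec.Meta)
	if !ed25519.Verify(ks.sigPub, meta, rec.MetaSig) {
		return nil, errors.New("metadata signature invalid")
	}
	aead, err := ks.AEADFor(rec.Meta.Role, attrs)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, meta)
}
```

Seal and Open are the entry points: Seal binds the ciphertext to the signed metadata by passing the canonical metadata as GCM associated data, so changing the Role tag breaks both the signature check and decryption; the key service never hands the storage node any key, and a principal authenticated with only the nurse attribute cannot obtain the physician key. Metadata is kept in the clear here so a search service can index Category; the paper's option of encrypting some metadata under a key known to the search service is not shown.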
<br />
Here are some of my thoughts on the usage of cryptographic techniques in healthcare information systems<br />
<ul style="text-align: left;">
<li>As the paper suggests, Attribute Based Encryption (ABE) would provide a scalable solution for the cryptographic needs of a health information system and also a solution for its key management requirements. The post[2] describes ABE in detail; in summary, what happens is:<br />
<i>"The plaintext is encrypted with a set of attributes. The KGS (Key Generation Server), which possesses the master key, issues different private keys to users after authenticating the attributes they possess".</i></li>
</ul>
<div style="text-align: justify;">
<ul>
<li>The same post[2] describes two flavors of ABE: Key Policy Attribute Based Encryption (KP-ABE) and Ciphertext Policy Attribute Based Encryption (CP-ABE). I believe the second one is more scalable, since keys are issued for the attributes that a principal possesses, and whether a given ciphertext can or cannot be decrypted by that key is determined by the access policy embedded in the ciphertext.</li>
</ul>
<ul>
<li>In the paper[4], Akinyele et al. have implemented a solution for self-protecting EMRs using Attribute Based Access Control. There, they use a standard format (CCR) and an automated policy engine which assigns an access policy to each record in patients' EMRs, using which the records are encrypted with ABE.</li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li>However, huge trust is placed on the Key Generation Server to correctly authenticate and validate the attributes that a user possesses before issuing keys. Therefore necessary measures should be taken to prevent it from becoming a central point of failure.</li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li>Performance should also be considered along with security. Public key cryptography is known to have higher computational cost than symmetric key cryptography. However, symmetric key cryptography also has its own limitations. The thesis[3] introduces a symmetric-key approach to key management known as Attribute Based Group Key Management.</li>
</ul>
</div>
The above is based on some of my readings about privacy-preserving cryptographic techniques which can be used to accomplish the requirements of healthcare IT systems.<br />
<br />
Another area related to the above discussion that I need to explore further is privacy-preserving secure search techniques, to make the necessary EMRs available to authorized physicians when they submit a search query from any location in the country.<br />
<br />
<b>References:</b><br />
[1] <a href="http://www.google.lk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCAQFjAA&url=http%3A%2F%2Favirubin.com%2FHealthSec.2011.PCAST.pdf&ei=SWA5UOuyGcPNrQf8pYGIAg&usg=AFQjCNHjhUM-LBITAafS4GnDJLY1xkFoTQ">A Research Roadmap for Healthcare IT Security inspired by the PCAST Health Information Technology Report</a><br />
[2] <a href="http://mohamednabeel.blogspot.com/2012/03/aattribute-based-encryption-abe-and-its.html">Attribute Based Encryption</a><br />
[3] <a href="http://mohamednabeel.blogspot.com/2012/07/my-phd-defense-presentation.html">Privacy Preserving Access Control for Third Party Data Management Systems</a><br />
[4] <a href="http://eprint.iacr.org/2010/565.pdf">Self-Protecting Electronic Medical Records Using Attribute-Based Encryption</a></div>
Hasini, 2012-11-13 (updated 2012-11-14): Towards a viable and secure health information system - Part 3<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
This is the third of the <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series of blog posts</a> that I have been writing, inspired by the paper[1].</div>
<br />
Let me include the following diagram, which illustrates the overall picture of the security requirements of a health information system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgDKtxdca9RY5TSIOnaKBuE55eJMtfngzuytORLfLEiFGRUi_WJldYlCQt-j5L4OKIm6b5-6ODn1DF5JWqQIYKGHH5N1oUEeI_p8kfgkBo0U-vwaIK5qrQNqpTQoHFEgWj-ScIMtaTP9I/s1600/fullImage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgDKtxdca9RY5TSIOnaKBuE55eJMtfngzuytORLfLEiFGRUi_WJldYlCQt-j5L4OKIm6b5-6ODn1DF5JWqQIYKGHH5N1oUEeI_p8kfgkBo0U-vwaIK5qrQNqpTQoHFEgWj-ScIMtaTP9I/s400/fullImage.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
In my previous two posts in this <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series</a>, I have discussed Identity Management/Authentication and Authorization. In this post, I am going to write about another important aspect of health care IS, which is auditing.</div>
<br />
<b>3. Auditing</b><br />
<div style="text-align: justify;">
Auditing helps mainly in investigations of fraud or security breaches. In order to recreate an incident, meaningful and useful audit logs should be readily available. Protecting audit log archives is another challenge to be addressed.</div>
<br />
<div style="text-align: justify;">
Let me discuss this further adhering to my usual format, i.e. discussing the views of the paper[1] and my own.</div>
<ul style="text-align: left;">
<li>The report mentions that actions like the ones below in a health IT system should be monitored and audited by a security infrastructure which is independently managed:<br />
- Actions taken by different principals interacting with the system, such as accessing, modifying and deleting EMRs<br />
- The policies/information used to authorize those actions.<br />
- Changes to authorization policies.</li>
</ul>
<div style="text-align: justify;">
<ul>
<li>It highlights the need to protect audit logs with cryptographic mechanisms such that they cannot be deleted, changed or tampered with, even by administrators.</li>
</ul>
</div>
<ul style="text-align: left;">
<li>It also raises the need to facilitate patients' review of the audit records pertaining to their EMRs.</li>
</ul>
<ul style="text-align: left;">
<li>The paper[1] draws attention to an important concern related to auditing: although it is easy to log every action, doing so generates a large volume of data, which causes problems in storage, in retrieving information and in recreating an event when an incident occurs.</li>
</ul>
<div style="text-align: justify;">
<ul>
<li>Research problems identified by the paper in this space:<br />
- Exploring techniques to create audit logs in such a way that we can recreate events as well as limit the amount to store.<br />
- Finding new approaches for storage and retrieval and also user-friendly access to logs.</li>
</ul>
</div>
Let me note down some of my ideas in this regard:<br />
<div style="text-align: justify;">
<ul>
<li>Distributed logging standards such as XDAS[2] can be used for auditing at a certain layer in the distributed health IT ecosystem.</li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li>An efficient digital signature mechanism needs to be in place for integrity protection of the log.</li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li><b>Cassandra</b> storage can be used to overcome the issue of large volumes of audit logs, and parallel processing techniques such as <b>MapReduce</b> can be used for efficient processing of audit logs at the retrieval stage. (Cassandra has been used in WSO2 Stratos, which is the open source cloud middleware platform offered by WSO2. There, each tenant is able to view the logs specific to that tenant. Similar techniques can be used to make the audit records related to the EMRs of a particular patient available to that patient, which is a requirement raised in the PCAST report as well.)</li>
</ul>
</div>
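An added example (not code from the paper[1], from XDAS or from WSO2) of the integrity protection discussed above: each audit entry is hash-chained to its predecessor and signed by a key that the independently managed audit infrastructure holds, so a modified entry is detected even when the modifier is an administrator of the EMR store. The principals, patient ids, timestamps and policy references are constructed for the illustration.

```go
package main

// Added example (not from the paper or the blog): a tamper-evident audit log.
// Each entry records who did what to whose EMR and which policy authorized it,
// carries the hash of the previous entry, and is signed by a key held by the
// audit service, not by the EMR administrators. All entries are constructed.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Entry struct {
	Time      string `json:"time"`
	Principal string `json:"principal"`
	Action    string `json:"action"`
	PatientID string `json:"patient_id"`
	PolicyRef string `json:"policy_ref"` // policy and decision that authorized the action
	PrevHash  string `json:"prev_hash"`
	Hash      string `json:"hash"`
	Signature []byte `json:"sig"`
}

// AuditLog is append-only; only the audit service holds the signing key.
type AuditLog struct {
	Entries []Entry
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewAuditLog() (*AuditLog, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditLog{Pub: pub, priv: priv}, nil
}

// digest hashes every field except Hash and Signature (e is a copy).
func digest(e Entry) []byte {
	e.Hash, e.Signature = "", nil
	b, _ := json.Marshal(e) // deterministic for this struct
	sum := sha256.Sum256(b)
	return sum[:]
}

func (l *AuditLog) Append(t, principal, action, patient, policy string) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Time: t, Principal: principal, Action: action, PatientID: patient, PolicyRef: policy, PrevHash: prev}
	d := digest(e)
	e.Hash = hex.EncodeToString(d)
	e.Signature = ed25519.Sign(l.priv, d)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify re-derives every hash and checks chain link and signature; it returns
// the index of the first bad entry, or -1 when the log is intact.
func Verify(pub ed25519.PublicKey, entries []Entry) int {
	prev := ""
	for i, e := range entries {
		d := digest(e)
		if e.PrevHash != prev || e.Hash != hex.EncodeToString(d) || !ed25519.Verify(pub, d, e.Signature) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ForPatient is the patient-facing view: only entries about their own EMR.
func ForPatient(entries []Entry, patient string) []Entry {
	var out []Entry
	for _, e := range entries {
		if e.PatientID == patient {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	l, _ := NewAuditLog()
	l.Append("2012-11-13T09:00:00Z", "dr.smith", "read", "p-001", "physician-hours#Permit")
	l.Append("2012-11-13T09:05:00Z", "nurse.jones", "read", "p-002", "nurse-clinical#Permit")
	l.Append("2012-11-13T09:07:00Z", "dr.smith", "update", "p-001", "physician-hours#Permit")
	fmt.Println("fresh log, first bad entry:", Verify(l.Pub, l.Entries)) // -1
	tampered := append([]Entry(nil), l.Entries...)
	tampered[1].Action = "delete" // an administrator with write access to the store could do this
	fmt.Println("after tampering, first bad entry:", Verify(l.Pub, tampered)) // 1
	fmt.Println("entries patient p-001 may review:", len(ForPatient(l.Entries, "p-001"))) // 2
}
```

Verify detects modified, re-ordered or inserted entries, but a hash chain alone does not detect truncation of the newest entries; for that the latest hash has to be anchored outside the store (published, or countersigned by a second party) at intervals. ForPatient is the patient-facing view the PCAST report asks for, selecting only the records about that patient's own EMR, and PolicyRef keeps the policy/decision that authorized each action alongside the action itself.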
<br />
<b>References:</b><br />
[1] <a href="http://www.google.lk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCAQFjAA&url=http%3A%2F%2Favirubin.com%2FHealthSec.2011.PCAST.pdf&ei=SWA5UOuyGcPNrQf8pYGIAg&usg=AFQjCNHjhUM-LBITAafS4GnDJLY1xkFoTQ">A Research Roadmap for Healthcare IT Security inspired by the PCAST Health Information Technology Report</a><br />
[2] <a href="http://www.opengroup.org/security/das/xdas_int.htm">Introduction to XDAS</a></div>
Hasini, 2012-11-11 (updated 2012-11-14): Towards a viable and secure health information system - Part 2<div dir="ltr" style="text-align: left;" trbidi="on">
I have started discussing the $subject in <a href="http://hasini-gunasinghe.blogspot.com/2012/09/towards-viable-and-secure-health.html">my previous post</a> based on a research paper[1] that I happened to read.<br />
This is the second post of the <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series</a>. Let's again take a look at the following image, which summarizes the key considerations with regard to security, privacy and identity management of a healthcare information system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV00fib6rvebUgIdVWN6enWP9AwSa35F20pW2OBuIZ8FFcGFciILJfU7_dNdYONsl51hiAkbEY6xxqjJTUETCilQ2mmtoMgnSNkAdXNCJNsq8ALxH0CDsBmW5yi6pM69hVyJXqnbZ59ms/s1600/fullImage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV00fib6rvebUgIdVWN6enWP9AwSa35F20pW2OBuIZ8FFcGFciILJfU7_dNdYONsl51hiAkbEY6xxqjJTUETCilQ2mmtoMgnSNkAdXNCJNsq8ALxH0CDsBmW5yi6pM69hVyJXqnbZ59ms/s400/fullImage.png" width="400" /></a></div>
<br />
In <a href="http://hasini-gunasinghe.blogspot.com/2012/09/towards-viable-and-secure-health.html">my previous post</a>, I have given an overall idea on security in health care IS and discussed the first aspect, which is Identity Management and Authentication.<br />
In this post, I am going to take the second aspect into consideration.<br />
<br />
<b>2. Authorization</b><br />
<div style="text-align: justify;">
Since a health information system contains personal information of varying sensitivity, authentication alone is not sufficient; the rights of the authenticated principals to access certain data should also be validated, which we refer to as authorization.<br />
<br />
For example, a patient's medical records should only be accessible to an authenticated principal in the role of a physician, and only during his/her working hours, while clinical data can be accessed by nurses as well. On the other hand, researchers can access medical data only if it is properly de-identified. </div>
<div style="text-align: justify;">
There should be proper mechanisms in place to enforce such fine grained authorization.</div>
<div style="text-align: justify;">
<br />
Let me discuss this in terms of what the paper[1] analyzes and what my views are on the mechanisms to accomplish the security requirement of authorization.</div>
<div style="text-align: justify;">
<ul>
<li>The PCAST report highlights that according to current regulations, it is not necessary to have patients' consent to disclose treatment/payment information under certain conditions. Therefore patients do not have control over the privacy of their medical records, which negatively affects building and maintaining the public's trust in health care IT.</li>
</ul>
<ul>
<li>As background, the report advocates the idea of a universal language to exchange health information between different healthcare providers, who may still have proprietary formats/schemas for storing data. It proposes to use a language structured as individual data elements, together with metadata that provides an annotation for each data element. It can be an extensible markup language, where individual pieces of data can be tagged with context-sensitive metadata.</li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li>The report envisions that such a data representation framework can enable fine-grained authorization/privacy preferences, where the consent to access each data element (the authorization policy) is expressed through the metadata attached to it. </li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li>The paper[1] believes that the data representation framework plays a big role in a secure EMR system with fine-grained access control, and illustrates how the above recommendations motivate interesting research problems such as:</li>
</ul>
- how to programmatically tag data based on a particular security/authorization policy</div>
- how to effectively feed tagged data elements to a policy engine to get the decision whether the requested access is allowed or not.<br />
- how to efficiently parse and process tagged data elements.<br />
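As an added example (not from the paper[1] or the PCAST report, whose tagging schema is not reproduced here), the following Go program models how tagged data elements can be fed to a policy engine, using the physician/nurse/researcher rules from above. The element categories, the assumed 08:00-18:00 working-hours window and the sample record are constructed for the illustration.

```go
package main

// Added example (not from the paper or the blog): a small XACML-style policy
// engine over metadata-tagged data elements. Each element carries the tags the
// policy needs, matching rules are combined with deny-overrides, and "no
// applicable rule" is enforced as Deny. Roles, hours and values are constructed.

import "fmt"

// DataElement is one tagged piece of an EMR.
type DataElement struct {
	Name         string
	Value        string
	Category     string // "medical" or "clinical"
	DeIdentified bool   // true when the element carries no patient identifiers
}

// Request is the access context handed to the policy engine.
type Request struct {
	Role string
	Hour int // hour of day, 0-23
}

type Decision string

const Permit, Deny Decision = "Permit", "Deny"

// Rule targets one role and a set of element categories; HourFrom/HourTo
// (HourFrom < 0 means any time) and DeIdentified narrow the target further.
type Rule struct {
	Role         string
	Categories   []string
	HourFrom     int
	HourTo       int  // exclusive
	DeIdentified bool // rule applies only to de-identified elements
	Effect       Decision
}

func (r Rule) applies(req Request, el DataElement) bool {
	if r.Role != req.Role || (r.DeIdentified && !el.DeIdentified) {
		return false
	}
	if r.HourFrom >= 0 && (req.Hour < r.HourFrom || req.Hour >= r.HourTo) {
		return false
	}
	for _, c := range r.Categories {
		if c == el.Category {
			return true
		}
	}
	return false
}

// Evaluate is deny-overrides: any applicable Deny wins, otherwise an applicable
// Permit wins, otherwise nothing applies and the enforcement point denies.
func Evaluate(policy []Rule, req Request, el DataElement) Decision {
	result := Deny
	for _, r := range policy {
		if !r.applies(req, el) {
			continue
		}
		if r.Effect == Deny {
			return Deny
		}
		result = Permit
	}
	return result
}

// Filter returns the names of the elements the request may see.
func Filter(policy []Rule, req Request, record []DataElement) []string {
	var visible []string
	for _, el := range record {
		if Evaluate(policy, req, el) == Permit {
			visible = append(visible, el.Name)
		}
	}
	return visible
}

// HealthcarePolicy encodes the example in the text: physicians see medical and
// clinical elements during working hours (08:00-18:00 assumed), nurses see
// clinical elements, researchers see only de-identified elements.
func HealthcarePolicy() []Rule {
	return []Rule{
		{Role: "physician", Categories: []string{"medical", "clinical"}, HourFrom: 8, HourTo: 18, Effect: Permit},
		{Role: "nurse", Categories: []string{"clinical"}, HourFrom: -1, Effect: Permit},
		{Role: "researcher", Categories: []string{"medical", "clinical"}, HourFrom: -1, DeIdentified: true, Effect: Permit},
	}
}

// SampleRecord is a constructed, tagged EMR fragment.
func SampleRecord() []DataElement {
	return []DataElement{
		{Name: "diagnosis", Value: "type 2 diabetes", Category: "medical"},
		{Name: "blood_pressure", Value: "128/82", Category: "clinical"},
		{Name: "cohort_age_band", Value: "40-49", Category: "medical", DeIdentified: true},
	}
}

func main() {
	for _, req := range []Request{{"physician", 10}, {"physician", 22}, {"nurse", 22}, {"researcher", 14}} {
		fmt.Printf("%-10s at %02d:00 sees %v\n", req.Role, req.Hour, Filter(HealthcarePolicy(), req, SampleRecord()))
	}
}
```

Evaluate uses XACML's deny-overrides combining logic and treats "no applicable rule" as a deny, which is the safe default for an enforcement point in front of EMR data. The researcher rule shows the point of tagging: the privacy condition the policy needs (DeIdentified) travels on the element itself, so the engine never has to look inside the value to decide.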
<br />
Let me mention some of my views on this aspect:<br />
<div style="text-align: justify;">
<ul>
<li>Although I do not have enough understanding to comment on metadata-tagged data elements[2], I too strongly believe that fine-grained authorization models should be employed which are also robust, efficient and scalable, to achieve the level of privacy that the records in a healthcare IS need.</li>
</ul>
</div>
<ul style="text-align: left;">
<li style="text-align: justify;">From my understanding of the authorization models used in the identity/privacy world, XACML is a good candidate for implementing a fine-grained authorization system for a healthcare information ecosystem. It is a policy-based mechanism which is flexible to changing requirements and which facilitates defining fine-grained authorization policies based on identity attributes of the principals. Other key attributes of a XACML-based solution are: loosely coupled, externalized, centralized and standardized.</li>
</ul>
<ul style="text-align: left;">
<li>A real-world use case example of a XACML-based authorization solution for health care can be found at [3].</li>
</ul>
<ul style="text-align: left;">
<li style="text-align: justify;">Privacy-preserving secure search is an interesting aspect brought into the discussion by the PCAST report. Although the search engines aggregate relevant data from multiple providers and provide the result for a search query, the engine itself cannot see the data which is authorized to be seen only by certain parties.</li>
</ul>
<ul style="text-align: left;">
<li style="text-align: justify;">Authorization delegation is another aspect which has not been taken into consideration in the above report and the paper. It is important when physicians and patients use various mobile devices to access EHRs and PHRs, where constrained authorization delegation needs to be performed. The industry standard to accomplish this requirement is OAuth[4].</li>
</ul>
<ul style="text-align: left;">
<li style="text-align: justify;">I found an interesting research project description [5] which develops a security schema for Veterans Affairs (VA) that claims to provide a secure, manageable, portable, scalable and cost-effective solution with fine-grained access control in place and which is easily pluggable into the existing system.</li>
</ul>
<br />
<b>In summary</b>:<br />
- Enabling the specification of fine-grained authorization rules based on privacy preferences, and enforcing access control accordingly, is a key aspect of a secure healthcare information system.<br />
- It should be possible to realize such an authorization model even with existing legacy EMR systems, with minimal or no change to the underlying persistence mechanisms.<br />
- One strong mechanism suggested by the PCAST report is to use metadata in a tagged data elements framework to achieve this, which motivates several research problems.<br />
- Some existing technologies and standards can be used to implement certain aspects of an authorization solution for a health information system, such as XACML for fine-grained policy-based access control and OAuth for authorization delegation.<br />
<br />
<b>References</b>:<br />
[1] <a href="http://www.google.lk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCAQFjAA&url=http%3A%2F%2Favirubin.com%2FHealthSec.2011.PCAST.pdf&ei=SWA5UOuyGcPNrQf8pYGIAg&usg=AFQjCNHjhUM-LBITAafS4GnDJLY1xkFoTQ"> A Research Roadmap for Healthcare IT Security inspired by the PCAST Health Information Technology Report</a><br />
[2] <a href="http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_049357.hcsp?dDocName=bok1_049357">Metadata and Meaningful Use</a><br />
[3] <a href="http://xacmlinfo.com/2012/05/02/xacml-sample-for-health-care-2/">XACML Sample for Health Care Application</a><br />
[4] <a href="http://blog.facilelogin.com/search/label/OAuth">OAuth</a><br />
[5] <a href="http://www.cerias.purdue.edu/site/projects/detail/trusted_medical_information_system_and_health_informatics/">Trusted Medical Information System and Health Informatics</a> </div>
Hasini, 2012-11-09 (updated 2012-12-07): Identity Provisioning from On-Premise to Cloud<div dir="ltr" style="text-align: left;" trbidi="on">
Quoting from one of my initial posts on SCIM:<br />
<br />
"<i style="font-family: "Courier New",Courier,monospace;">Today the enterprise IT solutions adopt products and services from multiple
cloud providers in order to accomplish various business requirements.
Hence it is no longer sufficient to maintain user identities only in
corporate LDAP.</i><br />
<div style="font-family: "Courier New",Courier,monospace;">
<br /></div>
<i style="font-family: "Courier New",Courier,monospace;">In most cases, SaaS providers also need dedicated user accounts created
for the cloud service users, which raises the need of proper identity
provisioning mechanisms to be in place.</i>" <br />
<br />
<a href="http://wso2.com/products/identity-server/">Identity Server (IS) 4.0.0</a>, which is a 100% open source Enterprise Identity & Entitlement Management Server, supports the open standard SCIM for identity provisioning, as I have mentioned in <a href="http://hasini-gunasinghe.blogspot.com/search/label/SCIM">my previous posts</a> as well.<br />
<br />
With this, the next release of WSO2 <a href="https://stratoslive.wso2.com/home/index.html">Stratos Live</a> will also support SCIM for Identity Provisioning.<br />
<br />
This post is about implementing a use case of identity provisioning from on-premise to cloud using Identity Server and Stratos (here, the same IS distribution can be used to simulate the Stratos IS with its multi-tenancy aspects).<br />
<br />
The following diagram gives an overview of the deployment:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxNuksdAxzuthzFVYWPwX1fVwnTCIcHDDrxUuo-0_lIpCUJlLeu8hjesCIi94pzvtX5cGJS16bziRqgcjFt7SKHB8IVbf74voEHE15N_ekljxFktnUb7UB9Y2nREjmzjXAHkNZ9-tz7ak/s1600/MTsetup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxNuksdAxzuthzFVYWPwX1fVwnTCIcHDDrxUuo-0_lIpCUJlLeu8hjesCIi94pzvtX5cGJS16bziRqgcjFt7SKHB8IVbf74voEHE15N_ekljxFktnUb7UB9Y2nREjmzjXAHkNZ9-tz7ak/s400/MTsetup.png" width="400" /></a></div>
<b>Use case:</b><br />
Two organizations called wso2.com and willpower.org have their on-premise enterprise Identity Management Solutions running on Identity Server.<br />
Both organizations use cloud services offered by WSO2 StratosLive and have created tenants there.<br />
Now, they want to provision the user account and identity management operations, such as creating/deleting users and groups and updating user identity attributes, which happen in their on-premise Identity Server, to the respective tenants they have in StratosLive, as shown in the above diagram.<br />
<br />
<b>Implementation</b>:<br />
In this case, the Identity Server running inside the organizational boundary of each organization acts as a SCIM consumer, and the Identity Server as a Service running in StratosLive acts as the SCIM Service Provider.<br />
<br />
Each organization can register SCIM provider configurations pointing to their tenant space in SLive within their enterprise IS instances.<br />
<br />
The following is a step by step guide.<br />
<b>Step 1: setup</b><br />
Download and unzip the IS distribution into three different folders (to represent the instances at: 1. wso2, 2. willpower, 3. SLive)<br />
<br />
Increment the Ports->PortOffset element in carbon.xml such that the three instances run on the following ports:<br />
IS of WSO2: 9443<br />
IS of Willpower: 9444<br />
SLive IS: 9445<br />
<br />
You can find more details on how to do this step in step 1 of <a href="http://hasini-gunasinghe.blogspot.com/2012/11/identity-synchronozation-accross.html">my previous post</a>.<br />
<br />
<b>Step 2: creating tenants</b><br />
Login as admin to the IS instance that simulates Stratos IS in our setup and create two tenants named "wso2.com" and "willpower.com".<br />
<br />
Screen shots of the steps are shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUeY8R2jwoX6KT7RW_R8A9hRH4dzlUvPjHnO5jiHtc9hKQrTyYZgwTGSJ-WwqAmsrn1huthSTlKkZkF6o494vhOTbSXgirD9k26s9COaOu4t3lmSjqGuiUoJaetYS2GGK8llyQ9BPHb0w/s1600/MT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUeY8R2jwoX6KT7RW_R8A9hRH4dzlUvPjHnO5jiHtc9hKQrTyYZgwTGSJ-WwqAmsrn1huthSTlKkZkF6o494vhOTbSXgirD9k26s9COaOu4t3lmSjqGuiUoJaetYS2GGK8llyQ9BPHb0w/s320/MT.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxraEdqjVmExLGO0cLqwBYb656cluXzyzrElM04RsBrdOtWHQAyFwJkuTbxkFhyv2orK39Nxtcp7xNrEJzPPfKx73mPNSi-u13-Q2ypI-zHEGRJRzPR6sDOYZzJOFKDJvlpXK6xoNJjY4/s1600/wp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxraEdqjVmExLGO0cLqwBYb656cluXzyzrElM04RsBrdOtWHQAyFwJkuTbxkFhyv2orK39Nxtcp7xNrEJzPPfKx73mPNSi-u13-Q2ypI-zHEGRJRzPR6sDOYZzJOFKDJvlpXK6xoNJjY4/s320/wp.png" width="320" /></a></div>
<br />
<br />
<b>Step 3: registering SCIM providers</b><br />
<br />
Now login to the IS instances of the WSO2 and WillPower organizations as the admin user and register SCIM provider configurations pointing to their respective tenant spaces in the SLive IS instance.<br />
For a more detailed guide on how to register SCIM providers, please refer to step 3 of <a href="http://hasini-gunasinghe.blogspot.com/2012/11/identity-synchronozation-accross.html">my previous post</a>.<br />
Example configurations are shown below:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQqX4ytbFerLkqSJtHEC5_jyLBHDwCkEjZVb05GagAhlkFP32inPnqlDH2iJdzsQxKqVu5RpPn1LUDlqlyhoH8wNQsETL9cN8K7OWWnqG21l7QMZP7jPYfnciR4lIBRo60ib9Zxy5T-I/s1600/wso2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQqX4ytbFerLkqSJtHEC5_jyLBHDwCkEjZVb05GagAhlkFP32inPnqlDH2iJdzsQxKqVu5RpPn1LUDlqlyhoH8wNQsETL9cN8K7OWWnqG21l7QMZP7jPYfnciR4lIBRo60ib9Zxy5T-I/s400/wso2.png" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTUS3XUBx3T-afXWcnr7MQ00_DIY99lpQdTXdQZ2qHRUfNNNgPaEfOQdWGuIL8xVNuP40sPZ4IYtP4-vfR8RfZYVaiH9vgkx1XsVGop-d4di9Yi2dP-thriYlrLhoQq-SkOPymTyKL5qQ/s1600/will.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTUS3XUBx3T-afXWcnr7MQ00_DIY99lpQdTXdQZ2qHRUfNNNgPaEfOQdWGuIL8xVNuP40sPZ4IYtP4-vfR8RfZYVaiH9vgkx1XsVGop-d4di9Yi2dP-thriYlrLhoQq-SkOPymTyKL5qQ/s400/will.png" width="400" /></a></div>
<br />
<br />
<b>Step 4: testing provisioning</b><br />
<br />
Now you can test creating, updating and deleting users and groups in the organizational IS instances and verify that they are provisioned to the corresponding tenant space of each organization in the SLive IS instance.<br />
<br />
That's it... Thanks..!<br />
<br />
<br /></div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com0tag:blogger.com,1999:blog-6247594794349776721.post-50405912377068356472012-11-03T20:56:00.001-07:002012-12-07T03:16:47.724-08:00Identity Synchronization across Multiple Nodes with SCIM<div dir="ltr" style="text-align: left;" trbidi="on">
We sometimes manage user identities in multiple nodes and need to synchronize all the nodes whenever one of them is updated.<br />
<br />
In this post we will look at how we can leverage SCIM, an open standard for identity provisioning, to meet this identity synchronization requirement.<br />
<br />
As I mentioned in my previous post, WSO2 Identity Server (IS) supports identity provisioning with SCIM, based on WSO2 Charon, the WSO2 implementation of the specification.<br />
<br />
Identity Server can act as both a SCIM consumer and a SCIM service provider.<br />
To meet the above requirement, we use both of those capabilities at once.<br />
<br />
Let me describe a use case and then provide the steps to implement it with WSO2 Identity Server.<br />
<br />
<i><b>Use Case:</b></i><br />
<br />
Let's say we have an organization with multiple stores distributed across a region. Each store maintains its own user store, and there is a central store as well. When a sub store updates its user accounts, that update should be propagated to the central node, and the central node sends it on to all the other sub stores.<br />
If an update happens at the central node, it should also be propagated to all the sub stores.<br />
<br />
The following diagram depicts this: the directions in which each node's updates propagate are indicated by arrows in that node's colour. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtU6iwPNwWcTow3YBib6LYc4bCTtk773yIXMtmWlVwclDCovppMZvR0x3C8f5bR3YbNJpf_StK6_StABzO7sYbueodgLvsNOCZTKBdnoQ6RA_oYy7EB1ZUlCpQv_qiGcdIw9trB0yJTvc/s1600/Untitled+presentation%281%29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtU6iwPNwWcTow3YBib6LYc4bCTtk773yIXMtmWlVwclDCovppMZvR0x3C8f5bR3YbNJpf_StK6_StABzO7sYbueodgLvsNOCZTKBdnoQ6RA_oYy7EB1ZUlCpQv_qiGcdIw9trB0yJTvc/s640/Untitled+presentation%281%29.png" width="640" /></a></div>
<br />
Beside each node, I have listed its 'provisioning admins' along with the providers registered under them, if any.<br />
Let me explain. A provisioning request is sent from a consumer node to a SCIM provider node. Therefore, providers must be registered at whichever node plays the consumer role at a particular time.<br />
<br />
You also need an account on the provider node with the proper permission to do provisioning, because, as I mentioned in the <a href="http://hasini-gunasinghe.blogspot.com/2012/11/wso2-identity-server-as-scim-service.html">previous post</a>, the SCIM service provider authenticates and authorizes your provisioning request and fulfils it only if both checks pass.<br />
<br />
Let's implement the above scenario step by step so that you get a clearer picture:<br />
<br />
<b>Step 1: Setting up three nodes</b><br />
<a href="http://wso2.com/products/identity-server/">Download</a> Identity Server 4.0.0 and unzip it into three folders named 'store1', 'central' and 'store2'.<br />
Since all three run on the same machine, we need to change the port offset of each IS instance.<br />
Go to [IS_Home]/repository/conf and open carbon.xml. In the 'central' instance set Ports->Offset to 1, and in the 'store2' instance set Ports->Offset to 2.<br />
Start the three instances. <br />
Our three instances now listen on the following ports:<br />
<i>store1: 9443</i><br />
<i>central: 9444</i><br />
<i>store2: 9445</i><br />
<br />
<b>Step 2: Registering Provisioning Administrators</b><br />
Let's now create, in each node, the user accounts that have the privilege to register SCIM providers and/or perform provisioning on behalf of each store, as listed in the image above.<br />
<br />
<i>Store1:</i><br />
Go to the management console of the store1 IS instance at <span style="font-size: x-small;">https://localhost:9443/carbon/</span> in a browser, log in as admin/admin and go to <i>Configure -> Users and Roles</i>.<br />
Create the 'centraladmin' and 'store2admin' user accounts.<br />
Also create a role called 'provisioning admin', assign the above two users to it and grant it only the two permissions 'Login' and 'Identity Provisioning', as shown in the following screenshot. The credentials of these accounts will be stored in other nodes' provider configuration, so keep the role to exactly these permissions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwYnJMHIjbVXT6v1gh4Qict1XLdX38APg3tNOTvTuATdQDYwBjVJLif_mzNc4f_rlV76vRBRjdWxhcHqpo_SHbb0OgdZfEt5ITnrGBHP3S2ia0sOsWpVmHyoVxq88ktQK4gJF5QNNFVT8/s1600/permission.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwYnJMHIjbVXT6v1gh4Qict1XLdX38APg3tNOTvTuATdQDYwBjVJLif_mzNc4f_rlV76vRBRjdWxhcHqpo_SHbb0OgdZfEt5ITnrGBHP3S2ia0sOsWpVmHyoVxq88ktQK4gJF5QNNFVT8/s400/permission.png" width="400" /></a></div>
<br />
Now the centraladmin user has the permission to provision user account updates that happen in the central store to store1. In this case the central store is the SCIM consumer and store1 is the SCIM service provider.<br />
<br />
The store2admin user has the permission to send provisioning requests to store1, via the central store, in order to propagate updates that happen in store2.<br />
<br />
The default admin account of store1, which has all permissions, provisions the updates that happen in store1 to the central store.<br />
<br />
In the same way, create the relevant provisioning admin user accounts in the central and store2 IS instances, as illustrated in the first diagram above, and assign them to the provisioning admin role with the two permissions.<br />
<br />
<b>Step 3: Registering Providers</b><br />
Identity Server allows consumer nodes to register SCIM providers in two ways:<br />
<br />
1. <i>Registering global providers</i>: any user management operation performed in a particular tenant space is provisioned to the global providers.<br />
<br />
2. <i>Registering providers specific to a particular user account</i>: any user management operation that arrives through the SCIM service provider endpoints of a node is further provisioned to the providers registered under the account with which the incoming SCIM request was authenticated and authorized. This is what keeps an update from being echoed back to the node it came from: the account that store1 uses at the central store has store2 registered under it, never store1.<br />
<br />
Let's look at how to register SCIM providers at the <b>central store</b> in our scenario, so that both mechanisms become clear.<br />
<br />
<i>1. Registering global SCIM providers at the central store.</i><br />
According to our requirement, any user management operation performed by users in the admin role of the central store should be provisioned to store1 and store2.<br />
- Log in as the default admin user on the central node <span style="font-size: x-small;">(https://localhost:9444/carbon/admin/login.jsp) </span><br />
- Access <i>Main->Manage->SCIM</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqgRNHjzgvDVcjG9vPrAUvAn-C3pzk_3ny-ssw55PUld000__YKNbAGAmCuQZXwlqHqB1zq19IKNMJgN57ZrjRhSu41SsJkEb8CdHFv0LyyMSTbsspccNVD_GABAEPg8Sr4gCSHyutp9U/s1600/SCIM1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqgRNHjzgvDVcjG9vPrAUvAn-C3pzk_3ny-ssw55PUld000__YKNbAGAmCuQZXwlqHqB1zq19IKNMJgN57ZrjRhSu41SsJkEb8CdHFv0LyyMSTbsspccNVD_GABAEPg8Sr4gCSHyutp9U/s400/SCIM1.png" width="400" /></a></div>
- Register a new SCIM provider.<br />
We need to register both store1 and store2 as global providers.<br />
The following image shows the configuration of the store1 SCIM provider.<br />
Here we define a provider id, the user name and password with which the central node authenticates to the SCIM provider node (in this case the centraladmin account that we created in both store1 and store2 in the previous step), and the URLs of that node's SCIM User and Group endpoints.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdJgXTiI5reMz17-7SubM_wBitSwSvL6WZo5lv7Jrjv9NmfcKDBW_0cKsaNa568641-t_yz2h9GZ3R7lQ84j2bvQNhP4DLvS7tGGfB2CJXvGhv9yBCLdbi5oZnj0nGB67_mmrjz-QmEPw/s1600/addSCIM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdJgXTiI5reMz17-7SubM_wBitSwSvL6WZo5lv7Jrjv9NmfcKDBW_0cKsaNa568641-t_yz2h9GZ3R7lQ84j2bvQNhP4DLvS7tGGfB2CJXvGhv9yBCLdbi5oZnj0nGB67_mmrjz-QmEPw/s640/addSCIM.png" width="640" /></a></div>
<br />
Register store2 as a global provider in the same way, with its own endpoints and credentials.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs7_CZI9qxhOAUHEqfpckVrfgb8md1hd0bdoQx2A8z0UvpgQ67JOujTHeQ7NMTIQbmeNCAxGFp5kV2qYo2yRW-cMxzz8egq6O7v51oocp17buAuv5PHtzJWyv4FY23VHR1kM2o6f9aJfw/s1600/listSCIM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs7_CZI9qxhOAUHEqfpckVrfgb8md1hd0bdoQx2A8z0UvpgQ67JOujTHeQ7NMTIQbmeNCAxGFp5kV2qYo2yRW-cMxzz8egq6O7v51oocp17buAuv5PHtzJWyv4FY23VHR1kM2o6f9aJfw/s640/listSCIM.png" width="640" /></a></div>
<br />
2<i>. Registering SCIM providers specific to user accounts at the central store.</i><br />
According to our requirement, any provisioning request that arrives at the central store from store1 should be provisioned to all the other sub stores, but not back to store1.<br />
<br />
Therefore the store1admin account in the central store must define to which providers the SCIM requests it authenticates should be further provisioned from the central node.<br />
<br />
- Log in to the central node as store1admin.<br />
- Access <i>Main -> My Identity -> My SCIM Providers</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRXScVlvEIlZYCqoq9ldQ4pKX3vFk6PH8803cObt3IYOMz88db-tD4g7-47k3tVbVy9uzqRdGTRpOGaiQ9pqC7rZJkXfkCdYsyB_g6yDFs8NtnImETBENQwJh-b8vrKEn9xa8qdkXBOhs/s1600/myscim.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRXScVlvEIlZYCqoq9ldQ4pKX3vFk6PH8803cObt3IYOMz88db-tD4g7-47k3tVbVy9uzqRdGTRpOGaiQ9pqC7rZJkXfkCdYsyB_g6yDFs8NtnImETBENQwJh-b8vrKEn9xa8qdkXBOhs/s400/myscim.png" width="400" /></a></div>
- Now, as store1admin, register store2 as a SCIM provider with the relevant configuration, as shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1492Bc1DrOnSBCofQy_YBZ45vqDdsSLtvFUKHQJe87j1oh5Fn1mEX_j4BBzGQmX1B0Ja_ZhPQKZeezMAzF5mj3AhVDYDoYHgralhBF3gac7SynhmvuUWZXsrYI1JHfeBEt5dzIGD2mVc/s1600/store1Prov.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1492Bc1DrOnSBCofQy_YBZ45vqDdsSLtvFUKHQJe87j1oh5Fn1mEX_j4BBzGQmX1B0Ja_ZhPQKZeezMAzF5mj3AhVDYDoYHgralhBF3gac7SynhmvuUWZXsrYI1JHfeBEt5dzIGD2mVc/s640/store1Prov.png" width="640" /></a></div>
<br />
- Then log in to the central node as store2admin and register a SCIM provider pointing to the store1 endpoints.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigzRdVDrTS5MuNslL7oh6RXAlPL8PlMlV8k7ro6oBtNKqKmnBbjkznGxZJhy1lD1sN0uKZzEopO-L10wen8suLyQu-u3Pwk-0-PMP8VPnM93mv70QjMY20vhoQP_p-s4S4wzqNomGX08c/s1600/store1in+central.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigzRdVDrTS5MuNslL7oh6RXAlPL8PlMlV8k7ro6oBtNKqKmnBbjkznGxZJhy1lD1sN0uKZzEopO-L10wen8suLyQu-u3Pwk-0-PMP8VPnM93mv70QjMY20vhoQP_p-s4S4wzqNomGX08c/s320/store1in+central.png" width="320" /></a></div>
<br />
<br />
Now the central node is configured for our provisioning scenario.<br />
<br />
Then log in to the store1 and store2 IS instances as the default admin and register the central node as the global provider in both, as shown below.<br />
<br />
<i>Store1:</i> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju2h-5VWvBuiCd58Cbx8Fnz4JqieN8mIQgOY3POCybGG3rCPauQrcRiV9YWQhpwlesTZU6L_0uNSpW0c2kFRFGluwB6MSQ4mYEgeihsn5B4jHFPnLTtMZ6qRhfrhzbS2JaBAo7cdeHNZg/s1600/store1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju2h-5VWvBuiCd58Cbx8Fnz4JqieN8mIQgOY3POCybGG3rCPauQrcRiV9YWQhpwlesTZU6L_0uNSpW0c2kFRFGluwB6MSQ4mYEgeihsn5B4jHFPnLTtMZ6qRhfrhzbS2JaBAo7cdeHNZg/s320/store1.png" width="320" /></a></div>
<br />
<i>Store2:</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwO00KQwWhCZHgUinvtJXBHEnomYeDM6UIERQvxqJHYDhejfxKg5cRP16XWsMLeI2eifpzoNm88AHY8zNI2C4Qi8dfHse_rRtZ8ogCxsC-WLGWYtFGh09EqATp8jWS5EbdSrtw-lvdiGM/s1600/store2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwO00KQwWhCZHgUinvtJXBHEnomYeDM6UIERQvxqJHYDhejfxKg5cRP16XWsMLeI2eifpzoNm88AHY8zNI2C4Qi8dfHse_rRtZ8ogCxsC-WLGWYtFGh09EqATp8jWS5EbdSrtw-lvdiGM/s320/store2.png" width="320" /></a></div>
<br />
<br />
Refer to the very first image in this post to make sure that you have created all the relevant provisioning admin accounts in each IS node, given them the proper permissions and registered the corresponding SCIM providers listed in that diagram for each node.<br />
<br />
<b>Step 4: Test Identity Synchronization</b><br />
Now log in to store1 as the default admin and create a user account. Observe the logs at the backend console of each node: you will see info logs stating that the user created at store1 has also been created at the central store and at store2.<br />
<br />
You can log in to the management consoles of the central store and store2 and verify that the user created in store1 is listed on the other two nodes as well.<br />
<br />
You can perform the other user and role management operations in each node and verify that they are synchronized to the other nodes as expected in our use case.<br />
<br />
The following user management operations are currently supported by WSO2 Identity Server for provisioning via SCIM:<br />
1. Create user<br />
2. Delete user<br />
3. Update a user's credential by an admin<br />
4. Update a user's profile by an admin<br />
5. Update a user's own profile by the user<br />
6. Create group<br />
7. Delete group<br />
8. Add users to a group by updating the group (update the user list of a role)<br />
9. Rename group<br />
<br />
The following user management operations are allowed by WSO2 Identity Server but are not currently provisioned via SCIM:<br />
1. Update of a user's own credential by the user. A password a user changes on one node therefore stays different on the other nodes until an admin updates it.<br />
2. Add users to groups by updating the user (update the role list of a user); the same outcome can be achieved with operation 8 above.<br />
<br />
I hope it is now clear how we can leverage SCIM, the open standard for identity provisioning, to achieve identity synchronization across multiple nodes using the capabilities of WSO2 Identity Server.<br />
<br />
<b>Configuring provisioning through a configuration file</b><br />
Identity Server also supports configuring SCIM providers through a configuration file, in addition to registering providers through the UI as explained above.<br />
In this case it is the admin of a particular node who configures the providers, rather than the individual provisioning admins registering their own SCIM providers through the UI.<br />
<br />
The relevant configuration file is: [IS_Home]/repository/conf/provisioning-config.xml<br />
<br />
If you configure through the file, follow the steps above until <b>step 2</b> is completed.<br />
<br />
Then shut down all three IS instances, replace the provisioning-config.xml of each instance with the ones shown below and restart the instances. The provider passwords are stored in clear text in this file, so restrict its file permissions to the account that runs Identity Server and keep it out of version control; the matching user name and password values below are demo credentials only.<br />
<br />
<i><u>store1 configuration file:</u></i><br />
<pre class="xml" name="code"><provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store1admin</property>
      <property name="password">store1admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super">
      <scim-provider id="central_store"/>
    </scim-consumer>
  </scim-consumers>
</provisioning-config>
</pre>
<u><i>central store configuration file:</i></u><br />
<pre class="xml" name="code"><provisioning-config>
  <scim-providers>
    <scim-provider id="store1">
      <property name="userName">centraladmin</property>
      <property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9443/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9443/wso2/scim/Groups</property>
    </scim-provider>
    <scim-provider id="store2">
      <property name="userName">centraladmin</property>
      <property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9445/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9445/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super">
      <scim-provider id="store1"/>
      <scim-provider id="store2"/>
    </scim-consumer>
    <scim-consumer id="store1admin@carbon.super">
      <scim-provider id="store2"/>
    </scim-consumer>
    <scim-consumer id="store2admin@carbon.super">
      <scim-provider id="store1"/>
    </scim-consumer>
  </scim-consumers>
</provisioning-config>
</pre>
<u><i>store2 configuration file:</i></u><br />
<pre class="xml" name="code"><provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store2admin</property>
      <property name="password">store2admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super">
      <scim-provider id="central_store"/>
    </scim-consumer>
  </scim-consumers>
</provisioning-config>
</pre>
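<br />
Two mistakes are easy to make in this topology: a provider list that sends an update back to the node it came from (an echo), and a pair of per-account entries that keep forwarding to each other (a loop). The following Python script is an added example of my own, not part of Identity Server, that checks for both without talking to any server. It parses constructed copies of the three provisioning-config.xml files above, maps each provider's endpoint port back to a node, and replays one operation from every node using the forwarding rule described in this post: a local operation fans out to the tenant's global providers, while an operation that arrived over SCIM fans out to the providers registered under the account that authenticated it. The port-to-node map and the hop bound are assumptions of the example.<br />

```python
"""Audit WSO2 IS provisioning-config.xml files for echoes and forwarding loops (offline)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TENANT = "carbon.super"
# Assumed port-to-node map for the three instances (port offsets 0, 1 and 2 from step 1).
NODE_BY_PORT = {9443: "store1", 9444: "central", 9445: "store2"}

# Constructed copies of the three configuration files shown above.
CONFIGS = {
    "store1": """<provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store1admin</property><property name="password">store1admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super"><scim-provider id="central_store"/></scim-consumer>
  </scim-consumers>
</provisioning-config>""",
    "central": """<provisioning-config>
  <scim-providers>
    <scim-provider id="store1">
      <property name="userName">centraladmin</property><property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9443/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9443/wso2/scim/Groups</property>
    </scim-provider>
    <scim-provider id="store2">
      <property name="userName">centraladmin</property><property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9445/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9445/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super"><scim-provider id="store1"/><scim-provider id="store2"/></scim-consumer>
    <scim-consumer id="store1admin@carbon.super"><scim-provider id="store2"/></scim-consumer>
    <scim-consumer id="store2admin@carbon.super"><scim-provider id="store1"/></scim-consumer>
  </scim-consumers>
</provisioning-config>""",
    "store2": """<provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store2admin</property><property name="password">store2admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super"><scim-provider id="central_store"/></scim-consumer>
  </scim-consumers>
</provisioning-config>""",
}


def parse_config(xml_text):
    """Return (providers, consumers) for one file.

    providers: provider id -> (target node, userName used to authenticate there)
    consumers: consumer id  -> list of provider ids that consumer fans out to
    """
    root = ET.fromstring(xml_text)
    providers = {}
    for prov in root.find("scim-providers"):
        props = {p.get("name"): p.text for p in prov.findall("property")}
        port = urlparse(props["userEndpoint"]).port
        providers[prov.get("id")] = (NODE_BY_PORT[port], props["userName"])
    consumers = {c.get("id"): [p.get("id") for p in c.findall("scim-provider")]
                 for c in root.find("scim-consumers")}
    return providers, consumers


def propagate(topology, origin, max_hops=8):
    """Replay one operation done by the local admin at `origin`.

    Returns (reached, echoes): every node that received the update, in order, and
    the nodes that received it a second time or got their own update back.
    Raises RuntimeError when forwarding never terminates (a provisioning loop).
    """
    reached, echoes = [], []
    queue = [(origin, TENANT, 0)]                 # (node, consumer id, hop count)
    while queue:
        node, consumer, hops = queue.pop(0)
        if hops > max_hops:
            raise RuntimeError(f"provisioning loop starting at {origin}")
        providers, consumers = topology[node]
        for pid in consumers.get(consumer, []):
            target, user = providers[pid]
            if target == origin or target in reached:
                echoes.append(target)
            reached.append(target)
            # At the target the request is a SCIM call authenticated as `user`, so only
            # the provider list registered under that account applies there.
            queue.append((target, f"{user}@{TENANT}", hops + 1))
    return reached, echoes


def audit(configs):
    """Map each origin node to (set of nodes reached, list of echoes)."""
    topology = {node: parse_config(xml) for node, xml in configs.items()}
    return {origin: (lambda r: (frozenset(r[0]), r[1]))(propagate(topology, origin))
            for origin in topology}


if __name__ == "__main__":
    for origin, (reached, echoes) in audit(CONFIGS).items():
        print(f"{origin}: reaches {sorted(reached)}; echoes {echoes}")
```

Run it as a script after editing the files: each origin should reach the other two nodes with an empty echo list. Adding a `centraladmin@carbon.super` consumer at a store that points back at `central_store` shows up as an echo, and adding it at both stores turns into a loop that the hop bound catches.<br />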
<br /></div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com1tag:blogger.com,1999:blog-6247594794349776721.post-29223222642501655612012-11-03T08:26:00.003-07:002013-01-21T19:47:42.184-08:00WSO2 Identity Server as a SCIM Service Provider<div dir="ltr" style="text-align: left;" trbidi="on">
As I have blogged in my previous <a href="http://hasini-gunasinghe.blogspot.com/2012/03/implementing-scim-with-charon-part-iii.html">posts</a>, we have developed WSO2 Charon as an open source implementation of the SCIM protocol, an open standard for identity provisioning.<br />
<br />
It can be used by anyone who wants to add SCIM-based provisioning support to their applications.<br />
<br />
We have integrated WSO2 Charon with WSO2 Identity Server 4.0.0, which is available for download at http://wso2.com/products/identity-server/<br />
<br />
In this post, I am going to demonstrate how to use its SCIM endpoints, which expose the User and Group resources in a RESTful way.<br />
<br />
Following is a high level overview of the SCIM service provider architecture of IS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOIMctqWpS5cga5LVRMUMJRxC5WgrBnixuDoyDM3Bh_2WFldtDKhn7jHb49RSXvRM7TAPjq-WQwS0eWC2bM7F4ttat5VW5QBRRjXhCSY0LYJFnj_ExZJPC9Ug7OL1i_uNkIgobCqyUNv4/s1600/Untitled+presentation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOIMctqWpS5cga5LVRMUMJRxC5WgrBnixuDoyDM3Bh_2WFldtDKhn7jHb49RSXvRM7TAPjq-WQwS0eWC2bM7F4ttat5VW5QBRRjXhCSY0LYJFnj_ExZJPC9Ug7OL1i_uNkIgobCqyUNv4/s400/Untitled+presentation.png" width="400" /></a></div>
For simplicity, I will use curl commands to send CRUD requests to the REST endpoints of Identity Server.<br />
<br />
Download Identity Server from the link above, unzip it and start it.<br />
<br />
URL of the SCIM User endpoint: https://localhost:9443/wso2/scim/Users<br />
URL of the SCIM Group endpoint: https://localhost:9443/wso2/scim/Groups<br />
<br />
These endpoints are exposed over HTTPS, since sensitive information is exchanged, and are protected with HTTP Basic authentication. The <i>-k</i> flag in the curl commands below skips certificate verification; that is acceptable against the default self-signed certificate of a local test instance, but never against a real deployment, because the Basic Auth credentials would then be exposed to anyone who can intercept the connection.<br />
<br />
<b><i>Create User:</i></b><br />
<span style="font-size: x-small;">curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","password":"hasinitg","emails":[{"primary":true,"value":"hasini_home.com","type":"home"},{"value":"hasini_work.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users</span><br />
<br />
Here we authenticate with Basic Auth and send the payload in JSON format, adhering to the SCIM 1.1 specification. The JSON body is wrapped in single quotes so that the shell passes the double quotes inside it to curl unchanged; with double quotes around the body the inner quotes would be stripped and the server would receive invalid JSON.<br />
<br />
You will get a response with 201 CREATED status and a payload as below:<br />
<span style="font-size: x-small;">{"id":"48f7cfe5-f0e3-4a67-af7e-d762aa9ab215","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"hasini_home.com","type":"home"},{"value":"hasini_work.com","type":"work"}],"meta":{"lastModified":"2012-11-03T18:36:53","location":"https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215","created":"2012-11-03T18:36:53"}}</span><br />
<br />
There you will notice that it contains some additional attributes, such as the unique id, created, lastModified and location, which are read-only attributes set by the service provider.<br />
<br />
Now access the management console of Identity Server in a browser at <span style="font-size: x-small;">https://localhost:9443/carbon/admin/login.jsp</span> and log in as admin with password admin.<br />
<br />
You will notice that the user created above is shown under <span style="font-size: x-small;">Configure > Users and Roles > Users</span>.<br />
<br />
You can open the user's profile and see that first name and last name are set properly but the other fields are not. That is because the default Carbon claims map to a different set of LDAP attributes than the SCIM-specific claim dialect (I will discuss this in detail later).<br />
<br />
Those attributes are nevertheless stored in the underlying user store. You can verify that by sending a GET request for the user.<br />
<br />
<i><b>GET User:</b></i><br />
You can retrieve a particular user resource using its unique id:<br />
<br />
<span style="font-size: x-small;">curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215</span><br />
<br />
You will notice that all the attributes that were sent are there in the response as well.<br />
<br />
<b><i>List Users:</i></b><br />
Now create some users through the web management console of Identity
Server and fill in their profile details. I created two users called
Umesha and Shyama and filled in their profile details.<br />
<br />
<span style="font-size: x-small;">curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users</span><br />
<br />
Response:<br />
<br />
<span style="font-size: x-small;">{"schemas":["urn:scim:schemas:core:1.0"],</span><br />
<span style="font-size: x-small;">"totalResults":3,</span><br />
<span style="font-size: x-small;">"Resources":</span><br />
<span style="font-size: x-small;">[</span><br />
<span style="font-size: x-small;"> {"id":"48f7cfe5-f0e3-4a67-af7e-d762aa9ab215","name": {"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"hasini_work.com","type":"work"},{"value":"hasini_home.com","type":"home"}],"meta":{"lastModified":"2012-11-03T18:36:53","created":"2012-11-03T18:36:53","location":"https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215"}},</span><br />
<br />
<span style="font-size: x-small;">{"id":"8dd71de9-e2f9-47b7-a5d4-a5f3862950ff","profileUrl":"shyama@blogspot.com","ims":["gmail"],"roles":["everyone"],"name":{"familyName":"shyama","givenName":"Shyama"},"userName":"shyama","emails":["shyama@example.com"],"phoneNumbers":[{"value":"7890","type":"mobile"}],"addresses":[{"value":"Panadura","type":"streetAddress"},{"value":"Sri Lanka","type":"country"}],"meta":{"lastModified":"2012-11-03T18:53:46","created":"2012-11-03T18:52:41"}},</span><br />
<br />
<span style="font-size: x-small;">{"id":"6b14c23d-4811-4bbd-b653-04fcda2df266","profileUrl":"umesha@blogspot.com","ims":["gmail"],"roles":["everyone"],"name":{"familyName":"umesha","givenName":"Umesha"},"userName":"umesha","emails":["umesha@gmail.com"],"phoneNumbers":[{"value":"857657","type":"mobile"}],"addresses":[{"value":"Pannipitiya","type":"streetAddress"},{"value":"Sri Lanka","type":"country"}],"meta":{"lastModified":"2012-11-03T18:51:52","created":"2012-11-03T18:50:26"}}</span><br />
<span style="font-size: x-small;"> ]</span><br />
<span style="font-size: x-small;">}</span><br />
<br />
You can see the representations of the three users, with attributes in JSON format adhering to the SCIM schema.<br />
<br />
<i><b>Update User:</b></i><br />
I am going to update the work and home emails of user hasinitg with the following curl command:<br />
<br />
<i>Note</i>: you have to use the correct SCIM id, taken either from the create user response or from the list users response.<br />
<br />
<span style="font-size: x-small;">curl -v -k --user admin:admin -X PUT -d '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"hasini@wso2.com","type":"work"},{"value":"hasi7786@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215</span><br />
<br />
You will get a 200 OK response with a payload containing the updated user representation.<br />
<br />
<i><b>Delete User:</b></i><br />
Now I will delete the user with userName 'shyama', who was created through the management console of IS:<br />
<br />
<span style="font-size: x-small;">curl -v -k --user admin:admin -X DELETE https://localhost:9443/wso2/scim/Users/8dd71de9-e2f9-47b7-a5d4-a5f3862950ff -H "Accept: application/json"</span><br />
<br />
You will get a response with status 200 OK and the user will be deleted from the user store.<br />
<br />
In the same way, we can manage groups by performing CRUD operations on the Group resource endpoint.<br />
<br />
<i><b>Filter User:</b></i><br />
Since CRUD operations have to be performed using the SCIM id, which is unique to the service provider, the User REST endpoint also supports a filter operation. You can filter users by userName, which is the unique user attribute in Carbon servers. Identity Server 4.0.0 accepts the compact filter form shown here, <i>userNameEq&lt;value&gt;</i>; the filter syntax defined by the SCIM 1.1 specification is <i>userName eq "umesha"</i>, sent URL-encoded.<br />
<br />
<span style="font-size: x-small;">curl -v -k --user admin:admin "https://localhost:9443/wso2/scim/Users?filter=userNameEqumesha"</span><br />
<br />
You will get a response like the one below, from which you can extract the SCIM id to perform the rest of the operations.<br />
<span style="font-size: x-small;"><span style="font-size: small;"><br /></span></span>
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">{"schemas":["urn:scim:schemas:core:1.0"],"totalResults":1,"Resources":[{"id":"6b14c23d-4811-4bbd-b653-04fcda2df266","profileUrl":"umesha@blogspot.com","ims":["gmail"],"roles":["everyone"],"name":{"familyName":"umesha","givenName":"Umesha"},"userName":"umesha","emails":["umesha@gmail.com"],"phoneNumbers":[{"value":"857657","type":"mobile"}],"addresses":[{"value":"Pannipitiya","type":"streetAddress"},{"value":"Sri Lanka","type":"country"}],"meta":{"lastModified":"2012-11-03T18:51:52","created":"2012-11-03T18:50:26"}}]}</span></span></span><br />
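<br />
The same filter-then-update-then-delete sequence, as an added Python example of my own rather than code from the post or from WSO2: the client builds the JSON with json.dumps, so the shell quoting problem of the curl commands cannot occur, sends the HTTP Basic credentials on every request, checks the status code before parsing the body, and only disables certificate verification when explicitly asked (the equivalent of curl -k). The transport is injectable; the fake_transport stand-in is constructed from the filter response above so the workflow runs offline. The base URL, the admin credentials and the umesha@example.com address are assumptions.<br />

```python
"""Minimal SCIM 1.1 client for the WSO2 IS User endpoint, with an offline stand-in for testing."""
import base64
import json
import ssl
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen


class ScimClient:
    def __init__(self, base_url, username, password, transport=None, verify_tls=True):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
        self.transport = transport or self._http_transport(verify_tls)

    @staticmethod
    def _http_transport(verify_tls):
        """Real HTTPS transport. verify_tls=False is the equivalent of curl -k: only for a
        local test instance with the default self-signed certificate, never in production."""
        ctx = ssl.create_default_context()
        if not verify_tls:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE

        def send(method, url, headers, body):
            try:
                with urlopen(Request(url, data=body, headers=headers, method=method), context=ctx) as r:
                    return r.status, r.read()
            except HTTPError as e:
                return e.code, e.read()
        return send

    def _call(self, method, path, payload=None, expect=(200,)):
        headers = dict(self.headers)
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()       # no shell quoting to get wrong
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, self.base + path, headers, body)
        if status not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def create_user(self, user_name, password, family, given, emails):
        payload = {"schemas": ["urn:scim:schemas:core:1.0"], "userName": user_name,
                   "password": password, "name": {"familyName": family, "givenName": given},
                   "emails": [{"value": v, "type": t} for v, t in emails]}
        return self._call("POST", "/Users", payload, expect=(201,))

    def find_user_id(self, user_name):
        """Resolve a userName to the server-assigned SCIM id via the filter query.
        IS 4.0.0 accepts the compact form userNameEq<value> used in this post; the
        SCIM 1.1 specification form is userName eq "<value>" (URL-encoded)."""
        listing = self._call("GET", "/Users?filter=" + quote("userNameEq" + user_name))
        matches = [r for r in listing.get("Resources", []) if r.get("userName") == user_name]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} users match userName={user_name!r}")
        return matches[0]["id"]

    def update_user(self, user_id, representation):
        return self._call("PUT", f"/Users/{user_id}", representation)

    def delete_user(self, user_id):
        self._call("DELETE", f"/Users/{user_id}", expect=(200, 204))
        return True


# Constructed stand-in for the IS endpoint, built from the sample filter response above,
# so the workflow below runs without a server.
UMESHA = {"id": "6b14c23d-4811-4bbd-b653-04fcda2df266", "userName": "umesha",
          "name": {"familyName": "umesha", "givenName": "Umesha"}, "emails": ["umesha@gmail.com"]}


def fake_transport(method, url, headers, body):
    assert headers["Authorization"].startswith("Basic ")    # every request must be authenticated
    if method == "GET" and url.endswith("/Users?filter=userNameEqumesha"):
        return 200, json.dumps({"totalResults": 1, "Resources": [UMESHA]}).encode()
    if method == "PUT" and url.endswith("/Users/" + UMESHA["id"]):
        return 200, body                                       # echo the new representation
    if method == "DELETE" and url.endswith("/Users/" + UMESHA["id"]):
        return 200, b""
    return 404, b'{"Errors":[{"description":"not found"}]}'


def demo(client=None):
    """Filter by userName, then update and delete by SCIM id. Returns (id, updated emails)."""
    client = client or ScimClient("https://localhost:9443/wso2/scim", "admin", "admin",
                                  transport=fake_transport)
    uid = client.find_user_id("umesha")
    new_emails = [{"value": "umesha@example.com", "type": "work"}]   # assumed new address
    updated = client.update_user(uid, {**UMESHA, "emails": new_emails})
    client.delete_user(uid)
    return uid, updated["emails"]


if __name__ == "__main__":
    print(demo())
```

Against a real instance, construct the client without the transport argument (and with verify_tls=False only for the local self-signed setup); the fake transport also shows the failure path, since any unknown userName comes back as a 404 that _call turns into an exception instead of silently returning an empty id.<br />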
<br />
<i><b>Create Group:</b></i><br />
You can create groups either with or without members.<br />
The following command creates a group with one member.<br />
<br />
Note: when creating a group with members, each member must already exist in the user store, and you reference it by its SCIM id. So let's create a new group named 'engineer' with user 'umesha' as a member.<br />
<br />
<span style="font-size: x-small;">curl -v -k --user admin:admin --data '{"displayName": "engineer","members": [{"value":"6b14c23d-4811-4bbd-b653-04fcda2df266","display": "umesha"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups</span><br />
<br />
You will get a 201 CREATED response with a payload like the one below:<br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">{"id":"e8868723-30b2-4979-ae23-6d1de2e7d841","schemas":["urn:scim:schemas:core:1.0"],"displayName":"engineer","members":[{"value":"6b14c23d-4811-4bbd-b653-04fcda2df266","display":"umesha"}],"meta":{"lastModified":"2012-11-03T20:33:16","created":"2012-11-03T20:33:16","location":"https://localhost:9443/wso2/scim/Groups/e8868723-30b2-4979-ae23-6d1de2e7d841"}}</span> </span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;">In the IS management console you can see the new group listed under Roles, with umesha among the users of that role.</span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><i><b>List Groups:</b></i> </span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;">Now let's create another role through the IS management console and then list all the groups. Create a group named 'manager' without any users in it.</span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;">Now list the groups with a GET on the Groups endpoint; both groups are returned:</span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">{"schemas":["urn:scim:schemas:core:1.0"],</span></span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;"> "totalResults":2,"Resources":[</span></span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">{"id":"e8868723-30b2-4979-ae23-6d1de2e7d841","displayName":"engineer","members":[{"value":"6b14c23d-4811-4bbd-b653-04fcda2df266","display":"umesha"}],"meta":{"lastModified":"2012-11-03T20:33:16","created":"2012-11-03T20:33:16","location":"https://localhost:9443/wso2/scim/Groups/e8868723-30b2-4979-ae23-6d1de2e7d841"}},</span></span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">{"id":"3f26902e-c22b-48bc-ba0a-c197a5710b70","displayName":"manager","meta":{"lastModified":"2012-11-03T20:39:25","created":"2012-11-03T20:39:25","location":"https://localhost:9443/wso2/scim/Groups3f26902e-c22b-48bc-ba0a-c197a5710b70"}}</span></span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">]} </span></span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><i><b>Update Group:</b></i> </span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;">Now let's rename the group 'manager' to 'executive' with a PUT on its SCIM id. PUT replaces the resource with the attributes you send, so for a group that has members you would include the members list as well; 'manager' has none, so displayName alone is enough:</span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">curl -v -k --user admin:admin -X PUT -d '{"displayName": "executive"}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/3f26902e-c22b-48bc-ba0a-c197a5710b70</span></span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;">You get a 200 OK response with the full JSON representation of the updated group.</span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><i><b>Delete Group:</b></i> </span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;">A group is deleted by its SCIM id. The following command deletes the group 'executive':</span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">curl -v -k --user admin:admin -X DELETE https://localhost:9443/wso2/scim/Groups/</span></span></span><span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">3f26902e-c22b-48bc-ba0a-c197a5710b70</span></span></span><span style="font-size: x-small;"><span style="font-size: small;"> -H "Accept: application/json" </span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><i><b>Filter Group:</b></i> </span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;">You can filter groups by display name. The following command returns the group whose display name is 'engineer':</span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;"><br /></span></span>
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Groups?filter=displayNameEqengineer</span></span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;"><span style="font-size: small;">Response:</span></span></span></span><br />
<span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;"><span style="font-size: small;"><span style="font-size: x-small;">{"schemas":["urn:scim:schemas:core:1.0",null],"totalResults":1,"Resources":[{"id":"e8868723-30b2-4979-ae23-6d1de2e7d841","displayName":"engineer","members":[{"value":"6b14c23d-4811-4bbd-b653-04fcda2df266","display":"umesha"}],"meta":{"lastModified":"2012-11-03T20:33:16","created":"2012-11-03T20:33:16","location":"https://localhost:9443/wso2/scim/Groups/e8868723-30b2-4979-ae23-6d1de2e7d841"}}]}</span> </span> </span></span></span><br />
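The same group lifecycle (create with a member, list, filter, rename, delete) as a small Python client, added here as an example; it is not WSO2's code and not part of the original post. It assumes the /wso2/scim base URL, the Basic-auth admin credentials and the SCIM 1.1 core schema shown above. FakeScimServer is a constructed stand-in that answers with the status codes and JSON shapes of the responses above so the whole flow runs offline, and the "member must already exist" precondition is exercised with a made-up id that was never provisioned.

```python
"""SCIM 1.1 Group lifecycle against the WSO2 IS endpoint used in the post.
Added example, not WSO2 code: it assumes the /wso2/scim base URL, HTTP Basic admin
credentials and the SCIM 1.1 core schema shown above. transport is any callable
(method, url, headers, body) -> (status, bytes); FakeScimServer is a constructed
stand-in so the flow runs offline."""
import base64
import json
import urllib.parse

SCIM_CORE = "urn:scim:schemas:core:1.0"

class ScimGroupClient:
    def __init__(self, base_url, username, password, transport):
        self.base = base_url.rstrip("/")
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + cred, "Accept": "application/json"}
        self.transport = transport

    def _call(self, method, path, payload=None, expect=(200,)):
        headers, body = dict(self.headers), None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, self.base + path, headers, body)
        if status not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def create_group(self, display_name, members=()):
        # A member entry carries the member's SCIM id in "value", so the user must
        # already exist: the post looks up umesha's id before creating 'engineer'.
        payload = {"schemas": [SCIM_CORE], "displayName": display_name}
        if members:
            payload["members"] = [{"value": uid, "display": name} for uid, name in members]
        return self._call("POST", "/Groups", payload, expect=(201,))

    def list_groups(self, display_name=None):
        # The post's shorthand filter (displayNameEq<name>), URL-encoded instead of pasted raw.
        query = "?" + urllib.parse.urlencode({"filter": f"displayNameEq{display_name}"}) if display_name else ""
        return self._call("GET", "/Groups" + query)["Resources"]

    def rename_group(self, group_id, new_name):
        # PUT replaces the resource; 'manager' has no members, so displayName alone is enough.
        return self._call("PUT", f"/Groups/{group_id}", {"displayName": new_name})

    def delete_group(self, group_id):
        self._call("DELETE", f"/Groups/{group_id}", expect=(200, 204))

class FakeScimServer:
    """Constructed in-memory stand-in for the IS endpoint; it answers with the status
    codes and JSON shapes of the responses shown in the post."""
    def __init__(self, existing_user_ids):
        self.users, self.groups, self.counter = set(existing_user_ids), {}, 0

    def __call__(self, method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, b""
        parts = urllib.parse.urlparse(url)
        data = json.loads(body) if body else {}
        gid = parts.path.rsplit("/", 1)[-1]
        if method == "POST":
            if any(m["value"] not in self.users for m in data.get("members", [])):
                return 404, b'{"Errors":[{"description":"member not found"}]}'
            self.counter += 1
            gid = f"00000000-0000-4000-8000-{self.counter:012d}"
            self.groups[gid] = {"id": gid, **data}
            return 201, json.dumps(self.groups[gid]).encode()
        if method == "GET":
            found = list(self.groups.values())
            for f in urllib.parse.parse_qs(parts.query).get("filter", []):
                found = [g for g in found if g["displayName"] == f.split("Eq", 1)[1]]
            page = {"schemas": [SCIM_CORE], "totalResults": len(found), "Resources": found}
            return 200, json.dumps(page).encode()
        if gid not in self.groups:
            return 404, b""
        if method == "PUT":
            self.groups[gid] = {"id": gid, **data}  # PUT is a full replace, as in SCIM
            return 200, json.dumps(self.groups[gid]).encode()
        del self.groups[gid]  # DELETE
        return 200, b""

def demo(client, umesha_id):
    """Runs the post's sequence and reports what each step returned."""
    engineer = client.create_group("engineer", [(umesha_id, "umesha")])
    manager = client.create_group("manager")
    try:  # constructed id that was never provisioned: the server must refuse it
        client.create_group("qa", [("00000000-0000-0000-0000-000000000000", "ghost")])
        ghost_rejected = False
    except RuntimeError:
        ghost_rejected = True
    listed = sorted(g["displayName"] for g in client.list_groups())
    filtered = [g["id"] for g in client.list_groups("engineer")]
    renamed = client.rename_group(manager["id"], "executive")["displayName"]
    client.delete_group(manager["id"])
    return {"engineer_members": [m["value"] for m in engineer["members"]],
            "ghost_rejected": ghost_rejected, "listed": listed, "filtered": filtered,
            "renamed_to": renamed, "remaining": [g["displayName"] for g in client.list_groups()]}
```

Run it offline with demo(ScimGroupClient("https://localhost:9443/wso2/scim", "admin", "admin", FakeScimServer({umesha_id})), umesha_id), where umesha_id is the "id" from the user listing above. To talk to a real server, supply a transport that performs the HTTPS call; do not reproduce curl's -k there, because disabling certificate verification exposes the admin credentials that every one of these requests carries.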
<br />
</div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com14tag:blogger.com,1999:blog-6247594794349776721.post-88791483002905447112012-09-16T14:43:00.002-07:002012-11-14T21:59:18.553-08:00Towards a viable and secure health information system - Part 1<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<i><b>IT for HealthCare - Why it is important..</b></i><br />
<br />
<div style="text-align: justify;">
IT has influenced almost all aspects of human life, from education to communication, transport, banking and trading, for the betterment of each field, and healthcare is no exception.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A large volume of medical records is generated every day, including patients' medical history, prescriptions, laboratory results, radiology reports, medications and so on.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Generating, storing, maintaining and sharing them as electronic medical records (EMRs) has many advantages over paper-based records.<br />
Making a patient's records available as EMRs gives fast access from wherever the patient goes for treatment, which reduces the cost and the risk of repeating harmful diagnostic tests and treatments, and avoids missing critical information in the patient's medical history.<br />
EMRs interfaced with Personal Health Record (PHR) systems give patients better access to and control over their own records. EMRs in turn support insurance claims and provide statistics for medical research, which again contributes to the advancement of healthcare.</div>
<br />
<div style="text-align: justify;">
There are many initiatives and a lot of research aimed at a robust healthcare information system that protects patients' privacy and security, but no country has yet achieved the ultimate country-wide system, as far as I know.</div>
<br />
<b><i>Concerns in adopting EHR..</i></b><br />
<br />
Examples of PHR services that have emerged over the past years are Google Health and Microsoft HealthVault, which interface with existing EMR systems. The paper at [1] and the article at [2] talk about the issues encountered, and the solutions applied, with these two services in a pilot project.<br />
<br />
<div style="text-align: justify;">
And this <a href="http://www.technologyreview.com/news/424535/how-a-broken-medical-system-killed-google-health/">article</a> [3] discusses how the ineffective healthcare information system led to the discontinuation of Google Health.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Therefore, along with all the advantages, there are technical, political and practical issues in implementing a robust country-wide health information system, among which security risks and privacy concerns play a major role, since a healthcare system handles highly sensitive and critical data. </div>
<div style="text-align: justify;">
The better the access, the greater the advantages, and the greater the security and privacy concerns involved.</div>
<br />
<i><b>Research problems inspired by those concerns & my views</b></i>..<br />
<br />
<div style="text-align: justify;">
I happened to read this <b>interesting paper at [4]</b>, which discusses the recommendations made in chapter 5 of the PCAST (<i>President's Council of Advisors on Science and Technology</i>) Health Information Technology Report, based on the problems and requirements that report identified in the space of security and privacy in healthcare IT. </div>
<br />
<div style="text-align: justify;">
While some of the recommendations in that report can be addressed with off-the-shelf solutions, others open up research problems for the research community.</div>
<div style="text-align: justify;">
The paper [4] identifies and expands on research problems inspired by the recommendations presented in the PCAST report.<br />
<br />
<u><b>Note:</b></u> At the final stages of the series of blog posts that I have been writing on this, I found that the PCAST report on which the research paper [4] was based has caused some arguments in the field. For example, refer to document [5]. However, the <b>purpose of my research and these blog posts is solely to</b> identify research problems in the space of security and identity management in healthcare information systems which, upon realization, will cause human advancement,<b> and not to</b> advocate the PCAST report.</div>
<br />
The paper [4] is the focus of the <a href="http://hasini-gunasinghe.blogspot.com/search/label/Security%20in%20HealthCare%20IS">series of posts</a> starting with this one. There I summarize the main aspects the paper discusses with regard to security & privacy of healthcare information systems (IS), along with my views and findings on them where applicable.<br />
<br />
Before going into detail, the following diagram illustrates the main points to be discussed around a secure healthcare IS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQllbTQA_qFLq_Xvms2k8hTEe_pT8CScCaDzLa9ipffZ7peKAP2RHvhyaXJThWNIK1II-Jq_7WF9KkBmqQj90tG_3NnAWENvY5yYotA-5joUh9N817hlA_HbNvc5zG1Zo2tlpZfbh5pss/s1600/fullImage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQllbTQA_qFLq_Xvms2k8hTEe_pT8CScCaDzLa9ipffZ7peKAP2RHvhyaXJThWNIK1II-Jq_7WF9KkBmqQj90tG_3NnAWENvY5yYotA-5joUh9N817hlA_HbNvc5zG1Zo2tlpZfbh5pss/s640/fullImage.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Let's discuss each of the above aspects in detail..<br />
<b> </b><br />
<b>1. Identity Management and Authentication</b><br />
Let's start with the first aspect: managing patients' identities and authenticating users in health information systems.<br />
<ul style="text-align: justify;">
<li>Each citizen's EMRs need to be mapped to his/her identity in a robust and accurate manner. This becomes more challenging when EMRs for the same patient are generated by multiple healthcare providers. The report highlights that some countries reject the use of existing physical identifiers, such as a national identity number or social security number, to uniquely identify patients and map EMRs to them. This can result in one patient's EMRs being mapped to multiple identities, or multiple patients' EMRs to the same identity, when reconciling or merging EMRs from different providers that have stored them in different formats in legacy systems.</li>
</ul>
<ul style="text-align: left;">
<li>On the other hand, authenticating users who access EMRs through different channels, such as PHR applications on desktops and mobile devices, is a critical aspect, and the right authentication factors need to be identified to avoid privacy and confidentiality breaches.</li>
</ul>
<div>
<div style="text-align: justify;">
<ul>
<li>The report identifies authentication factors in three categories, physical credentials, biometrics and secrets, and suggests that authentication should involve at least two of these factors.</li>
</ul>
</div>
<div style="text-align: justify;">
<ul>
<li>The paper suggests that the obvious solution is to assign a globally unique healthcare identification number to every patient and every healthcare provider (which of course raises political and technical issues with respect to legacy databases), because without a unique id, managing medical records in a large system with multiple providers and many incompatible vendors becomes a problem, as discussed above.</li>
</ul>
<ul>
<li>As the paper identifies, research problems inspired by the above requirements and issues include:</li>
</ul>
<div style="text-align: left;">
1. developing/improving existing biometric techniques to identify individuals </div>
<div style="text-align: left;">
2. developing techniques to reconcile data from different sources</div>
<div style="text-align: left;">
3. developing authentication techniques that are less vulnerable to attacks</div>
<br />
Let me mention my views on the above aspects, based on my knowledge of existing solutions in the domain and my findings about ongoing research efforts:<br />
<ul>
<li>I too strongly agree with the paper's suggestion on assigning a globally unique id to index individuals' EMRs.</li>
</ul>
Regarding identity management and authentication:<br />
<ul>
<li>Although different healthcare providers participate in a country-wide healthcare information system, citizens' identities should be maintained by a centralized trusted authority, which we can identify as the identity provider (IdP) of the entire system. This can be considered part of the national security infrastructure. Thereby we avoid duplicated patient identities in different systems and the multiple-credential anti-pattern. Individual healthcare service providers can integrate with the central system as relying parties, retrieving a particular user's identity information from the identity provider and relying on it to authenticate users.</li>
</ul>
<ul>
<li>With that type of interaction between the systems, existing web-based authentication mechanisms such as SAML2 Web Browser SSO and OpenID-based decentralized single sign-on can give users seamless access to the different portals/web applications in the healthcare information system while identity and authentication are managed in a single place.</li>
</ul>
<ul>
<li>And if it is a web service of a third-party healthcare service provider that the user needs to authenticate to, brokered authentication mechanisms built on top of WS-Security, such as WS-Trust, can be used.</li>
</ul>
<ul>
<li>But in this kind of centralized identity and authentication management, authentication at the central identity provider should be based on strong authentication factors, including biometrics (such as fingerprints, which are easier to support than other biometrics), because a successful attack on the IdP gives the attacker the patient's identity and, through single sign-on, seamless access to every other application that exposes EMRs and PHRs.</li>
</ul>
<ul>
<li>An example implementation of XMPP-based multi-factor authentication that mitigates phishing attacks on an OpenID provider can be found <a href="http://thilinamb.wordpress.com/2009/06/04/multi-factor-authentication-with-wso2-identity-server-2-0/">here</a>. Some research projects have analyzed different authentication mechanisms, including biometrics. For example, the "<a href="http://www.cerias.purdue.edu/site/projects/detail/human_factors_in_online_security_and_privacy/">Human Factors in Online Security and Privacy</a>" project [6] at <a href="http://www.cerias.purdue.edu/">CERIAS</a> has done such an analysis.</li>
</ul>
<ul>
<li>Further, when enforcing authentication at the back-end <b>web services</b> that expose a patient's EMRs, which are usually accessed <b>through</b> different user applications (web portals, mobile applications, PHR applications etc.) <b>by</b> different principals (doctors, laboratory scientists, patients etc.), it is better to use the mutual-authentication-based <b>trusted subsystem pattern</b>, where only trusted applications may call the BE services on behalf of users who were authenticated at the front-end application. This avoids propagating users' credentials to the BE services that expose sensitive EMRs, and thereby limits the damage a compromised user credential can do. In this way, authentication and authorization of individual users can be performed at two different layers, for which I will give an example in a future post.</li>
</ul>
</div>
<ul style="text-align: left;">
<li>In summary, we discussed the identity management and authentication aspect of healthcare IS in detail in this post. It is clear that there should be an agreed unique identity attribute for mapping patients' records, and while a number of existing solutions can be used to address the issues in this aspect, there is active research into better and stronger authentication mechanisms.</li>
</ul>
<br />
<i><b>To be continued...</b></i><br />
<br />
In this post we only discussed one of the several aspects illustrated in the image above. We'll discuss the other aspects explored in the paper at [4] in the coming posts.<br />
<br />
<i><b>Motivation...</b></i><br />
<br />
I am passionate about the research carried out in the area of healthcare information systems, mainly its security and privacy aspects, computer security being my preferred area of specialization.<br />
<br />
And I believe that I have come across a great paper during the research on the $subject.<br />
<br />
The paper [4] has successfully achieved its goal of drawing the attention of the security and privacy research community to the problems in healthcare IT that need new solutions, based on the requirements and recommendations highlighted in the PCAST report on health information technology.<br />
<br />
<i><b>References:</b></i> <br />
[1] <a href="http://jamia.bmj.com/content/18/2/118.full.pdf+html">The military health system’s personal health record pilot with Microsoft HealthVault and Google Health</a><br />
[2] <a href="http://www.justmeans.com/Personal-Health-Records-In-Action-Google-Health-Microsoft-HealthVault/46745.html">Personal Health Records In Action: Google Health and Microsoft HealthVault</a><br />
[3] <a href="http://www.technologyreview.com/news/424535/how-a-broken-medical-system-killed-google-health/">How a Broken Medical System Killed Google Health</a><br />
[4] <a href="http://avirubin.com/HealthSec.2011.PCAST.pdf">A Research Roadmap for Healthcare IT Security inspired by the PCAST Health Information Technology Report</a><br />
[5] <a href="http://seclab.illinois.edu/wp-content/uploads/2011/04/PCAST-Workgroup-Letter-111.pdf">PCAST Workgroup Letter to the National Coordinator</a><br />
[6] <a href="http://www.cerias.purdue.edu/site/projects/detail/human_factors_in_online_security_and_privacy/">Human Factors in Online Security and Privacy</a> </div>
</div>
Hasinihttp://www.blogger.com/profile/06687717716325742229noreply@blogger.com2tag:blogger.com,1999:blog-6247594794349776721.post-39987852523382635372012-09-15T05:43:00.002-07:002012-09-23T21:11:04.951-07:00Security Patterns - Direct Authentication & Role Based Access Control<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Authentication and authorization are vital aspects of any secured system or service that exposes business assets to the outside. Authentication alone is not sufficient when you want to restrict access to different resources for different types of authenticated users.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
There are different authentication and authorization patterns.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In this post we will look at how to implement direct authentication and role-based access control.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Direct Authentication</b></div>
<div style="text-align: justify;">
In direct authentication, clients share their credentials with the server through a trust relationship established before the actual service invocation, e.g. during user registration.<br />
When the client accesses the secured service, the credentials it presents are validated against the ones stored in the user store.<br />
We call this direct authentication because the server itself stores the client's credentials and validates them at authentication time, as opposed to brokered authentication, where a third party vouches for the client.<br />
<br />
<b>Role Based Access Control</b><br />
Authorization models have evolved over time. In role-based access control, users are assigned to roles and permissions are assigned to those roles. This is more scalable than a user-centric model where permissions are assigned per user, but it is coarse-grained and coupled to application code, as opposed to policy-based access control, which we'll look at in a future post.<br />
<br /></div>
<div style="text-align: justify;">
Let us secure a service with the above security mechanisms using the WSO2 open source Enterprise Service Bus (ESB).<br />
<br />
<b>Overview</b> <br />
Before going through the steps, the following is the architecture diagram of our solution.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDTv_gmqtXw7ngYktpHBSIS-2HhXK8lC9ZEqpLIcZC5HoFJdqkj6j7whN216PdT_ygqWGxZ15WHcARALrXVJ4kq1bnq86eK9x8MonV7S4vANi-goEDl6SyXk-pwSQlkR5-YWj8bXLR-60/s1600/RBAC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDTv_gmqtXw7ngYktpHBSIS-2HhXK8lC9ZEqpLIcZC5HoFJdqkj6j7whN216PdT_ygqWGxZ15WHcARALrXVJ4kq1bnq86eK9x8MonV7S4vANi-goEDl6SyXk-pwSQlkR5-YWj8bXLR-60/s320/RBAC.png" width="320" /></a></div>
<br /></div>
<div style="text-align: justify;">
- The <i>BE service</i> that exposes the actual business logic is fronted by a <i>proxy service</i> in the ESB, so the BE service is not exposed to the outside directly, and QoS, auditing and any necessary transformation can be enforced at the ESB.<br />
<br />
- The <i>proxy service</i> is secured with WS-Security: it requires a UsernameToken (containing the user's user name and password) to authenticate the user, and applies RBAC to authorize the user before invoking the BE service.<br />
<br />
- User credentials are stored in an Active Directory user store connected to the ESB.</div>
<div style="text-align: justify;">
<br />
<b> Steps:</b><br />
1. Download and extract the latest ESB pack from <a href="http://wso2.com/products/enterprise-service-bus/">here</a>.<br />
<br />
2. Configure Active Directory as the user store: locate user-mgt.xml in [ESB_Home]/repository/conf, enable the ActiveDirectoryUserStoreManager element and fill in the details needed to connect to the AD in your domain. (WSO2 products integrate with heterogeneous user stores, so you can connect any user store you prefer.)<br />
<br />
3. Start the server, open the management console in the browser at https://localhost:9443/carbon and log in with the default credentials admin/admin (change them on any install that is not a throwaway).<br />
<br />
4. BE service: the Echo service shipped with the ESB serves as the BE service in the deployment above. Note its URL (http://localhost:8280/services/echo) and WSDL (http://localhost:8280/services/echo?wsdl); both are used to create the proxy service.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiERW53nJ3qfNVMXSUpwIKQyzOgO75zzj_zYcbZOQWxfnnT_l_YDLgjZRKrfm-f4MNMG_utTYGue0ot9wqDj0qJV-2q8p9nxMtYCMizBHCfP0R3l8bmfMnLZ9av5phzggAM-pU40cDO9e0/s1600/echodashboard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiERW53nJ3qfNVMXSUpwIKQyzOgO75zzj_zYcbZOQWxfnnT_l_YDLgjZRKrfm-f4MNMG_utTYGue0ot9wqDj0qJV-2q8p9nxMtYCMizBHCfP0R3l8bmfMnLZ9av5phzggAM-pU40cDO9e0/s640/echodashboard.png" width="640" /></a></div>
<br />
5. Proxy service: from the left-hand panel, select "Services->Add->Proxy Services" and create a pass-through proxy named "SecuredEchoProxy", giving it the URL and the publish-WSDL URL obtained in the previous step.<br />
<br />
6. Applying security: go to the proxy service's dashboard (like the one shown above) and select "Security" under Quality of Service Configuration.<br />
<br />
<i><b>Enforcing Authentication:</b></i><br />
<br />
- select Enable Security -> Yes<br />
- select the WS-Security mechanism to apply -> Username Token<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitSv1KWJ69mvTLqdiQaQoxbj_sF4TBT1qLO7UwlOAc7jx2He4CCdQQPXrVB_rcIqLbMw54nEcrNO-u990cM0cBb4rUxNWvtyUAYWuHUvoYKW_StS84iBUEJewAi__jBMVvaCQtC45-PPc/s1600/secProxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitSv1KWJ69mvTLqdiQaQoxbj_sF4TBT1qLO7UwlOAc7jx2He4CCdQQPXrVB_rcIqLbMw54nEcrNO-u990cM0cBb4rUxNWvtyUAYWuHUvoYKW_StS84iBUEJewAi__jBMVvaCQtC45-PPc/s640/secProxy.png" width="640" /></a></div>
<br />
<i><b>Enforcing Authorization:</b></i><br />
<br />
- Click Next.<br />
- Select which roles are authorized to access this resource.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9lOGFvxyzd4Mvn1j-p6u_u2ejQeNN5h5J6vbyW27T1NNcIFmcSu9E3PT3dfVsFGsjwpM0YsLkz934zG8jladhoqss6fjQWRN-hW4GOLTtVk8DLiJBEY1vfEiwgD1TnqIpMoFuExMPgX4/s1600/rbac.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9lOGFvxyzd4Mvn1j-p6u_u2ejQeNN5h5J6vbyW27T1NNcIFmcSu9E3PT3dfVsFGsjwpM0YsLkz934zG8jladhoqss6fjQWRN-hW4GOLTtVk8DLiJBEY1vfEiwgD1TnqIpMoFuExMPgX4/s640/rbac.png" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
- Finish applying security.<br />
<br />
You can invoke the proxy service from a SoapUI client or a Java client with user names belonging to different roles and test: a user who authenticates successfully but does not hold one of the selected roles should be rejected by the authorization step, so that is the case worth checking explicitly.<br />
<br />
I have attached a Maven project <a href="https://sites.google.com/site/securedecentralizedblog/is/UT-Sample.zip?attredirects=0&d=1">here</a> with a Java client that can invoke a service secured with the UserName Token security policy.<br />
<br />
<b><i>UserName Token Security Policy:</i></b><br />
<pre class="java" name="code"><wsp:Policy wsu:Id="UTOverTransport" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <!-- Rampart-specific configuration, commented out for clarity (see Remarks).
           encryptionUser and tokenStoreClass were themselves disabled in the original.
      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
      </rampart:RampartConfig>
      -->
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
</pre>
<br />
<b><i>Message Communication:</i></b><br />
<b><i>Request:</i></b>
<br />
<pre class="java" name="code"><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2012-09-15T12:21:11.203Z</wsu:Created>
        <wsu:Expires>2012-09-15T12:26:11.203Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsa:To>https://localhost:8243/services/SecuredEchoProxy</wsa:To>
    <wsa:MessageID>urn:uuid:a205c52e-0d22-465b-87c4-8192de4e3cbc</wsa:MessageID>
    <wsa:Action>urn:echoInt</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <p:echoInt xmlns:p="http://echo.services.core.carbon.wso2.org">
      <p:in>1</p:in>
    </p:echoInt>
  </soapenv:Body>
</soapenv:Envelope>
</pre>
<br />
<b><i>Response: </i></b>
<br />
<pre class="java" name="code"><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2012-09-15T12:21:11.824Z</wsu:Created>
        <wsu:Expires>2012-09-15T12:26:11.824Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:MessageID>urn:uuid:6ece26cd-e349-4246-9481-7b05f6d928c1</wsa:MessageID>
    <wsa:Action>urn:echoIntResponse</wsa:Action>
    <wsa:RelatesTo>urn:uuid:a205c52e-0d22-465b-87c4-8192de4e3cbc</wsa:RelatesTo>
  </soapenv:Header>
  <soapenv:Body>
    <ns:echoIntResponse xmlns:ns="http://echo.services.core.carbon.wso2.org">
      <return>1</return>
    </ns:echoIntResponse>
  </soapenv:Body>
</soapenv:Envelope>
</pre>
</div>
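The two patterns defined at the top of this post, direct authentication against a local user store followed by RBAC, together with the checks the policy above imposes on the request, as an added Python example; it is not part of the original post and not WSO2 or Rampart code. It builds a request shaped like the one above and validates it the way the secured proxy must: timestamp freshness within Rampart's TTL and skew, a nonce cache for replays (the example assumes the token carries a wsse:Nonce), the credential against a constructed salted-hash store standing in for Active Directory, and finally the role check. The user names, passwords and roles are constructed for the example.

```python
"""Direct authentication plus RBAC for a WS-Security UsernameToken, as the policy in
the post enforces it. Added example, not WSO2/Rampart code: user store, roles and clock
are constructed so it runs offline; it assumes the token carries a wsse:Nonce."""
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ECHO = "http://echo.services.core.carbon.wso2.org"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
for p, u in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)): ET.register_namespace(p, u)

def to_wsu(t):  # 2012-09-15T12:21:11.203Z, the format used in the post's messages
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"

def from_wsu(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def build_request(username, password, now, ttl=300):
    """Client side: Timestamp + UsernameToken (PasswordText) around the post's echoInt
    call. Sending the password in clear is acceptable only because the policy's
    TransportBinding forces HTTPS."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "Timestamp-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = to_wsu(now)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = to_wsu(now + dt.timedelta(seconds=ttl))
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-2"})
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(ut, f"{{{WSSE}}}Nonce").text = base64.b64encode(os.urandom(16)).decode()
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{ECHO}}}echoInt")
    ET.SubElement(op, f"{{{ECHO}}}in").text = "1"
    return ET.tostring(env, encoding="unicode")

def make_user_store(plain_passwords):
    """Constructed stand-in for the AD user store: salted PBKDF2 hashes, not clear text."""
    store = {}
    for user, pw in plain_passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))
    return store

class UsernameTokenGuard:
    """Server side: what the secured proxy checks before calling the BE service. ttl /
    max_skew / nonce_life mirror Rampart's timestampTTL, timestampMaxSkew, nonceLifeTime."""
    def __init__(self, users, roles, allowed_roles, ttl=300, max_skew=300, nonce_life=300):
        self.users, self.roles, self.allowed = users, roles, set(allowed_roles)
        self.ttl, self.skew, self.nonce_life = ttl, max_skew, nonce_life
        self.seen = {}  # nonce -> time until which seeing it again counts as a replay

    def check(self, xml, now):
        sec = ET.fromstring(xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        ts = sec.find(f"{{{WSU}}}Timestamp") if sec is not None else None
        ut = sec.find(f"{{{WSSE}}}UsernameToken") if sec is not None else None
        if ts is None or ut is None:
            return "denied: Timestamp or UsernameToken missing"
        created, expires = (from_wsu(ts.findtext(f"{{{WSU}}}{n}")) for n in ("Created", "Expires"))
        skew, ttl = dt.timedelta(seconds=self.skew), dt.timedelta(seconds=self.ttl)
        if created > now + skew or now > expires + skew or now - created > ttl + skew:
            return "denied: timestamp stale"  # bounds the replay window, nothing more
        pw, nonce = ut.find(f"{{{WSSE}}}Password"), ut.findtext(f"{{{WSSE}}}Nonce")
        if pw is None or pw.get("Type") != PASSWORD_TEXT or not pw.text or not nonce:
            return "denied: token shape not allowed by policy"
        self.seen = {n: t for n, t in self.seen.items() if t > now}  # forget expired nonces
        if nonce in self.seen:
            return "denied: replayed nonce"  # the check a timestamp alone cannot do
        # Direct authentication: the server itself holds and verifies the credential.
        user = ut.findtext(f"{{{WSSE}}}Username")
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(
                rec[1], hashlib.pbkdf2_hmac("sha256", pw.text.encode(), rec[0], 100_000)):
            return "denied: bad credentials"
        self.seen[nonce] = now + dt.timedelta(seconds=self.nonce_life)
        # RBAC: the user's roles must intersect the roles selected for the proxy service.
        if not self.roles.get(user, set()) & self.allowed:
            return "denied: role not authorized"
        return "ok"

def demo():
    """Constructed store and roles: admin may call the proxy, umesha may not."""
    guard = UsernameTokenGuard(make_user_store({"admin": "admin", "umesha": "s3cret"}),
                               {"admin": {"admin"}, "umesha": {"everyone"}}, allowed_roles={"admin"})
    t0 = dt.datetime(2012, 9, 15, 12, 21, 11, 203000)  # Created time of the post's request
    req = build_request("admin", "admin", t0)
    return {"fresh": guard.check(req, t0 + dt.timedelta(seconds=1)),
            "replayed": guard.check(req, t0 + dt.timedelta(seconds=2)),
            "wrong_password": guard.check(build_request("admin", "wrong", t0), t0),
            "wrong_role": guard.check(build_request("umesha", "s3cret", t0), t0),
            "stale": guard.check(build_request("admin", "admin", t0), t0 + dt.timedelta(seconds=900))}
```

demo() returns the verdict for a fresh request, the same request replayed, a wrong password, an authenticated user outside the authorized roles, and a stale timestamp. Note that the envelope reaches this code before anything about the sender is known, so a real deployment should parse it with a hardened parser such as defusedxml rather than xml.etree directly.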
<b>Remarks: </b><br />
1. Request message contains user name and password of the user according to the UserName Token profile of WS-Security. Since password is sent in plain text, the security policy enforces a transport binding which requires HTTPS to be used in message communication to provide confidentiality at transport level.<br />
<br />
2. As the security policy requires, both the request and the response carry timestamp values to guard against replay attacks.<br />
<br />
3. Rampart is used as the underlying SOAP security processing module. In the security policy shown above, the Rampart-specific configuration is commented out for clarity.</div>
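<div style="text-align: justify;">
<br />
The receiver-side consequences of remarks 1 and 2, as an added Java example that is not code from this post, from Rampart or from WSO2: it checks that the wsu:Timestamp is still inside its Created/Expires window (with a clock-skew allowance), rejects a second delivery of the same wsa:MessageID as a replay, and flags a UsernameToken whose Password type is PasswordText as one that must only travel over HTTPS. The SOAP header it parses is constructed from the messages above (the request's UsernameToken and MessageID combined with the response's timestamp values, written in the spec's element case); the class name, the 30-second skew and the in-memory MessageID set are this example's assumptions, and in the ESB it is Rampart that performs the real enforcement.</div>

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Receiver-side checks implied by the policy above: timestamp freshness,
 * MessageID replay detection, and "PasswordText requires HTTPS".
 * Added example, not Rampart/WSO2 code.
 */
public class WsSecurityChecks {
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSA = "http://www.w3.org/2005/08/addressing";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Constructed request header: the post's UsernameToken and MessageID plus the response's timestamp values.
    static final String SAMPLE_REQUEST =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Header xmlns:wsa=\"" + WSA + "\">"
      + "<wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"" + WSSE + "\">"
      + "<wsu:Timestamp wsu:Id=\"Timestamp-1\" xmlns:wsu=\"" + WSU + "\">"
      + "<wsu:Created>2012-09-15T12:21:11.824Z</wsu:Created>"
      + "<wsu:Expires>2012-09-15T12:26:11.824Z</wsu:Expires></wsu:Timestamp>"
      + "<wsse:UsernameToken><wsse:Username>admin</wsse:Username>"
      + "<wsse:Password Type=\"" + PASSWORD_TEXT + "\">admin</wsse:Password></wsse:UsernameToken>"
      + "</wsse:Security>"
      + "<wsa:MessageID>urn:uuid:a205c52e-0d22-465b-87c4-8192de4e3cbc</wsa:MessageID>"
      + "</soapenv:Header><soapenv:Body/></soapenv:Envelope>";

    // MessageIDs already accepted; a real cache would evict entries older than the timestamp window.
    private final Set<String> seenMessageIds = new HashSet<>();

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE so an inbound message cannot declare external entities (XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String text(Document doc, String ns, String local) {
        NodeList nl = doc.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    /** Created must not lie in the future and Expires must not have passed, allowing for clock skew. */
    static boolean timestampFresh(Document doc, Instant now, Duration skew) {
        String created = text(doc, WSU, "Created");
        String expires = text(doc, WSU, "Expires");
        if (created == null || expires == null) return false;   // the policy requires a timestamp
        Instant c = Instant.parse(created);
        Instant e = Instant.parse(expires);
        return !c.isAfter(now.plus(skew)) && now.isBefore(e.plus(skew));
    }

    /** True when the token carries the password in clear, i.e. the transport binding must be HTTPS. */
    static boolean passwordSentInClear(Document doc) {
        NodeList nl = doc.getElementsByTagNameNS(WSSE, "Password");
        if (nl.getLength() == 0) return false;
        String type = ((Element) nl.item(0)).getAttribute("Type");
        return type.isEmpty() || PASSWORD_TEXT.equals(type);    // PasswordText is the profile's default type
    }

    /** Accepts a fresh message once; the same wsa:MessageID seen again inside the window is a replay. */
    boolean accept(Document doc, Instant now, Duration skew) {
        if (!timestampFresh(doc, now, skew)) return false;
        String id = text(doc, WSA, "MessageID");
        return id != null && seenMessageIds.add(id);
    }

    public static void main(String[] args) throws Exception {
        WsSecurityChecks checks = new WsSecurityChecks();
        Document req = parse(SAMPLE_REQUEST);
        Duration skew = Duration.ofSeconds(30);                   // assumed tolerance for clock drift
        Instant inWindow = Instant.parse("2012-09-15T12:22:00Z");
        Instant late = Instant.parse("2012-09-15T12:40:00Z");
        System.out.println("cleartext password, HTTPS required: " + passwordSentInClear(req)); // true
        System.out.println("first delivery accepted:  " + checks.accept(req, inWindow, skew));   // true
        System.out.println("same MessageID again:     " + checks.accept(req, inWindow, skew));   // false (replay)
        System.out.println("delivered after Expires:  " + timestampFresh(req, late, skew));       // false
    }
}
```

<div style="text-align: justify;">
The DOCTYPE refusal is there because a SOAP endpoint parses XML chosen by the caller; the skew allowance keeps a slightly drifted client from being rejected while still bounding how long a captured message stays valid.</div>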
<br />
<b>Digital Signature by Example</b> (Hasini, 2012-08-12)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
We use digital signatures for two main purposes in message communication:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. To guarantee the integrity of the content (i.e., to ensure that the message has not been changed in transit from sender to receiver)</div>
<div style="text-align: justify;">
2. To authenticate the message origin (i.e., to verify that the message was sent by the party we believe sent it)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We use cryptographic mechanisms to generate and verify digital signatures. </div>
<div style="text-align: justify;">
Before going to the code level, let me briefly describe the steps involved in creating and verifying a digital signature.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Pre-requisites:</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Have a keystore created with a private key and public key. You can refer to the posts <a href="http://blog.facilelogin.com/2008/03/keystore-management-part-i.html">here</a> and <a href="http://hasini-gunasinghe.blogspot.com/2011/12/installing-new-keystore-into-wso2.html">here</a> for the steps in creating a keystore with a private/public key pair using the Java keytool. </div>
<br />
<b>Creating digital signature at the sender: </b><br />
<br />
<i>1. Computing the hash value of the content to be signed...</i><br />
<br />
<div style="text-align: justify;">
Here we use a cryptographic hash function to create a fixed-length hash value from which it is computationally infeasible to recover the original content (or even its length). The result is called a <i>message digest</i>, and the process is sometimes called <i>one-way encryption</i>. The hash therefore serves as a digital fingerprint of the content to be signed.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<i>2. Encrypting the hash value with the sender's private key...</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Here we use asymmetric-key cryptography to encrypt the hash value computed from the message content; the result is the digital signature.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Verifying digital signature at the receiver:</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<i>1. Decrypting the signature and obtaining the message digest...</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The receiver again applies asymmetric-key cryptography, this time decrypting the message signature with the sender's public key.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
How does the receiver obtain the sender's public key?</div>
<div style="text-align: justify;">
It can happen in different ways depending on the message communication protocol you use. Usually the communicating parties exchange keys in a trusted way before the message communication, or the sender sends the certificate containing the public key along with the signed content and the signature. Sending the bare public key itself is not recommended, since it is susceptible to man-in-the-middle (MITM) attacks. You can read more about this <a href="http://docs.oracle.com/javase/tutorial/security/apisign/enhancements.html">here</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Message origin authentication happens at this step. Since only the owner of the private key matching the public key used to decrypt the signature could have signed the message, we can identify who sent it.</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<i>2. Comparing the hash values to verify message integrity...</i><br />
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
The receiver computes the hash value of the received message and compares it with the hash value sent by the sender, obtained in the previous step by decrypting the digital signature. If the two values are identical, the receiver can be confident that the message's integrity was preserved during transmission.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now let us see how to create and verify a digital signature over some text content with an existing private/public key pair in a keystore named 'mykeystore.jks', using the <b>Java Security API</b>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I hope the comments in the following source code will help you understand each step.</div>
<div style="text-align: justify;">
<pre class="java" name="code">package org.digital.signature.sample;

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;

public class Sample {

    // keystore related constants
    private static String keyStoreFile = "/home/hasini/Digital-Signature/sample/src/main/resources/mykeystore.jks";
    private static String password = "mypassword";
    private static String alias = "mycert";

    public static void main(String[] args) {
        try {
            KeyStore keystore = KeyStore.getInstance("JKS");
            char[] storePass = password.toCharArray();

            // load the key store from the file system (try-with-resources closes the stream even on error)
            try (FileInputStream fileInputStream = new FileInputStream(keyStoreFile)) {
                keystore.load(fileInputStream, storePass);
            }

            /***************************signing********************************/
            // read the private key; this sample assumes the key password equals the keystore password
            KeyStore.ProtectionParameter keyPass = new KeyStore.PasswordProtection(storePass);
            KeyStore.PrivateKeyEntry privKeyEntry = (KeyStore.PrivateKeyEntry) keystore.getEntry(alias, keyPass);
            PrivateKey privateKey = privKeyEntry.getPrivateKey();

            // initialize the signature with the signature algorithm and the private key
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(privateKey);

            // the content to be signed
            String data = "{\n" +
                    "  \"schemas\":[\"urn:scim:schemas:core:1.0\"],\n" +
                    "  \"userName\":\"bjensen\",\n" +
                    "  \"externalId\":\"bjensen\",\n" +
                    "  \"name\":{\n" +
                    "    \"formatted\":\"Ms. Barbara J Jensen III\",\n" +
                    "    \"familyName\":\"Jensen\",\n" +
                    "    \"givenName\":\"Barbara\"\n" +
                    "  }\n" +
                    "}";
            // use an explicit charset: the verifier must hash exactly the same bytes the signer hashed
            byte[] dataInBytes = data.getBytes(StandardCharsets.UTF_8);

            // update the signature with the data to be signed
            signature.update(dataInBytes);
            // sign the data
            byte[] signedInfo = signature.sign();
            // print the signature in Base64 (byte[].toString() would only print an object reference)
            System.out.println(Base64.getEncoder().encodeToString(signedInfo));

            /**************************verify the signature****************************/
            Certificate publicCert = keystore.getCertificate(alias);
            // create a signature instance with the signature algorithm and the public cert, to verify the signature
            Signature verifySig = Signature.getInstance("SHA256withRSA");
            verifySig.initVerify(publicCert);
            // update the signature with the same data that was signed
            verifySig.update(dataInBytes);
            // verify the signature
            boolean isVerified = verifySig.verify(signedInfo);
            if (isVerified) {
                System.out.println("Signature verified successfully");
            } else {
                System.out.println("Signature verification failed");
            }
        } catch (GeneralSecurityException | IOException e) {
            e.printStackTrace();
        }
    }
}
</pre>
<br /></div>
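<div style="text-align: justify;">
The same sign-then-verify round trip without a keystore, as an added example that is not the post's code: it generates an RSA key pair in memory, signs UTF-8 bytes with SHA256withRSA, Base64-encodes the signature for transport, and then shows what the success path above does not: verification returns false for a tampered body and for a different party's key, and a malformed signature is reported as false rather than thrown. The class and method names and the sample JSON payload are constructed for this example.</div>

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/** Sign-then-verify round trip with an in-memory RSA key pair (added example, no keystore needed). */
public class SignatureRoundTrip {
    static final String ALGORITHM = "SHA256withRSA";

    static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Returns the signature Base64-encoded so it can travel inside a JSON or XML field. */
    static String sign(PrivateKey key, String message) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(key);
        // fixed charset: sender and receiver must hash exactly the same bytes
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    /** A failed verification, a bad key, or undecodable Base64 all yield false; none of them throws. */
    static boolean verify(PublicKey key, String message, String signatureB64) {
        try {
            Signature v = Signature.getInstance(ALGORITHM);
            v.initVerify(key);
            v.update(message.getBytes(StandardCharsets.UTF_8));
            return v.verify(Base64.getDecoder().decode(signatureB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair sender = generateKeyPair();
        KeyPair other = generateKeyPair();   // a second party that does not hold the sender's private key
        // constructed sample payload in the style of the SCIM user above
        String message = "{\"userName\":\"bjensen\",\"externalId\":\"bjensen\"}";
        String sig = sign(sender.getPrivate(), message);
        System.out.println("signature (Base64): " + sig);
        System.out.println("genuine:       " + verify(sender.getPublic(), message, sig));                                  // true
        System.out.println("tampered body: " + verify(sender.getPublic(), message.replace("bjensen", "bjenson"), sig));    // false
        System.out.println("wrong key:     " + verify(other.getPublic(), message, sig));                                   // false
        System.out.println("garbage sig:   " + verify(sender.getPublic(), message, "not-base64!"));                        // false
    }
}
```

<div style="text-align: justify;">
In a real exchange the public key would come from a certificate, as the post describes, and the receiver would check that certificate's validity and chain before trusting the key; the in-memory key pair here only stands in for that so the block runs on its own.</div>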
<div style="text-align: justify;">
<b>References:</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
[1] <a href="http://docs.oracle.com/javase/tutorial/security/apisign/index.html">http://docs.oracle.com/javase/tutorial/security/apisign/index.html</a></div>
<div style="text-align: justify;">
[2] http://www.garykessler.net/library/crypto.html#intro</div>
</div>
<br />
<b>Notes from IETF 83rd Meeting</b> (Hasini, 2012-04-18)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
As you may know, the IETF 83rd meeting was held at the Palais des Congrès, Paris from 25th to 30th March. I too got the opportunity to attend the IETF 83rd meeting and the <a href="http://hasini-gunasinghe.blogspot.com/2012/03/scim-interop-event-at-ietf-83rd-meeting.html">SCIM Interop Event</a>, which was held in parallel to it.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It was an interesting, novel and great experience to see how the people who form technology standards (which we implement, and which become buzzwords in the industry) get together in IETF meetings as working groups (WGs), present new ideas, discuss and argue over them, and reach consensus, all of which is part of the long process of publishing a standard as an IETF RFC.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Newcomers' orientation:</b></div>
<div style="text-align: justify;">
<br /></div>
OK, first let me mention what the IETF is, its purpose and how it operates, as I learned from this session held on Sunday 25th March. Scott Bradner, Secretary of the Internet Society, explained the what and the how of the IETF to all newcomers. <br />
<ul style="text-align: left;">
<li>The IETF (Internet Engineering Task Force) is the organization that develops and maintains the standards for how the Internet operates today. It meets 3 times a year.</li>
<li>It is an open organization that anyone can join through mailing lists to contribute to the development of standards in their area of interest.</li>
<li>There are 8 main areas of focus: <i>Application, General, Internet, Operations & Management, Real-time Applications & Infrastructure, Routing, Security, Transport</i>.</li>
<li>There are 131 Working Groups under the above areas; it is in a working group that standards are developed. Each working group has a mailing list where the work happens.</li>
<li>IETF management consists of: the IETF Chair, Area Directors (ADs), the Internet Engineering Steering Group (IESG) and the Internet Architecture Board (IAB).</li>
<li>IETF management are all volunteers; people are either company-supported or self-supported.</li>
<li>RFCs are the final documents published by the IETF. Although the name originally stood for 'Request for Comments', no changes are made after an RFC is published, so 'RFC' is no longer treated as an acronym.</li>
<li>It usually takes about 2 - 3 years for a draft-00 version of a technical standard to be published as an RFC.</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Tutorial sessions for beginners:</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The first day (Sunday afternoon) was allocated to induction and tutorial sessions. </div>
<div style="text-align: justify;">
- I attended the "Operations, Administration, and Maintenance Tutorial", which focused on the networking side. </div>
<div style="text-align: justify;">
- There was another tutorial, "Tools for Creating Internet-Drafts Tutorial", which I think would have been more useful, but I missed it since it was held in parallel with the orientation session mentioned above.</div>
<div style="text-align: justify;">
- Slides of both sessions can be found <a href="http://datatracker.ietf.org/meeting/83/materials.html">here</a> under <b>Training</b>.</div>
<div style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhegMpBZWbymN4oSn-0tfBLwk4edjuBo5UXuQdMOk7Lbh-6l1uRc_n-pmS_Z1a_s5s53yfz5qQQU3Sp4lzaGy_18UZl_W6B4uNmG4NhAt5AQ6R8-tXeFzmd2dqHylBd5WWvNrGEj9QWorY/s1600/DSC00801.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhegMpBZWbymN4oSn-0tfBLwk4edjuBo5UXuQdMOk7Lbh-6l1uRc_n-pmS_Z1a_s5s53yfz5qQQU3Sp4lzaGy_18UZl_W6B4uNmG4NhAt5AQ6R8-tXeFzmd2dqHylBd5WWvNrGEj9QWorY/s320/DSC00801.JPG" width="320" /></a> </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidV1mSLJvQWOzMAeNz0gTW1oyQIQIg3cCDPmR0er2g-Gslt20b5PCuiiGDBIUh-_X5XuJB_9-VXNdScMrDOV5CFL0MU62xN0vp4_3V2xqh7awL46lbUVOZs0GLzrkGvvzmOB0VIv37kbQ/s1600/DSC00802.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidV1mSLJvQWOzMAeNz0gTW1oyQIQIg3cCDPmR0er2g-Gslt20b5PCuiiGDBIUh-_X5XuJB_9-VXNdScMrDOV5CFL0MU62xN0vp4_3V2xqh7awL46lbUVOZs0GLzrkGvvzmOB0VIv37kbQ/s320/DSC00802.JPG" width="320" /></a></div>
<div style="text-align: justify;">
Above are two pics of the Palais des Congrès, where the IETF 83rd meeting was held.</div>
<div style="text-align: justify;">
<br />
<b>Meetings.. Meetings.. Meetings..</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Mainstream IETF work started on Monday, and there were meetings of several types throughout the week, which I have categorized below:</div>
<div style="text-align: justify;">
- <b><i>Birds of a Feather (BoF) sessions</i></b>: these sessions are held to decide whether a working group should be formed inside the IETF to carry on work on a new standard. Only very few sessions of this type are held at one IETF meeting.</div>
<div style="text-align: justify;">
- <b><i>WG meetings</i></b>: the majority of meetings fall under this category. This is where WG members meet to discuss issues in the current drafts produced by that WG, present new drafts to the IETF, and so on.</div>
<div style="text-align: justify;">
- <b><i>Informal meetings organized by other societies/communities</i></b>: related organizations and communities such as the Internet Society and WGs from OASIS take the free slots in the IETF agenda (like the lunch break) and hold sessions on topics of current interest. These are announced through the IETF registrants' mailing list, and participation is on a first come, first served basis.</div>
<div style="text-align: justify;">
- <b>Technical plenary sessions:</b> almost all IETF attendees, whichever WG meetings they attended during the week, come to these plenary sessions, where reports of the different IETF management groups (like the IAB and IRTF) are presented and a technical topic of common interest is discussed.</div>
<div style="text-align: justify;">
- <b>Research forums: </b></div>
<div style="text-align: justify;">
These are conducted by research groups chartered under the IRTF (Internet Research Task Force), which is an organization affiliated with the IETF. It focuses on long-term research problems related to the Internet.<br />
<br />
I happened to attend meetings of every type during the week. Several sessions run in parallel, so sometimes one misses some of the interesting sessions as well.<br />
<ul>
<li><b>SCIM BoF</b> - Simple Cloud Identity Management is an emerging standard for user account and identity provisioning. It was proposed to be chartered as a working group under the Applications Area of the IETF. The BoF session was a full house even before it started. Morteza and Trey explained "the what" and "the how" of SCIM to the IETF community. The session was chaired by two Area Directors.</li>
</ul>
Security is a key aspect discussed in all the above types of IETF meetings, and there is a separate Area (one of the 8 focus areas mentioned above) dedicated to security.<br />
<br />
Since my area of focus at WSO2, and also my personal interest and passion, lies in security, I decided to attend the Working Group meetings under the Security Area of the IETF, which I have listed below.<br />
You can find the slides of these sessions <a href="http://datatracker.ietf.org/meeting/83/materials.html">here</a> under Security Area.<br />
<ul>
<li>Web Security WG</li>
<li>Public Key Infrastructure</li>
<li>Kerberos WG + KITTEN</li>
<li>Java Script Object Signing</li>
<li>OAuth</li>
<li>Security Area Open Meeting</li>
</ul>
It is interesting to see how the security-related standards that we implement and use are formed at the IETF.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwJpZ5DK04mFv5BPB7bRMylPUNFutPeHOZLBkUo3SeOKYeGbzk1MElonT-uqdj_nCOGwGgoGhQdRPrdaNGx62oPcSE61Z4ijfKDvYbKK-Oqo_GaGwP4EAEyy5zlTtc7-tq1d4NgWXUT3Q/s1600/DSC00799.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwJpZ5DK04mFv5BPB7bRMylPUNFutPeHOZLBkUo3SeOKYeGbzk1MElonT-uqdj_nCOGwGgoGhQdRPrdaNGx62oPcSE61Z4ijfKDvYbKK-Oqo_GaGwP4EAEyy5zlTtc7-tq1d4NgWXUT3Q/s320/DSC00799.JPG" width="320" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPBJVrpBGJkqOeqx0rP6w05Is32WM9wcZA10mvxD6Rltfj5d8Le5NcPceFpKIJcyNctvqIO-obStxqdVW2PXECmDgLWPcvLn0D5f1dAfn7WRktuySLexcuV3thXkpbpGJXwkHs2LHceN0/s1600/DSC00798.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPBJVrpBGJkqOeqx0rP6w05Is32WM9wcZA10mvxD6Rltfj5d8Le5NcPceFpKIJcyNctvqIO-obStxqdVW2PXECmDgLWPcvLn0D5f1dAfn7WRktuySLexcuV3thXkpbpGJXwkHs2LHceN0/s320/DSC00798.JPG" width="320" /></a></div>
Above are pics of the IETF crew during the tea break... <br />
<br />
I also attended two informal meetings organized by other organizations/communities.<br />
<ul>
<li><b><a href="http://www.internetsociety.org/events/internet-society-panel-openid-and-oauth-ietf-83">Authentication and Authorization: Next steps for OpenID and OAuth</a></b>: this was organized by the Internet Society's Trust & Identity Initiatives. The panel discussed OAuth, building security tokens based on JSON data (JWT), OpenID, the ID token, adding an identity layer to OAuth, and the Web Cryptography working group. You may find the full audio of the session at the above link.</li>
</ul>
<ul>
<li><b><a href="http://www.w3.org/wiki/OAuthWebCrypto">Beyond HTTP Authentication: OAuth, OpenID, and BrowserID:</a></b> this session was hosted by W3C and discussed OpenID Connect, its key differences from OpenID 2.0, BrowserID, and use cases for OAuth + BrowserID.</li>
</ul>
Of the IRTF meetings, I attended:<br />
<ul>
<li>Crypto Forum Research Group: this was the last session I attended at the IETF meeting. You can find the slides <a href="http://datatracker.ietf.org/meeting/83/materials.html">here</a> under IRTF -> CFRG. </li>
</ul>
Of the two plenary sessions, I attended the Technical Plenary, which discussed Implementation Challenges for Browser Security; it was a very fruitful discussion with a lot of involvement from the audience as well.<br />
You may find the slides of this session <a href="http://datatracker.ietf.org/meeting/83/materials.html">here</a> under Plenary Sessions -> Technical Plenary.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr8ZmsRpVQ_v2O2ip55QVZuvWvTDKoYsjMTlPbeNTOTtnzcvwYcuZrPoBESFRLT-UPF78ayXEN0YxR76piSrGm-YUpduxMpc-DSyCdyJL7o13M6F9uq-LPCY4EkIXzX41J0Adu8NrvXlg/s1600/DSC00805.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr8ZmsRpVQ_v2O2ip55QVZuvWvTDKoYsjMTlPbeNTOTtnzcvwYcuZrPoBESFRLT-UPF78ayXEN0YxR76piSrGm-YUpduxMpc-DSyCdyJL7o13M6F9uq-LPCY4EkIXzX41J0Adu8NrvXlg/s320/DSC00805.JPG" width="320" /></a></div>
<br />
Above is a pic taken during the technical plenary session...<br />
<br />
<b>Remarks</b>: <br />
- There were many people involved in developing standards, not only from universities but also from different companies.<br />
- There were only 2 other Sri Lankans, one from a German university and the other from Cisco. <br />
<div style="text-align: left;">
- I believe it would be great if there were more involvement/impact from Sri Lankan universities/companies as well.</div>
<div style="text-align: left;">
- It was a very valuable opportunity to have participated in an IETF meeting and witnessed how the standards that we implement are actually formed; it was a great community meet-up as well.</div>
</div>
</div>
<br />
<b>SCIM Interop Event at IETF 83rd Meeting</b> (Hasini, 2012-03-30)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
The <a href="http://code.google.com/p/scim/wiki/FirstInteropEvent">first interop event</a> organized by the <a href="http://groups.google.com/group/cloud-directory">SCIM working group</a> (originally named the Cloud Directory WG) was held in room Corot of the hotel Concorde La Fayette, Paris on 28th of March from 6-12 CET. </div>
<br />
<div style="text-align: justify;">
<b>Purpose:</b> The purpose of this event was to bring together current working implementations of SCIM and test the level of interoperability between them, which in turn could be used as valuable input to prove the interoperability of the SCIM spec itself at the Birds of a Feather session held on 29th of March, in order to form a SCIM working group in the IETF.</div>
<div style="text-align: justify;">
<br /></div>
<a href="http://www.simplecloud.info/">SCIM (Simple Cloud Identity Management)</a> is an emerging standard focused on identity provisioning. You may refer to my previous post for an overview of SCIM.<br />
<br />
<b>Participants: </b><br />
Erik & Samuel from Technology Nexus, <br />
Kelly from Sailpoint, <br />
Chuck from Salesforce, <br />
Trey from UnboundID, <br />
Travis from Ping Identity, <br />
Morteza from Cisco, <br />
Emmanuel from BCPSOFT,<br />
Hasini from WSO2,<br />
participated in person, while Michael from Gluu and James from Curion participated remotely.<br />
<br />
Following are some pics I took during the interop event:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhyphenhyphenkteccfVD5dkQdeProBQNCNd2AlgYKvXfO4f2JfvaL73B2a1O0abrPmWtkxoDv-MP4Ff7pPqw48aiZsOSSr_rtyDcunfg4PdLdSiz-X7TUNgGeILcdCqQT2viC26wo_U1_WTZmQlzcs/s1600/DSC00812.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhyphenhyphenkteccfVD5dkQdeProBQNCNd2AlgYKvXfO4f2JfvaL73B2a1O0abrPmWtkxoDv-MP4Ff7pPqw48aiZsOSSr_rtyDcunfg4PdLdSiz-X7TUNgGeILcdCqQT2viC26wo_U1_WTZmQlzcs/s320/DSC00812.JPG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipf2HSFwZbrtu2d0tRgTVVhgOZp1D0ByM0eoDePwa_HBzoi2CsQeHqVoRHbd3Sow6JdgJh8VLNku6jqU4tyLZijzeQTtefseFm4HOqttaGusQ9artubOmHedW_IBb_ymkTyr6QAARkhuM/s1600/DSC00813.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipf2HSFwZbrtu2d0tRgTVVhgOZp1D0ByM0eoDePwa_HBzoi2CsQeHqVoRHbd3Sow6JdgJh8VLNku6jqU4tyLZijzeQTtefseFm4HOqttaGusQ9artubOmHedW_IBb_ymkTyr6QAARkhuM/s320/DSC00813.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguw6tPXLuzvONGaEl5LGkU0RN9VuuzwKgqNpfk5MH1F_jm9MJpakxlY-YjmMSsXnfvIwatdIn2djZlgUlwHRBg89P308qR4qzBVp22km2eIkai6EAAV7PL-KvBSTB9KU9FJQGU46lfFuQ/s1600/DSC00815.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguw6tPXLuzvONGaEl5LGkU0RN9VuuzwKgqNpfk5MH1F_jm9MJpakxlY-YjmMSsXnfvIwatdIn2djZlgUlwHRBg89P308qR4qzBVp22km2eIkai6EAAV7PL-KvBSTB9KU9FJQGU46lfFuQ/s320/DSC00815.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div style="text-align: justify;">
The rest of the post is mainly about the interop experiences of WSO2 Charon when it was tested against the SCIM service providers and SCIM clients provided by other implementations.</div>
<br />
<b>WSO2 Charon:</b><br />
<div style="text-align: justify;">
Charon is the open source SCIM implementation offered by WSO2 under the Apache 2.0 license. You may refer to my <a href="http://hasini-gunasinghe.blogspot.fr/search/label/Charon">previous blog posts</a> to get an idea about WSO2 Charon. Milestone 1 of WSO2 Charon was released in time for the first interop event. You may refer to a nice <a href="http://blog.facilelogin.com/2012/03/wso2-charon-released-in-time-for-scim.html">blog post</a> written by Prabath on the M1 release of Charon. We hosted a public SCIM endpoint for interop testing at people.wso2.com. </div>
<br />
<div style="text-align: justify;">
At the start of the interop event, everyone shared their server credentials with the participants and started testing by picking one endpoint at a time and sending requests from their clients. </div>
<br />
<b>The WSO2 Charon SCIM client was tested against the SCIM endpoints provided by the following SCIM service provider implementations</b>:<br />
<ul style="text-align: left;">
<li>Technology Nexus</li>
<li>UnboundID</li>
<li>Curion</li>
<li>Salesforce</li>
<li>Ping Identity </li>
</ul>
<div style="text-align: justify;">
This list doesn't contain everyone in the participants list above, since Sailpoint offers only a SCIM client implementation and the other service provider endpoints were busy fixing some of the issues encountered during the interop event.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Varying levels of success were achieved when the Charon client was tested with each of the above endpoints; the highest success rates were with the UnboundID (8 out of 10 scenarios passed) and Technology Nexus (6 out of 10 scenarios passed) endpoints. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The WSO2 Charon-Samples module includes sample SCIM clients which cover all the SCIM operations supported by Charon as of its M1 release. These sample SCIM client programs made it easy to cover all the other working SCIM server endpoints within the 6-hour interop event.</div>
<br />
<div style="text-align: justify;">
<b>Interop issues found</b>: Following are some of the issues found when testing the WSO2 Charon client against other server endpoints, which caused some operations to fail. We discussed how to align the implementations with the spec in order to overcome them.</div>
<div style="text-align: justify;">
<br /></div>
1. The server expects an ETag when update and delete requests are sent from the client side. While supporting resource versioning on the server side is a good feature, according to the spec it should not be mandatory for the client to set it. Therefore it was agreed that the server side should also handle requests that don't contain an ETag header.<br />
<br />
<div style="text-align: justify;">
2. The server returns an error when read-only attributes are contained in the payload of an update request. According to the spec: "Consumers must retrieve the entire Resource and PUT the desired modifications as the operation overwrites all previously stored data." The example payloads in the spec also contain the read-only "id" attribute in the update request. Therefore, we agreed that the spec needs to clarify whether the server should fail on, or ignore, read-only attributes in the update request payload and update only the other attributes.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
3. The server had an internal requirement to include a group attribute when creating a user, and if a group is not provided, the create user operation fails. But according to the spec, the group attribute of the User resource is read-only. Therefore, we agreed that servers should not require the group attribute in the create User request payload, even if they have internal requirements to do so.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
4. The server replies with dateTime attributes formatted as .NET DateTime strings. The WSO2 Charon client expects dateTime attributes to be formatted according to the XML Schema Datatypes specification (e.g. 2008-01-23T04:56:22Z), as mentioned in the SCIM spec. It was agreed to follow the dateTime format specified in the SCIM spec, to avoid interop issues even in these minor areas.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
5. The server doesn't add an id attribute; it treats the externalId as the id of the resource. Since externalId is not required to be unique, this may cause issues in retrieving a particular resource. </div>
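<div style="text-align: justify;">
<br />
How a server or client might implement the agreements on issues 1, 2 and 4, as an added Java example that is not WSO2 Charon code: the If-Match/ETag header is honoured only when the client sends one, read-only attributes are dropped from a PUT body instead of failing the whole update, and dateTime values are validated against the xs:dateTime forms the spec uses, with a non-spec value normalised on the client side. Payloads are represented as plain Maps so no JSON library is needed; the "/Date(millis)/" string is a constructed example of a non-spec format, since the post does not say which .NET form the server returned; the class and method names and the read-only set (id, meta, groups) are this example's assumptions.</div>

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Lenient handling of interop issues 1, 2 and 4 (added example, not Charon code). */
public class ScimInteropRules {
    // Core-schema User attributes the server owns; assumed read-only set for this example.
    static final Set<String> READ_ONLY = new HashSet<>(Arrays.asList("id", "meta", "groups"));
    // ASP.NET-style JSON date, used as a constructed example of a non-xs:dateTime format.
    static final Pattern DOTNET_DATE = Pattern.compile("^/Date\\((-?\\d+)\\)/$");

    /** Issue 1: If-Match is optional; only a present, non-matching value rejects the request. */
    static boolean versionMatches(String ifMatchHeader, String currentVersion) {
        if (ifMatchHeader == null || ifMatchHeader.trim().isEmpty() || "*".equals(ifMatchHeader.trim())) {
            return true;
        }
        String wanted = ifMatchHeader.trim().replace("\"", "");
        return wanted.equals(currentVersion.replace("\"", ""));
    }

    /** Issue 2: drop read-only attributes from a PUT body instead of failing the whole update. */
    static Map<String, Object> stripReadOnly(Map<String, Object> putBody) {
        Map<String, Object> writable = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : putBody.entrySet()) {
            if (!READ_ONLY.contains(e.getKey())) {
                writable.put(e.getKey(), e.getValue());
            }
        }
        return writable;
    }

    /** Issue 4: accept the xs:dateTime forms seen in the spec and in the Charon response below. */
    static boolean isXsdDateTime(String value) {
        try {
            OffsetDateTime.parse(value, DateTimeFormatter.ISO_OFFSET_DATE_TIME);   // 2008-01-23T04:56:22Z
            return true;
        } catch (DateTimeParseException ignored) { }
        try {
            LocalDateTime.parse(value, DateTimeFormatter.ISO_LOCAL_DATE_TIME);     // 2012-03-28T05:56:32
            return true;
        } catch (DateTimeParseException ignored) { }
        return false;
    }

    /** Issue 4, client side: normalise a "/Date(millis)/" value to xs:dateTime in UTC; pass spec values through. */
    static String toXsdDateTime(String value) {
        if (isXsdDateTime(value)) return value;
        Matcher m = DOTNET_DATE.matcher(value);
        if (!m.matches()) throw new IllegalArgumentException("unrecognised dateTime: " + value);
        return Instant.ofEpochMilli(Long.parseLong(m.group(1)))
                      .atOffset(ZoneOffset.UTC)
                      .format(DateTimeFormatter.ISO_OFFSET_DATE_TIME);
    }

    public static void main(String[] args) {
        System.out.println(versionMatches(null, "\"3\""));            // true: client sent no ETag
        System.out.println(versionMatches("\"2\"", "\"3\""));         // false: stale version, answer 412
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("id", "0f6fd995-38fb-4240-a5ce-961a7032427f");       // id from the response below
        body.put("userName", "umesha");
        System.out.println(stripReadOnly(body));                      // {userName=umesha}
        System.out.println(isXsdDateTime("2008-01-23T04:56:22Z"));    // true
        System.out.println(isXsdDateTime("/Date(1332914192000)/"));   // false
        System.out.println(toXsdDateTime("/Date(1332914192000)/"));   // 2012-03-28T05:56:32Z
    }
}
```

<div style="text-align: justify;">
Ignoring rather than rejecting read-only attributes is the lenient reading of the spec text quoted under issue 2; a server that prefers to reject can keep stripReadOnly and return an error whenever it removed something.</div>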
<br />
<b>Other SCIM clients were tested against the WSO2 Charon SCIM service provider endpoint:</b><br />
<ul style="text-align: left;">
<li>Curion</li>
<li>Technology Nexus </li>
</ul>
This list too doesn't contain everyone in the participants list above, because it took participants quite some time to test against each endpoint, and the duration of the interop was 6 hours.<br />
<br />
Note: The WSO2 Charon endpoint is available for public access; you may carry out interop testing with it anytime, and please let us know if you find any issues.<br />
<br />
<b>Interop issues found: </b>Following is the only issue reported by those who tested against the WSO2 Charon endpoint:<br />
<br />
1. The List Users operation returns a "resource not found" error.<br />
When the List Users operation is performed with the WSO2 Charon client, it returns a proper response with the list of resources, like below:<br />
<pre class="xml" name="code">{
"schemas":["urn:scim:schemas:core:1.0"],
"totalResults":2,
"Resources":
[
{
"id":"0f6fd995-38fb-4240-a5ce-961a7032427f",
"externalId":"umesha",
"meta":{
"lastModified":"2012-03-28T05:56:32",
"created":"2012-03-28T05:56:32",
"location":"http://localhost:8080/charonDemoApp/scim/Users/0f6fd995-38fb-4240-a5ce-961a7032427f"
}
},
{
"id":"e942ac6d-476c-4c7a-add3-f4ecb068a2f6",
"externalId":"hasini@gmail.com",
"meta":{
"lastModified":"2012-03-28T05:53:27",
"created":"2012-03-28T05:53:27",
"location":"http://localhost:8080/charonDemoApp/scim/Users/e942ac6d-476c-4c7a-add3-f4ecb068a2f6"
}
}
]
}
</pre>
But when the same operation was performed with other clients, it showed unexpected behavior due to an interop issue, which needs to be reproduced and identified with that particular client.<br />
<br />
<b>Overall Comments:</b><br />
<div style="text-align: justify;">
I consider the whole interop event an effective session, where we were able to discuss and agree on the interpretation of certain points of the spec with respect to implementation aspects, and to identify areas of the spec that need more clarification in order to overcome some of the interop issues mentioned above. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It was also a good community meetup, where people who communicate remotely over the mailing list could get together, meet in person and make their implementations communicate with each other. </div>
<div style="text-align: justify;">
I would like to thank all participants for collaborating effectively during the session to make the interop event a success.</div>
<div style="text-align: justify;">
<br /></div>
Now the SCIM spec has a new beginning at the IETF after the successful BoF session held on 29th of March 2012, and the standard has a long journey ahead until it is published as an RFC.<br />
<br />
<b>WSO2 Charon road map in brief:</b><br />
<div style="text-align: justify;">
WSO2 Charon will be feature complete with its 1.0 release and will be integrated into WSO2 Identity Server 4.0.0, so that the WSO2 product stack and WSO2 Stratos will be equipped with a standardized identity provisioning feature based on SCIM.</div>
</div>