Location and Authorization
Dave Kearns recently mused on the use of location in access control:
I could see [the user’s location] being used in a graded authentication scheme to reduce or deny access based on a possibly adverse location (e.g., someone trying to access a Pentagon database from Uzbekistan).
and Kim Cameron responded, mapping this into his identity metasystem vision:
In the identity metasystem, the relying party could indicate in its policy that it requires several sets of identity claims- one indicating who the user is, and another indicating where the user is. The claims might come from different authorities (e.g. an enterprise and a trusted location provider). These would be implemented as two Security Token Services (claims transformers). Both sets of claims, taken together, would identify the user from the point of view of the relying party.
Now, first, I have to agree with Dave’s 2002 article - this does indeed seem more like authorization than authentication. Now to the question of geo-location… Liberty defined the ID-SIS Geolocation Service earlier this year. An access control system (like, say, Sun Java System Access Manager) can implement policy based on location (or any other attribute or ‘claim’). So, an application (or, more likely, some agent protecting that app - in access control jargon a ‘policy enforcement point’ or PEP) can provide access to a given resource depending on policy constraints such as “Is the user within 100m of location X”. When a user attempts to access the resource, the PEP sends a policy query for that constraint to the access control system’s ‘policy decision point’ (PDP). The PDP queries the geolocation service for the user’s current location and responds ‘true’ or ‘false’ to the PEP accordingly, which then grants or denies access to the resource as appropriate.
The elegance of this approach is that only one component of the system (the PDP) need be trusted with the user’s identity (this might also be possible in Kim’s identity metasystem). The information available to other components around the network is limited to exactly what they need to know - i.e. does the user’s identity meet a given constraint. And, of course, you could deploy such a system right now using products from a number of vendors, since all of the above is defined by Liberty and is shipping today.
Comments
Jaime Cardoso
How is it that expression of yours, been there, done that :)
Location is one of the main basis of ISP auth here in Portugal. Of course that, for an ISP “location” is defined has being inside our outside the ISP’s Network. I can certify that this feature not only is possible but is in prodution for some monthes now. When we deploy AM in GSM Operators, Location will be defined by the cel they’re connected to (like what’s the nearest sushy bar ranking 3 stars or more).
I believe that the term “identity” if limited to the user’s name (or even to an user) is comming short of the actual potential of this solutions. Identity can (and should) be applied to any and to all factors that will be used to discriminate services (Identity applied to ILM).
tkudo's weblog
[Trackback] Some of Identity Bloggers have recently posted thoughts on location as an attribute of identity information. The Virtual Quill: The WHERE in IdM Superpatterns: Location and Authorization Kim …
Leave a Comment
Your email address will not be published. Required fields are marked *