OPA for HTTP Authorization

Open Policy Agent[1] is a promising, lightweight and very generic policy engine to govern authorization in any type of domain. I found this comparison[2] very attractive when evaluating OPA for a project I am currently working on; it demonstrates how OPA can provide the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML.
Here are the steps of a brief demonstration of OPA used for HTTP API authorization, based on the sample [3] and taking it one level further.
Running OPA Server

First we need to download OPA from [4], choosing the build for the operating system we are running on. For Linux:

curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64

Make it executable:

chmod 755 ./opa

Once done, we can start the OPA policy engine as a server:

./opa run --server

Define Data and Rules

Next we need to load data and authorization rules into the server so that it can make decisions. OPA defines these in files in the .rego format. Below is a sample …
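An added example (not the sample elided from the post, nor code from the OPA project) of one .rego file for the HTTP API authorization scenario described above, written in the Rego syntax of the v0.10 line used here; the sample data and the input field names (user, method, path) are assumptions about what the API front end sends to OPA with each request:

```rego
package httpapi.authz

# Constructed sample data (an assumption, not the post's data): who reports
# to whom, and which users hold the admin role. In a real deployment this
# would normally be pushed separately through PUT /v1/data.
subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}
admins = {"betty"}

# Deny by default: a request is only allowed if one of the rules below matches.
default allow = false

# A user may read their own salary record.
allow {
  input.method = "GET"
  input.path = ["finance", "salary", username]
  input.user = username
}

# A manager may read the salary record of a direct report.
allow {
  input.method = "GET"
  input.path = ["finance", "salary", username]
  subordinates[input.user][_] = username
}

# Only admins may update a salary record; everyone else gets the default deny.
allow {
  input.method = "PUT"
  input.path = ["finance", "salary", _]
  admins[input.user]
}

# Load the policy into the running server and query a decision (assumed
# file name policy.rego; 8181 is the default port of `opa run --server`):
#   curl -X PUT localhost:8181/v1/policies/httpapi --data-binary @policy.rego
#   curl -X POST localhost:8181/v1/data/httpapi/authz/allow \
#        -d '{"input": {"method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}}'
# The second call answers {"result": true}; with "user": "charlie" it answers {"result": false}.
```

The decision endpoint returns only the boolean under the rule's path, so the front end needs no knowledge of the data or rules to enforce it.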

Future of Identity and Access Management (IAM)

When a business needs rapid growth or a new technology integrated, partnering and acquisition strategies are commonly put forward. WhatsApp being acquired by Facebook and Skype being acquired by Microsoft are popular acquisitions by the giants in the industry. According to the Wall Street Journal, “2015 the biggest year ever for mergers and acquisitions” globally[1]. Considered from the viewpoint of enterprise identity management, this means a rapid merge of external users into the current enterprise system. While this merge needs to happen rapidly in order to gain competitive advantage, privacy and security aspects cannot be ignored. Quocirca, a primary research and analysis company, also confirms that “many businesses now have more external users than internal ones. Many organisations are putting in place advanced identity and access management tools to facilitate the administration and security issues raised by this.”[2].

The impact of these mergers and acquisitions has been predicted by the reputed analyst firm Gartner as “By 2020, 60% of digital identities interacting with the enterprise will come from external identity providers through a competitive marketplace – up from less than 10% today.”[3]. Quocirca further discusses this topic in relation to the BYOID concept, where users may present their identity via an external identity provider that the enterprise trusts. These external identity providers might use different protocols (legacy, proprietary, standards-based) to deal with identities. Hence integrating them with existing systems is a challenge, as full replacement of legacy systems is often difficult or even impossible, and this concerns a more sensitive part of enterprise security. As a solution to this foreseen rising requirement for enterprises in the IAM arena, the industry is investigating several solutions. While some have been evaluating the possibility of using an ESB itself for the purpose, a new concept has also emerged, the EIB, which focuses specifically on identity mediation.

Apart from enterprises growing through mergers and acquisitions, consider a new enterprise: most of the time, users had to register there by filling in a lengthy form. With the application of the BYOID concept, however, it opens doors to easily attract the whole user base of social identity providers. For example, a website that allows login via Google or Facebook has a possible user base as large as Google users plus Facebook users, compared to a website that only allows login for its own registered users. In order to achieve this kind of external identity provider integration, there needs to be a mechanism to securely confirm the user's identity and submit the decision in a mutually understandable way. For this, a transformation needs to happen between the two parties, which can be identified as the main functionality of an EIB.

From the above facts it is evident that identity mediation is a requirement for enterprises in the coming days, due to the high rate of mergers and acquisitions and the possible competitive advantage of supporting login via a social identity. Also, with newly emerging technologies like IoT, many new protocols may be introduced to interact with identities, and current protocols might get new versions with several modifications. Time is a critical factor for the enterprise when adopting new technologies: the faster they move, the more the benefits. The requirement that arises in this situation is an Identity Mediation mechanism that can do the transformation between identity protocols, similar to how ESBs transform messages between different transport protocols.

[1] - M. Farrell, "2015 Becomes the Biggest M&A Year Ever", WSJ, 2016. [Online]. Available: http://www.wsj.com/articles/2015-becomes-the-biggest-m-a-year-ever-1449187101. [Accessed: 24- Jan- 2016].

[2] - Quocirca.com, "Identity, access management and the rise of bring your own identity | quocirca.com", 2013. [Online]. Available: http://quocirca.com/article/identity-access-management-and-rise-bring-your-own-identity. [Accessed: 24- Jan- 2016].

[3] - D. Atkinson, "A Report From Inside the Gartner Identity and Access Management Summit", Top Identity & Access Management Software, Vendors, Products, Solutions, & Services, 2014. [Online]. Available: http://solutions-review.com/identity-management/a-report-from-inside-the-gartner-identity-and-access-management-summit/. [Accessed: 24- Jan- 2016].


  1. Absolutely Brilliant!! It's one of the best blogs I have read on identity and access management. It was an absolute pleasure reading this article. Thanks a ton mate for sharing this article with everyone.

  2. As Identity Management solutions providers, we offer 80% of the functionality at 20% of the price compared to the competitors. Start your free trial today!

