Enterprise & Web based Federated Identity Management & Data Access Controls
DESCRIPTION
This presentation breaks down issues associated with federated identity management and protected resource access controls (policies). Specifically, it uses Virtuoso and RDF to demonstrate how this longstanding problem has been addressed using the combination of RDF based entity relationship semantics and Linked Open Data.
TRANSCRIPT
Federated Identity & Attribute Based Resource Access Controls
By Kingsley Idehen, Founder & CEO, OpenLink Software
SITUATION ANALYSIS
License CC-BY-SA 4.0 (International).
Presentation Goals
Deconstruct:
Identity
Identifiers
Identification
Identity
EVERY DAY WE HEAR
IDENTITY IS PROBLEMATIC
IDENTITY IS COMPLEX
IDENTITY IS IMPORTANT
Identity
WE ALMOST NEVER HEAR ABOUT
WHAT IDENTITY ACTUALLY IS
HOW IDENTITY IS CREATED
HOW IDENTITY IS REPRESENTED
Identity Basics
What is an Entity?
An Entity is a Distinctly Identifiable Thing
How is an Entity Identified (Named)?
An Entity is Identified (or named) through the combined effects of Identifier based denotation (signification) and document content based connotation (description).
How is an Entity Denoted?
An Entity is Denoted (Signified) through the use of an Identifier.
What is an Identifier?
An Identifier is a Sign (or Token) that Signifies (Denotes, or “Stands For”) an Entity
Identifier Types?
• Quoted Literals such as: “Kingsley Idehen” or ‘Kingsley Idehen’
• Relative Reference: <#KingsleyIdehen>
• Absolute HTTP URI based Reference: <http://kingsley.idehen.net/dataspace/person/kidehen#this>
• LDAP URI based Reference: <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen%2Cou=Accounts%2Co=OpenLink%20Software%2Cc=US>
What is a WebID?
An HTTP Uniform Resource Identifier (URI) that identifies (names) an Agent.
Example: <http://kingsley.idehen.net/dataspace/person/kidehen#this>
What is a NetID?
A Resolvable Uniform Resource Identifier (URI) that identifies (names) an Agent.
Example: <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen%2Cou=Accounts%2Co=OpenLink%20Software%2Cc=US>
What is an Identity Card?
A Document comprised of content in the form of identity claims that coalesce around an identifier that names the Identity Card’s subject. Basically, a document comprised of content that connotes (describes) its subject.
WebID-Profile Document -- Front
A Document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject.
Identity Card subject name MUST be in the form of an HTTP URI.
WebID-Profile Document -- Inside
A Document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject. Identity Card subject identifiers MUST be in the form of an HTTP URI.
NetID-Profile Document -- Front
A Document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject.
Identity Card subject identifiers MUST be in the form of Resolvable URIs, so LDAP scheme identifiers can apply.
NetID-Profile Document -- Inside
A Document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject. Identity Card subject identifiers MUST be in the form of Resolvable URIs, so LDAP scheme identifiers can apply.
What Your Digital Identity Card Enables
• Identification for 3rd Party Use – e.g., protected resource access controls and data access policies scoped specifically to your identity
• Signing Statements (Endorsements) and Messages (e.g., Email) so that they are cryptographically verifiable
• Receipt of Encrypted Messages that are only readable by you – since the message, or the shared secret that protects it, is encrypted to the Public Key published in your Digital Identity Card
• All of the items above using existing open standards.
Attribute Based Access Controls (ABAC)
What is ABAC About?
Fine-grained access to protected resources driven by attributes (characteristics, features, properties, predicates, relations etc.) of the resource requestor (an Identity Principal).
RDF based Attribute based Access Controls
1. Identity Principal Requests Access to Protected Resource
2. Protected Resource Server Assesses: Identity (RDF based Identity Claims) and Access Control Rules (RDF based Protected Resource Access Policies)
3. Protected Resource Access is Granted or Rejected.
ABAC Challenges?
• Identifier Types – NetID vs WebID Issues
• Data Access Protocols – LDAP vs HTTP issues
• Data Representation – Data Virtualization issues
• Data Integration – RDF based Linked Open Data
• Data Access Performance & Scalability – Virtuoso!
Identity Card Generation
WebID Identity Card Generation
Digital Identity Card Generation – PdP Selection
Select from a vast collection of Profile Data Providers (PdPs)
Digital Identity Card Generation – IdP Selection
Select from a vast collection of Identity Card Storage Providers (IdPs)
Generated Public Identity Card
A Document comprised of content in the form of identity claims that coalesce around an identifier (e.g., HTTP URI) that names the Identity Card’s subject. Basically, a document comprised of content that connotes (describes) its subject.
Local Identity Card (X.509 Cert.) View - 1
Local Identity Card (X.509 Cert.) View - 2
Local Identity Card (X.509 Cert.) View - 3
Authentication Protocols (WebID-TLS and NetID-TLS)
Critical Proof of Work
Fundamentally, the NetID-TLS and WebID-TLS authentication protocols combine public-key cryptography (PKI: the client proves possession of its private key during the TLS handshake, and no shared secret is ever transmitted) with proof of control over the identifier and the profile document it resolves to. This includes:
• Private & Public Keypair Possession
• Private (X.509 Cert.) and Public (Profile Document) Identity Card Creation & Storage Capability
• Ability to Express Entity Identity Claims using Entity Relationship Semantics that are comprehensible to both Humans and Machines.
What is WebID-TLS?
TLS based authentication protocol where identity claims are verified as follows:
1. User Agent initiates a TLS connection.
2. Presents a locally stored Identity Card (X.509 Certificate) carrying a WebID as its SubjectAlternativeName (SAN) value.
3. Following a successful TLS handshake, the protected resource server performs these additional tests:
• Checks that the WebID (with its fragment stripped) resolves to a profile document comprised of RDF statements.
• Checks for an RDF statement that associates the WebID with the Public Key of the X.509 certificate that completed the handshake, i.e. both the RSA modulus and the exponent published in the profile match the presented key.
A SAN URI whose profile document does not confirm the key is rejected. The profile document must be fetched over TLS with certificate validation; otherwise anyone able to tamper with the fetch could bind their own key to someone else’s WebID.
WebID-TLS Authentication Protocol Example
WebID-TLS Authentication – Step 1
WebID-TLS Authentication – Step 2
WebID-TLS Authentication – Step 3
WebID-TLS Authentication – Step 4
What is NetID-TLS?
TLS based authentication protocol where identity claims are verified as follows:
1. User Agent initiates a TLS connection.
2. Presents a locally stored Identity Card (X.509 Certificate) carrying a NetID as its SubjectAlternativeName (SAN) value.
3. Following a successful TLS handshake, the protected resource server performs these additional tests:
• Checks that the NetID resolves to a profile document (for an LDAP URI, the directory entry).
• Checks that the profile document holds a copy of the certificate claims matching those in the presented X.509 certificate, achieved by comparing the fingerprints of both.
The slides compare SHA1 fingerprints. SHA-1 is no longer collision resistant, so where the directory can store it, compare SHA-256 fingerprints (or the full DER-encoded certificate) instead.
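The two post-handshake procedures above (WebID-TLS: key published in the profile; NetID-TLS: fingerprint bound to the directory entry), as an added example that is not from the deck and not Virtuoso’s code. It uses only the Python standard library. The profile fetch and the directory lookup are stubs over constructed data; the modulus, exponent and certificate bytes are constructed and stand in for what the TLS stack extracts from the client certificate. The fingerprint check uses SHA-256 rather than the SHA1 shown on the slides, which is an assumption of this example.

```python
"""WebID-TLS and NetID-TLS post-handshake verification (added example, stdlib only)."""
import hashlib
import hmac
import re
from urllib.parse import urldefrag, urlparse

CERT = "http://www.w3.org/ns/auth/cert#"
XSD = "http://www.w3.org/2001/XMLSchema#"

# Constructed fixtures: not a real key, not a real certificate.
WEBID = "http://kingsley.idehen.net/dataspace/person/kidehen#this"
NETID = ("ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,"
         "o=OpenLink%20Software,c=US")
MODULUS_HEX = "c0ffee" * 8      # stands in for the RSA modulus of the client certificate
EXPONENT = 65537
CERT_DER = b"constructed-der-bytes-not-a-real-certificate"

# Profile document the WebID dereferences to, as N-Triples (constructed).
PROFILE_NT = f"""
<{WEBID}> <{CERT}key> _:k1 .
_:k1 <{CERT}modulus> "{MODULUS_HEX.upper()}"^^<{XSD}hexBinary> .
_:k1 <{CERT}exponent> "65537"^^<{XSD}integer> .
"""

def fetch_profile(document_iri):
    """Stub for the HTTPS GET of a profile document. Assumption: production code fetches
    over TLS with certificate validation and caps the response size."""
    return {urldefrag(WEBID)[0]: PROFILE_NT}.get(document_iri)

def lookup_directory(netid):
    """Stub for the LDAP read of the certificate fingerprint bound to the entry."""
    return {NETID: hashlib.sha256(CERT_DER).hexdigest()}.get(netid)

# One N-Triples statement: subject predicate object .
_NT_LINE = re.compile(
    r'^(<[^>]*>|_:\S+)\s+(<[^>]*>)\s+'
    r'(<[^>]*>|_:\S+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>|@[A-Za-z0-9-]+)?)\s*\.$')

def parse_ntriples(text):
    """Return (s, p, o) tuples; IRIs keep their <>, literals keep quotes and datatype."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = _NT_LINE.match(line)
            if not m:
                raise ValueError("bad N-Triples line: " + line)
            out.append(m.groups())
    return out

def literal_value(term):
    """Lexical form of an N-Triples literal (datatype and language tag dropped)."""
    m = re.match(r'^"((?:[^"\\]|\\.)*)"', term)
    return m.group(1) if m else term

def norm_modulus(hex_str):
    """xsd:hexBinary is case-insensitive and leading zero bytes carry no information."""
    return re.sub(r"\s+", "", hex_str).lower().lstrip("0") or "0"

def webid_key_matches(webid, triples, modulus_hex, exponent):
    """WebID-TLS test: some cert:key of the WebID has BOTH the modulus and the exponent of
    the key that completed the handshake (both checked on the same key node)."""
    subj = f"<{webid}>"
    for key in [o for s, p, o in triples if s == subj and p == f"<{CERT}key>"]:
        mods = [literal_value(o) for s, p, o in triples if s == key and p == f"<{CERT}modulus>"]
        exps = [literal_value(o) for s, p, o in triples if s == key and p == f"<{CERT}exponent>"]
        if (any(norm_modulus(m) == norm_modulus(modulus_hex) for m in mods)
                and any(e.isdigit() and int(e) == exponent for e in exps)):
            return True
    return False

def netid_fingerprint_matches(cert_der, stored_fingerprint_hex):
    """NetID-TLS test: the fingerprint of the presented certificate equals the one bound to
    the directory entry. SHA-256 here (assumption); the slides show SHA1."""
    presented = hashlib.sha256(cert_der).hexdigest()
    stored = stored_fingerprint_hex.replace(":", "").lower()
    return hmac.compare_digest(presented, stored)

def authenticate(san_uris, cert_der, modulus_hex, exponent):
    """Return the first SAN URI whose claims verify, else None (fail closed)."""
    for uri in san_uris:
        scheme = urlparse(uri).scheme.lower()
        if scheme in ("http", "https"):
            body = fetch_profile(urldefrag(uri)[0])  # dereference the document, not the fragment
            if body is not None and webid_key_matches(uri, parse_ntriples(body), modulus_hex, exponent):
                return uri
        elif scheme == "ldap":
            fp = lookup_directory(uri)
            if fp is not None and netid_fingerprint_matches(cert_der, fp):
                return uri
    return None
```

`authenticate([WEBID], CERT_DER, MODULUS_HEX, EXPONENT)` returns the WebID because the profile’s key node carries the matching modulus and exponent; the same call with a different modulus returns None, and a NetID whose directory fingerprint does not match the presented certificate is likewise rejected. A certificate may carry several SAN URIs; only one that verifies is used as the authenticated identity.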
NetID Identity Card Generation
YouID Identity Card Creation – Step 1
YouID Identity Card Creation – Step 2
Local Identity Card (X.509 Cert.) View - 1
Local Identity Card (X.509 Cert.) View - 2
Local Identity Card (X.509 Cert.) View - 3
NetID-TLS Authentication Protocol Example (LDAP Directory Services)
Identity Card Export for LDAP Directory Use
LDAP Directory Profile Edit Page
LDAP Directory Profile Edit – Certificate Binding
Associate certificate exported from keystore / keychain with LDAP Directory record
NetID-TLS Authentication (using an Identity Card with an LDAP URI in its SAN)
NetID-TLS Authentication – Step 1
NetID-TLS Authentication – Step 2
NetID-TLS Authentication – Step 3
NetID-TLS Authentication – Step 4
NetID-TLS Authentication – Step 5
Attribute Based Access Controls (ABAC) via NetID-TLS & WebID-TLS Authentication Protocols
Controlling Access to an HTTP-Accessible Document
Resource Protection – Step 1
Resource Protection – Step 2
Resource Protection – Step 3
Actual Attribute Based Access Control
Protected Resource Access Challenge – Step 1
Protected Resource Access Challenge – Step 2
Protected Resource Access Challenge – Step 3
Protected Resource Access Challenge – Step 3 (cont.)
Controlling Access to a SPARQL Endpoint – Example
RDF based ACL scoped to a Named Graph -- Template

```turtle
## Protected (Private) Resource Authorization denoted by <{ACL-IRI}> ;
## created by the Identity Principal denoted by <{Rule-Creator-WEBID}> ;
## granting the access mode named by oplacl:hasAccessMode (oplacl:Write in this template)
## on the Named Graph denoted by <{Target-Named-GRAPH-IRI}> ;
## to identity principals denoted by <{GROUP-or-AGENT-IRI-1}>, ... <{GROUP-or-AGENT-IRI-N}>
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>

<{ACL-IRI}>
    a acl:Authorization ;
    foaf:maker <{Rule-Creator-WEBID}> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <{Target-Named-GRAPH-IRI}> ;
    acl:agent <{GROUP-or-AGENT-IRI-1}>, <{GROUP-or-AGENT-IRI-N}> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:DefaultRealm .
```
Controlling Access to a SPARQL-accessible Named Graph
RDF based ACL scoped to a Named Graph -- Example

```turtle
## Grant access to the Named Graph denoted by the IRI <urn:private:rdf:data:source>
## to identity principals denoted by the following IRIs
## <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,o=OpenLink%20Software,c=US>,
## <http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this>
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>

<#AccessPolicy1>
    a acl:Authorization ;
    foaf:maker <http://kingsley.idehen.net/dataspace/person/kidehen#this> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <urn:private:rdf:data:source> ;
    acl:agent <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,o=OpenLink%20Software,c=US>,
              <http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:DefaultRealm .
```
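The decision step of the “RDF based Attribute based Access Controls” flow (server assesses the authenticated identity against RDF access policies and grants or rejects), applied to AccessPolicy1 above, as an added example that is not Virtuoso’s policy engine. The policy is held as the (subject, predicate, object) triples a store would contain once the Turtle is loaded; the relative IRI <#AccessPolicy1> is kept as written (assumption: no base IRI). Evaluation is deny by default and matches access modes literally (assumption: whether oplacl:Write implies Read is a deployment decision, not taken here). Agent IRIs are compared after RFC 3986 syntax-based normalization only. That matters on this page: the NetID is spelled with %2C on the identifier slides and with a bare comma in the ACL; the comma is a reserved character, so these are different identifiers and the spelling in the certificate SAN and in the ACL must agree.

```python
"""Policy decision over an RDF ACL such as AccessPolicy1 (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
ACL = "http://www.w3.org/ns/auth/acl#"
OPLACL = "http://www.openlinksw.com/ontology/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"

# AccessPolicy1 as the (subject, predicate, object) triples a store holds once the Turtle
# is loaded and prefixes are expanded. The relative IRI <#AccessPolicy1> is kept as
# written (assumption: no base IRI).
POLICY = "#AccessPolicy1"
GRAPH = "urn:private:rdf:data:source"
AGENT_NETID = ("ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,"
               "o=OpenLink%20Software,c=US")
AGENT_WEBID = "http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this"
ACL_TRIPLES = [
    (POLICY, RDF_TYPE, ACL + "Authorization"),
    (POLICY, FOAF + "maker", "http://kingsley.idehen.net/dataspace/person/kidehen#this"),
    (POLICY, OPLACL + "hasAccessMode", OPLACL + "Write"),
    (POLICY, ACL + "accessTo", GRAPH),
    (POLICY, ACL + "agent", AGENT_NETID),
    (POLICY, ACL + "agent", AGENT_WEBID),
    (POLICY, OPLACL + "hasScope", OPLACL + "PrivateGraphs"),
    (POLICY, OPLACL + "hasRealm", OPLACL + "DefaultRealm"),
]

_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def normalize_iri(iri):
    """RFC 3986 syntax-based normalization only: lowercase scheme and host, uppercase the
    hex digits of percent-encodings, decode percent-encoded UNRESERVED characters.
    Reserved characters stay as written, so "," and "%2C" remain different identifiers.
    (No userinfo is expected in these identifiers, so the whole netloc is lowercased.)"""
    def fix_pct(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in _UNRESERVED else "%" + m.group(1).upper()
    parts = urlsplit(iri)
    path = re.sub(r"%([0-9A-Fa-f]{2})", fix_pct, parts.path)
    query = re.sub(r"%([0-9A-Fa-f]{2})", fix_pct, parts.query)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, query, parts.fragment))

def decide(triples, agent_iri, resource_iri, mode_iri, realm_iri=OPLACL + "DefaultRealm"):
    """Deny by default: grant only if an acl:Authorization in `realm_iri` names the resource,
    the requested mode and the authenticated agent. Modes are matched literally (assumption:
    whether oplacl:Write implies Read is a deployment decision, not taken here).
    Returns (True, authorization_iri) or (False, None)."""
    agent = normalize_iri(agent_iri)
    by_subject = {}
    for s, p, o in triples:
        by_subject.setdefault(s, set()).add((p, o))
    for auth, po in by_subject.items():
        if (RDF_TYPE, ACL + "Authorization") not in po:
            continue
        if (OPLACL + "hasRealm", realm_iri) not in po:
            continue
        if (ACL + "accessTo", resource_iri) not in po:
            continue
        if (OPLACL + "hasAccessMode", mode_iri) not in po:
            continue
        if agent in {normalize_iri(o) for p, o in po if p == ACL + "agent"}:
            return True, auth
    return False, None
```

`decide(ACL_TRIPLES, AGENT_WEBID, GRAPH, OPLACL + "Write")` returns `(True, "#AccessPolicy1")`, as does the NetID agent, including when the host and scheme are written in a different letter case. The same NetID written with `%2C` instead of `,`, an unknown agent, another graph, or the Read mode (not listed in the policy) all return `(False, None)`.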
Controlling Access to an HTTP (Web) Service
RDF based ACL scoped to a YouID Instance

```turtle
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>

<#YouIDUsagePolicy1>
    a acl:Authorization ;
    rdfs:comment """Machine-to-Machine ACL that controls access to an instance of the YouID Identity Card Generator.""" ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <http://{HOST-CNAME}/youid> ;
    acl:agent <{Agent-WebID}> ;
    oplacl:hasScope <urn:virtuoso:val:scopes:youid> ;
    oplacl:hasRealm oplacl:DefaultRealm .
```
Live Additional Information Links
A Glossary of terms, in Linked Data form:
• WebID
• WebID-TLS
• NetID
• NetID-TLS
• Linked Data
• Linked Open Data
• Semantic Web
• Resource Description Framework (RDF)
Additional Information Web Sites
OpenLink Software
YouID – Digital Identity Card (Certificate) Generator
OpenLink Data Spaces – Semantically enhanced Personal & Enterprise Data Spaces & Collaboration Platform
OpenLink Virtuoso - Hybrid Data Management, Integration, Application, and Identity Server
Universal Data Access Drivers - High-Performance ODBC, JDBC, ADO.NET, and OLE-DB Drivers
LDAP and NetID-TLS – How to use LDAP scheme URIs with NetID-TLS Authentication
Social Media Data Spaces
http://kidehen.blogspot.com (weblog)
http://www.openlinksw.com/blog/~kidehen/ (weblog)
https://plus.google.com/112399767740508618350/posts (Google+)
https://twitter.com/#!/kidehen (Twitter)
Hashtag: #LinkedData (Anywhere).