JeffZhu.me

A Brief Look at IoT IAM

Overview of Identity Management for the IoT

Cited from Overview: Identity Management for the Internet of Things by UnboundID

IoT IAM Requirements:

  • Adaptive Authentication. The authentication method varies with the person's identity, the context, the device, the use case and similar factors.
  • Privacy and Preference Management. IoT IAM can aggregate user preference data from different interaction points, which improves user loyalty and keeps the user's experience consistent across channels.
  • Policy-Based Data Access Governance. IoT IAM can provide finer-grained control, as well as control based on environmental factors and context.
  • High Volume Scale.

User Managed Access (UMA)

User-Managed Access (UMA) is a profile of OAuth 2.0 [RFC6749]. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies. Resource owners configure authorization servers with access policies that serve as asynchronous authorization grants. — UMA Working group
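The roles named in that definition are easier to keep apart when the messages between them are spelled out. The following is an added example written for this page, not code from the UMA working group, UnboundID or any UMA implementation: it models a resource owner (alice) who configures a policy at the authorization server ahead of time, a resource server that protects a "thermostat" resource set, and clients acting for two requesting parties (bob and mallory). The hostnames, token formats and the thermostat data are constructed; the JSON shapes (`_id`, `ticket`, `rpt`, `active`/`permissions`) follow UMA 1.0.1 as read by the editor, and the PAT/AAT issuance, which is an OAuth flow in the spec, is reduced to a lookup.

```python
"""Added example: the UMA 1.0.1 roles and messages modelled in memory. Not code
from the page, UnboundID or the UMA working group. Hostnames, token formats,
the resource "thermostat" and the parties alice/bob/mallory are constructed."""
import secrets


class AuthorizationServer:
    """Centralized AS: stores resource owner policies, issues tickets and RPTs."""
    def __init__(self, uri):
        self.uri = uri
        self.pats = {}           # protection API token -> resource owner the RS acts for
        self.aats = {}           # authorization API token -> requesting party the client acts for
        self.resource_sets = {}  # resource set _id -> {"owner", "name", "scopes"}
        self.policies = {}       # (resource set _id, requesting party) -> granted scopes
        self.tickets = {}        # permission ticket -> requested permission
        self.rpts = {}           # RPT -> list of granted permissions

    def issue_pat(self, owner):          # PAT/AAT issuance is OAuth in the spec; simplified here
        pat = secrets.token_urlsafe(16)
        self.pats[pat] = owner
        return pat

    def issue_aat(self, party):
        aat = secrets.token_urlsafe(16)
        self.aats[aat] = party
        return aat

    def register_resource_set(self, pat, name, scopes):
        """Resource set registration endpoint (called by the RS with its PAT)."""
        rs_id = secrets.token_hex(8)
        self.resource_sets[rs_id] = {"owner": self.pats[pat], "name": name, "scopes": list(scopes)}
        return {"_id": rs_id}

    def set_policy(self, owner, rs_id, party, scopes):
        """Resource owner configures policy before any request arrives: the asynchronous grant."""
        if self.resource_sets[rs_id]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies[(rs_id, party)] = set(scopes)

    def register_permission(self, pat, rs_id, scopes):
        """Permission registration endpoint: the RS describes the attempted access and gets a ticket."""
        if self.resource_sets[rs_id]["owner"] != self.pats[pat]:
            raise PermissionError("PAT does not belong to this resource set's owner")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource_set_id": rs_id, "scopes": list(scopes)}
        return {"ticket": ticket}

    def issue_rpt(self, aat, ticket):
        """RPT endpoint: the client redeems the ticket; the AS checks the owner's policy
        for the requesting party identified by the AAT."""
        party = self.aats[aat]
        wanted = self.tickets.pop(ticket, None)            # tickets are single-use
        if wanted is None:
            return {"error": "invalid_ticket"}
        granted = self.policies.get((wanted["resource_set_id"], party), set())
        if not set(wanted["scopes"]) <= granted:
            return {"error": "not_authorized"}
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = [wanted]
        return {"rpt": rpt}

    def introspect(self, pat, rpt):
        """Token introspection: the RS learns which of its owner's permissions the RPT carries."""
        perms = [p for p in self.rpts.get(rpt, [])
                 if self.resource_sets[p["resource_set_id"]]["owner"] == self.pats[pat]]
        return {"active": True, "permissions": perms} if perms else {"active": False}


class ResourceServer:
    def __init__(self, as_, pat):
        self.as_, self.pat, self.resources = as_, pat, {}

    def protect(self, name, scopes, data):
        rs_id = self.as_.register_resource_set(self.pat, name, scopes)["_id"]
        self.resources[name] = {"_id": rs_id, "data": data}

    def handle(self, name, scope, rpt=None):
        """One HTTP exchange as (status, headers, body). Without a valid RPT the RS
        answers 403 with a UMA challenge and a fresh ticket, as in UMA 1.0.1."""
        res = self.resources[name]
        if rpt is not None:
            info = self.as_.introspect(self.pat, rpt)
            if info["active"] and any(p["resource_set_id"] == res["_id"] and scope in p["scopes"]
                                      for p in info["permissions"]):
                return 200, {}, {name: res["data"]}
        ticket = self.as_.register_permission(self.pat, res["_id"], [scope])["ticket"]
        return 403, {"WWW-Authenticate": f'UMA realm="iot", as_uri="{self.as_.uri}"'}, {"ticket": ticket}


def client_access(rs, as_, aat, name, scope):
    """Client operated by a requesting party: try, redeem the ticket at the AS, retry with the RPT."""
    status, headers, body = rs.handle(name, scope)
    if status == 403 and headers.get("WWW-Authenticate", "").startswith("UMA ") and "ticket" in body:
        grant = as_.issue_rpt(aat, body["ticket"])
        if "rpt" not in grant:
            return 403, grant
        status, _, body = rs.handle(name, scope, rpt=grant["rpt"])
    return status, body


def demo():
    as_ = AuthorizationServer("https://as.example.com")
    rs = ResourceServer(as_, as_.issue_pat("alice"))
    rs.protect("thermostat", ["read", "write"], {"setpoint": 21})
    as_.set_policy("alice", rs.resources["thermostat"]["_id"], "bob", ["read"])   # alice shares read with bob
    bob, mallory = as_.issue_aat("bob"), as_.issue_aat("mallory")
    return {"bob_read": client_access(rs, as_, bob, "thermostat", "read"),
            "bob_write": client_access(rs, as_, bob, "thermostat", "write"),
            "mallory_read": client_access(rs, as_, mallory, "thermostat", "read")}


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the resource server never sees the owner's policy, it only registers what was attempted and later introspects the token it is handed, and the client never talks to the owner, because the grant was recorded at the authorization server before the request was made. A real deployment would also bind the RPT to the client, expire tickets and RPTs, and protect every endpoint with TLS.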


Official Website

Spec v1.0.1

Use Case

Implementations

Attribute Based Access Control

Attribute Based Access Control (ABAC): An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions. – NIST


eXtensible Access Control Markup Language (XACML)

XACML stands for “eXtensible Access Control Markup Language”. The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between access control implementations by multiple vendors. XACML is primarily an Attribute Based Access Control system (ABAC), where attributes (bits of data) associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC. — Wikipedia
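The NIST definition of ABAC above and the XACML processing model are the same idea at two levels: attributes of the subject, the object, the action and the environment go in, a policy written over those attributes is evaluated, and a decision comes out. The following added example, written for this page and not taken from OASIS, Wikipedia or any XACML vendor, is a small policy decision point for a subset of XACML 3.0 (Policy, Rule, Target, AnyOf/AllOf/Match, the deny-overrides rule-combining algorithm). The policy itself is constructed for an IoT door lock: the attribute IDs `device:status` and `env:hour`, the resource `door-lock` and the 08:00 to 20:00 window are assumptions; the category, attribute and function URNs are the standard ones. Missing required attributes are handled, which is the case an attacker who can strip an attribute from a request cares about.

```python
"""Added example (not code from the page, OASIS or any XACML vendor): a minimal
XACML 3.0 PDP for the policy subset used by the constructed policy below.
Attribute IDs device:status and env:hour, resource door-lock and the hours are assumed."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
XS = "http://www.w3.org/2001/XMLSchema#"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENVIRONMENT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Constructed policy: a revoked device is always denied; otherwise a device may
# unlock the door only while the environment attribute env:hour is in [8, 20).
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="iot-door-lock" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="deny-revoked-device" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}string">revoked</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="device:status"
          DataType="{XS}string" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="permit-unlock-in-hours" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}string">unlock</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
          DataType="{XS}string" MustBePresent="true"/>
      </Match>
      <Match MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}string">door-lock</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}"
          DataType="{XS}string" MustBePresent="true"/>
      </Match>
      <Match MatchId="{FN}integer-less-than-or-equal">
        <AttributeValue DataType="{XS}integer">8</AttributeValue>
        <AttributeDesignator Category="{ENVIRONMENT}" AttributeId="env:hour"
          DataType="{XS}integer" MustBePresent="true"/>
      </Match>
      <Match MatchId="{FN}integer-greater-than">
        <AttributeValue DataType="{XS}integer">20</AttributeValue>
        <AttributeDesignator Category="{ENVIRONMENT}" AttributeId="env:hour"
          DataType="{XS}integer" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

# A Match applies its function as f(AttributeValue, request attribute), so
# integer-less-than-or-equal(8, hour) reads "8 <= hour".
FUNCTIONS = {
    FN + "string-equal": lambda v, a: v == a,
    FN + "integer-less-than-or-equal": lambda v, a: v <= a,
    FN + "integer-greater-than": lambda v, a: v > a,
}


def _typed(text, datatype):
    return int(text) if datatype == XS + "integer" else text


def _match(match, request):
    """True, False, or None for Indeterminate (a MustBePresent attribute is missing)."""
    value_el = match.find("x:AttributeValue", NS)
    desig = match.find("x:AttributeDesignator", NS)
    value = _typed(value_el.text, value_el.get("DataType"))
    bag = request.get(desig.get("Category"), {}).get(desig.get("AttributeId"), [])
    if not bag:
        return None if desig.get("MustBePresent") == "true" else False
    return any(FUNCTIONS[match.get("MatchId")](value, item) for item in bag)


def _combine(results, mode):
    """Three-valued AND ("all") or OR ("any") over True, False and None."""
    if mode == "all":
        return False if False in results else (None if None in results else True)
    return True if True in results else (None if None in results else False)


def _target_applies(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match. Empty target applies."""
    if target is None:
        return True
    return _combine([_combine([_combine([_match(m, request) for m in all_of.findall("x:Match", NS)], "all")
                               for all_of in any_of.findall("x:AllOf", NS)], "any")
                     for any_of in target.findall("x:AnyOf", NS)], "all")


def evaluate(policy_xml, request):
    """Returns Permit, Deny, NotApplicable or Indeterminate for one request context."""
    policy = ET.fromstring(policy_xml)
    applies = _target_applies(policy.find("x:Target", NS), request)
    if applies is not True:
        return "NotApplicable" if applies is False else "Indeterminate"
    decisions = []
    for rule in policy.findall("x:Rule", NS):
        applies = _target_applies(rule.find("x:Target", NS), request)
        decisions.append(rule.get("Effect") if applies is True
                         else "NotApplicable" if applies is False else "Indeterminate")
    # Simplified deny-overrides: the 3.0 algorithm also distinguishes kinds of Indeterminate.
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in decisions:
            return outcome
    return "NotApplicable"


def make_request(device_status, action, resource, hour=None):
    """Constructed request context; hour=None leaves the environment attribute out entirely."""
    return {SUBJECT: {"device:status": [device_status]},
            ACTION: {ACTION_ID: [action]},
            RESOURCE: {RESOURCE_ID: [resource]},
            ENVIRONMENT: {} if hour is None else {"env:hour": [hour]}}
```

The policy enforcement point must treat anything other than Permit as a refusal: NotApplicable means no rule spoke, and Indeterminate means a required attribute (here the environment's hour) never reached the decision point, which is exactly the condition a hardened PEP should fail closed on rather than fall through to a default.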

Official Website

101

Spec v3.0

Implementations