Information about the IAM project and issues that do not belong to a specific repository
mozilla-iam

Vision

All Mozillians (paid staff and contributors) have convenient and appropriate access to Mozilla services through a unified, authoritative, integrated identity system that empowers them to build a better Internet

Summary

Mozilla’s Identity and Access Management (IAM) aims to improve the productivity of Mozillians (end-users and operational teams) by streamlining IAM management tasks while providing visibility into who has access to what. Additionally, IAM provides an easier and significantly safer experience both for the user and for services that need authentication.

See also the press statement (this is not a real press statement; it is an exercise used to kick-start projects).

Diagram

Technical and detailed diagrams


  • Technical Diagram 2017 (old): high-level technical diagram of the different Mozilla IAM components and their interactions, from the 2017 IAM implementation.
  • Login flows: shows how login and account verification work from a visual, high-level point of view.

Concepts

2 Stage Access validation

Mozilla IAM validates identity using one or more factors. It also validates authorization, or access, using one or more authorization stages. In the common case, a user account's access is first verified by the access provider at a high level, using broad groups or roles (stage 1). The RP (Relying Party) then performs the same and/or additional verification, which may grant specific access within the application (stage 2).

Ex: A reviewer has a 'Staff' role and is granted access to the application by the first-stage verification. The reviewer then gets access to the reviewer features of the application, access which is granted by the second-stage verification (i.e. the RP's own verification).


Automatic expiration of access

Mozilla IAM records a timestamp of the last successful login to each RP (Relying Party) during the user's login. The timestamp is tied to the RP, so Mozilla IAM can tell the date at which a given RP was last accessed by a given user. Automatic expiration of access is the method by which Mozilla IAM uses this timestamp to decide whether the user should retain access, regardless of any other access control mechanism. If the timestamp is older than a certain amount of time (such as 6 months), access is denied and the user has to ask for the access to be re-enabled.

This method is useful in environments where group-based or role-based access cannot always be well managed, and where it is difficult to keep track of which group grants access to what, and which users should have access. In other words, this method automatically implements a "use it or lose it" logic.

Note: The access validation occurs as part of the "2 Stage Access validation" concept and is not meant as a replacement for group-based and role-based access control.
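The following is an added example, not Mozilla IAM's own code, that models both concepts above in one place: the two access-validation stages (a broad group check at the access provider, then a feature-level check at the RP) and the per-RP "use it or lose it" expiration that runs as part of stage 1. The `User`/`RelyingParty` layout, the 180-day window, the group names and the sample users are all assumptions made for illustration; in particular, the example assumes that a user with no recorded login for an RP has never accessed it, so there is nothing to expire yet.

```python
"""Added example (not Mozilla IAM's own code): a minimal model of the two
access-validation stages and of per-RP "use it or lose it" expiration.
Names, data layout and the 180-day window are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy: access to an RP lapses when the user has not logged in to
# that RP for this long (the README gives "6 months" as an example).
MAX_IDLE = timedelta(days=180)


@dataclass
class User:
    username: str
    groups: set                                      # broad groups/roles seen at stage 1
    last_login: dict = field(default_factory=dict)   # rp_id -> datetime of last successful login


@dataclass
class RelyingParty:
    rp_id: str
    required_group: str     # coarse requirement enforced by the access provider
    feature_groups: dict    # feature name -> group the RP itself requires (stage 2)


def stage1_access_provider(user, rp, now):
    """Stage 1: the access provider decides whether the user may reach the RP at all.
    The per-RP last-login timestamp is checked here on top of (not instead of)
    the group/role check. Returns (allowed, reason)."""
    if rp.required_group not in user.groups:
        return False, "missing group %s" % rp.required_group
    last = user.last_login.get(rp.rp_id)
    # Assumption: no record means the user never logged in to this RP, so the
    # group check alone decides. A stale record denies regardless of groups.
    if last is not None and now - last > MAX_IDLE:
        return False, "access to %s expired (last login %s)" % (rp.rp_id, last.date())
    return True, "ok"


def record_login(user, rp, now):
    """On a successful login the access provider stores the timestamp, tied to the RP."""
    user.last_login[rp.rp_id] = now


def stage2_relying_party(claims, rp, feature):
    """Stage 2: the RP re-checks the groups it received in the claims and gates
    one specific feature. It relies on stage 1 having already passed."""
    needed = rp.feature_groups.get(feature)
    if needed is None:
        return False, "unknown feature %s" % feature
    if needed not in claims["groups"]:
        return False, "feature %s needs group %s" % (feature, needed)
    return True, "ok"


def login_and_use(user, rp, feature, now):
    """Run both stages for one login attempt; returns (allowed, reason)."""
    ok, why = stage1_access_provider(user, rp, now)
    if not ok:
        return False, "stage1: " + why
    record_login(user, rp, now)
    claims = {"sub": user.username, "groups": sorted(user.groups)}  # what the RP receives
    ok, why = stage2_relying_party(claims, rp, feature)
    if not ok:
        return False, "stage2: " + why
    return True, "ok"


# Constructed sample data (hypothetical RP, groups and users).
REVIEW_APP = RelyingParty("review-app", "Staff", {"review": "reviewers", "view": "Staff"})
NOW = datetime(2019, 9, 1, tzinfo=timezone.utc)


def demo():
    """Four attempts covering each outcome; returns {label: (allowed, reason)}."""
    alice = User("alice", {"Staff", "reviewers"})                 # passes both stages
    bob = User("bob", {"Staff"})                                  # may view, may not review
    carol = User("carol", {"Staff", "reviewers"},                 # right groups, but idle
                 last_login={"review-app": NOW - timedelta(days=200)})
    return {
        "alice_review": login_and_use(alice, REVIEW_APP, "review", NOW),
        "bob_review": login_and_use(bob, REVIEW_APP, "review", NOW),
        "bob_view": login_and_use(bob, REVIEW_APP, "view", NOW),
        "carol_review": login_and_use(carol, REVIEW_APP, "review", NOW),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print("%-13s %-5s %s" % (label, allowed, reason))
```

Note that carol is denied at stage 1 even though she holds every group the RP asks for: that is the point of the expiration check running independently of group membership, and it is why the README stresses that it complements rather than replaces group-based control (bob still cannot review, because stage 2 enforces the finer-grained group).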


Links and information

Internal links

Discussion

About the GitHub organization setup

This organization has been created to hold IAM-related public repositories. These repositories are public. This organization follows https://mana.mozilla.org/wiki/display/POLICIES/Standard%3A+GitHub+repositories+and+organizations. Access control needs to be tighter than on https://www.github.com/mozilla/ (the main Mozilla GitHub organization), which warrants its separation.

About this repository

This repository tracks all issues that do not have a GitHub repository assigned (such as non-code issues, code that has no repository yet, etc.).

Contact

For more information, please contact Mozilla Infosec (https://infosec.mozilla.org/) or the Open Innovation Team (https://wiki.mozilla.org/Innovation).
