All Mozillians (paid staff and contributors) have convenient and appropriate access to Mozilla services through a unified, authoritative, integrated identity system that empowers them to build a better Internet
Mozilla’s Identity and Access Management (IAM) aim to improve the productivity of Mozillians (end-users and operational teams) by streamlining IAM management tasks while providing visibility. Additionally, IAM provides an easier and significantly safer experience for the user and for services in need of authentication.
See also the press statement (this is not a real press-statement, it is an exercise to kick-start projects).
- Technical Diagram 2017 (old) High-level technical diagram of the different Mozilla IAM components and their interactions from 2017's IAM implementation.
- Login flows shows how login and account verification work from a visual, high level point of view.
Mozilla IAM validates identity using one or more factors. It also validates authorization, or access, using one or more authorization stages. The common case is a user account's access being verified by the access provider at a high-level using broad groups or roles. The RP (Relying Party) will then perform the same or/and additional verification, which may allow specific access within the application.
Ex: A reviewer may have a 'Staff' role and is granted access at the first stage verification. The reviewer then gets access to the reviewer features in the application, access which is granted by the 2nd stage verification (i.e. RP verification).
Mozilla IAM records a timestamp of the last successful login to any RP (Relying Party) during the user's login. The timestamp is tied to the RP. With this, Mozilla IAM is able to tell the date at which an RP was last accessed by a user. Automatic expiration of access is the method by which Mozilla IAM use the timestamp to decide if the user should retain access, regardless of any other access control mechanism. If the timestamp is older than a certain amount of time (such as 6 month), then the access will be denied and the user will have to ask for the access to be re-enabled.
This method is useful in environments where group-based or role-based access cannot always be well managed, and where keeping track of which group gives access where, what user should have access is difficult. In other word, this method implements a logic of "use it or lose it" automatically.
Note: The access validation occurs as part of the "2 Stage Access validation" concept and is not meant as a replacement for group-based and role-based access control.
Mozilla IAM uses various indicators in order to figure out if a user should have access to a relying party. AAI (Authentication Assurance Indicators) are generated for the user who's authenticating. These could be indicators that a user has used a 2FA device (with different strength of authentication), that their geo-location changed, that their identity provider performed additional authentication checks, that they've logged in before with the same machine, that their machine's software is up to date, etc.
These AAIs are ranked and used to determine an AAL (Authentication Assurance Level) for that iteration of the authencation of the user. The AAL is re-calculated each time a user authenticates as the indicators may have changed. A map of AAI to AAL can be found in our well-known endpoint.
The AALs are ranked using the Mozilla Standard Levels,
i.e. LOW/MEDIUM/HIGH/MAXIMUM
. The AAL is used to determine if a user should be granted access per relying party.
For example, if AAL=LOW
, the user may be able to chat on Discourse, but have no administrative capabilities (which may
require AAL=HIGH
). See also the diagram below illustrating this use case.
NOTE: The default for all relying parties is to require AAL=MEDIUM
. An example of a relying party allowing AAL=LOW
would
be https://discourse.mozilla-community.org/ or https://voice.mozilla.org/
- Core functionality
- Access Provider the glue for everything (Auth0).
- SSO Dashboard Configuration and Access Control Database where access control is set at the IAM level (additionally to the site's own controls).
- New Login Experience (NLX) the login panel to login to websites.
- OpenLDAP staff Identity Provider
- DuoSecurity (2FA) staff 2FA
- Core APIs
- CIS (Change Integration Service)
- IAM User Profile the user profile specification.
- Websites
- SSO Dashboard where you find the websites you can access.
- People.mozilla.org / DinoPark the user profile editor.
- IAM Infrastructure how IAM runs.
Backend which deals with IAM data integration from multiple sources and provides various APIs to CIS (PersonAPI, Change/Person endpoints, well-known endpoint). This includes signing, authorization, profile storage model, publishing code and drivers.
Repositories:
- https://github.com/mozilla-iam/cis
- https://github.com/mozilla-iam/cis_functions
- https://github.com/mozilla-iam/person-api
- https://github.com/mozilla-iam/gsuite-community-drive-driver
- https://github.com/mozilla-iam/slack-driver/
The IAM user profile utilize by CIS and other modules. It also presents the schema and profile rules on the well-known endpoints.
Provides OIDC, SAML, WS-FED, etc. connectivity and IdP shadowing for the purpose of providing identity and access management to relying parties. Currently utilizes Auth0 to perform this function. This includes all auth0 related CI, configuration and rule engine.
- Operator: Third party (Auth0)
Repositories:
- https://github.com/mozilla-iam/auth0-ci/
- https://github.com/mozilla-iam/auth0-deploy
- https://github.com/mozilla-iam/authzerolib
This is the application launcher available at https://sso.mozilla.com.
Repository:
This is the configuration and apps.yml
.
Repository:
This is the login window for Mozilla IAM.
Repository:
This is the new place to edit Mozilla IAM profiles, manage groups, search & discover people. It will be available at https://people.mozilla.org (beta at https://people.allizom.community). Test environment is: https://dinopark.k8s.test.sso.allizom.org/ development environment is: https://dinopark.k8s.dev.sso.allizom.org
Repositories: The full list of repositories and what they contain can be found at https://github.com/mozilla-iam/dino-park/blob/master/Introduction.md#repositories
Site containing old mozillians.org vouches
Repository:
The AWS resources used for running many components of IAM.
This is the Staff user database, credential storage and group system (IdP). It also contains some non-staff contributors.
This is the 2FA/MFA product utilized to augment OpenLDAP with a second-factor.
- Operator: Third party (Duo)
- Mozilla internal "mana" page This contains some internal processes and some legacy documentation.
- GDrive (Team Drive) This contains internal research docs and meeting notes.
- Roadmap
- Decision making Who's responsible for ultimately making decisions and who's accountable for these.
- Decision log A log of past decisions that seemed important.
- CONTRIBUTING A list of principles that we go by when participating to the Mozilla IAM project.
- GitHub Security Settings How our repositories are setup in GitHub, and why.
- GLOSSARY A list of terms that are commonly used in this project, with their definition or explanation.
- Auth0 and IAM metrics dashboard A dashboard with statistics about Auth0 usage and people.mozilla.org engagement. Note that the access is limited to Mozilla employees.
- Discourse public, main board: https://discourse.mozilla-community.org/c/iam (iam@mozilla-community.org)
- Discourse MOZILLA CONFIDENTIAL board: https://discourse.mozilla-community.org/c/iam/internal (iam+internal@mozilla-community.org) - only use when strictly necessary
- Slack: https://mozilla.slack.com/messages/G606LM42Y/
- Slack automated messages/bots/statuses: https://mozilla.slack.com/messages/G92LX4J3T/
This organization has been created to hold IAM-related public repositories. These repositories are public. This organization follows https://mana.mozilla.org/wiki/display/POLICIES/Standard%3A+GitHub+repositories+and+organizations Access control needs to be tigher than on https://www.github.com/mozilla/ (main Mozilla GitHub organization) warranting it's separation.
Response time (triaging issues and PRs) varies between repositories, with the following repositories being identified as "crucial" which means we will do our best to stay on top of:
- mozilla-aws-cli
- federated-aws-rp
- auth0-custom-lock
- sso-dashboard
- sso-dashboard-configuration
- auth0-ci
- auth0-deploy
- cis
This repository tracks all issues that do not have a GitHub repository assigned (such as non-code, code without repo, etc.)
For more information, please contact Mozilla Infosec (https://infosec.mozilla.org/) or the Open Innovation Team (https://wiki.mozilla.org/Innovation).