Presentation is loading. Please wait.

Presentation is loading. Please wait.

OGSA Attributes: Requirements, Definitions, and SAML Profile Abstract This document specifies elements and vocabulary for expressing attribute assertions.

Published byJulie Jones Modified over 8 years ago

Similar presentations

Presentation on theme: "OGSA Attributes: Requirements, Definitions, and SAML Profile Abstract This document specifies elements and vocabulary for expressing attribute assertions."— Presentation transcript:

1 OGSA Attributes: Requirements, Definitions, and SAML Profile Abstract This document specifies elements and vocabulary for expressing attribute assertions to be used in the context of the Open Grid Services Architecture (OGSA). A profile for specifying subject attributes using SAML AttributeAssertions is also included. The intention of defining standard formats and meanings for these assertions is to facilitate compatibility between issuers of attribute assertions and the authorization systems that consume them.

2 Standards for Attribute Assertions Enable interoperability between –Attribute authorities (issuers) –Policy writers –Access Control Decision Function (ADF) –Access Control Enforcement Function (AEF) Standardize –Elements, names/identifiers, values –Format (define a profile)

3 Existing Standards X.509 Attribute Certificats (ASN.1) SAML (Assertion Markup Language) XACML (Access Control Markup Language) Shibboleth We want to use and/or learn from these existing standards.

4 X.509 Attribute Certificate Signed certificates –Issuer –Validity period –Subject –Attribute name/value (OID) defines object schema –extensions Attributes set is extensible Pre-defined attributes: –Authentication info, charging identity, access identity, group, role, clearance level, keyInfo,revocation info

5 SAML Attribute Assertion –Issuer, validity dates, conditions, statement(s) Attribute Statement –Subject, condition(s), attribute(s) No specific values defined

6 XACML Defines attribute for use in policy statement or user contexts. Assertions are out of scope Meta-data –Name, issuer, data type Value(s) Some pre-defined attributes –Subject-id, subject-category,key-info,, authentication-time, authentication-method, request-time, start-time, ip-address, dns-name, x.509 inet-org elements.

7 Shiboleth Uses inet-org person elements as does XACML And edu-person elements –eduPersonPrincipalName, eduPersonAffliation, eduPersonExtGroupMembership

8 Points of comparison Number of subjects supported (usually just one) Representing multiple values (all) Predefined attribute identifiers (not SAML) Digital signatures (not XACML) Attribute meta-data (not SAML) Association with a subject or principal (XACML from subject context) Attribute identifier format (each different) Encoding (ASN.1,XML)

9 Proposed elements (normative) Attribute Assertion Issuer Condition (0 or more) Holder/Subject Attribute (1 or more) Name Value (0 or more) Data Type (0 or 1) Condition (0 or more) Signature (optional)

10 Discussion points MRT Should validity be separate from other conditions. Can validity be optional? Do we need to have different validity periods for each attribute. If so can they just be placed in different assertions. Do we need to specify data types for each attribute? [RSL – What about standardizing attribute meta-data definitions, such as issuer identity, attribute value datatype, etc? Are we making assumptions about attribute type here? Is the attribute type an actual datatype or is it tuple of [attribute identifier, attribute datatype)? Are we assuming that the attribute name is the attribute identifier? What about a naming scheme for such identifiers OID, Namespace and Name, AttributeId are three different approaches taken in AC, SAML and XACML which are each noted.] Anne Anderson - Argument in favor of including a data type. An XACML PDP must know not only the syntax of an attribute value, but also the semantics for how to handle it in functions (compare it for greater or less than, add it to another value, etc.). If attribute values were defined as schema instances, then not only would the PDP have to locate and process the schema associated with each attribute, but the PDP would also have to be augmented with code that understands the semantics of the schema-defined information.

11 Standard Attributes “group”, “role”, “account id”, aka. “charging identity”, “project id”, “clearance”, “citizenship”, and “VO membership –Defined in a namespace: /www.gridforum.org/namespaces/2003/06/ ogsa-authz/attributeType Elements of inetOrg-person and eduPerson to be compatible with XACML and Shiboleth

12 Discussion Points Do we need to standardize both names and legal values What about Liberty attributes What values should we define?

13 Conditions Recommend that conditions are kept as simple as possible If a relying party does not understand a condition, it must not use the attribute Single value conditions, e.g. doNotCache Multiple value conditions, audienceRestriction Boolean expressions e.g., time > 8am and time < 5pm

14 Discussion Points RSL – Are we assuming that conditions are expressed as functions? ML: I would recommend to reuse XACML functions here. However, using XACML may be quite verbose, so if we want to be human readable we may want to use the relational operators mentioned above, but I think there may be encoding issues. (,& have to be escaped in XML- mrt) XACML conditions are evaluated by ADF, while the attributes may be extracted from the request context and assembled for submission to the PDP by the PEP who typically would not have the code for evaluating XACML rules. [RSL - What motivates the need for human readability?] I find it hard to determine a useful subset of the standard XACML functions (as all seem useful without a concrete use case) and would almost think that if one uses an XACML library all the functions are available to the PDP. However, a context manager (which has typically no XACML evaluation engine) is the component that would have to evaluate these conditions and determine if the attribute should be honored (provided to the PDP) or not.

15 SAML profile assertion An optional Conditions element specifying the conditions for use of the assertion An optional Advice element specifying advice for use of the element (recommend against) Zero or more AttributeStatements specifying attributes. An optional Signature element allowing the Assertion to be verified The issuer (the attribute authority) The issue instant (date/time)

16 SAML profile attribute statement Subject element One or more attributes consisting of –Attribute name and name space –One or more attribute values

17 Discussion points Do we want to use namespaces? How to define data types or other metadata for attributes

Download ppt "OGSA Attributes: Requirements, Definitions, and SAML Profile Abstract This document specifies elements and vocabulary for expressing attribute assertions."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Web services security I

Web services security I
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML OASIS eXtensible Access Control Markup Language Steve Carmody July 10, 2003 Steve Carmody July 10, 2003.

XACML OASIS eXtensible Access Control Markup Language Steve Carmody July 10, 2003 Steve Carmody July 10, 2003.
XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google