Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Sessions OASIS Security Services Face to Face #3 June 25, 2001.

Published byJoel Dungey Modified over 9 years ago

Similar presentations

Presentation on theme: "Dynamic Sessions OASIS Security Services Face to Face #3 June 25, 2001."— Presentation transcript:

1 Dynamic Sessions OASIS Security Services Face to Face #3 June 25, 2001

2 Motivation The purpose of Dynamic Sessions is to allow the federation of SAML-aware applications into a cooperative ecosystem that presents users and administrators with a single, global login session across all of the participating applications in the ecosystem.

3 Static Sessions User Authentication Authority Application #2 Application #1 1 Authenticate 2 Access 3 Timeout in: TA 2 +  2 4 Re-Access Timeout in: TA 1 +  1 Timeout in: TA 1 ` +  1

4 Dynamic Sessions User Authentication Authority Application #2 1 Authenticate 2 Access 3 Timeout in: TA 2 +  2 4 Re-Access Timeout in: TA 1 +  1 Timeout in: TA 2 +  1 Timeout in: TA 1 ` +  1 Application #1 Timeout in: TA 1 ` +  2

5 Terms Local Session Local Session – A set of state information shared between a client application and the Resource Manager. This information is used for tracking the users activity within the overall system. Example implementation: javax.servlet.http.HttpSession.javax.servlet.http.HttpSession Global Session Global Session – The union of the set of local sessions maintained by various Resource Managers that apply to the same Principal and Authentication Assertion. Resource Manager Resource Manager – An Entity within a distributed system that is responsible for managing resources. A Resource Manager can encapsulate or be closely coupled with a PEP. Session Authority Session Authority – The System Entity responsible for maintaining Global Session state and issuing Session Assertions.

6 Terms (continued) Session Assertion Session Assertion – A SAML Assertion that contains information about the state of a Global Session and (possibly) references to the Authentication Assertion that was used to initiate the session. Session Participant Session Participant – A Resource Manager that normally tracks and maintains Local Sessions which has also chosen to participate in the Global Sessions system.

7 Participation in Dynamic Sessions is... Voluntary Voluntary – Applications can be SAML compliant without participating in Dynamic Sessions. Granular Granular – Applications can choose to participate in the Dynamic Session system to a degree appropriate to their goals.

8 Supported Operations Session Request User Session Termination Admin Session Termination Timeout

9 Session Request User Authentication Authority Application #2 Application #1 Session Authority Session Authority Session Management Client Session Management Client Session Management Client Session Management Client 6 4 5 Re-direct 3 7 1 Authenticate 2 Access

10 User Logout Authentication Authority Application #2 Application #1 Session Authority Session Authority Session Management Client Session Management Client Session Management Client Session Management Client 2 3 1 Logout User

11 Admin Logout User Authentication Authority Application #2 Application #1 Session Authority Session Authority Session Management Client Session Management Client Session Management Client Session Management Client 2 3 1 Logout Administrator

12 Timeout Timeout Decision Timeout Decision – The decision by a Session Authority that a particular Global Session has been inactive for a length of time that exceeds its configured timeout value. Timeout Execution Timeout Execution – The notification by the Session Authority to the Participants of a Global Session that the Global Session has timed out. In practice this would behave very much like the “Admin Logout” scenario.

13 Timeout Decision Algorithm #1 User Authentication Authority Application #2 Application #1 Session Management Client Session Management Client Session Management Client Session Management Client Session Authority Session Authority

14 Timeout Decision Algorithm #2 User Authentication Authority Application #2 Application #1 Session Management Client Session Management Client Session Management Client Session Management Client Session Authority Session Authority

15 Timeout Decision (cont’d) There are two interesting possibilities for the relationship between Global Session Timeouts and Local Session Timeouts: either the Local Session Timeout exceeds the Global Session Timeout, or the Global Session Timeout exceeds the Local Session Timeout.

16 Local Timeout Exceeds Global Timeout 1.Global Session expires. 2.Session Authority terminates Local Sessions.

17 Global Timeout Exceeds Local Timeout 1.Local Session expires. 2.Local session manager may either A.Ignore the status of the Global Session, or B.Query the Session Authority for status of the Global Session and (if the Global Session is alive) either i.Extend Local Session by some grace period, or ii.Mirror status of Global Session (i. e. keep Local Session alive for as long as the Global Session is alive).

18 Session Participation Election Out of band configuration. Dynamic discovery of the Session Authority by inspection of the Authentication Assertion followed by registration of the Local Session with the Session Authority. Resource Managers may elect to participate in Dynamic Sessions by either:

Download ppt "Dynamic Sessions OASIS Security Services Face to Face #3 June 25, 2001."

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Suchin Rengan Principal Technical Architect Salesforce.com
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.

Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
ITU-T SG13 futures session – July 25, 2003 - D1 Present document contains informations proprietary to France Telecom. Accepting this document means for.

ITU-T SG13 futures session – July 25, D1 Present document contains informations proprietary to France Telecom. Accepting this document means for.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
1 IBM SanFrancisco Product Evaluation Negotiated Option Presentation By Les Beckford May 2001.

1 IBM SanFrancisco Product Evaluation Negotiated Option Presentation By Les Beckford May 2001.
The Traust Authorization Service A. Lee, M. Winslett, J. Basney, and V. Welch University of Illinois at Urbana-Champaign www.iti.uiuc.edu Goal: A scalable.

The Traust Authorization Service A. Lee, M. Winslett, J. Basney, and V. Welch University of Illinois at Urbana-Champaign Goal: A scalable.
SACMAT02-1 Security Prototype Defining a Signature Constraint.

SACMAT02-1 Security Prototype Defining a Signature Constraint.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
© Copyright 2013 TONE SOFTWARE CORPORATION. Confidential and Proprietary. All rights reserved. ® Basic Administrator Training – Release 4.1.1 Adding Users.

© Copyright 2013 TONE SOFTWARE CORPORATION. Confidential and Proprietary. All rights reserved. ® Basic Administrator Training – Release Adding Users.

Similar presentations

Ads by Google