Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Published byRalph Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential."— Presentation transcript:

1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 1 © 2010 Cisco and/or its affiliates. All rights reserved. Josh Howlett, Sam Hartman, Hannes Tschofenig, Eliot Lear

2 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 Introduction Design Goals Major components RADIUS/Diameter GSS/GS2 EAP SAML Discovery Trust Privacy Considerations Deployment Considerations Future Work

3 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 Each party of a transaction will be authenticated, and the principal will be authorized for access to a specific resource. Means of authentication is to be decoupled so as to allow for multiple authentication methods. No sharing of long term private keys. Scale to large numbers of identity providers. Focus on non-web-based authentication. Stand on the shoulders of others (and not their backs).

4 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 Federation RP Application Radius Proxy Identity Provider EAP Radius/ Diameter anonymous@example.com SAML

5 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Why GSS-API/SASL? We need a generalized application service interface Both GSS-API and SASL are there Why RADIUS? Need a AAA substrate that builds on existing trust relationships, where possible. Wide successful deployment Why EAP? We need a way to generalize end-to-end authentication mechanisms Lots of work has gone into EAP mechanisms. Why SAML? Need a way to frame and transport attribute assertions. SAML is widely deployed on the web.

6 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 Relying Party Client App IdP | (1) | Client App gets NAI (somehow) | | | | | | Mechanism Selection | | | |<-----(3)-----<| | NAI transmitted to RP | | | | | Discovery | | | |>=====(5)====================>| Access request from RP to IdP | | | | |< - - (6) - -<| EAP method to Principal | | | | | | EAP Exchange to authenticate | | | Principal | | | | | (8 & 9) Local Policy Check | | | |<====(10)====================<| IdP Assertion to RP | | | | | | (11) RP Processes results. | | | |>----(12)----->| | Results to client app.

7 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 Based on Network Access Identifier (NAI) realm component[RFC4282] Realm = IdP Routing of request to IdP not in scope (right now) Could be statically configured AAA proxies Trust Brokers Global Credential Relying Party determines order of discovery when multiple federations exist IdP is usually billable party

8 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 The individual is represented by the IdP and must trust the IdP The Relying Party wants to maximize revenue. The model allows for the RP to order discovery. The model does NOT allow for the RP to see other than results indications and assertions from the IdP. The Federation wants to maximize revenue. Any discovery through a federation cannot provide the federation to claim it’s the only path. Federation RP Application Radius Proxy Identity Provider

9 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 The principal trusts IdP to authorize and protect privacy trusts the relying party to deliver services The relying party trusts the federation to reach the IdP trusts the IdP to provide accurate authentication and attributes about the principal The IdP trusts the federation to authorize and convey RP communications The federation relies on no claims

10 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 Extensive discussion about sharing of principal information Relationship between users and other entities What data about the user is likely needed to be collected? What is the identification protocol layer? Challenges Federation agreements are often not transparent to all parties Limited control available by principal

11 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 3 rd party attribute providers Do we go through AAA infrastructure? Use of HTTP? Interactions with other infrastructure (OAUTH)?

12 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Which EAP mechanisms should be recommended (if any)? Do we have a mandatory-to-implement mechanism? UI issues will impact us. Are they solved here? SAML exchanges need lots of tightening in the document More detail in the swimming lane diagram? Implementation guide needed? Normative language in current version Security Considerations need to be written

13 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 There is an open question here as to the details; today RFC 5554 governs. We could use that and the current draft assumes we will. However in Beijing we became aware of some changes to these details that would make life much better for GSS authentication of HTTP. We should resolve this with kitten and replace this note with a reference to the spec we're actually following.

14 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 Your turn: please read the draft WG draft? Split normative text out?

Download ppt "© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential."

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.

ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.

TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman

Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google