OGSA Attributes: Requirements, Definitions, and SAML Profile

OGSA Attributes: Requirements, Definitions, and SAML Profile

Abstract
This document specifies elements and vocabulary for expressing attribute assertions to be used in the context of the Open Grid Services Architecture (OGSA). A profile for specifying subject attributes using SAML AttributeAssertions is also included. The intention of defining standard formats and meanings for these assertions is to facilitate compatibility between issuers of attribute assertions and the authorization systems that consume them.

Standards for Attribute Assertions
Enable interoperability between
– Attribute authorities (issuers)
– Policy writers
– Access Control Decision Function (ADF)
– Access Control Enforcement Function (AEF)
Standardize
– Elements, names/identifiers, values
– Format (define a profile)

Existing Standards
– X.509 Attribute Certificates (ASN.1)
– SAML (Security Assertion Markup Language)
– XACML (eXtensible Access Control Markup Language)
– Shibboleth
We want to use and/or learn from these existing standards.

X.509 Attribute Certificate
Signed certificates
– Issuer
– Validity period
– Subject
– Attribute name/value (the OID defines the object schema)
– Extensions
The attribute set is extensible
Pre-defined attributes:
– Authentication info, charging identity, access identity, group, role, clearance level, keyInfo, revocation info

SAML
Attribute Assertion
– Issuer, validity dates, conditions, statement(s)
Attribute Statement
– Subject, condition(s), attribute(s)
No specific values defined

XACML
Defines attributes for use in policy statements or user contexts. Assertions are out of scope.
Meta-data
– Name, issuer, data type
Value(s)
Some pre-defined attributes
– subject-id, subject-category, key-info, authentication-time, authentication-method, request-time, start-time, ip-address, dns-name, X.509 / inet-org elements

Shibboleth
Uses inetOrgPerson elements, as does XACML
And eduPerson elements
– eduPersonPrincipalName, eduPersonAffiliation, eduPersonExtGroupMembership

Points of comparison
– Number of subjects supported (usually just one)
– Representing multiple values (all)
– Predefined attribute identifiers (not SAML)
– Digital signatures (not XACML)
– Attribute meta-data (not SAML)
– Association with a subject or principal (XACML from subject context)
– Attribute identifier format (each different)
– Encoding (ASN.1, XML)

Proposed elements (normative)
Attribute Assertion
– Issuer
– Condition (0 or more)
– Holder/Subject
– Attribute (1 or more)
  – Name
  – Value (0 or more)
  – Data Type (0 or 1)
  – Condition (0 or more)
– Signature (optional)

Discussion points
MRT: Should validity be separate from other conditions? Can validity be optional? Do we need to have different validity periods for each attribute? If so, can they just be placed in different assertions? Do we need to specify data types for each attribute?
[RSL – What about standardizing attribute meta-data definitions, such as issuer identity, attribute value datatype, etc.? Are we making assumptions about attribute type here? Is the attribute type an actual datatype, or is it a tuple of [attribute identifier, attribute datatype]? Are we assuming that the attribute name is the attribute identifier? What about a naming scheme for such identifiers? OID, Namespace and Name, and AttributeId are three different approaches taken in AC, SAML and XACML, which are each noted.]
Anne Anderson – Argument in favor of including a data type. An XACML PDP must know not only the syntax of an attribute value, but also the semantics for how to handle it in functions (compare it for greater or less than, add it to another value, etc.). If attribute values were defined as schema instances, then not only would the PDP have to locate and process the schema associated with each attribute, but the PDP would also have to be augmented with code that understands the semantics of the schema-defined information.

Standard Attributes
“group”, “role”, “account id” (aka “charging identity”), “project id”, “clearance”, “citizenship”, and “VO membership”
– Defined in a namespace: / ogsa-authz/attributeType
Elements of inetOrgPerson and eduPerson, to be compatible with XACML and Shibboleth

Discussion Points
– Do we need to standardize both names and legal values?
– What about Liberty attributes?
– What values should we define?

Conditions
– Recommend that conditions are kept as simple as possible
– If a relying party does not understand a condition, it must not use the attribute
– Single-value conditions, e.g. doNotCache
– Multiple-value conditions, e.g. audienceRestriction
– Boolean expressions, e.g. time > 8am and time < 5pm

Discussion Points
RSL – Are we assuming that conditions are expressed as functions?
ML: I would recommend reusing XACML functions here. However, using XACML may be quite verbose, so if we want to be human readable we may want to use the relational operators mentioned above, but I think there may be encoding issues. (<, & have to be escaped in XML – mrt) XACML conditions are evaluated by the ADF, while the attributes may be extracted from the request context and assembled for submission to the PDP by the PEP, who typically would not have the code for evaluating XACML rules.
[RSL – What motivates the need for human readability?]
I find it hard to determine a useful subset of the standard XACML functions (as all seem useful without a concrete use case) and would almost think that if one uses an XACML library all the functions are available to the PDP. However, a context manager (which typically has no XACML evaluation engine) is the component that would have to evaluate these conditions and determine if the attribute should be honored (provided to the PDP) or not.

SAML profile: assertion
– An optional Conditions element specifying the conditions for use of the assertion
– An optional Advice element specifying advice for use of the element (recommend against)
– Zero or more AttributeStatements specifying attributes
– An optional Signature element allowing the Assertion to be verified
– The issuer (the attribute authority)
– The issue instant (date/time)

SAML profile: attribute statement
– Subject element
– One or more attributes, each consisting of
  – Attribute name and namespace
  – One or more attribute values
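The two profile slides above describe a SAML 1.1-shaped assertion (issuer and issue instant on the assertion, a Conditions element, an AttributeStatement holding the Subject and namespaced attributes with one or more values), and the Conditions slide gives the consumer's rule: a condition the relying party does not understand means the attribute must not be used. The following is an added Python example of a relying party applying those rules; it is not part of the deck. The assertion is constructed, the issuer, subject, audience and attribute namespace are placeholders, and the current time is passed in as an xsd:dateTime string.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}   # SAML 1.x assertion namespace
TAG = "{%s}" % NS["saml"]
# Constructed sample assertion in SAML 1.1 layout. Issuer, subject, audience and
# the attribute namespace are placeholders, not values taken from the deck.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
  MinorVersion="1" AssertionID="_c1" Issuer="urn:example:aa" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T18:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:example:pep</saml:Audience></saml:AudienceRestrictionCondition>
    <saml:DoNotCacheCondition/>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="group" AttributeNamespace="urn:example:attributeType">
      <saml:AttributeValue>physics</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="VO membership" AttributeNamespace="urn:example:attributeType">
      <saml:AttributeValue>atlas</saml:AttributeValue><saml:AttributeValue>cms</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The same assertion carrying a condition this consumer has no code for.
SAMPLE_UNKNOWN = SAMPLE.replace("<saml:DoNotCacheCondition/>",
    '<saml:DoNotCacheCondition/><x:OnlyOnTuesdays xmlns:x="urn:example:ext"/>')

def _ts(s):
    """Parse an xsd:dateTime in UTC ('Z' suffix), as SAML 1.1 requires."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def usable_attributes(xml_text, my_audience, now):
    """Return {'subject': ..., 'attributes': {(namespace, name): [values]}} if every condition
    holds and is understood, else None (use no attribute); `now` is an xsd:dateTime UTC string."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        t, nb, na = _ts(now), cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and t < _ts(nb)) or (na and t >= _ts(na)):
            return None                          # outside the validity period
        for c in cond:                           # every condition must be understood
            if c.tag == TAG + "AudienceRestrictionCondition":
                if my_audience not in [a.text for a in c.findall("saml:Audience", NS)]:
                    return None                  # not addressed to this relying party
            elif c.tag != TAG + "DoNotCacheCondition":  # DoNotCache: caller must not store result
                return None                      # unknown condition: must not use the attributes
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[(a.get("AttributeNamespace"), a.get("AttributeName"))] = [
            v.text for v in a.findall("saml:AttributeValue", NS)]
    subject = root.findtext("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", None, NS)
    return {"subject": subject, "attributes": attrs}
```

Signature verification is deliberately left out here; in a deployment the assertion's Signature element would be checked before any of these conditions are evaluated.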

Discussion points
– Do we want to use namespaces?
– How to define data types or other metadata for attributes?