Federate Locally, Federate Globally RL “Bob” Morgan University of Washington and Internet2 European Advanced CAMP Málaga, Spain October 2006 RL “Bob” Morgan.

Slides:

Advertisements

Similar presentations

Identity Network Ideals – Heterogeneity & Co-existence

Advertisements

NRL Security Architecture: A Web Services-Based Solution

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

4/27/2015Slide 1 Rethinking the design of the Internet: The end to end arguments vs. the brave new world Marjory S. Blumenthal Computer Science and Telecomms.

US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.

1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.

The ICAR Federated Identity Model Massimiliano Pianciamore, CEFRIEL Francesco Meschia, CSI-Piemonte

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

The OSI Model A layered framework for the design of network systems that allows communication across all types of computer systems regardless of their.

PKI-Enabled Applications That work! Linda Pruss Office of Campus Information Security

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Single Sign-On -Mayuresh Pardeshi M.Tech CSE - I.

NASA NEX & OpenID -- Observations -- Andreas Matheus Secure Dimensions.

Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Interfederation RL “Bob” Morgan University of Washington and Internet2 Digital ID World 2005 San Francisco.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

CS CS 5150 Software Engineering Lecture 18 Security.

1 Using EMV cards for Single Sign-On 26 th June st European PKI Workshop Andreas Pashalidis and Chris J. Mitchell.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Elements of Trust Framework for Cyber Identity & Access Services CYBER TRUST FRAMEWORK Service Agreement Trust Framework Provider Identity Providers Credential.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Building Secure, Flexible and Scalable Environments using LDAP - SANS Orlando Sacha Faust PricewaterhouseCoopers

Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006.

Access Control for Federation of Emulab-based Network Testbeds Ted Faber, John Wroclawski 28 July 2008

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Using Enterprise Logins in Portal for ArcGIS via SAML Greg Ponto & Tom Shippee.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Scenario w/ WS-Federation to SAML 2.0 interop challenge for Danish public sector The following slides illustrates in a basic manner the technical/security.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.

Interfederation RL “Bob” Morgan University of Washington and Internet2 Internet2 Member Meeting Chicago, Illinois December 2006.

E-Authentication October Objectives Provide a flexible, easy to implement authentication system that meets the needs of AES and its clients. Ensure.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

October 2, 2001 Middleware: Pieces and Processes RL "Bob" Morgan, University of Washington.

Claims-based security with Windows Identity Foundation.

Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.

Draft-howlett-abfab-trust-router-ps ABFAB, IETF83 Josh Howlett & Margaret Wasserman.

Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.

Secure Connected Infrastructure

Federation made simple

Federation Systems, ADFS, & Shibboleth 2.0

Course Content Oracle E-Business Fundamentals

Module Overview Installing and Configuring a Network Policy Server

Prime Service Catalog 12.0 SAML 2.0 Single Sign-On Support

Understanding the OSI Reference Model

AARC2 JRA1 Nicolas Liampotis

Mobile Computing.

Doug Bellows – Inteliquent 3/18/2019

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Federate Locally, Federate Globally RL “Bob” Morgan University of Washington and Internet2 European Advanced CAMP Málaga, Spain October 2006 RL “Bob” Morgan University of Washington and Internet2 European Advanced CAMP Málaga, Spain October 2006

2 Topics ● Federation, micro and macro ● End to end ● Interoperability and flexibility ● Inter/confederation and federation services

3 Federation at the micro level 3 parties interacting requesting party (aka user) asserting party (aka IdP), relying party (aka service) “federation” at micro level happens when asserting party gives requesting party a token, requesting party gives it to relying party, relying party uses it to establish security properties of requesting party asserting party and relying party are under separate administration (note useful case when requesting party and asserting party are the same, ie user asserts about itself)

4 Fundamental infrastructure Federation (at micro level) is a fundamental building-block computing structure like “file”, “network”, “GUI”, “database”, etc hence not product- or technology-specific permits specialization in management of security information asserting party can be good at user proofing, authentication, roles, etc relying party can be good at stuff specific to its application area

5 Federation (micro) barriers 3-party federation requires many agreements what can be asserted about user, both syntactically and semantically (ie, what kinds of things is a particular asserter permitted to assert, in eyes of RP) information flows at signon time protection/validation methods for transmitted data responsibilities of asserting and relying parties capabilities of requesting party (ie client) elements specific to parties: integration, usability, error handling, etc

6 Federation at the macro level Micro-federation is good, so we want to do it a lot ala many files, GUI windows, inter-networks, etc Federation at macro-level supports interests of many parties in doing micro-level federation, by creating community to reduce barriers Hence naming of parties, discovery/listing of parties, defining use of options, organizing into sets by characteristics, establishment/removal processes, etc primarily about parties benefiting from shared management

7 End-to-end in federation 2 kinds of people in the world those who cling to end-to-end principle, those who don't End-to-end argument says elements interacting via infrastructure are responsible for their own semantics; infra services support/optimize but do not alter following this principle in macro-federation federation infra supports parties in management of info needed for their micro-federation interaction, but doesn't take active part in interaction itself parties can micro-federate outside of macro-federation

8 Interoperation and diversity An instance of micro-federation uses more or less static feature set: user identifiers, encryption, flow, attributes, etc A macro-federation supports constrained option set in order to support diversity of business purposes key issue is expectation (or assurance) of full NxN interoperation most federations have assumed/mandated this, but it is unlikely to persist going forward (SAML 1 vs 2, WS-Fed, WS-Trust) managing option evolution is key technical role of fed

9 Examples Logout to some, federated login implies federated logout eg federation services tracking/ending sessions really supportable? role of PKI in supporting SAML interaction SAML sends signed assertions, TLS-protected services should these operations rely on classic PKI (certs, CAs, cross- certification, name constraints, key purposes, etc) or handle public key operations via SAML-specific structures?

10 Inter/Confederation Interconnection among (macro)federations depends on agreement about (macro)federation function can federation-mediated and end-to-end models interoperate? we'll find out...