GFIPM Web Services Implementation Status Update GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Timeline
~2009: Development of use cases / CONOPS
~2010: 1st solid draft of spec (version 0.5)
– Reviewed by community WS experts
– Aligned with GRA via Std. Global Package effort
– Aligned with implementation support for standards
~2011: Verified implementability of spec
– Goals: 1. Conformance on multiple platforms; 2. Interoperability between all platforms
– Encountered many impl. challenges
– Led to several normative language changes
– Now at version 1.0 DRAFT

Conformance and Interoperability: The Scope of the Challenge (Model #1)
Web service consumers (WSC): Java Metro, .NET 3.5, .NET 4.0
Web service providers (WSP): Java Metro, .NET 3.5, .NET 4.0

Conformance and Interoperability: The Scope of the Challenge (Model #2)
Web service consumers (WSC): Java Metro, .NET 3.5, .NET 4.0
Web service providers (WSP): Java Metro, .NET 3.5, .NET 4.0
Assertion delegate services (ADS): Java Metro, .NET 3.5, .NET 4.0

Example Issues Identified. Why does this matter? Required for secure, interoperable handling of user attributes in WS messages

Example Issues Identified. Why does this matter? Required for specification of platform-independent, GFIPM conformant, standards-based security policies within web service definitions

Example Issues Identified. Why does this matter? Required for conformance to GRA Reliable Secure WS SIP (interop.)

Example Issues Identified. Why does this matter? Required to prevent replay attacks using SAML assertions for GFIPM users

Current Status
Version 1.0 of spec ready for review
– Implementability confirmed on multiple platforms
Significant implementation experience
– Java Metro, .NET 3.5, .NET 4.0
– Achieved interoperability across platforms
– Validated all SIPs that have normative language in v. 1.0 of spec
– Metro and .NET 3.5: close to full interoperability
– Problem with .NET 4.0 (on hold pending MS patch)
– Plan to support .NET 4.5 when available
Implementer tools in development now
– Implementer toolkits and libraries
– Reference services in GFIPM Ref. Federation
– Implementer documentation

Implementer Integration Points (IIPs) (Conceptual – NOT the Actual APIs)
GFIPM User-to-System Use Case IIPs
– Single Sign-On IIP (at IDP)
– Attribute Repository IIP (at IDP)
– Protected Resource IIP (at SP)
GFIPM System-to-System Use Case IIPs
– Data Payload IIP (at WSC and WSP)
– Authorization IIP (at WSP)
– SAML ADS IIP (at WSC)
– Trust Fabric IIP (at WSC, WSP, and ADS)

Data Payload IIP
WSC/WSP implementers must bind the data payload (e.g. NIEM IEPD) to the GFIPM layer
Closely tied to WSDL interface – “Contract-First Development”
– WSC: Provide stubs that map to WSDL ifc.
– WSP: Provide handler/callback stubs for implementing WSDL ifc. methods
The payload itself is out of GFIPM scope

Authorization IIP
WSP developer must implement access control logic for exposed services
Authz. IIP must provide hooks into attr. sources
– User attributes: from the SAML assertion
– Entity attributes of WSC: from the Trust Fabric
Future work: integrate with XACML framework
– Enable WSP to act as XACML PEP
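The WSP-side checks behind two of the slides above, the replay prevention from "Example Issues Identified" and the user-attribute hook of the Authorization IIP, as an added example that is not GFIPM toolkit code. It assumes the assertion's XML signature has already been verified by an XML-DSig library; the constructed sample assertion uses placeholder entity names and a made-up attribute name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value):
    # SAML dateTime values are UTC, e.g. 2011-11-15T14:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ReplayCache:
    """Remembers accepted assertion IDs until their NotOnOrAfter has passed."""
    def __init__(self):
        self._seen = {}
    def check_and_store(self, assertion_id, expires, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # prune expired
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True

def validate_assertion(xml_text, expected_audience, now, cache):
    """Return (True, attributes) for an acceptable assertion, else (False, reason)."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # assertion was issued for a different WSP
        return False, "audience mismatch"
    if not cache.check_and_store(a.get("ID"), not_on_or_after, now):
        return False, "replayed assertion ID"
    attrs = {}  # user attributes the Authorization IIP hands to the access-control logic
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, attrs

# Constructed sample assertion (placeholder IDP, WSP and attribute name)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2011-11-15T14:00:00Z">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <saml:Conditions NotBefore="2011-11-15T14:00:00Z" NotOnOrAfter="2011-11-15T14:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:wsp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="example:user:SwornOfficer"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

The cache is keyed on the assertion ID and pruned by NotOnOrAfter, so a second presentation of the same assertion inside its window is refused while the cache stays bounded.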

Web Services / XACML Integration Example: GBI JIMnet

SAML Assertion Delegate Service
Co-located with IDP
Transforms one SAML assertion into another
– Changes “Audience Restriction” and “Subject Confirmation Method”
– Adds “Delegate” info (preserves delegate chain)
Re-signs new assertion with IDP’s private key
Does NOT require access to IDP’s attribute data store
– Minimal integration with existing IDP
– No software changes required / config. only

CJIS Fed. Query Svc.: Example of Nesting/Chaining with ADS
(Diagram: RISS User, RISS IDP, RISS ADS, CISA APP (WSC), FBI CJIS WSP / FBI CJIS WSC, LAC WSP; assertions labelled CISA, FBI CJIS, LAC)
Each relying party requires a new SAML assertion

SAML ADS IIP
WSC must acquire the “right” SAML assertion for each WSP
– Transform one SAML assertion into another
Must contact the “right” ADS for each user
– Equivalent to “calling back” to the user’s IDP
– Receives SAML assertion from the right IDP, for the right WSP
WSC-side processing logic can be transparent to the app developer
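The ADS transform from the delegate-service slide, applied twice to reproduce the CISA app to FBI CJIS to LAC chain of the diagram, as an added example that is not the GFIPM ADS code. Assumptions: the new confirmation method is sender-vouches, the delegate info is carried as the OASIS SAML 2.0 delegation-restriction condition, and re-signing with the IDP private key happens afterwards in an XML-DSig library; entity names are constructed placeholders.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
DEL = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"  # assumed: OASIS delegation-restriction condition
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"  # assumed new confirmation method
for prefix, uri in (("saml", SAML), ("ds", DSIG), ("xsi", XSI), ("del", DEL)):
    ET.register_namespace(prefix, uri)
NOW = datetime(2011, 11, 15, 14, 0, tzinfo=timezone.utc)  # constructed clock value

# Constructed bearer assertion as the RISS IDP might issue it to the CISA app (WSC)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DSIG}"
  ID="_constructed-0" Version="2.0" IssueInstant="2011-11-15T13:59:00Z">
  <saml:Issuer>urn:example:riss-idp</saml:Issuer>
  <ds:Signature>(signature omitted in this constructed sample)</ds:Signature>
  <saml:Subject><saml:NameID>user@riss.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:Conditions NotBefore="2011-11-15T13:59:00Z" NotOnOrAfter="2011-11-15T14:09:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:cisa-app</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def delegate_chain(assertion_xml):
    """Delegates in the order they forwarded the user's identity."""
    a = ET.fromstring(assertion_xml)
    return [d.find(f"{{{SAML}}}NameID").text for d in a.iter(f"{{{DEL}}}Delegate")]

def transform(assertion_xml, new_audience, now):
    """Derive the assertion for new_audience; the current audience becomes the newest delegate."""
    a = ET.fromstring(assertion_xml)
    cond = a.find(f"{{{SAML}}}Conditions")
    aud = cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    previous_party = aud.text
    a.set("ID", "_" + uuid.uuid4().hex)  # a new assertion, not a copy
    a.set("IssueInstant", now.strftime("%Y-%m-%dT%H:%M:%SZ"))
    for sig in a.findall(f"{{{DSIG}}}Signature"):  # old signature no longer fits; IDP key re-signs later
        a.remove(sig)
    aud.text = new_audience  # 1. change the Audience Restriction
    for sc in a.iter(f"{{{SAML}}}SubjectConfirmation"):  # 2. change the Subject Confirmation Method
        sc.set("Method", SENDER_VOUCHES)
    dcond = next((c for c in cond.findall(f"{{{SAML}}}Condition")
                  if c.get(f"{{{XSI}}}type") == "del:DelegationRestrictionType"), None)
    if dcond is None:
        dcond = ET.SubElement(cond, f"{{{SAML}}}Condition", {f"{{{XSI}}}type": "del:DelegationRestrictionType"})
    d = ET.SubElement(dcond, f"{{{DEL}}}Delegate", {"DelegationInstant": a.get("IssueInstant")})
    ET.SubElement(d, f"{{{SAML}}}NameID").text = previous_party  # 3. extend the delegate chain
    return ET.tostring(a, encoding="unicode")
```

Each hop keeps the earlier delegates, so the final WSP can see every party that forwarded the user's identity, which is what the slide means by preserving the delegate chain.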

Trust Fabric IIP
Secure web svcs. typically use a traditional local certificate store
GFIPM WS endpoints must use trust fabric
– Defines which endpoints are trustworthy
– No native support in COTS WS products
Trust Fabric IIP provides “glue” between local cert store and trust fabric
– Manages TF updates: cert addition, removal
    Syncs local cert store with latest TF state
– Handles entity attribute lookup
    Used by WSP for authz decisions
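The two jobs of the Trust Fabric IIP, syncing a local certificate store to the fabric and looking up entity attributes, as an added example that is not the GFIPM toolkit's code. Assumption: the trust fabric is a SAML 2.0 metadata document whose EntityDescriptors carry X.509 certificates and entity attributes; the document, entity IDs, certificate values and attribute name below are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed trust fabric: two entities; certificate values are placeholders, not real certs
TRUST_FABRIC = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="urn:example:lac-wsp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="example:entity:OwnerAgency"><saml:AttributeValue>LA County</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:RoleDescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-LAC-2011</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:RoleDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:example:cisa-app">
    <md:RoleDescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-CISA-2011</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:RoleDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_trust_fabric(xml_text):
    """{entityID: {"certs": set, "attributes": {name: [values]}}} from the fabric document."""
    fabric = {}
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        certs = {c.text.strip() for c in ed.findall(".//ds:X509Certificate", NS)}
        attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                 for a in ed.findall(".//mdattr:EntityAttributes/saml:Attribute", NS)}
        fabric[ed.get("entityID")] = {"certs": certs, "attributes": attrs}
    return fabric

def sync_cert_store(local_store, fabric):
    """Mirror the fabric into the local store: returns (new_store, added, removed) as (entityID, cert) pairs."""
    wanted = {(eid, c) for eid, e in fabric.items() for c in e["certs"]}
    have = {(eid, c) for eid, certs in local_store.items() for c in certs}
    new_store = {eid: set(e["certs"]) for eid, e in fabric.items()}
    return new_store, sorted(wanted - have), sorted(have - wanted)

def is_trusted(local_store, entity_id, cert):
    """What the WS stack asks on each message: is this endpoint cert in the synced store?"""
    return cert in local_store.get(entity_id, set())

def entity_attribute(fabric, entity_id, name):
    """Entity attribute lookup used by a WSP when authorizing a calling WSC."""
    return fabric.get(entity_id, {}).get("attributes", {}).get(name, [])
```

Because the sync is a full mirror, a certificate or entity that drops out of the latest fabric is removed from the local store on the next sync and stops being trusted, which is the removal case the slide lists.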

More Detail: IIP – GFIPM Trust Fabric

More Detail: IIP – Service Contract: WS-Policy templates

More Detail: IIP – SAML Token Provider sample stub; SAML Attribute Provider sample stub

More Detail: IIP – SAML Assertion validation stub; SAML Assertion attribute PEP/PDP stub; SAML Assertion handling stubs

More Detail: IIP – GFIPM Specific Code: workarounds, bug fixes

Timeline for Implementer Tools
Java Metro and .NET 3.5 Toolkits and Documentation for Spec version 1.0 – Spring 2012 GAC Mtg.
Reference Services in GFIPM Ref. Federation for Spec version 1.0 – Spring 2012 GAC Mtg.
.NET 4.0 Toolkit and Documentation for v. 1.0 – TBD / On hold pending MS patch to .NET 4.0
.NET 4.5 Toolkit and Documentation for v. 1.0 – TBD / Depends on availability of .NET 4.5