Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.


2 The Authorization Space
As everyone knows by now:
● “Authentication says who you are, authorization says what you can do.”
OK as a tag line, but not for architecture...
A higher-level definition:
● configuration and operation of systems so actions in support of organizational goals are permitted and other actions are prohibited...
or:
● representation and enforcement of organizational policy in software systems
● covers all scales from macro-level policy (“comply with HIPAA”) to micro-level (“user X can access file Y”)

3 The Infrastructure Portfolio
Today's common core infrastructure components:
● Base identity management (for persons/subjects)
● Authentication service
● Directory/attribute service
The coming generation:
● Organization and group management
● Privilege/authority management
● Authorization service
● Provisioning service
● Event service (aka message-oriented middleware)
● Workflow...

4 Core Middleware

5 The Basic Access-control Scenario
client-server access, session-based
● server controls access to resource
● client (or peer) connects to server, authenticates as some subject
● result of authentication is “security context”
  ● and a session associated with that context
  ● further operations in session take place in that context
● security attributes of subject are obtained, added to context
  ● for example, group memberships
  ● “userid” (or subject name) is one among many possible attributes
● client requests operation on a resource
● server must answer the access-control question:
  ● is this operation on this resource by this subject permitted?

6 The Access-control Decision
Inputs are:
● the session security context
● the policy applicable to the resource
● any other relevant security attributes of the subject
● environment (time of day, load, etc)
Output is: yes or no
● there are more complicated policy scenarios too
  ● e.g., output is “how much” or “yes, and also do X”
Where do all these policies and attributes come from?
● this is “authorization (or policy) management”
● many components support server's ability to make its decision

7 Outsourced App Example (Signet + Shibboleth)
Classic outsourcing hard on both ASP and campus
● ASP must provide admin interface, campus must enter data
Shibboleth provides campus-based SSO to ASP
● use of campus-managed attributes negotiable
With Shib + Signet
● campus, ASP decide on attributes sent via SAML
  ● atomic attribute-value pairs, or full XML documents
● campus manages these with Signet
  ● infrastructure-rich services: delegation, proxy, auditing, common UI, org structure, conditions
● ASP gets user attributes at sign-on
  ● no batch delays, but app must be dynamic

8 Signet + Grouper
Group and privilege management: why separate?
● groups not just about authorization
● privilege management useful without groups
● campus may have existing group or privilege service
● defining interaction via API is good discipline
Why together?
● seamless user experience
● potentially complicated interactions between them
  ● Signet manages permissions on Grouper directories
  ● show “what can this user do” in Signet, including group-based perms
  ● generate per-user permissions for provisioning, including group-based

9 Signet + Provisioning
Provisioning refers to setup of user accounts, etc, in application systems
● if all apps were fully dynamic and infra-service-reliant, provisioning might not be necessary...
Signet-managed privileges typically are provisioned
● e.g., conditions evaluated, rules checked, translations done before the priv info is pushed into the app
● how much to “cook” in Signet is a per-application issue
Signet may also feed directory, accessed dynamically by app

10 Signet + Authorization Service
“authorization decision service” or “policy decision point”
● app sends request-for-decision, including context, etc
● “decision engine” accesses policy, attributes, etc, produces and returns yes/no decision
● examples: Spocp, XACML
no one can or should write authz expressions manually
● Signet can export “permission document”
  ● transformable into native expression format
  ● supplemented by other decision-time info
● Signet->Spocp translator available

11 PEP-PDP Model
(diagram) Components: Policy Enforcement Point, Policy Decision Point, Resource, Policy Store(s), Attribute Store(s), Context. Flows: Request, Decision Request, Decision Response.
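An added illustration of the decision model in slides 5, 6, 8 and 11 (not Signet, Grouper or Shibboleth code): an in-memory attribute store and policy store, a PDP that answers the access-control question from subject attributes, policy and environment, a PEP that enforces the answer, and the per-user permission view that provisioning would push. All subjects, groups, resources and grants are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Attribute store (constructed sample data): subject -> security attributes.
# Group membership is one attribute among many (slide 5).
ATTRIBUTES = {
    "alice": {"groups": {"staff", "payroll-admins"}, "dept": "finance"},
    "bob": {"groups": {"staff"}, "dept": "biology"},
}

@dataclass
class Permission:
    """Allowed actions on a resource plus an optional decision-time environment condition (slide 6)."""
    resource: str
    actions: frozenset
    condition: Optional[Callable[[dict], bool]] = None

# Policy store (constructed): grants keyed by individual subject or by group.
POLICY = {
    "group:staff": [Permission("wiki", frozenset({"read"}))],
    "group:payroll-admins": [Permission("payroll", frozenset({"read", "update"}),
                                        lambda env: 7 <= env["hour"] < 19)],
    "user:bob": [Permission("lab-db", frozenset({"read", "write"}))],
}

def applicable_permissions(subject):
    """All grants reaching a subject directly or through its groups."""
    groups = sorted(ATTRIBUTES.get(subject, {}).get("groups", ()))
    keys = ["user:" + subject] + ["group:" + g for g in groups]
    return [p for k in keys for p in POLICY.get(k, [])]

def provisioning_view(subject):
    """Per-user permission list incl. group-based grants (slide 8); conditions stay decision-time."""
    return sorted({f"{p.resource}:{a}" for p in applicable_permissions(subject)
                   for a in p.actions})

def pdp_decide(subject, action, resource, env):
    """PDP: is this operation on this resource by this subject permitted?"""
    for p in applicable_permissions(subject):
        if p.resource == resource and action in p.actions:
            if p.condition is None or p.condition(env):
                return True
    return False  # nothing matched: default deny

def pep_handle(session, action, resource, env):
    """PEP: send the decision request for the session subject, enforce the answer."""
    subject = session["subject"]
    if not pdp_decide(subject, action, resource, env):
        raise PermissionError(f"{subject} may not {action} {resource}")
    return f"{action} {resource} for {subject}: ok"
```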

12 Signet + Workflow
Popular current admin-space requirement
● define business processes
● route work items through processes
● assign people to roles in processes
● integrate processes into app systems
If workflow is mostly about privilege management...
● good privilege management system may fill the need instead
● privilege management can provision workflow
  ● role in business process assigned in PM system
● Event/MOM services may be part of solution also

13 Conclusion
● Many powerful tools available
● More than one right way to do it
● Architecture more important than ever
● Best-practices sharing of experience is crucial
● Common infra components promote sharing at higher levels