Survey of Identity Repository Security Models JSR 351, Sep 2012.

Background
- JSR 351 terms: Attribute Repository, Identity Repository, Attribute Service
- This survey is limited to identity repositories only
- JSR 351 scope of work includes a security model for the (Identity) Attribute Service
  - Includes an access control model for the release of attributes
  - This area needs more definition and use cases
- Survey of two popular identity repositories
  - LDAP directories
  - Facebook

Actors
- User: the entity on whose behalf access to identity data is sought
  - No user: the client acts on its own behalf
  - Present: the client acts on behalf of a user with an active session
  - Absent: the client acts on behalf of a user with no active session
- Client: the application which interacts with the identity repository
- Network protocol
  - LDAP protocol
  - Facebook Graph API (actually a REST network protocol)
- Identity Repository

LDAP Security Model
- Every entry in an LDAP directory has a distinguished name (DN)
  - Both leaf nodes and non-leaf nodes have DNs
- Clients open connections to directories over server-side TLS/SSL
- Clients perform a FIND and BIND operation to establish an authorization identity
  - Typically a DN
  - The BIND operation may include credentials
  - Anonymous mode is also supported

Proxy Authorization
- Directories can be configured to allow clients to impersonate classes of users
  - "HR application can impersonate all users at employment level 6 or below"
- The client authenticates to the directory and then selects a different authorization identity
- No standard mechanism, but all directories support some form of proxy auth
- Policies can use filters based on DN and attributes to limit the class of impersonated users
- Avoids the "su" problem
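The proxy-authorization check described on this slide, as an added example that is not part of the presentation: a client first binds as its own identity (the authenticated DN) and then asks to act as a different authorization DN; the directory grants that only if a policy rule names the client as a permitted proxy and the requested identity satisfies the rule's subtree and attribute filter. The directory contents, the rule format, and the `employmentLevel` attribute are constructed for the example and are not from any real product.

```python
"""Proxy authorization: bind as one identity, act as another, under policy.

Added example (not from the JSR 351 presentation). The directory, the
ProxyRule format and the employmentLevel attribute are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample directory: DN -> attributes.
DIRECTORY: Dict[str, dict] = {
    "uid=hrapp,ou=apps,dc=example,dc=com": {"objectClass": ["application"]},
    "uid=alice,ou=people,dc=example,dc=com": {"employmentLevel": 4},
    "uid=bob,ou=people,dc=example,dc=com": {"employmentLevel": 6},
    "uid=carol,ou=people,dc=example,dc=com": {"employmentLevel": 9},
    # Level 1, but outside ou=people, so the HR rule must not reach it.
    "uid=svc-backup,ou=apps,dc=example,dc=com": {"employmentLevel": 1},
}


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (case-insensitive comparison)."""
    return [c.strip().lower() for c in dn.split(",")]


def in_subtree(dn: str, base: str) -> bool:
    """True if `dn` equals `base` or lies beneath it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass(frozen=True)
class ProxyRule:
    proxy_dn: str                         # authenticated identity allowed to proxy
    target_subtree: str                   # impersonated users must sit under this base
    attr_filter: Callable[[dict], bool]   # predicate over the target entry's attributes


# "HR application can impersonate all users at employment level 6 or below."
RULES = [
    ProxyRule(
        "uid=hrapp,ou=apps,dc=example,dc=com",
        "ou=people,dc=example,dc=com",
        lambda attrs: attrs.get("employmentLevel", 99) <= 6,
    ),
]

# Audit trail of (authenticated DN, effective authorization DN); keeping both
# is what distinguishes proxy auth from an opaque "su" to the target user.
AUDIT_LOG: List[Tuple[str, str]] = []


def proxy_authorize(authn_dn: str, requested_authz_dn: str) -> str:
    """Return the effective authorization DN, or raise PermissionError.

    Default deny: some rule must match both the proxying identity and the
    requested target (subtree and attribute filter).
    """
    target = DIRECTORY.get(requested_authz_dn)
    if target is None:
        raise PermissionError("proxy authorization denied")  # same error as a policy miss
    for rule in RULES:
        if (rule.proxy_dn.lower() == authn_dn.lower()
                and in_subtree(requested_authz_dn, rule.target_subtree)
                and rule.attr_filter(target)):
            AUDIT_LOG.append((authn_dn, requested_authz_dn))
            return requested_authz_dn
    raise PermissionError("proxy authorization denied")


if __name__ == "__main__":
    hr = "uid=hrapp,ou=apps,dc=example,dc=com"
    for who in ("alice", "bob", "carol"):
        dn = f"uid={who},ou=people,dc=example,dc=com"
        try:
            print(who, "->", proxy_authorize(hr, dn))
        except PermissionError as e:
            print(who, "->", e)
```

A missing entry and a policy miss produce the same error so that a client cannot use proxy requests to probe which DNs exist. The audit log records both identities for every successful switch, which is the property the slide's "su problem" refers to: the directory always knows which client acted, not only which user it acted as.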

LDAP Authorization Model
- No standard model
  - But draft-ietf-ldapext-acl-model-08.txt is helpful
- Servers implement an AuthZ model based on
  - Authorization identity
  - Target
  - Operation
- Access control rules use patterns and search strings
  - "Anyone can read entries in the dc=oracle,dc=com subtree; they can view all attributes except for pwd"

AuthZ Model Continued
- Sophisticated policies can be expressed
  - Delegated administration
  - Group membership
  - Roles or attributes
  - Default deny vs. default access
- Also a source of complexity
  - Different products use different models
  - Design and testing of policies requires expert knowledge and effort
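The rule structure of the previous two slides (authorization identity, target, operation, attribute patterns) as an added example, not code from the presentation or from any directory product. It encodes the slide's sample policy ("anyone can read entries under dc=oracle,dc=com, all attributes except pwd") together with a self-service rule and a group-based administrative rule, and evaluates requests under default deny. The directory entries, the `Rule` dataclass and the `pwd` attribute name used in the slide's example are constructed for this illustration; real products (and the expired draft-ietf-ldapext-acl-model) each have their own syntax and precedence semantics.

```python
"""Evaluate LDAP-style access control rules with default deny.

Added example (not from the JSR 351 presentation). Directory, Rule
format and the sample policy are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


def _norm(dn: str) -> str:
    return ",".join(c.strip().lower() for c in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    d, b = _norm(dn).split(","), _norm(base).split(",")
    return len(d) >= len(b) and d[-len(b):] == b


# Constructed sample directory: DN -> attribute -> values.
DIRECTORY: Dict[str, Dict[str, list]] = {
    "cn=admins,ou=groups,dc=oracle,dc=com": {"member": ["uid=root,ou=people,dc=oracle,dc=com"]},
    "uid=root,ou=people,dc=oracle,dc=com": {"pwd": ["{SSHA}..."], "mail": ["root@oracle.com"]},
    "uid=ann,ou=people,dc=oracle,dc=com": {"pwd": ["{SSHA}..."], "mail": ["ann@oracle.com"], "cn": ["Ann"]},
}


@dataclass(frozen=True)
class Rule:
    subject: str                                 # "anyone", "self", "group:<dn>" or "dn:<dn>"
    target: str                                  # subtree base the rule applies to
    ops: FrozenSet[str]                          # e.g. {"read", "search", "write"}
    allow_attrs: Optional[FrozenSet[str]] = None # None = every attribute
    deny_attrs: FrozenSet[str] = frozenset()     # exceptions carved out of this rule


RULES = [
    # The slide's example: anyone may read the subtree, except the pwd attribute.
    Rule("anyone", "dc=oracle,dc=com", frozenset({"read", "search"}), deny_attrs=frozenset({"pwd"})),
    # Delegated self-administration: a user may update only their own mail.
    Rule("self", "ou=people,dc=oracle,dc=com", frozenset({"write"}), allow_attrs=frozenset({"mail"})),
    # Group membership: admins may read and write everything.
    Rule("group:cn=admins,ou=groups,dc=oracle,dc=com", "dc=oracle,dc=com", frozenset({"read", "write"})),
]


def subject_matches(rule: Rule, authz_dn: Optional[str], target_dn: str) -> bool:
    """authz_dn is the identity established by BIND; None means anonymous."""
    if rule.subject == "anyone":
        return True
    if authz_dn is None:
        return False
    if rule.subject == "self":
        return _norm(authz_dn) == _norm(target_dn)
    kind, _, dn = rule.subject.partition(":")
    if kind == "dn":
        return _norm(authz_dn) == _norm(dn)
    if kind == "group":
        members = DIRECTORY.get(dn, {}).get("member", [])
        return any(_norm(m) == _norm(authz_dn) for m in members)
    return False


def is_allowed(authz_dn: Optional[str], op: str, target_dn: str, attr: str) -> bool:
    """Default deny: allowed only if some rule grants `op` on `attr` of `target_dn`.

    Attribute denials here are per-rule exceptions (the admins rule still reads
    pwd); a product with a global deny would answer differently, which is the
    "different products use different models" point on the slide.
    """
    for r in RULES:
        if op not in r.ops or not in_subtree(target_dn, r.target):
            continue
        if not subject_matches(r, authz_dn, target_dn):
            continue
        if attr in r.deny_attrs:
            continue
        if r.allow_attrs is not None and attr not in r.allow_attrs:
            continue
        return True
    return False


def readable_attrs(authz_dn: Optional[str], target_dn: str) -> Dict[str, list]:
    """The view of an entry a given identity would get back from a search."""
    entry = DIRECTORY.get(target_dn, {})
    return {a: v for a, v in entry.items() if is_allowed(authz_dn, "read", target_dn, a)}
```

Running `readable_attrs(None, "uid=ann,ou=people,dc=oracle,dc=com")` shows what an anonymous bind sees (mail and cn but not pwd), while the same call with the admin DN returns the full entry. Testing a policy this way, identity by identity and attribute by attribute, is the "expert knowledge and effort" the slide refers to; the example makes the expected answers explicit so they can be asserted rather than assumed.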

Facebook
- Based on documentation accessed Sep 2012
- A certain amount of information is available without client or user authentication
  - This is information that the user has declared public
- Users can grant secured access to a client application
  - Based on the OAuth 2.0 three-legged flow
  - Once authenticated, the user gives consent for sharing
  - Clients may request permissions for varying access

Permissions
- Map directly to the OAuth 2.0 scope parameter
- Categories
  - Basic (default: id, name, picture, gender, locale)
  - User and Friends Permissions (e.g., user_likes)
    - user_xxx (provides access to the xxx data section)
    - friends_xxx
  - Extended Permissions
    - Enables administrative privileges
  - Open Graph Permissions, Page Permissions
    - For more advanced apps?
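How a client turns the attributes it needs into the OAuth 2.0 `scope` parameter of the three-legged flow, as an added example that is not part of the presentation and not Facebook's own SDK. It follows the slide's `user_xxx` / `friends_xxx` naming and its list of basic fields; only `user_likes` is a permission name taken from the page, and the `photos` section is an illustrative placeholder. The authorization endpoint, client id and redirect URI are assumptions, and the scope string is space-delimited as RFC 6749 specifies (a particular provider may use a different delimiter).

```python
"""Least-privilege scope selection and the first leg of an OAuth 2.0 flow.

Added example (not from the JSR 351 presentation or any Facebook SDK).
Endpoint, client id, redirect URI and the "photos" section are assumptions;
the user_xxx / friends_xxx pattern and basic fields follow the slide.
"""
import secrets
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Fields available under the basic (default) permission: no extra scope needed.
BASIC_FIELDS = {"id", "name", "picture", "gender", "locale"}


def permission_for(section: str, of_friends: bool = False) -> str:
    """Slide naming: user_xxx for the user's own section, friends_xxx for friends'."""
    return ("friends_" if of_friends else "user_") + section


def required_scope(requested: Iterable[Tuple[str, bool]]) -> List[str]:
    """Minimal permission set for the requested (section, of_friends) pairs.

    Basic fields of the user need no permission; asking for them must not
    inflate the consent prompt. Returns a sorted, de-duplicated list.
    """
    scope = set()
    for section, of_friends in requested:
        if section in BASIC_FIELDS and not of_friends:
            continue
        scope.add(permission_for(section, of_friends))
    return sorted(scope)


def new_state() -> str:
    """Unguessable per-request state, bound to the user's session by the caller."""
    return secrets.token_urlsafe(16)


def build_authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                        scope: List[str], state: str) -> str:
    """First leg: redirect the user to the authorization endpoint."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scope),   # RFC 6749 section 3.3: space-delimited
        "state": state,
    }
    return auth_endpoint + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Second leg: the user returns with a code; reject it unless state matches."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible forged callback")
    if "error" in q:
        raise PermissionError(q["error"][0])
    return q["code"][0]


def missing_permissions(needed: Iterable[str], granted: Iterable[str]) -> List[str]:
    """What the app asked for but the user did not consent to (or later revoked).

    Users can grant a subset, so the client must check before assuming access.
    """
    return sorted(set(needed) - set(granted))


if __name__ == "__main__":
    need = required_scope([("name", False), ("likes", False), ("likes", True)])
    st = new_state()
    print(build_authorize_url("https://auth.example/oauth/authorize",  # assumed endpoint
                              "APP_ID_PLACEHOLDER", "https://app.example/cb", need, st))
    print(missing_permissions(need, ["user_likes"]))
```

The two checks a practitioner should keep are `parse_callback`, which ties the returned code to the `state` issued for this browser session, and `missing_permissions`, which handles the consent screen's partial grants: the slide's "clients may request permissions for varying access" also means the user may decline some of them.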

Facebook Summary
- The user-mediated access model has many strengths
- But it's hard to disentangle principles from Facebook specifics
- How to discover the permissions required for access to attributes?
- Is the "user absent" case covered by long-lived OAuth access tokens?