Alternate security mechanisms. Matthew J. Graham (Caltech, NVO), The US National Virtual Observatory. IVOA Trieste: Grid & Web Services, 22 May 2008.

Presentation transcript:


Security review

Users don't care about protocols and standards; they care about a better experience with enhanced privacy and security.
User experience:
– Why is security necessary?
– Certificates? .globus directories? WTF?
Developer experience:
– Buzkashi
Community interests:
– Decentralization

OpenID

Single digital identity for use with any web site or service requiring authentication
Open, free and decentralized standard
Well supported:
– 120 million OpenIDs (July 2007)
– Microsoft, Google, Yahoo (Jan 2008)

OpenID: how it works

– User registers an OpenID identity (URI or XRI) with an OpenID identity provider
– Relying party (service provider) displays a single input box for the OpenID identifier
– Relying party converts the OpenID identifier to canonical URL form and obtains the identity provider URL from there
– Relying party and identity provider establish a shared secret, then the user is redirected to the identity provider for authentication
– User is redirected back to the relying party along with credentials; the relying party validates that the credentials originated from the relying party using the shared secret
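Added example, not from the slides or from NVO code: how a relying party performs the last step above, checking with the association's shared MAC key that the signed assertion in the redirect came from its identity provider. The association handle, MAC key, URLs and nonce are constructed for the demo; the required-field list follows OpenID 2.0.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode

# Constructed association store: assoc_handle -> MAC key shared with the OP
# (negotiated in the "establish shared secret" step the slide describes).
ASSOCIATIONS = {"assoc-demo-1": b"constructed-demo-mac-key-not-for-real-use"}
# Fields an RP must find inside openid.signed before it trusts the assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def kv_form(params: dict, fields: list) -> bytes:
    """Key-value form: 'key:value\\n' per signed field, in openid.signed order,
    keys without the 'openid.' prefix. Raises KeyError if a field is absent."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()

def sign_assertion(params: dict, mac_key: bytes) -> str:
    # HMAC-SHA1 over the key-value form, base64-encoded into openid.sig.
    fields = params["openid.signed"].split(",")
    return base64.b64encode(hmac.new(mac_key, kv_form(params, fields), hashlib.sha1).digest()).decode()

def verify_assertion(query: str, expected_return_to: str) -> bool:
    """Relying-party check of the redirect back from the identity provider."""
    try:
        params = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        if params["openid.mode"] != "id_res":
            return False
        mac_key = ASSOCIATIONS.get(params["openid.assoc_handle"])
        fields = params["openid.signed"].split(",")
        # Unknown association, an unsigned required field, or someone else's return_to: reject.
        if mac_key is None or any(f not in fields for f in REQUIRED_SIGNED):
            return False
        if params["openid.return_to"] != expected_return_to:
            return False
        expected = sign_assertion(params, mac_key)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode())

def build_sample_response(identity: str = "https://alice.op.example/") -> str:
    """Constructed positive assertion, signed the way the OP would sign it."""
    params = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/auth",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2008-05-22T10:00:00Zdemo",
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign_assertion(params, ASSOCIATIONS["assoc-demo-1"])
    return urlencode(params)
```

A production relying party also records each response_nonce it accepts so the same assertion cannot be replayed.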

OpenID: issues

NVO is setting up a prototype OpenID identity provider service alongside the current SSO setup:
– use attributes to strengthen
OpenID has little provision for web services (SOAP or RESTful):
– requires communication between user and relying party, and between user and identity provider
– checkid_immediate?
– check_authentication?

OAuth

An API access delegation protocol
Well supported
User grants a consumer access to their protected resources using tokens generated by the service provider, instead of handing over their credentials
Defines three endpoints:
– Request token
– User authentication
– Access token

OAuth: how it works

OAuth

All done with HTTP GET/POST and headers
As with OpenID, requires some level of user interaction: capture credentials or request approval
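Added example, not from the slides or from NVO code: the OAuth 1.0 HMAC-SHA1 signing that sits behind "all done with HTTP GET/POST and headers", and the checks the service provider makes before honouring a request made with an access token. The `params` dict is assumed to be the union of the query-string and Authorization-header parameters (header parsing is not shown); the consumer key, secrets and token values are the OAuth Core 1.0 Appendix A test vector, while the nonce store and clock-skew window are assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(s) -> str:
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(s), safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded URL & encoded(sorted key=value pairs); oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(url)}&{pct(normalized)}"

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    # Key = consumer secret & token secret (token secret is empty at the request-token step).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed service-provider state (values from the OAuth Core 1.0 Appendix A
# test vector): secrets keyed by consumer key / token, plus nonces already seen.
CONSUMER_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TOKEN_SECRETS = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}
SEEN_NONCES = set()
MAX_CLOCK_SKEW = 300  # seconds; an assumption, not something the protocol fixes

def provider_verify(method: str, url: str, params: dict, now=None) -> bool:
    """Service-provider side: recompute the signature and reject replays."""
    now = time.time() if now is None else now
    consumer_secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key", ""))
    token = params.get("oauth_token")
    token_secret = TOKEN_SECRETS.get(token) if token else ""
    if consumer_secret is None or token_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False
    # A (consumer, nonce, timestamp) triple may be accepted only once.
    replay_key = (params["oauth_consumer_key"], params.get("oauth_nonce", ""), ts)
    if replay_key in SEEN_NONCES:
        return False
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode()):
        return False
    SEEN_NONCES.add(replay_key)
    return True
```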

Summary

Industry is embracing decentralised security mechanisms:
– web of trust vs hierarchical model
Currently well suited to web apps involving a browser, but not to web services (no user)
What is the Grid community doing?
– Shibboleth/GridShib?