Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee

4 June 2002 TERENA Conference, Limerick
Slide 2: Outline
- The authorisation problem
- History – JISC national services in the UK
- Athens – present and future
- Other emerging architectures
- Conclusions

Slide 3: The Authorisation Problem
- Assume the user is known, i.e. has successfully authenticated in his/her own security domain
- The user has attributes determining what he/she is allowed to do
- The resource has use conditions set by the resource owner
- To make the access decision requires mapping one to the other
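The mapping this slide describes, written out as a small policy decision in Python. This is an added example, not code from the presentation or from any of the services it discusses; the organisation names, resource names, affiliations and the `CATALOGUE` of deals are all constructed sample data. It also reflects the point made on the next slide that each institution subscribes to deals individually, so the decision depends on both who the user is and which institution authenticated them.

```python
"""Added example (not from the slides): the access decision described on the
'Authorisation Problem' slide, modelled as a mapping from the authenticated
user's attributes onto the use conditions set by the resource owner.
Organisations, resources and affiliations are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Attributes asserted by the user's own security domain after authentication."""
    home_org: str      # institution that authenticated the user (constructed name)
    affiliation: str   # what the institution says the user is: "staff", "student", ...


@dataclass(frozen=True)
class UseConditions:
    """Use conditions set by the resource owner for one resource."""
    subscribing_orgs: frozenset        # institutions that have taken up this deal
    permitted_affiliations: frozenset  # who, at a subscribing institution, may use it


# Constructed catalogue: each institution decides separately which deals to subscribe to.
CATALOGUE = {
    "journal-archive": UseConditions(
        subscribing_orgs=frozenset({"uni-a.example", "college-b.example"}),
        permitted_affiliations=frozenset({"staff", "student"}),
    ),
    "citation-index": UseConditions(
        subscribing_orgs=frozenset({"uni-a.example"}),
        permitted_affiliations=frozenset({"staff"}),
    ),
}


def decide(user, conditions):
    """Map the user's attributes onto the resource's use conditions.

    Returns (granted, reason); the reason is what a service would write to its
    access log so that a refusal can be explained to the subscribing institution.
    """
    if user.home_org not in conditions.subscribing_orgs:
        return False, f"{user.home_org} does not subscribe to this resource"
    if user.affiliation not in conditions.permitted_affiliations:
        return False, f"affiliation '{user.affiliation}' is not permitted"
    return True, "attributes satisfy the use conditions"


def check_access(user, resource_name):
    """Look the resource up in the catalogue and decide; unknown resources are refused."""
    conditions = CATALOGUE.get(resource_name)
    if conditions is None:
        return False, f"unknown resource '{resource_name}'"
    return decide(user, conditions)


if __name__ == "__main__":
    for who, what in [(User("uni-a.example", "student"), "journal-archive"),
                      (User("college-b.example", "staff"), "citation-index")]:
        print(who, what, check_access(who, what))
```

The decision logic is deliberately kept separate from the catalogue lookup: the former is what the resource owner controls, the latter is the contract data that changes as institutions join or leave a deal.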

Slide 4: JISC Content Services
- National-scale contracts are negotiated for all of UK higher and further education
  – ~180 HE and ~450 FE institutions
  – ~5 million people (staff & students combined)
- Individual institutions decide whether or not to subscribe to each deal
- Suppliers currently required to implement two methods of access control: either IP address checking or Athens

Slide 5: Athens: History
- Developed at University of Bath, to unify ID/password across a range of local services
- Extended to cover JISC data centres at 3 locations (Bath, Manchester, Edinburgh)
- Subsequently extended to a range of commercial information suppliers
- Now owned and operated by EduServ

Slide 6: Athens: Original Technology
- Centralised store of userID/password pairs with associated authorisation vectors
- Devolved administration for each institution's users
- Software plug-ins for data suppliers' servers
- Authentication dialogue always encrypted
- Central database replicated for resilience

Slide 7: Athens: Scale
- Over 400 HE/FE institutions use Athens
- Plus a growing number of sites in the National Health Service (National Electronic Library for Health)
- Over 1 million user accounts in database
- Over 150 information resources controlled by Athens
- Publishers include Beilstein, EBSCO, ISI, OCLC, Ovid, OUP, Proquest, Silver Platter

Slide 8: Athens: Perceived Problems
- Athens username space is distinct from campus username space
  – Leads to problems with data quality and data maintenance
- Trusted third party model not suitable for local authentication
- Protocols and software proprietary to EduServ

Slide 9: Athens: New Developments 2002
- Single sign-on implemented Spring 2002
  – Session key/token stored as cookie
  – All access requests traverse auth.athensams.net
- Athens Distributed Authentication: first pilot planned for Summer 2002
  – Interface to on-campus authentication service
  – Maps local ID to Athens permission set
- Also proposal for authentication via X.509 certificate

Slide 10: Athens Distributed Authentication
Legend:
- DSP = Data Service Provider (may be local or remote)
- XAP = Extensible Authentication Point (Athens specified, may be locally tailored)
- UAS = User Authority Service (maps ID to permission set)

Slide 11: Component Summary
- At local site:
  – Authentication service
  – Mapping to permission set (Athens format)
- At central (Athens) domain:
  – Session state maintenance
  – History, logging and statistics
- At data supplier:
  – Software responder for Athens management server (essentially still trusted 3rd party model)
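A toy model in Python of the three roles summarised on slides 9 to 11: the campus authenticates its own users and maps a local ID to a permission set in the central format, the central domain holds session state behind a cookie-sized token and keeps the log, and the data supplier's responder asks the central domain about that token rather than ever seeing campus credentials. This is an added example and not the Athens protocol, which the slides note is proprietary; the class names, the permission codes, the accounts and the HMAC-bound token format are all constructed here.

```python
"""Added example (not part of the original slides): a toy model of the
distributed-authentication components on slides 9-11. Class names, permission
codes, accounts and the token format are constructed; the real Athens protocol
is proprietary and not reproduced here."""
import hashlib
import hmac
import secrets
import time

SESSION_LIFETIME_S = 3600  # constructed session lifetime


def _pw_hash(password, salt):
    """Salted PBKDF2 so the local site never stores cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalSite:
    """Campus side: authentication service plus the mapping from a local ID
    to a permission set in the central (Athens-style) format."""

    def __init__(self, org, accounts, permission_map):
        self.org = org
        self._salt = secrets.token_bytes(16)
        self._hashes = {u: _pw_hash(p, self._salt) for u, p in accounts.items()}
        self._permission_map = permission_map

    def authenticate(self, username, password):
        stored = self._hashes.get(username)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password, self._salt)):
            return None
        return username

    def permission_set(self, local_id):
        return frozenset(self._permission_map.get(local_id, ()))


class CentralAuthority:
    """Central domain: session state, token issue and lookup, history log."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # binds tokens to this authority
        self._sessions = {}
        self.log = []

    def _mac(self, session_id):
        return hmac.new(self._key, session_id.encode(), "sha256").hexdigest()

    def issue_token(self, org, permissions):
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {
            "org": org, "permissions": permissions, "issued": time.time(),
        }
        self.log.append(("issue", org, session_id))
        return f"{session_id}.{self._mac(session_id)}"   # what goes in the cookie

    def lookup(self, token):
        """Return the session for a token, or None if forged, unknown or expired."""
        try:
            session_id, mac = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(session_id)):
            self.log.append(("bad-token", token[:8]))
            return None
        session = self._sessions.get(session_id)
        if session is None or time.time() - session["issued"] > SESSION_LIFETIME_S:
            return None
        self.log.append(("lookup", session["org"], session_id))
        return session


class DataSupplier:
    """Supplier-side responder: trusts the central domain, never the campus directly."""

    def __init__(self, resource_code, central):
        self.resource_code = resource_code
        self._central = central

    def handle_request(self, cookie):
        session = self._central.lookup(cookie)
        return session is not None and self.resource_code in session["permissions"]


def build_demo():
    site = LocalSite("uni-a.example",
                     {"alice": "correct horse", "bob": "battery staple"},
                     {"alice": {"JOURNALS", "CITATIONS"}, "bob": {"JOURNALS"}})
    central = CentralAuthority()
    return site, central, DataSupplier("CITATIONS", central)


def access(site, central, supplier, username, password):
    """Whole flow: campus login -> central token -> supplier check."""
    local_id = site.authenticate(username, password)
    if local_id is None:
        return False
    cookie = central.issue_token(site.org, site.permission_set(local_id))
    return supplier.handle_request(cookie)
```

The point the slides make about the model being "essentially still trusted third party" shows up directly: `DataSupplier` only ever calls `CentralAuthority.lookup`, so the supplier's trust relationship is with the central domain, while the campus controls authentication and the ID-to-permission mapping.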

Slide 12: Other Schemes
- PAPI (RedIRIS)
- Distributed architecture: authentication and authorisation both carried out at campus (i.e. campuses have to be trusted by resource owners)
- But in latest version, Group Point of Access (GPoA) federates management of access to multiple PoAs – starts to look more like an Athens model
- PAPI is open source and in use in a number of sites/consortia in Spain: how can it be scaled up to a national model?

Slide 13: PAPI Architecture
Figure caption: Basic PAPI architecture with PoA only

Slide 14: Other Schemes (cont.)
- Shibboleth (Internet2)
- Devolves authentication and attribute assertion to campuses
- Resource owner requests attributes from campus and makes decisions based on the response
- Model allows both campus and user control over attribute release (strong emphasis on privacy)
- At first sight contains no central elements: but Shibboleth Clubs are needed to agree policy etc.
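The attribute-release control described for Shibboleth, as an added Python example that is not code from the Shibboleth project or from the slides. The campus policy and the user's own consent each gate what the resource owner receives, and the resource owner decides from the released attributes alone. Attribute names, the two service provider identifiers, the policy tables and the entitlement value are constructed for illustration.

```python
"""Added example (not from the slides): attribute release in the style the
slide describes for Shibboleth. Campus policy and user consent both filter
what a resource owner receives. All names and values are constructed."""

# What the campus knows about one authenticated user (constructed).
USER_ATTRIBUTES = {
    "affiliation": "student@uni-a.example",
    "entitlement": "urn:example:library-access",
    "mail": "s.user@uni-a.example",
    "displayName": "S. User",
}

# Campus attribute release policy: per service provider, which attributes may leave.
CAMPUS_POLICY = {
    "https://journals.example/shibboleth": {"affiliation", "entitlement"},
    "default": {"affiliation"},   # unknown providers get the bare minimum
}

# The user's own choice: attributes this user has agreed may be released at all.
USER_CONSENT = {"affiliation", "entitlement", "displayName"}


def release_attributes(requested, sp_id, campus_policy=CAMPUS_POLICY,
                       user_consent=USER_CONSENT, attributes=USER_ATTRIBUTES):
    """Release only what the provider asked for AND campus policy allows AND
    the user consented to. Anything else never leaves the campus."""
    allowed_by_campus = campus_policy.get(sp_id, campus_policy["default"])
    releasable = set(requested) & allowed_by_campus & user_consent
    return {name: attributes[name] for name in sorted(releasable) if name in attributes}


def sp_decision(released, required_entitlement="urn:example:library-access"):
    """Resource owner's decision, made from the released attributes only."""
    return released.get("entitlement") == required_entitlement


if __name__ == "__main__":
    asked = ["affiliation", "entitlement", "mail", "displayName"]
    for sp in ("https://journals.example/shibboleth", "https://unknown.example/sp"):
        got = release_attributes(asked, sp)
        print(sp, "->", got, "granted:", sp_decision(got))
```

In the sample data `mail` is requested but excluded by campus policy, `displayName` is consented to by the user but not permitted for this provider, and a provider the campus has no policy for falls back to the `default` entry, so its entitlement-based decision fails even though the user holds the entitlement.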

Slide 15: Conclusions (1)
- Athens began with a strongly centralised model – but is now devolving more and more functions and starting to resemble a PAPI-like model
- PAPI and Shibboleth began as designs for models based on bilateral agreements between host institutions and resource providers – but are thinking more and more about policy for larger consortia

Slide 16: Conclusions (2)
- As services expand to a national scale, policy issues become very important
- If not absolutely essential, some central management framework is extremely useful, e.g. in dealing with commercial publishers
- Although superficially very different, close comparison of AthensNG, Shibboleth and PAPI reveals many components in common