SAML, XACML & the Terrorism Information Sharing Environment “Interoperable Trust Networks” XML Community of Practice February 16, 2005 Martin Smith Program.

Presentation transcript:

Slide 1: SAML, XACML & the Terrorism Information Sharing Environment
"Interoperable Trust Networks" XML Community of Practice, February 16, 2005
Martin Smith, Program Manager for IT Information Sharing, DHS CIO Office

Slide 2: The Information-Sharing Environment: Vision of EO
EO 13356, Aug 27, 2004, called for "establishment of an interoperable terrorism information sharing environment to facilitate automated sharing of terrorism information"
Interagency group in homeland-security mission space (OMB Chair, DHS, IC, DOD, DOJ, others) delivered recommendations to President 12/24/2004
Vision was a National shared information-sharing "environment", based on SOA
"Environment", not "network": boundary defined by flexible access control

Slide 3: Access-Control Requirements
"Federated" to support common pool of credentials, roles, permissions with distributed maintenance
– "harvest" existing trust relationships at Federal, regional and local levels
Fine-grained: for this application, need accountability to individual person and individual transaction
– sharing requires control
– comprehensive audit capability
Beyond RBAC, to ABAC and PBAC

Slide 4: Implication: look to converging Liberty Alliance/SAML architecture
(Architecture diagram) Source: "Liberty Identity System Role in securing Web Services", Slava Kavsan, Chief Technologist, RSA Security Inc.

Slide 5: Key XML Standard: Security Assertion Markup Language (SAML)
Basis for exchanging detailed info (credentials, attributes, preferences) to support access decisions
Architecture includes federation capability
Standardization status:
– 02-Sept-2003: SAML V1.1 approved as an OASIS Standard.
– 16-Feb-2005: Voting begins on approval of SAML V2.0 specifications and schemas as OASIS Standard. Ballot closes 28-Feb-2005.
– SAML V1.1 not backward compatible with V1.0

Slide 6: Policy-based Access Control
(Diagram) Inputs to the Policy Authority (Rules Engine): Metadata on the Content (classification = "Secret", us_citizen = "Yes"); Metadata on the User (from the Directory); Environment (Threat Level = Orange). Output: Access Decision.
Policy Authority Business Rules:
If Data:classification <= User:clearance
And User:duty = "Intelligence Analyst"
And (Data:us_citizen = "No" OR User:employer NOT= "CIA" OR Env:Threat_Level = "Red")
Then Grant Access

Slide 7: More on PBAC
Framework to determine appropriate distribution (mandatory access control and need-to-know), required to automate access decisions
– Three sources of data (about the content; about the requestor; about the environment or situation) plus policy rule-set
– Key assertion: the distribution decision is not made by the data custodian
– "Separation of concerns": originator is expert on the content; directory holds user credentials and roles; policy is created by management
Benefits of implementing the model for the sharing environment
– Order-of-magnitude gain in speed, cost & consistency of decisions
– Instant, consistent response to changes in environment or in policy
– Can be implemented gradually, via "refer to human decision" option
– Superior alternative to originator control, can be enforced via digital rights management technologies
– Automated process can provide full audit, data for process improvement
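The business rule from slide 6, together with slide 7's three attribute sources, "refer to human decision" fallback and audit record, worked as a toy policy decision point and enforcement point. This is an added example, not code from the presentation or from any XACML product; the attribute names (classification, clearance, duty, us_citizen, employer, threat_level), the clearance ordering and the sample request are constructed assumptions.

```python
# Toy PDP/PEP for the PBAC rule on slide 6 (added example, not the presentation's
# code). Attribute names, the clearance ordering and the sample request are assumptions.

# Assumed ordering of classification levels (higher = more sensitive), needed to
# evaluate "Data:classification <= User:clearance".
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# XACML-style decision values.
PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"

def decide(data, user, env):
    """Evaluate the slide's rule over the three attribute sources (content, user,
    environment). A missing or unknown attribute yields Indeterminate, not a guess."""
    try:
        classification = LEVELS[data["classification"]]
        clearance = LEVELS[user["clearance"]]
        matched = (
            classification <= clearance
            and user["duty"] == "Intelligence Analyst"
            and (data["us_citizen"] == "No"
                 or user["employer"] != "CIA"
                 or env["threat_level"] == "Red")
        )
    except KeyError as missing:
        return INDETERMINATE, f"missing or unknown attribute {missing}"
    return (PERMIT, "rule matched") if matched else (DENY, "default deny")

def enforce(data, user, env, audit):
    """PEP: apply the decision, routing Indeterminate to a human (slide 7's
    fallback option) and recording every transaction for audit."""
    decision, reason = decide(data, user, env)
    audit.append({"user": user.get("id"), "resource": data.get("id"),
                  "decision": decision, "reason": reason})
    if decision == PERMIT:
        return "grant"
    if decision == INDETERMINATE:
        return "refer to human decision"
    return "deny"

if __name__ == "__main__":
    # Constructed request matching the slide: Secret US-person data, Orange threat level.
    audit = []
    data = {"id": "report-42", "classification": "Secret", "us_citizen": "Yes"}
    env = {"threat_level": "Orange"}
    for employer in ("DHS", "CIA"):
        user = {"id": "analyst-1", "clearance": "Top Secret",
                "duty": "Intelligence Analyst", "employer": employer}
        print(employer, "->", enforce(data, user, env, audit))
```

With the slide's Orange threat level the DHS analyst is granted access and the CIA analyst is denied; raising the threat level to Red flips the second case to a grant, which is the "instant response to changes in environment" the slide describes.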

Slide 8: Key XML Standard: Extensible Access-Control Markup Language (XACML)
Supports greatly increased complexity of access-control decisions: capable of applying "business rules" and not just roles
– "provide a method for basing an authorization decision on attributes of the subject and resource."
– designed to be used by "policy decision points" in Liberty/SAML architecture
Not the only policy language, but leading contender for access-control application
– access control ~= digital rights management
Standardization status:
– XACML 2.0 and all the associated profiles approved as OASIS Standards on 1 February 2005
– eXtensible Access Control Markup Language (XACML) Version 1.0 OASIS Standard, 18 February 2003