AAA-architecture for INSPIRE: Standards & technologies
Danny Vandenbroucke & Ann Crabbé, KU Leuven (SADL)
www.jrc.ec.europa.eu: Serving society, Stimulating innovation, Supporting legislation

Outline
- Background & context
- Defining AAA and AMF
- Overview of relevant standards
- Overview of technologies
- AMF: how it works...


Background and context
- INSPIRE Directive entered into force 15 May 2007
- Cross-border and cross-sector sharing of interoperable spatial data resources
- SOA-based architecture
- Data sets: 1316 providers
- Services: 1546 providers

Background & context
- Public access to the spatial data through services
  - The goal is to have as few access barriers as possible (direct access, free, ...)
- Public access can be limited for particular reasons
  - Discovery service: "such access would adversely affect international relations, public security or national defence"
  - Viewing, download, ... services and e-commerce: because of IPR, privacy, protection of particular habitats, ...
  - E.g. downloading data can be set up through a controlled access mechanism and payment scheme
- Need for secure access...


AAA and AMF: defining AAA
- Authentication: verification that a potential partner in a conversation is capable of representing a person or organisation
- Authorisation: determination whether a subject is allowed to have the specified type of access to a particular resource
- Accounting or rights management: tracking and controlling the use of content, rights, licences and associated information

AAA and AMF: defining Access Management Federation
- Federated authentication and local authorization
- Parties: identity providers, service providers, coordination centre

AAA and AMF: AMF is a dynamic concept
- An organization can join the federation by applying to the coordination centre (CC) as a service provider, an identity provider or both
- It becomes a trusted party: the CC checks technical compliance according to the policies and procedures of the federation
- The CC adds the organization's credentials to the federation metadata, an XML file hosted online by the CC that defines the circle of trust of the federation
- Single Sign-On ensures that the user gets a session established with all service providers of the federation


Standards: there are many (related) standards
- General ICT, with few exceptions
- Communication
- Authentication
- Authorization

Standards: secure communication
- HTTP protocol (IETF RFC 2616) with an encryption protocol such as TLS (Transport Layer Security; IETF RFC 6176)
  - HTTPS (IETF RFC 2818)
Authentication
- Redirection to IdP, login, forward attributes to SP
- Security Assertion Markup Language (SAML)
  - Protocol for communicating user authentication, entitlement and attribute information
  - Metadata: trusted SPs & IdPs, SAML endpoints, public keys, ...
- OpenID exists as an alternative protocol
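The federation metadata described on the AMF slide (the XML "circle of trust" hosted by the coordination centre) and the SAML metadata mentioned here (trusted SPs and IdPs, endpoints, public keys) are the same document. The following is an added example, not code from the presentation or from any federation: it parses a constructed SAML 2.0 metadata file with the standard library, derives which entities are trusted in which role, and checks the `validUntil` expiry. The entityIDs, URLs and certificate text are placeholders. It does not verify the XML signature the coordination centre would place on the file; a real SP or IdP must do that before trusting any of the contents.

```python
# Added example: consume federation (SAML 2.0) metadata as an SP or IdP would,
# to decide whether a peer belongs to the circle of trust. Not the slides' code.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata: one IdP and one SP. All identifiers are placeholders.
FEDERATION_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIB...placeholder-certificate...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wms.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://wms.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_federation(xml_text):
    """Map entityID -> roles, endpoints and signing certificates found in the metadata."""
    root = ET.fromstring(xml_text)
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        info = {"roles": [], "endpoints": {}, "signing_certs": []}
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            info["roles"].append("IdP")
            for sso in idp.findall("md:SingleSignOnService", NS):
                info["endpoints"][sso.get("Binding")] = sso.get("Location")
            # Only keys marked for signing are used to check assertions from this IdP.
            path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
            for cert in idp.findall(path, NS):
                info["signing_certs"].append(cert.text.strip())
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            info["roles"].append("SP")
            for acs in sp.findall("md:AssertionConsumerService", NS):
                info["endpoints"][acs.get("Binding")] = acs.get("Location")
        entities[ed.get("entityID")] = info
    return entities


def is_trusted(entities, entity_id, role):
    """True only if the entity is listed in the metadata *and* registered for that role."""
    info = entities.get(entity_id)
    return info is not None and role in info["roles"]


def metadata_is_current(xml_text, now_iso=None):
    """Reject expired metadata; 'now_iso' is an ISO-8601 timestamp (UTC) for testing."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False  # policy choice: metadata without an expiry is not accepted
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return now < expiry


if __name__ == "__main__":
    members = parse_federation(FEDERATION_METADATA)
    for eid, info in members.items():
        print(eid, info["roles"], list(info["endpoints"].values()))
    print("current:", metadata_is_current(FEDERATION_METADATA))
```

Two checks in this code are the ones that matter operationally: an entity that is not in the metadata, or that is listed only as an SP, is not accepted as an IdP (so an assertion from an unknown issuer is rejected), and metadata past `validUntil` is not used even if it parses. The signing certificate is kept per IdP so that assertions can be validated against the key the coordination centre published for that issuer, not against any key that happens to appear in the message.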

Standards (sources: Higgins et al., 2014; Chadwick, 2008)

Standards: authorization
- Managed at the SP side based on access rights to a resource
  - Based on attributes, e.g. user ID, role, ...
- eXtensible Access Control Markup Language (XACML)
  - GeoXACML adds geographical functions
- OAuth as an alternative, but...
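The slide's point is that the authorization decision stays local to the SP and is driven by attributes delivered with the SAML assertion. The following added example (not code from the presentation, and not an XACML implementation) shows that pattern as a small attribute-based policy evaluator with XACML-style rules and a deny-overrides combining algorithm. The bounding-box condition is a deliberate simplification standing in for GeoXACML's spatial functions; the policy, attribute names, data set and extent are constructed.

```python
# Added example: attribute-based authorization at the SP, evaluated over the
# attributes an IdP released for the user. Constructed policy; not XACML itself.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    subject: dict = field(default_factory=dict)   # attribute -> allowed values
    resource: dict = field(default_factory=dict)  # attribute -> allowed values
    action: set = field(default_factory=set)      # actions this rule applies to
    condition: Optional[Callable] = None          # extra predicate over the request


def _matches(required, actual):
    """Every required attribute must be present with one of the allowed values.
    Multi-valued attributes (as SAML delivers them) match on any shared value."""
    for name, allowed in required.items():
        value = actual.get(name)
        if isinstance(value, (list, set, tuple)):
            if not set(value) & set(allowed):
                return False
        elif value not in allowed:
            return False
    return True


def bbox_within(inner, outer):
    """(minx, miny, maxx, maxy) containment; stands in for a GeoXACML within()."""
    return (inner[0] >= outer[0] and inner[1] >= outer[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])


def evaluate(policy, request):
    """Deny-overrides: an applicable Deny wins; otherwise Permit if any rule permits;
    otherwise NotApplicable (which the enforcement point must treat as no access)."""
    decision = "NotApplicable"
    for rule in policy:
        if not (_matches(rule.subject, request["subject"])
                and _matches(rule.resource, request["resource"])
                and request["action"] in rule.action):
            continue
        if rule.condition is not None and not rule.condition(request):
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


# Constructed policy: federation members may view; only "researcher" affiliates may
# download the habitats data set, and only inside a permitted extent; downloads of
# layers classified "restricted" are always denied.
PERMITTED_EXTENT = (4.0, 50.5, 6.0, 51.5)   # constructed lon/lat box

POLICY = [
    Rule("Deny", resource={"classification": ["restricted"]}, action={"download"}),
    Rule("Permit", subject={"eduPersonAffiliation": ["member", "researcher"]},
         action={"view"}),
    Rule("Permit", subject={"eduPersonAffiliation": ["researcher"]},
         resource={"dataset": ["habitats"]}, action={"download"},
         condition=lambda r: bbox_within(r["resource"]["bbox"], PERMITTED_EXTENT)),
]


def decide(attributes, dataset, classification, action, bbox):
    """Build the request from the released attributes and the requested resource."""
    request = {
        "subject": attributes,
        "resource": {"dataset": dataset, "classification": classification, "bbox": bbox},
        "action": action,
    }
    return evaluate(POLICY, request)


if __name__ == "__main__":
    researcher = {"eduPersonAffiliation": ["researcher"]}
    print(decide(researcher, "habitats", "public", "download", (4.5, 50.8, 5.5, 51.2)))
    print(decide(researcher, "habitats", "public", "download", (3.0, 50.8, 5.5, 51.2)))
```

The enforcement side of the SP should only grant on an explicit `Permit`; `NotApplicable` (no rule matched, or the spatial condition failed) is closed by default, which is why the second call in the usage block, a request reaching outside the permitted extent, yields no access even though the user holds the right affiliation.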


Technologies
- Authentication information can be stored and managed in different ways, e.g. LDAP, Kerberos, PKI, ...
- For implementing SAML many tools exist (OSS and proprietary)
  - Extensive list with supported protocols and roles in the report
- Shibboleth (Internet2)
  - Supports IdP, SP, discovery
  - Supports additional encryption capacity
  - Attributes described in Java or taken from databases
  - Additional attributes can be defined


THANK YOU ! QUESTIONS ?