Technical break-out group: What are the biggest issues from past projects? Need for education about standards and technologies to get everyone on the same page.


Technical break-out group

What are the biggest issues from past projects?
– need for education about standards and technologies to get everyone on the same page
– agreed to use SAML as the base standard
  – also need to agree on specific profiles, e.g. ECP (Enhanced Client or Proxy, for desktop clients), web single sign-on (for browser applications), …
  – need to identify also the limitations of the profiles used in the testbed
Approach:
– start with developing an internal testbed with a mini-federation of 3 partners
– several iterations
– explain the testbed to other interested parties (e.g. IGN France)
How can other parties join?
– set up a testing copy of production services in order to experiment with the testbed environment
–

Testbed: authentication

Recommendation to use the same configuration as in the COBWEB project and AIP-6:
– SSO Browser and ECP profiles
– HTTP Artifact binding (because the POST binding cannot be used by e.g. OpenLayers); implications:
  – additional port in the firewall, typically 8443 (or use different certificates for signing and encryption), or
  – additional IP in the same domain, or
  – all messages need to be signed if the HTTPS port (443) is used
  – needs a refresh of the metadata if a certificate expires
Coordination centre (CC):
– to check / validate an organisation's (SP or IdP) metadata when they request to join the federation
– to handle the federation metadata
– setting up contracts between the CC and the SPs/IdPs
– OS tools, e.g. Shibboleth, for verifying metadata for compliance, re-signing etc.
– define rules that work for all products used in the federation
Automation of metadata refresh:
– done automatically by Shibboleth
– manual in OpenAM; add something on top to enable automatic refreshing
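The metadata check the coordination centre is asked to perform, as an added example that is not part of the presentation or of any project tool: it reads an SP's SAML 2.0 metadata and reports the points listed above (Artifact and ECP endpoints, signing/encryption keys, the back-channel port versus 443, and validUntil). The sample metadata is constructed, with fictitious hosts and without the KeyInfo certificate blobs, so only the metadata structure is checked.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"  # ECP profile on the SP side
# Constructed sample SP metadata (fictitious hosts; KeyInfo blobs omitted).
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sp.example.test/sp" validUntil="2099-01-01T00:00:00Z">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"/><md:KeyDescriptor use="encryption"/>
  <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
   Location="https://sp.example.test:8443/Shibboleth.sso/Artifact/SOAP" index="1"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
   Location="https://sp.example.test/Shibboleth.sso/SAML2/Artifact" index="1"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
   Location="https://sp.example.test/Shibboleth.sso/SAML2/ECP" index="2"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means the SP fits the testbed profile."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    valid_until = root.get("validUntil")  # consumers must refresh before this instant
    if valid_until is None:
        findings.append("no validUntil: consumers cannot tell when to refresh")
    elif datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        findings.append("metadata expired: refresh and re-sign needed")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor"]
    bindings = {e.get("Binding") for e in sp.findall("md:AssertionConsumerService", NS)}
    if ARTIFACT not in bindings:
        findings.append("no HTTP-Artifact endpoint (POST cannot be used by OpenLayers)")
    if PAOS not in bindings:
        findings.append("no PAOS endpoint: ECP desktop clients unsupported")
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}  # None = both uses
    for use in ("signing", "encryption"):
        if use not in uses and None not in uses:
            findings.append("no %s key" % use)
    for ars in sp.findall("md:ArtifactResolutionService", NS):
        url = urlparse(ars.get("Location", ""))
        if url.scheme != "https":
            findings.append("artifact resolution back-channel is not HTTPS")
        elif (url.port or 443) == 443:  # no extra firewall port: rely on message signing
            findings.append("back-channel on 443: every SOAP message must be signed")
    return findings
```

Certificate expiry itself is not visible in the metadata structure; a full check would also decode each X509Certificate and compare its notAfter with validUntil.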

Testbed: authorisation

Why do we need to agree on a standard?
– to inform others about your policies; only candidate: (Geo)XACML (supported by partners in DE and by OpenAM)
– to exchange attributes and values:
  – STORK: person's names, age, … (good definitions); don't reinvent the wheel
  – eduGAIN Policy Framework Attribute Profile: 5 core attributes plus possible extensions
  – PVP attribute profile: might be useful for application-specific roles
  – proposed extension to the SAML attribute query profile by the inter-federation working group
  – BE/Flanders: SSO domains based on "target group"
– organisations are important: need for a register of governmental organisations
– values of controlled vocabularies need to be clearly defined (in all EU languages)
– need to distinguish between natural persons (representing themselves) and natural persons representing a legal person
– NOT necessarily for the actual authorisation (enforcing the policy): other means can be used for this (but also XACML)
Architectural approaches:
– separate module (Apache) to do enforcement in combination with a standard OGC web service (recommended for simple policies)
– integrate authorisation directly in the OGC web service (recommended for complex policies, which cannot be fulfilled by re-writing the query)
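The first architectural approach, a separate enforcement module that re-writes the query before it reaches a standard OGC web service, as an added example that is not part of the presentation or of any project code. The layer policy, the role names and the `X-Represented-Org` header (standing in for a SAML attribute exported to the web server) are assumptions of this example; it keeps the slide's distinction between a natural person acting for themselves and one representing a legal person.

```python
from urllib.parse import parse_qs, urlencode

# Hypothetical layer policy: layer -> roles allowed to see it. "self" is a
# natural person acting for themselves; "org:<id>" a person representing a
# legal person, the distinction the slide asks the attribute profile to keep.
LAYER_POLICY = {
    "roads": {"self", "org:*"},        # any authenticated subject
    "cadastre": {"org:*"},             # only when representing some organisation
    "emergency_plans": {"org:org-b"},  # one specific (hypothetical) organisation
}

def roles_from_headers(headers):
    """Map constructed SAML attribute headers (as an SP module would export them
    to the web server) to policy roles; the header name is an assumption."""
    org = headers.get("X-Represented-Org")  # empty or absent: acting as a natural person
    return {"org:" + org, "org:*"} if org else {"self"}

def rewrite_getmap(query, headers):
    """Enforce LAYER_POLICY by re-writing the LAYERS parameter of a WMS GetMap
    query string. Returns (rewritten_query, denied_layers); the query is None
    when no requested layer survives, so the module can answer 403 instead."""
    params = {k.upper(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    roles = roles_from_headers(headers)
    allowed, denied = [], []
    for layer in filter(None, params.get("LAYERS", "").split(",")):
        (allowed if LAYER_POLICY.get(layer, set()) & roles else denied).append(layer)
    if not allowed:
        return None, denied
    params["LAYERS"] = ",".join(allowed)
    return urlencode(params, safe=","), denied
```

A real module must also realign per-layer parameters such as STYLES, and a restriction that depends on the features or area returned cannot be expressed by re-writing the request at all, which is the slide's case for integrating authorisation into the service.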