Interfederation RL “Bob” Morgan University of Washington and Internet2 Internet2 Member Meeting Chicago, Illinois December 2006.

2 Topics
- Federation, micro and macro
- End to end
- Interoperability and flexibility
- Inter/confederation and federation services

3 Federation at the micro level
- 3 parties interacting
  - requesting party (aka user)
  - asserting party (aka IdP)
  - relying party (aka service)
- federation at "micro" level happens when
  - asserting party gives requesting party a token,
  - requesting party gives it to relying party,
  - relying party uses it to establish security properties of requesting party
- asserting party and relying party are under separate administration
  - (note useful case when requesting party and asserting party are the same, i.e. user asserts about itself)

4 Fundamental infrastructure
- Federation (at micro level) is a fundamental building-block computing structure
  - like "file", "network", "GUI", "database", etc
  - hence not product- or technology-specific
- permits specialization in management of security information
  - asserting party can be good at user proofing, authentication, roles, etc
  - relying party can be good at stuff specific to its application area

5 Federation (micro) barriers
- 3-party federation requires many agreements
  - signon protocol/profile
  - participant (i.e. server) naming
  - protection/validation methods for transmitted data
  - responsibilities of asserting and relying parties
  - what can be asserted about subjects, syntactically and semantically
  - capabilities of requesting party (i.e. client)
  - elements specific to parties: integration, usability, error handling, etc

6 Federation at the macro level
- Micro-federation is good, so we want to do it a lot
  - a la filesystems, GUI windows, inter-networks, etc
- Federation at "macro" level supports interests of many parties in doing micro-level federation, by creating community to reduce barriers
- Hence: naming of parties, discovery/listing of parties, defining use of options, organizing into sets by characteristics, establishment/removal processes, etc
- primarily about parties benefiting from shared management

7 End-to-end in federation
- 2 kinds of people in the world
  - those who cling to end-to-end principle, those who don't
- End-to-end argument says elements interacting via infrastructure are responsible for their own semantics; infra services support/optimize but do not alter
- following this principle in macro-federation
  - federation infra supports parties in management of info needed for their micro-federation interaction, but doesn't take active part in interaction itself
  - parties can micro-federate outside of macro-federation

8 Interoperation and diversity
- An instance of micro-federation...
  - uses more or less static feature set: user identifiers, encryption, flow, attributes, etc
- A macro-federation supports constrained option set in order to support diversity of business purposes
- key issue is expectation (or assurance) of full NxN interoperation across the federation
  - most federations have assumed/mandated this, but it is unlikely to persist going forward (SAML 1 vs 2, WS-Fed, WS-Trust)
- managing option evolution is key technical role of fed

9 Interfederation?
- Given multiple federations...
  - SP or IdP can simply participate directly in whatever federations it needs to; this is current state of the art
- what if policy of federation X prohibits party Y from joining?
  - what does that mean? that as a member of fed X I'm not allowed to talk to party Y?
- if everyone ultimately needs to talk to everyone, doesn't that imply one big federation?
- don't we want a model where sites join one fed and via that get access to all others?

10 Interfederation
- Interfed services from a federation: metadata
  - federation A could have arrangement with federation B to incorporate all/some of its members, and provide that to its members along with local fed metadata, perhaps re-signed or mapped
  - this would remove the burden of explicit joining from fed members, but sites would end up with same combined metadata
- dynamic metadata acquisition?
  - orthogonal, i.e. could be performed by members or by federation service
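As an added example (not from Morgan's slides), here is a Python sketch of the metadata-side interfederation service from slide 10 together with the NxN interoperation question from slide 8: federation A folds federation B's aggregate into its own, keeps each source in its own nested EntitiesDescriptor, refuses to let a remote entry silently replace a locally registered entityID, and then lists which IdP/SP pairs actually share a SAML protocol version. The federation names, entityIDs and protocol sets are constructed; real aggregates also carry keys, endpoints and signatures, which are omitted here.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1 = "urn:oasis:names:tc:SAML:1.1:protocol"

def entity(eid, role, protocols):
    """Minimal constructed md:EntityDescriptor (no keys or endpoints)."""
    return (f'<md:EntityDescriptor entityID="{eid}"><md:{role} '
            f'protocolSupportEnumeration="{" ".join(protocols)}"/></md:EntityDescriptor>')

def aggregate(name, entities):
    """Constructed md:EntitiesDescriptor as a federation would publish it."""
    return f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{name}">{"".join(entities)}</md:EntitiesDescriptor>'

# Constructed sample aggregates for two hypothetical federations, A (local) and B (partner).
FED_A = aggregate("https://fed-a.example/metadata", [
    entity("https://idp.a.example/saml", "IDPSSODescriptor", [SAML2]),
    entity("https://sp.a.example/shibboleth", "SPSSODescriptor", [SAML1, SAML2])])
FED_B = aggregate("https://fed-b.example/metadata", [
    entity("https://idp.b.example/saml", "IDPSSODescriptor", [SAML1]),
    entity("https://sp.a.example/shibboleth", "SPSSODescriptor", [SAML2])])  # also registered in A

def merge_federations(local_xml, remote_xml):
    """Combine local and partner aggregates into one document. Each source keeps its
    own nested EntitiesDescriptor so members can see which federation registered an
    entity. An entityID already described locally is not overwritten by the remote
    copy; it is returned as a conflict to resolve before the result is re-signed."""
    combined = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name="interfederation")
    seen, conflicts = {}, []
    for xml in (local_xml, remote_xml):
        src = ET.fromstring(xml)
        group = ET.SubElement(combined, f"{{{MD}}}EntitiesDescriptor", Name=src.get("Name"))
        for ent in src.findall(f"{{{MD}}}EntityDescriptor"):
            eid = ent.get("entityID")
            if eid in seen:
                conflicts.append((eid, seen[eid], src.get("Name")))
                continue
            seen[eid] = src.get("Name")
            group.append(ent)
    return combined, conflicts

def interoperable_pairs(combined):
    """(IdP, SP) pairs sharing at least one protocol: the NxN interoperation question."""
    idps, sps = {}, {}
    for ent in combined.iter(f"{{{MD}}}EntityDescriptor"):
        for role, table in (("IDPSSODescriptor", idps), ("SPSSODescriptor", sps)):
            desc = ent.find(f"{{{MD}}}{role}")
            if desc is not None:
                table[ent.get("entityID")] = set(desc.get("protocolSupportEnumeration").split())
    return sorted((idp, sp) for idp in idps for sp in sps if idps[idp] & sps[sp])
```

With the sample data the SAML1-only IdP in B can still reach A's SP only because that SP kept SAML 1.1 support, which is exactly the "option evolution" a federation operator has to track.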

11 Interfederation
- Interfed services for IdP discovery
  - run a multi-fed WAYF?
  - promote scenarios that don't require discovery...
  - potential new Shib/SAML discovery protocol might help...

12 Interfederation
- Interfed services for mapping attributes and policies...
  - mapping info could be provided to IdPs/SPs for inclusion in attribute/policy handling
  - or this could be done by in-line proxy protocols...
    - requires multiple protocol support at IdPs/SPs