HMA Identity Management Status


1 HMA Identity Management Status
HMA AWG Meeting, 30 September 2009
Y. Coene, SPACEBEL
S. Gianfranceschi, Intecs
P. Denis, SPACEBEL

2 Overview
- Specification
- Conformance tests
- Implementations
- Deployments

3 Specification
OGC 07-118 version 0.0.4, 30/06/2009
OGC draft version (28/09/09) being prepared:
- Adding ATS prepared in HMA-T (Intecs, Terradue)
- Adding authorisation with XACML
- Adding WSDL files with WS-Policy
- More consistent terminology (independent from DAIL, HMA etc.)
- Fixing errors
- Resolving issue with non-standard <Assertion> tag
- User attributes (minimal profile) as example in annex

4 Specification
Issues solved in current draft 0.0.5: MRE-001, MRE-008, MRE-014, MRE-016, MRE-017.
Remaining issues: see RIDs on HMA Forum by con terra and EUMETSAT with additional use cases not originally foreseen. Examples:
- MRE-002: scenario with multiple "Federating Entities"
- MRE-009: clients known beforehand and limited in number
- Consolidating use of GeoXACML

5 Overview
- Specification
- Conformance tests
- Implementations

6 Conformance Tests (1)
- Common ATS for OGC version delivered in July (Terradue, Intecs).
- Two different ETS delivered.
- Harmonisation started at the beginning of September:
  - ATS for version was produced by Intecs and reviewed by Terradue
  - Merge of libraries from Intecs and Terradue ETS (merge of the work done by Intecs and Terradue)
- Some issues related to non-standard tags have been discussed. A new version of the spec is going to be delivered; the ATS does not have to be changed.

7 Conformance Tests
CTL scripts being finalised for OGC version in HMA-T. Expected to be available by 09/10/2009.

8 Overview
- Specification
- Conformance tests
- Implementations
  - Authentication Service
  - Authorisation Service (Policy Enforcement Point)

9 Authentication Service
Open-source. Available on index.php?page=HMA+Authentication+Service

10 Authentication Service
Static architecture:
- Java Naming package to authenticate the given user in the LDAP user registry and to retrieve his attributes,
- OpenSAML package to build the SAML token from user attributes,
- Apache XML Security package to sign and encrypt the SAML token,
- Java Security package to retrieve private and public keys from the keystore, used in the signature and encryption steps.

11 Authentication Service
Sequence diagram of a successful authentication (figure).

12 Authentication Service
Configurable: which user attributes from LDAP are included in SAML assertions, and under which name (configuration file). Independent of the "minimal profile".
Associated documents:
- Software Requirements Document
- Architectural Design Document
- Acceptance Test Plan
- Installation procedure (part of software package)
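The configurable LDAP-to-SAML attribute mapping described on this slide, as an added example that is not the Authentication Service's own Java (OpenSAML) code: a small mapping file decides which LDAP attributes are published and under which SAML attribute Name, and everything not listed (password hashes, e-mail) stays out of the token. The mapping-file format, the LDAP entry and the urn:hma:user:* attribute names are constructed for the example, not taken from the project.

```python
import configparser
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical mapping file (constructed): left side is the LDAP attribute, right
# side the SAML attribute Name it is published under. Unlisted attributes are never emitted.
MAPPING_CFG = """
[attributes]
uid = urn:hma:user:id
o = urn:hma:user:organisation
hmaUserType = urn:hma:user:type
"""

# Constructed LDAP entry, shaped like a directory lookup result (multi-valued attributes).
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "o": ["ESA"],
    "hmaUserType": ["commercial"],
    "mail": ["jdoe@example.org"],
    "userPassword": ["{SSHA}placeholder"],   # must never reach the token
}

def load_mapping(text):
    """Parse the mapping file; option names keep their case because LDAP names do."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["attributes"])

def build_attribute_statement(entry, mapping):
    """saml:AttributeStatement holding only the configured attributes, under their SAML names."""
    stmt = ET.Element("{%s}AttributeStatement" % SAML)
    for ldap_name, saml_name in mapping.items():
        values = entry.get(ldap_name) or []
        if not values:
            continue        # configured but absent in LDAP: omit rather than emit an empty attribute
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML, Name=saml_name)
        for value in values:
            ET.SubElement(attr, "{%s}AttributeValue" % SAML).text = str(value)
    return stmt

def statement_to_dict(stmt):
    """Name -> values, i.e. what a relying party such as the PEP reads back from the token."""
    return {a.get("Name"): [v.text for v in a.findall("{%s}AttributeValue" % SAML)]
            for a in stmt.findall("{%s}Attribute" % SAML)}

def serialize(stmt):
    """Serialise with the conventional saml: prefix (signing/encryption would follow)."""
    ET.register_namespace("saml", SAML)
    return ET.tostring(stmt, encoding="unicode")
```

The statement built here is only the AttributeStatement part of an assertion; in the architecture on slide 10 it would then be wrapped in the assertion, signed and encrypted before being handed to the client.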

13 Authorization service (PEP)
Open-source. It will be available on the SSE Toolbox.

14 Application Security Layer
Toolbox architecture diagram (figure): Service Gateway; SOAP layer; WS-Security layer (WS-Policy); Application Security Layer (XACML Policy); Application layer with synchronous and asynchronous operations.

15 Toolbox Security Architecture
- Axis2 as basic SOAP engine.
- Axis2 module Rampart (Apache Software Foundation) for the WS-Security layer: its behaviour has been extended to cover the HMAT security requirements (HMAT-SRD-1200-INT_1.1).
- ToolboxSecurityWrapper: Axis2 service with link to the Policy Enforcement Point (PEP, Application Security Layer) and Toolbox Application Layer.
Diagram components (figure): Axis2, RAMPART 4HMAT (WS-Policy), ToolboxSecurityWrapper (Axis2 service) with Service Description, ToolboxPEP (XACML Policies), Toolbox Application Layer.

16 Toolbox Security Architecture: Main Activities Allocation
Activity diagram (figure) with participants Client, Identity Provider, Security Layer (RAMPART 4HMAT, WS-Policy), ToolboxPEP (XACML Policies) and Toolbox. Activities shown: get SAML assertion (Client, Identity Provider); WS-Security signed and encrypted SOAP request; check encrypted SAML existence and decrypt it; verify SAML token; decrypted SAML and SOAP request/action passed on; enforce enterprise policies (ToolboxPEP); serve request (Application layer); fault SOAP response.

17 Toolbox Security Wrapper: Service Description
Responsibilities:
- deploys ToolboxSecurityWrapper into Axis2,
- holds the list of the wrapped services to be secured,
- for each wrapped service, holds the WS-Security policy.
Its artifact is the services.xml file of the Axis2 ToolboxSecurity deployment, located at:
<TOMCAT_ROOT>/webapps/Axis2/Web-INF/services/ToolboxSecurityWrapper/META-INF/services.xml
Diagram components (figure): Axis2, ToolboxSecurityWrapper (Axis2 service), RAMPART 4HMAT, Service Description, Service Configuration, WS-Policy.

18 Toolbox Security Architecture: ToolboxPEP
ToolboxPEP:
- invoked by the ToolboxSecurityWrapper when the WS-Security check is successful; enforces the XACML policies check,
- XACML policies are stored in dedicated XML files,
- each policy owns information about the wrapped service and (optionally) the SOAP action for which the policy applies,
- owns a list of policy rules; each rule can refer to SAML token and/or SOAP (body) attribute values.

19 XACML example for EO EbRim profile (1/3)
The target wrapped service for which this policy applies: wrs (Web Registry Service)

20 XACML example for EOLI (2/3)
If an owned condition evaluates to true then the effect of the rule is "deny".
The target of this rule: commercial client (SAML attribute reference).
Condition about the collection.

21 XACML example for EO EbRim profile (3/3)
SOAP action for registry update
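The policy shape sketched on slides 18 to 21 (a policy scoped to the wrapped service wrs and a SOAP action, a rule targeting commercial clients through a SAML attribute, a condition on the collection, effect deny), as an added example that is not the Toolbox's own PEP code or policy file. The XACML 2.0 policy is constructed for the example, the attribute ids (wrapped-service, soap-action, user-type, collection) and the SOAP action name RegistryUpdate are hypothetical, and the evaluator implements only the small XACML subset that policy needs, with deny-overrides combination and fail-closed handling when the collection attribute is missing from the request.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
NS = {"x": XACML}

# Constructed policy, not the Toolbox's own file; attribute ids are hypothetical. Applies to
# wrapped service "wrs", SOAP action "RegistryUpdate"; denies commercial clients on RESTRICTED.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="wrs-registry-update"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target>
  <Resources><Resource><ResourceMatch MatchId="{FN}string-equal">
   <AttributeValue DataType="{STR}">wrs</AttributeValue>
   <ResourceAttributeDesignator AttributeId="wrapped-service" DataType="{STR}"/>
  </ResourceMatch></Resource></Resources>
  <Actions><Action><ActionMatch MatchId="{FN}string-equal">
   <AttributeValue DataType="{STR}">RegistryUpdate</AttributeValue>
   <ActionAttributeDesignator AttributeId="soap-action" DataType="{STR}"/>
  </ActionMatch></Action></Actions>
 </Target>
 <Rule RuleId="deny-commercial-on-restricted" Effect="Deny">
  <Target><Subjects><Subject><SubjectMatch MatchId="{FN}string-equal">
   <AttributeValue DataType="{STR}">commercial</AttributeValue>
   <SubjectAttributeDesignator AttributeId="user-type" DataType="{STR}"/>
  </SubjectMatch></Subject></Subjects></Target>
  <Condition><Apply FunctionId="{FN}string-equal">
   <Apply FunctionId="{FN}string-one-and-only">
    <ResourceAttributeDesignator AttributeId="collection" DataType="{STR}"/>
   </Apply>
   <AttributeValue DataType="{STR}">RESTRICTED</AttributeValue>
  </Apply></Condition>
 </Rule>
 <Rule RuleId="permit-otherwise" Effect="Permit"/>
</Policy>"""

CATEGORY = {"Subject": "subject", "Resource": "resource", "Action": "action"}
def local(el): return el.tag.split("}")[-1]       # tag name without namespace

def bag(designator, request):
    """Every request value the *AttributeDesignator names (XACML bag semantics)."""
    cat = CATEGORY[local(designator).replace("AttributeDesignator", "")]
    return list(request.get(cat, {}).get(designator.get("AttributeId"), []))

def evaluate(el, request):
    """Recursive evaluation of the expression subset this policy needs."""
    kind = local(el)
    if kind == "AttributeValue":
        return el.text
    if kind.endswith("AttributeDesignator"):
        return bag(el, request)
    fn = el.get("FunctionId")[len(FN):]
    args = [evaluate(child, request) for child in el]
    if fn == "string-equal":
        return args[0] == args[1]
    if fn == "string-one-and-only":
        if len(args[0]) != 1:                     # empty or multi-valued bag: Indeterminate
            raise ValueError("Indeterminate: expected exactly one value")
        return args[0][0]
    raise ValueError("unsupported function " + fn)

def match(m, request):
    """One *Match element (string-equal): the literal equals some value in the bag."""
    literal = m.find("x:AttributeValue", NS).text
    designator = next(c for c in m if local(c).endswith("AttributeDesignator"))
    return literal in bag(designator, request)

def target_matches(target, request):
    if target is None:                            # no <Target>: applies to everything
        return True
    for cat in CATEGORY:
        group = target.find("x:%ss" % cat, NS)    # <Subjects>, <Resources>, <Actions>
        if group is None:                         # absent category means "any"
            continue
        # disjunction over the items, conjunction over each item's *Match children
        if not any(all(match(m, request) for m in item) for item in group):
            return False
    return True

def decide(policy_xml, request):
    """Deny-overrides over the applicable rules; an Indeterminate Deny rule fails closed."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = []
    for rule in policy.findall("x:Rule", NS):
        if not target_matches(rule.find("x:Target", NS), request):
            continue
        cond = rule.find("x:Condition", NS)
        try:
            if cond is None or evaluate(cond[0], request):
                effects.append(rule.get("Effect"))
        except ValueError:
            if rule.get("Effect") == "Deny":
                effects.append("Deny")
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_decide(saml_attributes, wrapped_service, soap_action, soap_body):
    """The ToolboxPEP step: after WS-Security passed, build the request and decide."""
    request = {"subject": saml_attributes, "action": {"soap-action": [soap_action]},
               "resource": {"wrapped-service": [wrapped_service], **soap_body}}
    return decide(POLICY_XML, request)
```

The inputs to pep_decide are what slide 16 hands to the PEP: the attributes of the decrypted and verified SAML token, the wrapped service, the SOAP action and the relevant SOAP body values (all as bags, since SAML attributes can be multi-valued). A request that omits the collection makes the condition Indeterminate; treating that as Deny for a Deny rule is what deny-overrides requires and keeps a malformed body from slipping past a restriction.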

22 Next Steps
Planning:
- Authentication Service software (as per 0.0.4): available already.
- 09/10/2009: OGC version 0.0.5
- 09/10/2009: Authentication Service software 0.0.5
- 09/10/2009: CTL scripts version 0.0.5
- 25/10/2009: SSE Toolbox including Authorisation Service Software (Policy Enforcement Point)

