Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth."— Presentation transcript:

1

2 1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server Wensheng Xu, David Chadwick, Sassa Otenko Computing Laboratory, University of Kent, Canterbury, UK

3 1 July 2005© 2005 University of Kent2 Outline  What Shibboleth is proud of  Why Shibboleth need to be further improved  How we integrate Shibboleth and PERMIS  What we have achieved

4 1 July 2005© 2005 University of Kent3 Shibboleth  An architecture to link resource web sites and authentication systems (http://shibboleth.internet2.edu)http://shibboleth.internet2.edu  Based on PKI, multiple parties form a federation in Shibboleth  Can securely transfer attributes between home sites and resource sites (SAML 1.1)

5 1 July 2005© 2005 University of Kent4 Shibboleth  Authentication is the responsibility of the user's home site  Requests to authenticate the user will be routed back to the home site and take place there  Authorisation is the responsibility of the resource target site  Based on attributes supplied by the home site

6 1 July 2005© 2005 University of Kent5 Shibboleth

7 1 July 2005© 2005 University of Kent6 Shibboleth is proud of:  Web resources and Web services can be shared  Single sign-on is achieved  User privacy is well protected

8 1 July 2005© 2005 University of Kent7 Weaknesses in Shibboleth -- Simple trust model in Shibboleth  The target site relies on the origin site to return the correct attributes  Plain attributes are relatively easy to be tampered with  Only one attribute authority is supported

9 1 July 2005© 2005 University of Kent8 Weaknesses in Shibboleth -- Only basic access control capability  Access control rules are defined in the Apache configuration file  Complex access control rules (RBAC, Dynamic separation of duty, delegation of authority, combination of rules, etc.) are not supported  The Apache administrator has to manage the access control rules, the resource owner can ’ t directly specify the rules

10 1 July 2005© 2005 University of Kent9 PERMIS  A PMI software system:  A privilege allocation (PA) component  A policy management GUI  A privilege verification (PV) component  A policy decision point (PDP)

11 1 July 2005© 2005 University of Kent10 PERMIS  Policy-based RBAC is supported  Policy expressed in XML (compliance with the OASIS XACML standard planned)  Role Allocation Policy (RAP)  Target Access Policy (TAP)  Subject sub-policy  Role hierarchy sub-policy  Source of Authority sub-policy  Target sub-policy  Action sub-policy  Complex access control policies supported

12 1 July 2005© 2005 University of Kent11 PERMIS  Decisions are based on roles or attributes  Attributes are stored in X.509 attribute certificates  Supports multiple sources of authority

13 1 July 2005© 2005 University of Kent12 Shibboleth and PERMIS SAAM User User Home Site Resource Target Site SHIRE WAYF Handle Service SHAR Attribute Authority Attributes and ACs Authentication System Attributes and ACs ShibAuthz JNI connector PV/PDP sub system Policy LDAP mod_permis PERMIS PV PERMIS PDP Policy management sub system SoA Policy management GUI PERMIS RBAC policy Retrieving ACs (pull mode) AC LDAP Privilege Allocator PERMIS PA sub system SoA AC Storage Site ACs (in push mode) SoA ACs Retrieving attributes and PERMIS PA sub system Attribute certificate manager Origin LDAP

14 1 July 2005© 2005 University of Kent13 Shibboleth and Apache authentication and authorisation

15 1 July 2005© 2005 University of Kent14 PERMIS SAAM in push mode with X.509 ACs  The origin site stores digitally signed attribute certificates in its LDAP repository  The target site is willing to trust different attribute authorities at the origin site  So the origin site can to distribute attribute assignments to different managers Shibboleth Origin Domain Shibboleth Target Domain TransferACs RAP/TAP

16 1 July 2005© 2005 University of Kent15 PERMIS SAAM in push mode with plain attributes  The target site trusts the origin ’ s attribute repository and the origin as a single AA  The origin can store plain attributes in its repository  --- standard Shibboleth Shibboleth Origin Domain Shibboleth Target Domain Transfer attributes TAP

17 1 July 2005© 2005 University of Kent16 PERMIS SAAM in pull mode  The target trusts different attribute authorities elsewhere  PERMIS SAAM should work in pull mode to fetch the ACs itself  An example might be: an engineer is issued with a “certified MS engineer” by a Microsoft accredited agency  Various distributed LDAP repositories may sit in various places and should be accessible by the PERMIS PV component

18 1 July 2005© 2005 University of Kent17 PERMIS SAAM in pull mode Shibboleth Origin Domain Shibboleth Target Domain Transfer DN RAP/TAP

19 1 July 2005© 2005 University of Kent18 PERMIS SAAM with Apache and without Shibboleth

20 1 July 2005© 2005 University of Kent19 User Privacy issues in PERMIS SAAM  When plain attributes are adopted  Standard Shibboleth + PERMIS PDP  When ACs are adopted  DN must be provided to target site to match X.509 ACs  But DN can be a pseudonym or a group name

21 1 July 2005© 2005 University of Kent20 The PERMIS SAAM Apache Directives  Directives in the Apache configuration file:  PermisPolicyIdentifier  PermisPolicyIssuer  PermisPolicyLocation  PermisAuthorisation  PermisPullMode (optional)  PermisACLocation (optional)

22 1 July 2005© 2005 University of Kent21 Conclusions:  PERMIS SAAM can work fine with Shibboleth + Apache  No Shibboleth source code needs to be modified  More fine-grained access control can be achieved  More flexibility for resource managers  PERMIS SAAM can work fine with Apache server  Potentially PERMIS can work any authentication systems (providing user DN is released for ACs)

23 1 July 2005© 2005 University of Kent22 Thank you! Question?

Download ppt "1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth."

Similar presentations

4 June 2002© 2001-2 TrueTrust Ltd1 PMI Components Oleksandr Otenko Research Student ISSRG, University of Salford

4 June 2002© TrueTrust Ltd1 PMI Components Oleksandr Otenko Research Student ISSRG, University of Salford
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,

EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.

Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Page: 1 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Deploying a distributed access control architecture within.

Page: October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Deploying a distributed access control architecture within.
21 June 2006Copyright 2006 University of Kent1 Delegation of Authority (DyVOSE project) David Chadwick University of Kent.

21 June 2006Copyright 2006 University of Kent1 Delegation of Authority (DyVOSE project) David Chadwick University of Kent.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Similar presentations

Ads by Google