Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1.

Published byLizbeth Garrett Modified over 8 years ago

Similar presentations

Presentation on theme: "SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1."— Presentation transcript:

1 SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1

2 Overview Authorization Framework components: – Authentication: The process of verifying the identity of a user trying to get access to some network services. – Authorization: The process of controlling a user access to network services and the level of service provided to the user. 2

3 Authentication Does SIP need an identity provider feature? – And if so, do we need more than one? No shortage of approaches – RFC4474/STIR already has something Authority provides a crypto token Relying parties trust authority, authority vouches for user – RFC4484, draft-ietf-sip-saml (d. 2011) SAML focused on attribute-based authorization – OpenID/OAuth has been proposed – Something like RTCWeb’s IdP? 3

4 Authorization Does SIP need an authorization feature? – And if so, do we need more than one? Possible approaches – RFC4484, draft-ietf-sip-saml (d. 2011) SAML focused on attribute-based authorization – OpenID/OAuth 4

5 Adhoc Audio & Video Conference A Conference Server provides adhoc audio and video services. The server controls who gets access to the service, and the level of service provided to the user: – Audio vs video – Limit on number of participants: per audio conference per video conference 5

6 Adhoc Conference Possible Solutions With a User Directory – The server has a User Directory with the details of services associated with the user. Without a User Directory – The server does not have a User Directory, and the services associated with the user must be specified in the request sent to the server. 6

7 Corporate-wide SSO An enterprise is interested in providing its users with an SSO capability to the corporate various services. The enterprise has an authorization server for controlling the user access to their network and would like to extend that existing authorization server to control the user access to the various services and level of service provided by their SIP network. The user is expected to provide his corporate credentials to login to the corporate network and get different types of services, regardless of the protocol used to provide the service, and without the need to create different accounts for these different types of services. 7

8 User-to-User Authentication Two users with no association between them, want to be able to call each other. Each user should be able to make a call to the other user and should be able to authenticate the identity of the other user. 8

9 WebRTC-based Access to IMS The system allows a WebRTC client to authenticate the user, and then allows that user access to the services provided by the IMS system. 9

10 Backup Slides 10

11 Mobile Client Access to SIP An Application Server that provides Mobile Clients with access to SIP services. The Mobile Client uses a proprietary protocol to communicate with the Application Server that registers and gets service from the SIP network on behalf of the user that is using the Mobile Client. 11

12 SIP SSO An enterprise is interested in providing its users with an SSO capability to the corporate various SIP services. The enterprise wants to control the services provided to their SIP users and the level of service provided to the user by their SIP application servers without the need to create different accounts for these services. The enterprise wants to utilize an existing authentication mechanism provided by SIP, but would like to be able to control who gets access to what service and when. The user is expected to use his SIP credentials to login to the SIP network and get access to the basic services, and to get access to the services provided by the various SIP application servers without being challenged to provide credentials for each type of service. 12

13 Edge Authorization An enterprise is interested in authenticating and authorizing a remote user trying to get access to services provided by the corporate SIP network. The enterprise would like to authenticate and authorize the remote user at the edge of the network using a SIP network element that does not have direct access to the SIP user account, e.g. SBC. The enterprise is also interested in providing the user with an SSO capability to the corporate various SIP services. The user is expected to use his SIP credentials to login to the SIP network and get access to the basic services, and to get access to the services provided by the various SIP application servers without being challenged to provide credentials for each type of service. 13

14 Internet-Wide SSO A user wants to subscribe to sip services the same way he subscribes to web services - using his identity from one of the popular internet-wide authentication services. (E.g., Google+, Facebook, Disqus.) After that, all that is needed to gain access to those services is to log his device in to the chosen authentication service. 14

15 Core features Header (or body) to carry a token – May be an artifact, or a URI: dereferenced to acquire the token – Also possible to carry the token in-band (header or body) – RFC4474: Identity header carries a crypto token Pointer to the identity provider – RFC4474: Identity-Info header, containing a URI Locates the credentials needed to verify the token Possible axis of extensibility Capability negotiation – Reject requests without tokens – Reject requests because the token is broken – RFC4474 defined error codes along these lines 428 “Use Identity”, 438 “Invalid Identity Header”, etc 15

Download ppt "SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1."

Similar presentations

SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
www.dynamicsoft.com dynamicsoft Inc. Proprietary VON Developers Conference 1/19/00 C O N N E C T I N G T H E W O R L D W I T H A P P L I C A T I O N S.

dynamicsoft Inc. Proprietary VON Developers Conference 1/19/00 C O N N E C T I N G T H E W O R L D W I T H A P P L I C A T I O N S.
www.dynamicsoft.com IM 2000 -- May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

IM May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com Internet Telecom Expo 2000 - September 20, 2000 SIP vs. H.323 SIP vs. H.323 Will the Real IP Telephony Please Stand Up? Jonathan Rosenberg.

Internet Telecom Expo September 20, 2000 SIP vs. H.323 SIP vs. H.323 Will the Real IP Telephony Please Stand Up? Jonathan Rosenberg.
www.dynamicsoft.com VON Europe 2000 -- 06/19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.
www.dynamicsoft.com Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Remote Call/Device Control IETF82, Dispatch WG, Taipei November 15, 2011 1 Rifaat Shekh-Yusef Cullen Jennings Alan Johnston.

Remote Call/Device Control IETF82, Dispatch WG, Taipei November 15, Rifaat Shekh-Yusef Cullen Jennings Alan Johnston.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
1 Extending SIP Speaker: Hsuan-Ming Chen Adviser: Ho-Ting Wu Date: 2005/04/26.

1 Extending SIP Speaker: Hsuan-Ming Chen Adviser: Ho-Ting Wu Date: 2005/04/26.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.

Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.

SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.
Single Sign-On -Mayuresh Pardeshi M.Tech CSE - I.

Single Sign-On -Mayuresh Pardeshi M.Tech CSE - I.
1 RTCWEB interim 2011-09-08 Remote recording use case / requirements John Elwell.

1 RTCWEB interim Remote recording use case / requirements John Elwell.
S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

Similar presentations

Ads by Google