Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2010 IBM Corporation Asserting attribute predicates in SAML and XACML Gregory Neven, IBM Research – Zurich XACML TC Confcall, October 21, 2010.

Published byEleanore Walsh Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2010 IBM Corporation Asserting attribute predicates in SAML and XACML Gregory Neven, IBM Research – Zurich XACML TC Confcall, October 21, 2010."— Presentation transcript:

1 © 2010 IBM Corporation Asserting attribute predicates in SAML and XACML Gregory Neven, IBM Research – Zurich XACML TC Confcall, October 21, 2010

2 © 2010 IBM Corporation 2 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 The PrimeLife project Privacy and Identity Management for Life

3 © 2010 IBM Corporation 3 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Specific Policy: over specific resource (e.g. BuyService) Access control policy (ACP): who can access cards to possess (e.g. ID card) personal data to reveal (e.g. nationality) conditions to satisfy (e.g. age>18) Data handling policy (DHP): how revealed personal data will be treated Authorizations (e.g. marketing purposes) Obligations (e.g. delete after 1y) Generic Policy: DHP over implicitly revealed personal data (e.g. IP address, cookies,…) Authorizations (e.g. admin purposes) Obligations (e.g. delete after 1y) The PrimeLife Policy Language Data Subject Data Controller Resources Non-personal content, services,… Collected personal data Personally Identifiable Information (PII) Non-certified Certified: cards Specific Policy: over specific personal data (e.g. birth date) Access control policy (ACP): who can access (e.g. PrivacySeal silver) Data handling preferences (DHPrefs): how is to be treated when revealed Authorizations (e.g. marketing purposes, forwarded to PrivacySeal gold) Obligations (e.g. delete after  2y) Generic Preferences: DHPrefs over implicitly revealed personal data (e.g. IP address, cookies,…) Authorizations (e.g. admin purposes) Obligations (e.g. delete after  2y) XACML SAML request resource request personal data personal data resource PPL Engine

4 © 2010 IBM Corporation 4 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Main features of PPL  Privacy-friendly card-based access control –attributes bundled in cards –technology independence –multi-card claims –support anonymous credentials (Identity Mixer, U-Prove) –reveal attributes vs. prove conditions  Policy sanitization  Integrated data handling –two-sided detailed data handling preferences/policies –automated matching procedure –extensible vocabularies –downstream usage

5 © 2010 IBM Corporation 5 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 What to standardize  Card-based access control –Advanced concepts –Market demand for multi-card claims? –Breaks open XACML schema & data flow  Integrated data handling policies/preferences –Breaks open XACML schema & data flow –Quite orthogonal, could be embedded in any language –See W3C Boston workshop  Suggestion: conditions over attributes in SAML + profile for XACML –allow IDPs to assert predicates over attributes rather than full values (standard signatures if online IDP, anonymous creds if offline) –allow certified predicates to be fed into XACML evaluation process challenge: without breaking XACML schema/architecture

6 © 2010 IBM Corporation 6 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Anonymous credentials e.g., Identity Mixer, U-Prove  unlinkability (no unique public key)  selective attribute disclosure  proving predicates over attributes name = “Alice Doe”, birth date = “1973/10/24”, nym = name = “Alice Doe”, birth date = “1973/10/24” name = “Alice Doe”, birth date > 1992/10/08

7 © 2010 IBM Corporation 7 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Example attribute predicates  birthday < 2010/10/21  frequent flyer status > gold  phone number starts with +4144 (i.e., Zurich landline)  92100 < zip code < 92200 (i.e., address in San Diego)  domain of email address is ibm.com  …

8 © 2010 IBM Corporation 8 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Extending SAML with attribute predicates  saml:Statement is abstract  Profiles can define new statement types e.g., ppl:ConditionStatement  Borrow schema and functions ontology from xacml:Condition  Already in PPL, fairly straightforward to write up proposal  T.B.D. with SAML TC

9 © 2010 IBM Corporation 9 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Attribute predicates in XACML How to feed predicates over attributes into XACML? cfr. SAML profile of XACML Issues: 1.How to communicate certified conditions to PDP? 2.How to determine “missing conditions”? 3.How to evaluate policy, given set of certified conditions? PEP SAML assertion: birthday < 1992/01/01 Context Handler PDP XACML policy: 1992/10/21 > birthday MATCH!

10 © 2010 IBM Corporation 10 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 A simple solution Policy defined in terms of boolean, locally defined attributes PEP knows mapping to predicates over globally meaningful attributes PEP SAML assertion: birthday < 1992/01/01 Context Handler PDP XACML policy: uri:local:overage=true MATCH! XACML request: uri:local:overage=true Local attGlobal att predicate uri:local:overageuri:global:bday < today – 18Y ……

11 © 2010 IBM Corporation 11 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 A more challenging solution Issues: 1.How to communicate certified conditions to PDP? 2.How to determine “missing conditions”? 3.How to evaluate policy, given set of certified conditions? PEP SAML assertion: status = gold birthday < 1992/01/01 Context Handler PDP XACML policy: status > silver ^ 1992/10/21 > birthday XACML request: status = gold birthday < 1992/01/01 Implication Tester MATCH!

12 © 2010 IBM Corporation 12 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Communicating conditions to PDP 1.How to communicate certified conditions to PDP?  Insert into request context → break open xacml:Request schema XACML 3.0: “However a conforming PDP is not required to actually instantiate the context in the form of an XML document.”  Insert into attribute queries/responses – schema?  SAML?  Indeterminate response with missing attributes in status detail?  no schema at all? can introduce our own without breaking schema?

13 © 2010 IBM Corporation 13 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 XACML data flow Policy Decision Point (PDP) Policy Enforcement Point (PEP) Policy Information Point (PIP) Policy Administration Point (PAP)

14 © 2010 IBM Corporation 14 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Missing conditions 2.How to determine “missing conditions”?  Lowest expressions with boolean result  Highest expressions with attributes by same issuer  Entire condition from rule or dateofbirth1992/01/01 ≤ firstdigits phonenr4 = 4144

15 © 2010 IBM Corporation 15 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Evaluating policies 3.How to evaluate policy wrt given set of certified conditions?  String equality  XML tree equivalence  Reasoning engine to test implication e.g., (dateofbirth ≤ 1992/09/10)  (1992/01/01 ≥ dateofbirth) ? How new evaluation mechanism triggered?

16 © 2010 IBM Corporation 16 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Candidate approaches Approach 1: PPL  Certified conditions embedded in request context  Request full condition in rule  Evaluation by string/XML equality + value substitution  Triggered by modied PDP code Very invasive in schema/architecture Approach 2: dedicated attributes  Policy in terms of dedicated, locally defined, boolean attributes  PIP or PEP knows mapping to conditions over globally defined attributes e.g., urn:mypolicy:underage → (urn:unitednations:birthdate ≤ 1992/09/10)  Values of local attributes passed in request context  Missing local attribute → request corresponding condition over global atts Minimal impact on XACML schema/architecture Burden on policy author of determining recurring conditions personal favorite on short term

17 © 2010 IBM Corporation 17 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Candidate approaches (2) Approach 3a: dedicated function per condition  Insert conditions into request context  Function implementation knows mapping to condition over global atts  Fetches directly if missing, returns TRUE iff satisfied Policy author needs to program Java/… for each relevant condition Need to somehow initialize function with certified condition Approach 3b: generic boolean function  Condition to be proved encoded as function argument (string)  Function implementation requests specified condition if missing, returns TRUE iff satisfied No programming required Condition looks ugly (&nbgt;) Need implication reasoner, function initialization

18 © 2010 IBM Corporation 18 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Candidate approaches (3) Approach 4: the full monty  Certified conditions embedded in request context  Request lowest-boolean or highest-same-issuer conditions  Evaluation by implication reasoner  Triggered by modified PDP code Very invasive in schema/architecture Need implication reasoner personal favorite on long term

19 © 2010 IBM Corporation 19 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 Questions  Makes sense to standardize condition assertions in SAML?  Makes sense to standardize feeding condition assertions into XACML?  Preferred approaches?  Alternative approaches?

20 © 2010 IBM Corporation 20 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 PPL policy format Proposed data handling policies for revealed attributes Requested authorizations Promised obligations Preferences how target resource should be treated Agreed-upon sticky policy for target resource Card-based access control for target resource Cards to be presented Required condition over card attributes Actions to be performed, e.g., reveal attribute under referenced DHP, sign statement, limited spending,…

21 © 2010 IBM Corporation 21 Gregory Neven, IBM Research - Zurich XACML TC Confcall, October 21, 2010 PPL claims format One assertion per card, plus cross-card assertion Reference to sticky policy associated to attribute value New statement type to carry sticky policies New statement type to carry conditions over attributes New statement type to carry other (non-XML-signature) types of card evidence

Download ppt "© 2010 IBM Corporation Asserting attribute predicates in SAML and XACML Gregory Neven, IBM Research – Zurich XACML TC Confcall, October 21, 2010."

Similar presentations

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.
DC Architecture WG meeting Monday Sept 12 Slot 1: 15.30 - 17.00 Slot 2: 17.30 - 19.00 Location: Seminar Room 4.1.E01.

DC Architecture WG meeting Monday Sept 12 Slot 1: Slot 2: Location: Seminar Room 4.1.E01.
Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
SOAP.

SOAP.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.

Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.

FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

Similar presentations

Ads by Google