TAS3 Architecture. Sampo Kellomäki, Symlabs, ServiceWave, Stockholm
1 TAS3 Architecture. Sampo Kellomäki (sampo@symlabs.com), Symlabs, ServiceWave, Stockholm. The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/ ) under grant agreement number (TAS3 - Trusted Architecture for Securely Shared Services).
2 TAS3 Project (48 months)
Goals
- Trusted Architecture for Securely Shareable Services
- Web Services made secure, privacy friendly, and shareable
- Dashboard for the user's privacy settings and self audit
- Full auditability, leveraging digital signatures
- Advanced Trust and Privacy Negotiation and Trust Scoring
- Business and legal model
Practical
- Standards based (SAML, ID-WSF, XACML) interoperable wire specs
- API (Java, C#, PHP, Perl, C/C++)
- Reference implementation (zxid.org)
- Pilots
- Exploitation: buy TAS3 enabled components from vendors such as Symlabs, Risaris, Custodix, and Synergetics
Sampo Kellomäki: TAS3 Arch 10 2
4 TAS3 Trust Network Domains (diagram). Organization A and Organization B each have a Modelling & Configuration Management domain and a Runtime & Enforcement domain; the Trust Network adds an Audit & Monitor domain and a shared Model.
5 Front channel and back channel interaction (diagram, steps 1-10). Front Channel: Web GUI interaction and authentication between the user, Front End FE A1 (Org A) and IdP B (Org B). Back Channel, Web Services Layer: WS A2, WS B1, WS B2, the Identity Mapper (IDMap) and the Dashboard (DashB). Each organization has its own Modelling and Runtime domains and its own Audit & Monitor; the TAS3 Trust Network provides the TN Model and Compliance, Audit, and Monitor across Context A and Context B.
6 Audit Channel (diagram). The same interaction as slide 5, with an Audit Event Bus: every step of the front and back channel interaction emits an audit event (e3 to e10) that is routed to the organizations' Audit & Monitor components and to the Trust Network's LogMon.
7 Model driven configuration (diagram). The same interaction as slide 5, with a Model in each organization's Modelling domain derived from the TAS3 TN Model, so that the runtime configuration of FE, WS, IdP, IDMap and Dashboard follows the model.
8 Model driven audit (diagram). TAS3 CoT Model. Modelling and Configuration Management Domain: Modelling Tool, Models and configurations. Runtime and Enforcement Domain: IdP, Frontend Services, Dashboard, Disco, Middletier Web Services, Backend WS, Connectors, with PEPs at each service. Audit and Monitoring Domain: Auditing & Compliance Tools, Operation Monitoring, Routing & aggregation of audit events. Annotations: "Discover usage & configuration" (runtime to model), "Automatically push consistent security configuration" (model to runtime), "Use model to drive visualization of workflow and system" (model to audit).
9 Component overview (diagram). Web Browser / Client Application. Organization Domain with Modelling & Configuration Management, Runtime & Enforcement (Infrastructure and Payload components: Identity Provider, Front End Services, Web Services, Authorization, Dashboard, Business Process Engine, Delegation, Trust Reputation, Discovery, IDMapper, Registry Server, Process Manager, Linking, Trust & Privacy Negotiator, Audit Event Bus Management) and Audit & Monitor (Audit, Compliance Validation, Operation Monitoring). Trust Network.
10 XACML SAML profile with TAS3 Trust extensions (diagram). SAML IdP, Discovery (ID-WSF 2.0 with TAS3 Trust extensions), Trust PDP and Master PDP. SP1, Frontend: JSESSION, ZXSES, Payload Servlet, PEPs for SSO and attributes, Web Service Client over HTTP. SP2, Web Service: WSPin (PEP-rs-in), WSPout (PEP-rs-out), context (CTX), interceptors, DB. The PEPs query the Master PDP using the XACML SAML profile.
11 Prior Art and Reference Architectures
TAS3 Architecture draws from and is compatible with
- NESSI's NEXOF-RA
- MASTER's concept of an audit bus and Awareness Cockpit
- Access-eGov Platform Architecture
- Liberty Alliance's ID Web Services Framework (ID-WSF)
- Hafner & Breu's Security Engineering for Service-Oriented Architectures
TAS3 Architecture is not as abstract as a reference architecture
- Goal is to drive real interoperable implementations
12 Novelty of the Architecture Itself (1/2)
TAS3 Architecture is novel as a blueprint that brings together
- Identity management
- Attribute based access control
- Business process modelling
- Dynamic trust
- Distributed auditing
- Legal & Policy
- Support for multiple policies in different languages
- Annex A, in combination with D2.2, acts as an interoperability profile for standards based protocols covering these areas
User transparency features
- Dashboard
- User accessible audit trail
- Automated compliance validation
13 Novelty of the Architecture Itself (2/2)
- Privacy protection using sticky policies
- Marriage of Trust and Privacy Negotiation with discovery and trust scoring
- Secure dynamic business processes
- Built-in first class support for delegation
Architecture needs to be instantiated in the context of a business model and legal / contractual framework
- Leaves many decisions to be decided in that context
- Many business models are possible (the one currently in the annex will become a document of its own)
14 Wire interoperability, many software implementations possible
- Any implementation that speaks the wire protocols and flows correctly is valid, irrespective of its software architecture
- The software architecture of the entities specified by the TAS3 Architecture is up to the implementers of those entities (some of the implementers are TAS3 work packages)
- The architecture includes a legacy integration strategy to illustrate some feasible ways to TAS3 enable existing applications (which way is chosen, or whether a totally different software architecture is used, is the implementer's choice)
15 Trustworthy and Secure (1/2)
Operational, legal, and business model to ensure trustworthiness
- Responsible entity, the Trust Guarantor, ensures "the buck stops here"
- Legal framework developed hand-in-hand with the architecture
- Certification of software and deployments
- Automated Compliance Validation keeps SPs in line
- Manual audits complement automated approaches
- Modelling the network and its members provides consistent security configuration
Legal concerns are built in from the ground up
Threat analysis to understand what we are defending against
16 Trustworthy and Secure (2/2)
Technical
- Fully encrypted, fully digitally signed
- Fully pseudonymous design ensures maximum privacy
- Fully cross organizational federation model
- Explicit token based audit trail at all layers
- Explicit authorization at all layers
- Advanced trust and reputation management
- Model and ontology driven to ensure accurate implementation
17 Deploying the TAS3 Architecture
Set up a Trust Network
- Draft the legal framework
- Run some services, like the audit bus and compliance validation
- Outsource or run other services, like discovery and IdP
Join a Trust Network
- Much of the infrastructure is shared or already provided
- Application integration: buy and deploy a TAS3 proxy or connector product, or adapt your application using the TAS3 Standard API
- Outsource or buy/run some infrastructure services, like IdP or PDP
18 Thank You, Questions? Sampo Kellomäki
- Official dissemination website
- Reference implementation of the TAS3 Core Security Architecture
- ZXID specific TAS3 news
- TAS3 Architecture Document
- Revised TAS3 API and protocol profiles
19 Architecture Drilldown: TAS3 Trust Network Domains (diagram, repeated from slide 4).
20 Component overview (diagram, repeated from slide 9).
21 Web Service Authorization (diagram; legend distinguishes Infrastructure and Authorization components). A Front End Service (Web Application with optional Web GUI, Service Requester stack) calls a Web Service (Service Responder stack, Service Application, which may in turn act as a Service Requester). Each stack has a PEP Out and a PEP In.
22 Multi-tier Web Service Call (diagram): Front End Service (Web Application, Web GUI, Service Requester) calls a Web Service (Service Responder, Service Application, Service Requester), which calls a Data Service (Service Responder, Data storage).
23 Details of Authorization (diagram). Payload side: Dashboard, Discovery, Policy Enforcement Point. Infrastructure Authorization: Credential validation service, Master Policy Decision Point, Policy Information Point. The Master PDP consults a stack of PDPs: Trust Network PDP, Organization PDP, User PDP and Trust PDP, each backed by its own Policy Store (a Trust Store for the Trust PDP).
24 Legacy Integration. Figure 1: Application Integration using ADPEP and (A) WP8 SOA Gateway, (B) WP8 as frontend to WP8 SOA GW, (C) WP8 database. The User reaches the FE, which calls a Web Service (e.g. Attribute Authority, a Data Service) through the TAS3 SOAP Service Responder Stack with an Application Independent PEP: AIPEP-In accepts the request, AIPEP-Out filters the response; an Application Dependent PEP sits in front of the legacy data source. PEPs query the Master PDP with XACML carried in a SOAP envelope.
25 Figure 2: Application Integration: ADPEP implemented in the application itself. Same stack as Figure 1 (TAS3 SOAP Stack with AIPEP-In and AIPEP-Out, XACML in a SOAP envelope to the Master PDP), but the application-dependent policy is enforced by the application.
26 Figure 3: Application Integration: PEP implemented directly in the application. The application has PEP-In (accept request) and PEP-Out (filter response) built in and queries the Master PDP with XACML in a SOAP envelope.
27 Steps of a Web Service Call (diagram only).
28 Core Security Architecture Flows, A: Authentication (diagram). The user authenticates at IDP_1 via SSO as identity 123; Front End service A (Web GUI, PEP, Web Application, Service Requestor, with a PDP) receives the pseudonym PID E(123)A.
29 Flow continued (diagram, steps 1-8). The Identity Mapper (IM) issues A a token E(789)IM with the constraint "use only: A 8 times". A's Service Requestor calls Service Provider B (PEP, PDP, Service Responder, holding PII); the Identity Mapper maps 789 -> E(456)B so that B receives E(456)B with the constraint "use only: B 8 times".
30 Flow continued (diagram, steps 1-11). Service B, acting as Service Requestor, calls Role Authority C with E(fgh)C and the constraint "use only: C 2 times". The Identity Mapper now holds 789 -> E(456)B and 789 -> E(fgh)C, and fgh resolves at the TAS3 Service Responder of Role Authority C. Each party sees only its own pseudonym for the user.
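The pseudonym flow on slides 28 to 30 can be modelled in a few lines. The following is an added example, not ZXID or TAS3 project code. It assumes, for illustration only, that the Identity Mapper derives a distinct pseudonym per target SP with HMAC-SHA256 (standing in for the encryption E(...) in the diagram), that each SP shares a key with the mapper so it can verify tokens addressed to it, and that the "use only: B 8 times" constraint is carried as signed audience and use-count fields enforced by the responder's PEP-In. Identifiers 789, B and C are the ones from the slides; all keys are generated for the run.

```python
"""Added illustration of pseudonymous identity mapping with usage-constrained tokens.

Assumptions (not from the slides): HMAC-SHA256 models E(...), a per-SP shared key
models "encrypted for B", and "use only: B 8 times" is a signed (aud, max_uses) pair.
"""
import base64
import hashlib
import hmac
import json
import secrets


class IdentityMapper:
    """Holds the federated identifier (789) and derives an unlinkable pseudonym per SP."""

    def __init__(self, sp_keys):
        self.sp_keys = sp_keys              # sp_id -> key shared with that SP (hypothetical distribution)
        self.master = secrets.token_bytes(32)
        self.issued = {}                    # (pseudonym, audience) -> federated id, for audit / dashboard

    def pseudonym_for(self, federated_id, sp_id):
        # Different SPs get different pseudonyms, so B and C cannot link the user by colluding.
        mac = hmac.new(self.master, f"{sp_id}|{federated_id}".encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:12]).decode().rstrip("=")

    def issue_token(self, federated_id, audience, max_uses):
        pseudo = self.pseudonym_for(federated_id, audience)
        self.issued[(pseudo, audience)] = federated_id
        body = {"sub": pseudo, "aud": audience, "max_uses": max_uses, "iss": "IM"}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.sp_keys[audience], payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

    def resolve(self, pseudo, audience):
        """Only the mapper can map a pseudonym back (789 -> E(456)B in the diagram)."""
        return self.issued.get((pseudo, audience))


class ServiceResponderPEP:
    """PEP-In of an SP: verifies the token is addressed to it and enforces the use counter."""

    def __init__(self, sp_id, key):
        self.sp_id, self.key = sp_id, key
        self.uses = {}                      # pseudonym -> number of accepted uses

    def accept(self, token):
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return (False, "bad signature")  # also what a token meant for another SP looks like
        body = json.loads(payload)
        if body["aud"] != self.sp_id:
            return (False, "wrong audience")
        n = self.uses.get(body["sub"], 0) + 1
        if n > body["max_uses"]:
            return (False, "use count exhausted")
        self.uses[body["sub"]] = n
        return (True, body["sub"])


def run_flow():
    """Replays the slide 29/30 constraints: A's token for B is good 8 times, C's 2 times."""
    keys = {"B": secrets.token_bytes(32), "C": secrets.token_bytes(32)}
    im = IdentityMapper(keys)
    pep_b = ServiceResponderPEP("B", keys["B"])
    pep_c = ServiceResponderPEP("C", keys["C"])
    tok_b = im.issue_token("789", "B", max_uses=8)
    tok_c = im.issue_token("789", "C", max_uses=2)
    b_uses = [pep_b.accept(tok_b)[0] for _ in range(9)]   # eight accepted, the ninth refused
    return {
        "unlinkable": im.pseudonym_for("789", "B") != im.pseudonym_for("789", "C"),
        "b_uses": b_uses,
        "b_token_at_c": pep_c.accept(tok_b),                # replay of B's token at C fails
        "c_uses": [pep_c.accept(tok_c)[0] for _ in range(3)],
        "resolved": im.resolve(im.pseudonym_for("789", "B"), "B"),
    }


if __name__ == "__main__":
    print(run_flow())
```

The use counter lives at the responder because only the responder can observe how often a token is actually presented; the mapper's `issued` table is what a Dashboard would consult to show the user which SPs hold a pseudonym for them.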
31 Acronym Expansion
TG: Trust Guarantor, the organization that operates the TN ("Summit")
TN: Trust Network
IdP: Identity Provider (SAML role, aka authentication authority)
SP: Service Provider, a member organization of the TN that operates Frontend and/or Web Services
Disco: Service discovery, sometimes specifically identity enabled service discovery such as the Liberty ID-WSF Discovery Service
DB: Dashboard, a web GUI for viewing audit records and workflow status, and/or viewing and editing privacy settings and permissions
FE: Frontend, here meaning a web site, i.e. an SP
WS: Web Service, SOAP based machine to machine communication; sometimes specifically an identity enabled web service, e.g. a Liberty ID-WSF based WS
32 Summit TAS3 CoT Model (diagram). The Core provided by the Summit (IdP, Disco, Model, Audit) is shared by SSO sub-CoT A and SSO sub-CoT B; Org A (Context A) and Org B (Context B) each run Modelling, FE, DB, a WS layer and their own Audit & Monitor, under the TAS3 CoT Audit.
33 Trust Network level model (diagram). Runtime and Enforcement Domain: IdP, Frontend Services, Dashboard, Disco, WS1, WS2, Backend WS, Connectors, with a PEP at each service. Modelling and Configuration Management Domain: Modelling Tool, Models and configurations. Authorization: Master PDP and PDP with Policy Store and Trust Store, calling the PIP. Audit and Monitoring Domain: Routing & aggregation of audit events.
34 Trust Network level model, feedback loops (diagram). As slide 33, with "Discover actual usage" flowing from the runtime domain back into the models, and "Feedback for behavioral trust" flowing from the audit domain into the Trust store.
35 Layered policy decision on a web service call (diagram). Client App of Alice at Org C (behind the Corp C firewall or packet filter) with PEP rq Out and PEP rs In; Service of Bob at Org D (behind the Corp D firewall or packet filter) with PEP rq In and PEP rs Out. On each side a Master PDP combines: built-in rules of the application / service, rules of the operator (Org C PDP / Org D PDP), rules of the TN (TN PDP), the Trust PDP, and personal rules (Alice PDP / Bob PDP).
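Slides 21, 23 and 35 describe the same mechanism from three angles: a request passes a PEP-In, the Master PDP asks several PDPs (Trust Network, operator, user, trust) and combines their answers, and a PEP-Out filters what leaves. The following is an added example of that pipeline, not TAS3 or ZXID code. It assumes, for illustration, XACML-style decisions represented as strings, each PDP as a plain function over a request dictionary, deny-overrides combining in the Master PDP, and a PEP that treats anything other than Permit as a refusal; the policies, the "health_record" resource and the record fields are constructed for the example.

```python
"""Added illustration of Master PDP combining plus PEP-In / PEP-Out filtering.

Assumptions (not from the slides): decisions are the strings below, each PDP is a
function over a request dict, the Master PDP uses deny-overrides, and the PEP fails
closed on NotApplicable or Indeterminate. Policies and data are constructed here.
"""
PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"


def tn_pdp(req):
    """Rules of the TN: only certified member SPs may call at all."""
    return PERMIT if req["requester"] in {"A", "B"} else DENY


def org_pdp(req):
    """Rules of the operator of the service: role must fit the resource."""
    if req["resource"] != "health_record":
        return NA
    return PERMIT if "physician" in req["roles"] else DENY


def user_pdp(req):
    """Personal rules (sticky policy set in the Dashboard): per-resource consent list."""
    consent = req.get("consent", {})
    if req["resource"] not in consent:
        return NA
    return PERMIT if req["requester"] in consent[req["resource"]] else DENY


def trust_pdp(req):
    """Trust PDP: behavioural trust score of the requester, threshold is constructed."""
    score = req.get("trust_score")
    if score is None:
        return INDET  # no score available: cannot decide
    return PERMIT if score >= 0.7 else DENY


def master_pdp(req, pdps=(tn_pdp, org_pdp, user_pdp, trust_pdp)):
    """Deny-overrides combining (XACML's algorithm of that name) over the PDP stack."""
    decisions = [(p.__name__, p(req)) for p in pdps]
    outcomes = {d for _, d in decisions}
    if DENY in outcomes:
        final = DENY
    elif INDET in outcomes:
        final = INDET
    elif PERMIT in outcomes:
        final = PERMIT
    else:
        final = NA
    return final, decisions


def pep_in(req, audit):
    """Request-side PEP: only an explicit Permit lets the call through (fail closed)."""
    final, decisions = master_pdp(req)
    audit.append({"stage": "PEP-In", "requester": req["requester"],
                  "resource": req["resource"], "decision": final, "by": decisions})
    return final == PERMIT


def pep_out(req, record, audit):
    """Response-side PEP: filter fields the requester may not see (the AIPEP-Out of slide 24)."""
    allowed = {"id", "diagnosis"} if "physician" in req["roles"] else {"id"}
    filtered = {k: v for k, v in record.items() if k in allowed}
    audit.append({"stage": "PEP-Out", "dropped": sorted(set(record) - allowed)})
    return filtered


# Constructed record held by service B; "E(456)B" is the pseudonym from slide 29.
RECORD = {"id": "E(456)B", "diagnosis": "hypertension", "billing": "invoice-17"}


def handle_call(req, record=RECORD):
    """Runs one call through PEP-In, the Master PDP and PEP-Out; returns decision, data, audit trail."""
    audit = []
    if not pep_in(req, audit):
        return audit[-1]["decision"], None, audit
    return PERMIT, pep_out(req, record, audit), audit


if __name__ == "__main__":
    request = {"requester": "A", "resource": "health_record", "roles": ["physician"],
               "consent": {"health_record": ["A"]}, "trust_score": 0.9}
    print(handle_call(request))
```

Returning the per-PDP decisions alongside the final one is what makes the audit trail on slide 6 useful: a Deny can be traced to the operator's rules, the Trust Network's rules or the user's own consent, which is what the user would expect to see in the Dashboard.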
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationIFIP - FIDIS Summer School
IFIP - FIDIS Summer School Privacy-Friendly Identity Management in egovernment Xavier Huysmans K.U.Leuven ICRI Objective of this talk Explaining legal drivers for Privacy-Friendly Identity Management in
More informationzentrale Sicherheitsplattform für WS Web Services Manager in Action: Leitender Systemberater Kersten Mebus
Web Services Manager in Action: zentrale Sicherheitsplattform für WS Kersten Mebus Leitender Systemberater Agenda Web Services Security Oracle Web Service Manager Samples OWSM vs
More informationSAP Security in a Hybrid World. Kiran Kola
SAP Security in a Hybrid World Kiran Kola Agenda Cybersecurity SAP Cloud Platform Identity Provisioning service SAP Cloud Platform Identity Authentication service SAP Cloud Connector & how to achieve Principal
More informationBEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE
BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationDeliverable D8.4 Certificate Transparency Log v2.0 Production Service
16-11-2017 Certificate Transparency Log v2.0 Production Contractual Date: 31-10-2017 Actual Date: 16-11-2017 Grant Agreement No.: 731122 Work Package/Activity: 8/JRA2 Task Item: Task 6 Nature of Deliverable:
More informationElectronic ID at work: issues and perspective
Electronic ID at work: issues and perspective Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dip. Automatica e Informatica Why should I have/use an (e-) ID? to prove my identity to an "authority":
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name Wilfrid Laurier University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Concordia University of Edmonton Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that
More informationSimplifying Federation Management with the Federation Router
Technical White Paper Simplifying Federation Management with the Federation Router HP Select Federation By: Jason L Rouault Introduction... 2 What is federation... 2 How does federation work... 3 Federation
More informationIBM IBM IBM Tivoli Federated Identity Manager V6.1. Practice Test. Version
IBM 000-891 IBM 000-891 IBM Tivoli Federated Identity Manager V6.1 Practice Test Version 1.1 QUESTION NO: 1 IBM 000-891: Practice Exam Which protocol supports only PULL Single Sign-On (SSO)? A. SAML V2.0
More informationIdentity-Enabled Web Services
Identity-Enabled s Standards-based identity for 2.0 today Overview s are emerging as the preeminent method for program-toprogram communication across corporate networks as well as the Internet. Securing
More informationOverview SENTINET 3.1
Overview SENTINET 3.1 Overview 1 Contents Introduction... 2 Customer Benefits... 3 Development and Test... 3 Production and Operations... 4 Architecture... 5 Technology Stack... 7 Features Summary... 7
More informationInCommon Federation: Participant Operational Practices
InCommon Federation: Participant Operational Practices Participation in the InCommon Federation ( Federation ) enables a federation participating organization ( Participant ) to use Shibboleth identity
More informationInteragency Advisory Board Meeting Agenda, August 25, 2009
Interagency Advisory Board Meeting Agenda, August 25, 2009 1. Opening Remarks 2. Policy, process, regulations, technology, and infrastructure to employ HSPD-12 in USDA (Owen Unangst, USDA) 3. Policy and
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationTRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model
TRUST. assured reliance on the character, ability, strength, or truth of someone or something - Merriam-Webster TRUST AND IDENTITY July 2017 Trusted Relationships for Access Management: The InCommon Model
More informationOracle Developer Day
Oracle Developer Day Sponsored by: Track # 1: Session #2 Web Services Speaker 1 Agenda Developing Web services Architecture, development and interoperability Quality of service Security, reliability, management
More informationIntegration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)
Integration Guide PingFederate SAML Integration Guide (SP-Initiated Workflow) Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances,
More information1. Federation Participant Information DRAFT
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon
More informationDigital (Virtual) Identities in Daidalos and beyond. Amardeo Sarma NEC Laboratories Europe
Digital (Virtual) Identities in Daidalos and beyond Amardeo Sarma NEC Laboratories Europe Who wants to pay for more Bandwidth? More Access Bandwidth? No one pays extra for volume or time plain usage is
More informationTrusted identities for the cloud using open source technologies where Open ecard App meets SkIDentity
Trusted identities for the cloud using open source technologies where Open ecard App meets SkIDentity Tobias Wich Dr. Detlef Hühnlein Moritz Horsch Johannes Schmölz} Berlin, 23.5.2012 Agenda Introduction
More informationGestión dinámica de configuraciones en dispositivos móviles en un entorno Liberty/OMA-DM
Gestión dinámica de configuraciones en dispositivos móviles en un entorno Liberty/OMA-DM 1 Device Independence Liberty and Identity in a Nutshell The Importance of Identity Principles Liberty Value Proposition
More informationSentinet for Windows Azure VERSION 2.2
Sentinet for Windows Azure VERSION 2.2 Sentinet for Windows Azure 1 Contents Introduction... 2 Customer Benefits... 2 Deployment Topologies... 3 Isolated Deployment Model... 3 Collocated Deployment Model...
More information[GSoC Proposal] Securing Airavata API
[GSoC Proposal] Securing Airavata API TITLE: Securing AIRAVATA API ABSTRACT: The goal of this project is to design and implement the solution for securing AIRAVATA API. Particularly, this includes authenticating
More informationSecurity and Privacy Overview
Security and Privacy Overview Cloud Application Security, Data Security and Privacy, and Password Management 1 Overview Security is a growing concern and should not be taken lightly across an organization.
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationCipherCloud CASB+ Connector for ServiceNow
ServiceNow CASB+ Connector CipherCloud CASB+ Connector for ServiceNow The CipherCloud CASB+ Connector for ServiceNow enables the full suite of CipherCloud CASB+ capabilities, in addition to field-level
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More information