Federated Authentication with Web Services Clients


Federated Authentication with Web Services Clients in the context of SAML based AAI federations
Thomas Lenggenhager, thomas.lenggenhager@switch.ch
Mannheim, 8 March 2011

Overview
- SAML n-tier Delegation with ECP Profile
- Argus: A scalable Authorization Service

ECP: Enhanced Client or Proxy (ECP) Profile
- http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
- http://saml.xml.org/saml-specifications

SAML n-tier Delegation with ECP Profile
- Allow a Web Portal to make use of delegation to access one or more Web Service Providers (WSP)
- The Web Portal and each WSP is a SAML SP
- Configuration changes required at the IdP:
  1) Download and install the delegation plug-in
  2) Add a profile handler for the LibertyIDWSFSSOS Profile
  3) Change the profile config to restrict delegation by the Portal to its WSPs
  4) Add a new security policy for Liberty SSOS (a static explicit key signature trust engine)
  5) Add a new SingleSignOnService endpoint for the Liberty SSOS in the metadata
- It is not as easy as you would like it to be!

SAML n-tier Delegation with ECP Profile (2)
- A single SAML entity
- https://spaces.internet2.edu/display/shibuportal/configuring+shibboleth+delegation+for+a+portal

Where is AuthN required, where AuthZ?
- Authentication could be moved to the edges
- If inner components trust the outer components, no further authentication may be required
- Outer components with WebSSO support could act as gateways to inner components
- Outer components pass user attributes to inner components for authorization decisions close to the data access
- The Authorization Service Argus could play a role in such a scenario

Argus: A scalable Authorization Service
- Argus is an authorization service developed by EGEE / EMI
- Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way
- EMI: European Middleware Initiative
- Argus 1.2 was released in Nov 2010
- Argus 1.3 to be released for EMI-1 in April 2011

Argus Integration & Interoperability
(diagram slide; only the title survived transcription)

Argus Integration & Interoperability (2)
- Integration with lightweight PEP client API
- Interoperability with direct XACML authorization request (SOAP)
- Common XACML Authorization Profile

Argus Deployment
(diagram slide; only the title survived transcription)

PAP: Policy Administration Point
- Manages the XACML policies
- Tools for administrators to manage policies
- Simple Policy Language (SPL) hides XACML complexity
- Hierarchical deployment of PAP servers, e.g. for global banning

PDP: Policy Decision Point
- XACML engine
- Retrieves policies from the PAP
- Receives authorization requests from the PEP daemon
- Evaluates authorization requests against the policies

PEP daemon: Policy Enforcement Point
- Client/Server architecture
- Processes the client requests:
  - Applies PIPs to incoming requests
  - Extracts data from the end-entity certificate
- Processes the client responses:
  - Applies obligation handlers to outgoing responses
  - Determines user and group mapping

PEP client libraries
- Lightweight client libraries to communicate with the PEP daemon
- ANSI C and Java client libraries
- Hides the complexity of XACML

Argus: A Grid Example
- Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way
- A Grid example: Is CN=Peter Pan, DC=example,DC=org allowed to submit a job to Computing Element ce.example.com?

Argus: A Grid Example (2)
- Authorization rules (policies) are expressed in XACML
- For most use cases XACML is too abstract
- The Argus CLI supports a simplified policy language, e.g. to allow user Peter to perform any action on resource my_resource:

    resource "my_resource" {
        action ".*" {
            rule permit { subject="/dc=org/dc=example/cn=peter Pan" }
        }
    }

- Parameterize policies with attributes, e.g. DN, subject, CA, ...
- Manage policies locally or import them from remote repositories
- Combination possible: e.g. local policy & global black list
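To make the PAP/PDP/PEP split and the Grid example concrete, here is an added toy model in Python. It is not code from the slides or from the Argus project: it parses the SPL subset shown above (a PAP-side task), evaluates a request against the parsed policies (PDP), and wraps that in a PEP step that derives the subject from a certificate DN and maps a permitted user to a local account via an obligation-style lookup. Everything beyond the slide's own policy text is an assumption made for the example: the action name "submit-job", the Mallory ban-list entry, the account mapping table, deny-overrides combining, and treating resource and action values as regular expressions.

```python
import re
from dataclasses import dataclass

# ---- PAP side: parse the Simplified Policy Language subset shown on the slides ----
# Grammar handled: resource "<re>" { action "<re>" { rule permit|deny { key="value" ... } ... } ... }
# Treating resource/action values as regular expressions is an assumption for this example.

@dataclass
class Rule:
    effect: str   # "permit" or "deny"
    attrs: dict   # attribute name -> lower-cased value, e.g. {"subject": "/dc=org/dc=example/cn=peter pan"}

_TOKEN = re.compile(r'"[^"]*"|[A-Za-z_]+=|[A-Za-z_.\-]+|[{}]')

def parse_spl(text):
    """Return a list of (resource_pattern, [(action_pattern, [Rule, ...]), ...])."""
    toks = _TOKEN.findall(text)
    pos = 0

    def peek():
        if pos >= len(toks):
            raise SyntaxError("unexpected end of policy")
        return toks[pos]

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if expected is not None and tok != expected:
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def quoted():
        tok = take()
        if len(tok) < 2 or tok[0] != '"' or tok[-1] != '"':
            raise SyntaxError(f"expected quoted string, got {tok!r}")
        return tok[1:-1]

    policies = []
    while pos < len(toks):
        take("resource"); rpat = quoted(); take("{")
        actions = []
        while peek() != "}":
            take("action"); apat = quoted(); take("{")
            rules = []
            while peek() != "}":
                take("rule")
                effect = take()
                if effect not in ("permit", "deny"):
                    raise SyntaxError(f"unknown rule effect {effect!r}")
                take("{")
                attrs = {}
                while peek() != "}":
                    key = take()
                    if not key.endswith("="):
                        raise SyntaxError(f"expected key=, got {key!r}")
                    attrs[key[:-1]] = quoted().lower()
                take("}")
                rules.append(Rule(effect, attrs))
            take("}")
            actions.append((apat, rules))
        take("}")
        policies.append((rpat, actions))
    return policies

# ---- PDP side: evaluate a request against the parsed policies ----
def pdp_decide(policies, request):
    """Deny-overrides combining (an assumption; the slides do not state Argus' combining algorithm)."""
    effects = set()
    for rpat, actions in policies:
        if not re.fullmatch(rpat, request["resource"]):
            continue
        for apat, rules in actions:
            if not re.fullmatch(apat, request["action"]):
                continue
            for rule in rules:
                if all(request.get(k, "").lower() == v for k, v in rule.attrs.items()):
                    effects.add(rule.effect)
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "not-applicable"

# ---- PEP side: a PIP extracts the subject, an obligation handler maps the user ----
def pip_subject_from_cert_dn(rfc4514_dn):
    """Turn 'CN=Peter Pan,DC=example,DC=org' into the slash form the policies use.
    Naive split on ','; escaped commas in DNs are out of scope for this example."""
    return "/" + "/".join(reversed([p.strip() for p in rfc4514_dn.split(",")]))

ACCOUNT_MAP = {"/dc=org/dc=example/cn=peter pan": "pool001"}   # constructed mapping table

def pep_authorize(policies, cert_dn, action, resource):
    """Return (decision, local_account); the account is only resolved for a permit."""
    request = {"subject": pip_subject_from_cert_dn(cert_dn), "action": action, "resource": resource}
    decision = pdp_decide(policies, request)
    account = ACCOUNT_MAP.get(request["subject"].lower()) if decision == "permit" else None
    return decision, account

# Constructed policies: a "global" ban list (as from a remote PAP) combined with a local policy.
GLOBAL_BAN_LIST = 'resource ".*" { action ".*" { rule deny { subject="/dc=org/dc=example/cn=mallory" } } }'
LOCAL_POLICY = '''
resource "my_resource" {
    action ".*" {
        rule permit { subject="/dc=org/dc=example/cn=peter Pan" }
    }
}
resource "ce.example.com" {
    action "submit-job" {
        rule permit { subject="/dc=org/dc=example/cn=peter Pan" }
        rule permit { subject="/dc=org/dc=example/cn=mallory" }
    }
}
'''
POLICIES = parse_spl(GLOBAL_BAN_LIST) + parse_spl(LOCAL_POLICY)

if __name__ == "__main__":
    print(pep_authorize(POLICIES, "CN=Peter Pan,DC=example,DC=org", "submit-job", "ce.example.com"))
    print(pep_authorize(POLICIES, "CN=Mallory,DC=example,DC=org", "submit-job", "ce.example.com"))
```

The second call shows why the slide pairs a local policy with a global black list: the local permit for Mallory on ce.example.com is overridden by the imported deny, so a user banned centrally stays banned no matter what a site administrator grants locally.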

Argus Summary
+ Service management on the command line
+ Pluggable architecture, written in Java: easy to add new features and deploy
+ Client has a simple API in C & Java with virtually no dependencies: easy to integrate into new clients
+ All Argus components can be deployed on one single host or on distributed hosts

Argus Documentation: <argus-support@cern.ch>
- https://twiki.cern.ch/twiki/bin/view/egee/authorizationframework
- https://twiki.cern.ch/twiki/bin/view/egee/simplifiedpolicylanguage
- https://twiki.cern.ch/twiki/bin/view/egee/authzpapcli

What's missing?
- A System Security Architect should be tasked to draft a Middleware Architecture for CLARIN