Survey of Identity Repository Security Models JSR 351, Sep 2012.

Background
- JSR 351 terms: Attribute Repository, Identity Repository, Attribute Service
- This survey is limited to identity repositories only
- The JSR 351 scope of work includes a security model for the (Identity) Attribute Service
  - Includes an access control model for the release of attributes
  - This area needs more definition and use cases
- Survey of two popular identity repositories
  - LDAP directories
  - Facebook

Actors
- User: the entity on behalf of whom access to identity data is sought
  - Three sub-cases: no user, user absent, user present
- Client: the application which interacts with the identity repository
- Network protocol
  - LDAP protocol
  - Facebook Graph API (actually a REST network protocol)
- Identity Repository

LDAP Security Model
- Every entry in an LDAP directory has a distinguished name (DN)
  - Both leaf nodes and non-leaf nodes have DNs
- Clients open connections to directories over TLS/SSL with a server-side certificate (plain LDAP without TLS is also possible, so BIND credentials should only be sent on a protected connection)
- Clients perform a BIND operation to establish an authorization identity
  - Typically a DN
  - The BIND operation may include credentials
  - Anonymous mode is also supported

LDAP Authorization Model
- No standard model
  - But draft-ietf-ldapext-acl-model-08.txt is helpful
- Servers implement an authorization model based on
  - Authorization identity
  - Target
  - Operation
- Access control rules use patterns and search strings
  - Example: anyone can read entries in the "dc=oracle,dc=com" subtree and view all attributes except for pwd

Authorization Model (continued)
- Sophisticated policies can be expressed
  - Delegated administration
  - Group membership
  - Roles or attributes
  - Default deny vs. default access
- Also a source of complexity
  - Different products use different models
  - Design and testing of policies requires expert knowledge and effort
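The LDAP slides above list the ingredients of a directory authorization decision (authorization identity from BIND, target, operation, subtree patterns, delegated administration via groups, default deny) without showing one being made. The following is an added example, not code from the slides or from any directory product: a toy evaluator that encodes the slide's "anyone can read dc=oracle,dc=com except the password" rule alongside a self-service rule and a group-delegated admin rule, and answers read/write requests against them. The DNs, the sample entry, the group and the rules are constructed; real servers (OpenLDAP `olcAccess`, Oracle/Sun ACIs) have their own syntax, which is exactly the product-specific complexity the slide warns about.

```python
# Added example (not from the slides or any directory product): a toy evaluator
# for the LDAP authorization elements the slides list. A BIND establishes an
# authorization identity (None = anonymous); each rule names a target subtree,
# the operations it covers, who it applies to, and optionally which attributes
# it grants or withholds. Anything no rule grants is denied (default deny).
# The DNs, entry, group and rules below are constructed sample data.
from dataclasses import dataclass


def parse_dn(dn: str) -> list:
    """Split a DN into RDN strings. Backslash-escaped commas (RFC 4514) stay
    inside their RDN; case and surrounding whitespace are normalised."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def canon(dn: str) -> str:
    """Canonical form used for DN equality and group membership lookups."""
    return ",".join(parse_dn(dn))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies beneath it (RDNs compare from the right)."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


@dataclass(frozen=True)
class Rule:
    target: str                           # subtree the rule applies to
    ops: frozenset                        # {"read", "write"}
    who: str                              # "anyone", "authenticated", "self", "group:<dn>" or a DN
    attrs: frozenset = frozenset()        # attributes granted; empty means all
    deny_attrs: frozenset = frozenset()   # attributes this rule never grants


ADMINS = "cn=admins,ou=groups,dc=oracle,dc=com"
GROUPS = {canon(ADMINS): {canon("uid=bob,ou=people,dc=oracle,dc=com")}}

RULES = [
    # the slide's example: anyone may read the dc=oracle,dc=com subtree except the password
    Rule("dc=oracle,dc=com", frozenset({"read"}), "anyone", deny_attrs=frozenset({"userpassword"})),
    # self-service: a bound user may change their own password and mail
    Rule("ou=people,dc=oracle,dc=com", frozenset({"write"}), "self", attrs=frozenset({"userpassword", "mail"})),
    # delegated administration via group membership
    Rule("ou=people,dc=oracle,dc=com", frozenset({"read", "write"}), "group:" + ADMINS),
]


def subject_matches(rule: Rule, authz_id, entry_dn: str) -> bool:
    if rule.who == "anyone":
        return True
    if authz_id is None:                  # anonymous BIND matches only "anyone" rules
        return False
    if rule.who == "authenticated":
        return True
    if rule.who == "self":
        return canon(authz_id) == canon(entry_dn)
    if rule.who.startswith("group:"):
        return canon(authz_id) in GROUPS.get(canon(rule.who[len("group:"):]), set())
    return canon(authz_id) == canon(rule.who)


def allowed(authz_id, entry_dn: str, op: str, attr: str, rules=RULES) -> bool:
    """Default deny: True only if some rule grants this op on this attribute."""
    attr = attr.lower()                   # LDAP attribute types are case-insensitive
    for r in rules:
        if op not in r.ops or not in_subtree(entry_dn, r.target):
            continue
        if not subject_matches(r, authz_id, entry_dn):
            continue
        if attr in r.deny_attrs or (r.attrs and attr not in r.attrs):
            continue
        return True
    return False


def visible_attrs(authz_id, entry_dn: str, entry: dict, rules=RULES) -> dict:
    """The view of an entry that a search by authz_id would return."""
    return {a: v for a, v in entry.items() if allowed(authz_id, entry_dn, "read", a, rules)}


ALICE_DN = "uid=alice,ou=people,dc=oracle,dc=com"
ALICE = {"cn": "Alice", "mail": "alice@oracle.com", "userPassword": "{SSHA}constructed"}

if __name__ == "__main__":
    print(visible_attrs(None, ALICE_DN, ALICE))                   # anonymous: cn and mail only
    print(allowed(ALICE_DN, ALICE_DN, "write", "userPassword"))   # self-service: True
```

Two points the code makes concrete: the subtree match works on parsed RDNs rather than string suffixes, so `dc=example,dc=com` is not mistaken for part of `dc=oracle,dc=com`, and an entry outside every rule's target is unreadable even to an admin, which is the default-deny behaviour the slide contrasts with default access.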

Facebook
- Based on documentation accessed Sep 2012
- A certain amount of information is available without client or user authentication
  - This is information that the user has declared public
- Users can grant secured access to a client application
  - Based on the OAuth 2.0 three-legged flow
  - Once authenticated, the user gives consent for sharing
  - Clients may request permissions for varying levels of access

Permissions
- Map directly to the OAuth 2.0 scope parameter
- Categories
  - Basic (default: id, name, picture, gender, locale)
  - User and Friends permissions (e.g., user_likes)
    - user_xxx (provides access to the xxx data section)
    - friends_xxx
  - Extended permissions
    - Enable administrative privileges
  - Open Graph permissions, Page permissions
    - For more advanced apps?

Facebook Summary
- The user-mediated access model has many strengths
- But it is hard to disentangle principles from Facebook specifics
- How to discover the permissions required for access to attributes?
- Is the "user absent" case covered by long-lived OAuth access tokens?
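The Facebook slides describe permissions as OAuth 2.0 scopes, user consent, and the open questions of scope discovery and the "user absent" case. The following is an added example, not Facebook's code or anything from the slides: a toy model in which a client requests scopes, the user approves a subset, the token records the granted scopes with a lifetime, and each attribute read is checked against it. The basic field list is the slide's; the `user_xxx` section names, the extended permission names, the comma-tolerant scope parsing and the token lifetimes are assumptions made for illustration, not a statement of the Graph API's actual behaviour.

```python
# Added example (not Facebook's code or from the slides): a toy model of the
# user-mediated access the slides describe. A client asks for permissions via the
# OAuth 2.0 scope parameter, the user consents to some subset, the resulting
# access token carries the granted scopes and a lifetime, and every attribute
# read is checked against that token. The basic fields come from the slide; the
# user_xxx sections, the extended permission names and the lifetimes are
# constructed for illustration.
from dataclasses import dataclass

BASIC = frozenset({"id", "name", "picture", "gender", "locale"})   # readable with any valid token
SECTIONS = frozenset({"likes", "birthday", "photos", "website"})    # user_xxx / friends_xxx sections (constructed)
EXTENDED = frozenset({"publish_actions", "manage_pages"})           # administrative privileges (constructed)


def parse_scope(scope: str) -> set:
    """RFC 6749 scope values are space-delimited; tolerate a comma-separated form too."""
    return {s for s in scope.replace(",", " ").split() if s}


def classify(perm: str) -> str:
    """Which category of the slide a requested permission falls into."""
    if perm.startswith("user_") and perm[len("user_"):] in SECTIONS:
        return "user"
    if perm.startswith("friends_") and perm[len("friends_"):] in SECTIONS:
        return "friends"
    if perm in EXTENDED:
        return "extended"
    return "unknown"


def required_scope(subject: str, attr: str):
    """Scope needed to read attr of subject ("me" or "friend"); None for basic fields."""
    if attr in BASIC:
        return None
    prefix = "user_" if subject == "me" else "friends_"
    return prefix + attr


def discover_scopes(subject: str, attrs) -> set:
    """Answer to 'which permissions do I need?': the scopes a client must request."""
    return {s for s in (required_scope(subject, a) for a in attrs) if s is not None}


@dataclass(frozen=True)
class Token:
    scopes: frozenset
    issued: int          # epoch seconds
    lifetime: int        # seconds; a long-lived token is just a larger lifetime

    def expired(self, now: int) -> bool:
        return now >= self.issued + self.lifetime


def grant(requested: set, approved: set, now: int, lifetime: int) -> Token:
    """User consent: the user may approve only part of what the client asked for.
    Unknown permission names are dropped rather than silently honoured."""
    granted = {p for p in requested & approved if classify(p) != "unknown"}
    return Token(frozenset(granted), now, lifetime)


def authorize(token: Token, subject: str, attr: str, now: int) -> tuple:
    """(allowed, reason). The 'user absent' case is simply a still-valid token:
    nothing here re-checks that the user is present, only that consent has not lapsed."""
    if token.expired(now):
        return False, "token expired"
    need = required_scope(subject, attr)
    if need is None:
        return True, "basic"
    if need in token.scopes:
        return True, need
    return False, "missing " + need


if __name__ == "__main__":
    asked = parse_scope("user_likes,friends_likes publish_actions bogus_perm")
    tok = grant(asked, {"user_likes", "bogus_perm"}, now=1000, lifetime=3600)
    print(sorted(tok.scopes))                         # ['user_likes']
    print(authorize(tok, "me", "likes", 2000))        # (True, 'user_likes')
    print(authorize(tok, "friend", "likes", 2000))    # (False, 'missing friends_likes')
    print(authorize(tok, "me", "likes", 5000))        # (False, 'token expired')
```

The model makes the summary slide's two questions tangible: `discover_scopes` is the mapping from attributes to permissions that the slide asks how to find, and `authorize` shows that a long-lived token serves the user-absent case only in the sense that the consent outlives the session, so revocation and expiry, not user presence, are what bound the client's access.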