Federated Identity & Attribute Based Resource Access Controls


Federated Identity & Attribute Based Resource Access Controls
By Kingsley Idehen, Founder & CEO, OpenLink Software

License: CC-BY-SA 4.0 (International)

SITUATION ANALYSIS

Presentation Goals
Deconstruct: Identity, Identifiers, Identification.

Every Day We Hear About Identity
Identity is problematic. Identity is complex. Identity is important.

We Almost Never Hear About
What identity actually is. How identity is created. How identity is represented.

Identity Basics

What is an Entity?
An Entity is a distinctly identifiable thing.

How is an Entity Identified (Named)?
An Entity is identified (or named) through the combined effects of identifier-based denotation (signification) and document-content-based connotation (description).

How is an Entity Denoted?
An Entity is denoted (signified) through the use of an Identifier.

What is an Identifier?
An Identifier is a sign (or token) that signifies (denotes, or “stands for”) an Entity.

Identifier Types?
Quoted literals, such as: “Kingsley Idehen” or ‘Kingsley Idehen’
Relative reference: <#KingsleyIdehen>
Absolute HTTP URI based reference: <http://kingsley.idehen.net/dataspace/person/kidehen#this>
LDAP URI based reference: <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen%2Cou=Accounts%2Co=OpenLink%20Software%2Cc=US>

What is a WebID?
An HTTP Uniform Resource Identifier (URI) that identifies (names) an Agent.
Example: <http://kingsley.idehen.net/dataspace/person/kidehen#this>

What is a NetID?
A resolvable Uniform Resource Identifier (URI) that identifies (names) an Agent.
Example: <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen%2Cou=Accounts%2Co=OpenLink%20Software%2Cc=US>

What is an Identity Card?
A document comprised of content in the form of identity claims that coalesce around an identifier that names the Identity Card’s subject. Basically, a document comprised of content that connotes (describes) its subject.

WebID-Profile Document -- Front
A document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject. The Identity Card subject name MUST be in the form of an HTTP URI.

WebID-Profile Document -- Inside
A document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject. Identity Card subject identifiers MUST be in the form of an HTTP URI.

NetID-Profile Document -- Front
A document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject. Identity Card subject identifiers MUST be in the form of resolvable URIs, so LDAP scheme identifiers can apply.

NetID-Profile Document -- Inside
A document comprised of RDF statement based identity claims that coalesce around an identifier that names the Identity Card’s subject. Identity Card subject identifiers MUST be in the form of resolvable URIs, so LDAP scheme identifiers can apply.

What Your Digital Identity Card Enables
Identification for 3rd-party use, e.g., protected resource access controls and data access policies scoped specifically to your identity.
Signing statements (endorsements) and messages (e.g., email) so that they are cryptographically verifiable.
Receipt of encrypted messages that are only readable by you, since the entire message or a shared secret is encrypted using data (your public key) from your Digital Identity Card.
All of the above using existing open standards.

Attribute Based Access Controls (ABAC)

What is ABAC About?
Fine-grained access to protected resources driven by attributes (characteristics, features, properties, predicates, relations, etc.) of the resource requestor (an Identity Principal).

RDF based Attribute Based Access Controls
1. The Identity Principal requests access to a Protected Resource.
2. The Protected Resource Server assesses: Identity (RDF based identity claims) and Access Control Rules (RDF based Protected Resource access policies).
3. Protected Resource access is granted or rejected.

ABAC Challenges?
Identifier types: NetID vs WebID issues
Data access protocols: LDAP vs HTTP issues
Data representation: data virtualization issues
Data integration: RDF based Linked Open Data
Data access performance & scalability: Virtuoso!

Identity Card Generation

WebID Identity Card Generation

Digital Identity Card Generation – PdP Selection
Select from a vast collection of Profile Data Providers (PdPs).

Digital Identity Card Generation – IdP Selection
Select from a vast collection of Identity Card Storage Providers (IdPs).

Generated Public Identity Card
A document comprised of content in the form of identity claims that coalesce around an identifier (e.g., an HTTP URI) that names the Identity Card’s subject. Basically, a document comprised of content that connotes (describes) its subject.

Local Identity Card (X.509 Cert.) View - 1

Local Identity Card (X.509 Cert.) View - 2

Local Identity Card (X.509 Cert.) View - 3

Authentication Protocols (WebID-TLS and NetID-TLS)

Critical Proof of Work
Fundamentally, the NetID-TLS and WebID-TLS authentication protocols combine shared-secret knowledge (PKI) with proof of work. This includes:
Private & public keypair possession.
Private (X.509 Cert.) and public (profile document) Identity Card creation & storage capability.
Ability to express entity identity claims using entity relationship semantics that are comprehensible to both humans and machines.

What is WebID-TLS?
A TLS based authentication protocol where identity claims are verified as follows:
1. The User Agent initiates a TLS connection and presents a locally stored Identity Card (X.509 certificate) that carries a WebID as its SubjectAlternativeName (SAN) value.
2. Following a successful TLS handshake, the protected resource server performs these additional tests:
   a. Checks that the WebID successfully resolves to a profile document comprised of RDF statements.
   b. Checks for the existence of an RDF statement that associates the WebID with the public key of the local X.509 certificate used to complete the successful TLS handshake.

WebID-TLS Authentication Protocol Example

WebID-TLS Authentication – Step 1

WebID-TLS Authentication – Step 2

WebID-TLS Authentication – Step 3

WebID-TLS Authentication – Step 4

What is NetID-TLS?
A TLS based authentication protocol where identity claims are verified as follows:
1. The User Agent initiates a TLS connection and presents a locally stored Identity Card (X.509 certificate) that carries a NetID as its SubjectAlternativeName (SAN) value.
2. Following a successful TLS handshake, the protected resource server performs these additional tests:
   a. Checks that the NetID successfully resolves to a profile document.
   b. Checks that the profile document is comprised of replica claims matching those in the local X.509 certificate, achieved by comparing the SHA1 fingerprints of both documents.
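The post-handshake checks that the WebID-TLS and NetID-TLS slides above describe, written out as an added Python example that is not part of the original presentation or of OpenLink's software: for an HTTP SAN the server dereferences the WebID (minus its fragment) and looks for a cert:key claim whose modulus and exponent equal the presented public key; for an LDAP SAN it resolves the NetID to a directory record and compares certificate fingerprints. The web and the directory are stood in for by dictionaries so the code runs offline; the certificate, key values, profile triples and directory entry are constructed fixtures; the cert: property names are the W3C WebID vocabulary; function names and the shape of the certificate record are assumptions of this example.

```python
# Added example (not OpenLink / Virtuoso code): the post-handshake checks that
# WebID-TLS and NetID-TLS perform, as described on the two preceding slides.
# Network access is replaced by in-memory lookups so it runs offline; the
# certificate, key values and directory entry below are constructed fixtures.
import hashlib
import hmac
from urllib.parse import urlparse, urlunparse

# WebID vocabulary (http://www.w3.org/ns/auth/cert#) used by profile documents
CERT_KEY = "http://www.w3.org/ns/auth/cert#key"
CERT_MODULUS = "http://www.w3.org/ns/auth/cert#modulus"
CERT_EXPONENT = "http://www.w3.org/ns/auth/cert#exponent"


def profile_document_url(webid):
    """A WebID names an agent; the document describing that agent is the same
    URI without its fragment, which is what the server dereferences."""
    return urlunparse(urlparse(webid)._replace(fragment=""))


def verify_webid(cert, webid, fetch):
    """WebID-TLS check: the profile document reached via the WebID must contain
    a cert:key whose modulus and exponent equal those of the presented key."""
    triples = fetch(profile_document_url(webid))
    if not triples:
        return False                      # WebID does not resolve to RDF claims
    for s, p, key in triples:
        if s != webid or p != CERT_KEY:
            continue
        modulus = next((o for ks, kp, o in triples if ks == key and kp == CERT_MODULUS), None)
        exponent = next((o for ks, kp, o in triples if ks == key and kp == CERT_EXPONENT), None)
        if modulus is None or exponent is None:
            continue
        # cert:modulus is an xsd:hexBinary literal; compare it numerically
        if int(str(modulus).replace(" ", ""), 16) == cert["modulus"] and int(exponent) == cert["exponent"]:
            return True
    return False                          # no claim binds this WebID to this key


def verify_netid(cert, netid, lookup):
    """NetID-TLS check: the directory entry the NetID resolves to must hold a
    replica of the presented certificate; the slide compares SHA-1 fingerprints."""
    entry = lookup(netid)
    if not entry or "userCertificate" not in entry:
        return False
    presented = hashlib.sha1(cert["der"]).hexdigest()
    stored = hashlib.sha1(entry["userCertificate"]).hexdigest()
    return hmac.compare_digest(presented, stored)


def authenticate(cert, fetch, lookup):
    """Walk the certificate's SAN URIs and return the first identifier whose
    claims verify; None means the handshake alone proved nothing about who
    holds the key.  SAN entries with other URI schemes are ignored."""
    for uri in cert["san"]:
        scheme = urlparse(uri).scheme
        if scheme in ("http", "https") and verify_webid(cert, uri, fetch):
            return uri
        if scheme == "ldap" and verify_netid(cert, uri, lookup):
            return uri
    return None


# ---- constructed fixtures ---------------------------------------------------
WEBID = "http://kingsley.idehen.net/dataspace/person/kidehen#this"
NETID = ("ldap://mail.openlinksw.com/cn=Kingsley%20Idehen%2Cou=Accounts"
         "%2Co=OpenLink%20Software%2Cc=US")

# What the server learns from the client certificate after the handshake
# (toy modulus, far too small for real use; the DER bytes are a stand-in).
CLIENT_CERT = {
    "san": [WEBID, NETID],
    "modulus": 0xA1B2C3D4E5F60718293A4B5C6D7E8F90,
    "exponent": 65537,
    "der": b"constructed DER bytes of the client certificate",
}

# RDF triples the profile document would yield, binding the WebID to the key
PROFILE = {
    (WEBID, CERT_KEY, "_:k1"),
    ("_:k1", CERT_MODULUS, "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("_:k1", CERT_EXPONENT, 65537),
}
WEB = {profile_document_url(WEBID): PROFILE}

# LDAP record the NetID resolves to; it holds a replica of the certificate
DIRECTORY = {NETID: {"userCertificate": CLIENT_CERT["der"]}}

if __name__ == "__main__":
    print("authenticated as:", authenticate(CLIENT_CERT, WEB.get, DIRECTORY.get))
```

The handshake proves only possession of the key pair in the certificate; the binding between that key and an identifier comes from the profile document or directory record the identifier resolves to, which is why a certificate whose SAN names a WebID whose profile lists a different key, or whose NetID record holds a different certificate, authenticates as nobody.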

NetID Identity Card Generation

YouID Identity Card Creation – Step 1

YouID Identity Card Creation – Step 2

Local Identity Card (X.509 Cert.) View - 1

Local Identity Card (X.509 Cert.) View - 2

Local Identity Card (X.509 Cert.) View - 3

NetID-TLS Authentication Protocol Example (LDAP Directory Services)

Identity Card Export for LDAP Directory Use

LDAP Directory Profile Edit Page

LDAP Directory Profile Edit – Certificate Binding
Associate the certificate exported from the keystore / keychain with the LDAP Directory record.

NetID-TLS Authentication (using an Identity Card with an LDAP URI in its SAN)

NetID-TLS Authentication – Step 1

NetID-TLS Authentication – Step 2

NetID-TLS Authentication – Step 3

NetID-TLS Authentication – Step 4

NetID-TLS Authentication – Step 5

Attribute Based Access Controls (ABAC) via NetID-TLS & WebID-TLS Authentication Protocols

Controlling Access to an HTTP-Accessible Document

Resource Protection – Step 1

Resource Protection – Step 2

Resource Protection – Step 3

Actual Attribute Based Access Control

Protected Resource Access Challenge – Step 1

Protected Resource Access Challenge – Step 2

Protected Resource Access Challenge – Step 3

Protected Resource Access Challenge – Step 3

Controlling Access to a SPARQL Endpoint Example

RDF based ACL scoped to a Named Graph -- Template

## Protected (Private) Resource Authorization denoted by <{ACL-IRI}> ;
## created by the Identity Principal denoted by <{Rule-Creator-WEBID}> ;
## granting Read/Write privileges to the Named Graph denoted by <{Target-Named-GRAPH-IRI}> ;
## to identity principals denoted by the following <{GROUP-or-AGENT-IRI-1}>,
## <{GROUP-or-AGENT-IRI-N}>

PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>

<{ACL-IRI}> a acl:Authorization ;
    foaf:maker <{Rule-Creator-WEBID}> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <{Target-Named-GRAPH-IRI}> ;
    acl:agent <{GROUP-or-AGENT-IRI-1}>,
              <{GROUP-or-AGENT-IRI-N}> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:DefaultRealm .

Controlling Access to a SPARQL-accessible Named Graph

RDF based ACL scoped to a Named Graph -- Example

## Grant access to the Named Graph denoted by the IRI <urn:private:rdf:data:source>
## to identity principals denoted by the following IRIs
## <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,o=OpenLink%20Software,c=US>,
## <http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this>

PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>

<#AccessPolicy1> a acl:Authorization ;
    foaf:maker <http://kingsley.idehen.net/dataspace/person/kidehen#this> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <urn:private:rdf:data:source> ;
    acl:agent <ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,o=OpenLink%20Software,c=US>,
              <http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:DefaultRealm .

Controlling Access to an HTTP (Web) Service

RDF based ACL scoped to a YouID Instance

PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>

<#YouIDUsagePolicy1> a acl:Authorization ;
    rdfs:comment """Machine-to-Machine ACL that controls access to an instance of the YouID Identity Card Generator.""" ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <http://{HOST-CNAME}/youid> ;
    acl:agent <{Agent-WebID}> ;
    oplacl:hasScope <urn:virtuoso:val:scopes:youid> ;
    oplacl:hasRealm oplacl:DefaultRealm .
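How a protected resource server might evaluate acl:Authorization resources of the shape shown on the template, Named Graph and YouID slides above, as an added Python example that is not Virtuoso's ACL evaluator or any other OpenLink code. The <#AccessPolicy1> triples mirror the Named Graph example slide; the staff group and its members are constructed, and expanding a GROUP IRI into agents through foaf:member is an assumption of this example, as are the function names and the flat triple representation used in place of a Turtle parser.

```python
# Added example (not Virtuoso's ACL engine): evaluating the RDF ACL pattern from
# the preceding slides against an access request.  <#AccessPolicy1> mirrors the
# slides' Authorization; the group, its members, and the use of foaf:member to
# expand a group IRI into agents are constructed assumptions of this example.
ACL = "http://www.w3.org/ns/auth/acl#"
OPLACL = "http://www.openlinksw.com/ontology/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Identifiers taken from the slides
KINGSLEY_WEBID = "http://kingsley.idehen.net/dataspace/person/kidehen#this"
KINGSLEY_NETID = "ldap://mail.openlinksw.com/cn=Kingsley%20Idehen,ou=Accounts,o=OpenLink%20Software,c=US"
MYOPENLINK_WEBID = "http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this"
PRIVATE_GRAPH = "urn:private:rdf:data:source"

# Constructed group and agents (assumption: a GROUP IRI expands via foaf:member)
STAFF_GROUP = "urn:example:group:staff"
ALICE = "https://alice.example/profile#me"
MALLORY = "https://mallory.example/profile#me"

# <#AccessPolicy1> from the example slide plus a constructed group policy,
# expressed as (subject, predicate, object) triples
POLICY = [
    ("#AccessPolicy1", RDF_TYPE, ACL + "Authorization"),
    ("#AccessPolicy1", FOAF + "maker", KINGSLEY_WEBID),
    ("#AccessPolicy1", OPLACL + "hasAccessMode", OPLACL + "Write"),
    ("#AccessPolicy1", ACL + "accessTo", PRIVATE_GRAPH),
    ("#AccessPolicy1", ACL + "agent", KINGSLEY_NETID),
    ("#AccessPolicy1", ACL + "agent", MYOPENLINK_WEBID),
    ("#AccessPolicy1", OPLACL + "hasScope", OPLACL + "PrivateGraphs"),
    ("#AccessPolicy1", OPLACL + "hasRealm", OPLACL + "DefaultRealm"),
    ("#GroupPolicy1", RDF_TYPE, ACL + "Authorization"),
    ("#GroupPolicy1", FOAF + "maker", KINGSLEY_WEBID),
    ("#GroupPolicy1", OPLACL + "hasAccessMode", OPLACL + "Write"),
    ("#GroupPolicy1", ACL + "accessTo", PRIVATE_GRAPH),
    ("#GroupPolicy1", ACL + "agent", STAFF_GROUP),
    ("#GroupPolicy1", OPLACL + "hasScope", OPLACL + "PrivateGraphs"),
    ("#GroupPolicy1", OPLACL + "hasRealm", OPLACL + "DefaultRealm"),
    (STAFF_GROUP, FOAF + "member", ALICE),
]


def objects(triples, subject, predicate):
    """All objects o such that (subject, predicate, o) is asserted."""
    return {o for s, p, o in triples if s == subject and p == predicate}


def authorizations(triples):
    """IRIs of every resource typed acl:Authorization, in a stable order."""
    return sorted({s for s, p, o in triples if p == RDF_TYPE and o == ACL + "Authorization"})


def agents_of(triples, authorization):
    """Direct acl:agent values, plus the members of any group named as an agent."""
    agents = set()
    for agent in objects(triples, authorization, ACL + "agent"):
        agents.add(agent)
        agents |= objects(triples, agent, FOAF + "member")
    return agents


def matching_authorization(triples, agent, resource, mode, scope, realm):
    """Return the IRI of the first Authorization that covers the request, or None.

    `agent` must be the identifier verified by WebID-TLS / NetID-TLS, never a
    value the client merely asserts.  Every request attribute has to be matched
    by the same Authorization; anything unmatched falls through to default deny."""
    for auth in authorizations(triples):
        if resource not in objects(triples, auth, ACL + "accessTo"):
            continue
        if mode not in objects(triples, auth, OPLACL + "hasAccessMode"):
            continue
        if scope not in objects(triples, auth, OPLACL + "hasScope"):
            continue
        if realm not in objects(triples, auth, OPLACL + "hasRealm"):
            continue
        if agent in agents_of(triples, auth):
            return auth
    return None


def is_permitted(triples, agent, resource, mode=OPLACL + "Write",
                 scope=OPLACL + "PrivateGraphs", realm=OPLACL + "DefaultRealm"):
    """Boolean form of the decision; defaults match the Named Graph example."""
    return matching_authorization(triples, agent, resource, mode, scope, realm) is not None


if __name__ == "__main__":
    for who in (KINGSLEY_NETID, MYOPENLINK_WEBID, ALICE, MALLORY):
        print(who, "->", matching_authorization(POLICY, who, PRIVATE_GRAPH,
                                                OPLACL + "Write", OPLACL + "PrivateGraphs",
                                                OPLACL + "DefaultRealm"))
```

Two points the evaluator makes explicit: the foaf:maker of a policy is not thereby one of its acl:agent values (the policy author gets no access unless listed), and a request that differs from every Authorization in any one attribute, whether resource, mode, scope or realm, is denied rather than partially granted.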

Live Additional Information Links
A glossary of terms, in Linked Data form: WebID, WebID-TLS, NetID, NetID-TLS, Linked Data, Linked Open Data, Semantic Web, Resource Description Framework (RDF).

Additional Information: Web Sites
OpenLink Software
YouID – Digital Identity Card (Certificate) Generator
OpenLink Data Spaces – Semantically enhanced Personal & Enterprise Data Spaces & Collaboration Platform
OpenLink Virtuoso – Hybrid Data Management, Integration, Application, and Identity Server
Universal Data Access Drivers – High-Performance ODBC, JDBC, ADO.NET, and OLE-DB Drivers
LDAP and NetID-TLS – How to use LDAP scheme URIs with NetID-TLS Authentication

Social Media Data Spaces
http://kidehen.blogspot.com (weblog)
http://www.openlinksw.com/blog/~kidehen/ (weblog)
https://plus.google.com/112399767740508618350/posts (Google+)
https://twitter.com/#!/kidehen (Twitter)
Hashtag: #LinkedData (anywhere).