HMA Identity Management Status

Presentation transcript:

HMA Identity Management Status
HMA AWG Meeting, 30 September 2009
Y. Coene, SPACEBEL
S. Gianfranceschi, Intecs
P. Denis, SPACEBEL

Overview
Specification
Conformance tests
Implementations
Deployments

Specification
OGC 07-118 version 0.0.4, 30/06/2009
OGC 07-118 draft version 0.0.5 (28/09/09) being prepared:
  Adding ATS prepared in HMA-T (Intecs, Terradue)
  Adding authorisation with XACML
  Adding WSDL files with WS-Policy
  More consistent terminology (independent from DAIL, HMA etc.)
  Fixing errors
  Resolving issue with non-standard <Assertion> tag
  User attributes (minimal profile) as example in annex

Specification
Issues solved in current draft 0.0.5:
Remaining issues: MRE-001, MRE-008, MRE-014, MRE-016, MRE-017.
Remaining issues: see RIDs on HMA Forum by con terra and EUMETSAT with additional use cases not originally foreseen. Examples:
  MRE-002: Scenario with multiple "Federating Entities"
  MRE-009: Clients known beforehand and limited in number
Consolidating use of GeoXACML

Overview
Specification
Conformance tests
Implementations

Conformance Tests (1)
Common ATS for OGC 07-118 version 0.0.3 delivered in July (Terradue, Intecs).
Two different ETS delivered.
Harmonization started beginning of September:
  ATS for version 0.0.4 was produced by Intecs and reviewed by Terradue
  Merge of libraries from Intecs and Terradue
  ETS (merge of the work done by Intecs and Terradue)
Some issues related to non-standard tags have been discussed. A new version of the spec is going to be delivered. The ATS does not have to be changed.

Conformance Tests
CTL scripts being finalised for OGC 07-118 version 0.0.5 in HMA-T.
Expected to be available on http://montgomery.esrin.esa.int by 09/10/2009.

Overview
Specification
Conformance tests
Implementations
  Authentication Service
  Authorisation Service (Policy Enforcement Point)

Authentication Service
Open-source
Available on http://wiki.services.eoportal.org/tiki-index.php?page=HMA+Authentication+Service

Authentication Service
Static architecture:
  Java Naming package to authenticate the given user in the LDAP user registry and to retrieve his attributes,
  OpenSAML package to build the SAML token from user attributes,
  Apache XML Security package to sign and encrypt the SAML token,
  Java Security package to retrieve private and public keys from the keystore, used in the signature and encryption steps.

Authentication Service
Sequence diagram of a successful authentication (diagram not reproduced in the transcript).

Authentication Service
Configurable: which user attributes from LDAP are to be included in SAML assertions, and under which name (configuration file). Independent of the "minimal profile".
Associated documents:
  Software Requirements Document
  Architectural Design Document
  Acceptance Test Plan
  Installation procedure (part of software package)
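The attribute-release step of the two slides above (LDAP lookup, configurable LDAP-to-SAML attribute mapping, assertion built from the mapped attributes), as an added example that is not the HMA Authentication Service code. The attribute map, the LDAP entry, the issuer URL and the SAML 2.0 namespace are assumptions; the signing and encryption step is not shown.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

# Assumption: SAML 2.0 assertion namespace, so the standard <saml:Assertion> element is emitted.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
q = lambda tag: f"{{{SAML_NS}}}{tag}"  # Clark-notation helper for namespaced tags

# Constructed configuration: which LDAP attributes are released, and under which SAML name.
ATTRIBUTE_MAP = {
    "uid": "urn:hma:user:id",
    "o": "urn:hma:user:organisation",
    "employeeType": "urn:hma:user:role",
}

# Constructed stand-in for the LDAP user registry (the real service queries it through JNDI).
LDAP_ENTRY = {"uid": "jdoe", "o": "ACME", "employeeType": "commercial",
              "userPassword": "s3cret", "mail": "jdoe@example.org"}  # unmapped: never released


def map_attributes(entry, attribute_map):
    """Release only the configured attributes, renamed to their SAML attribute names."""
    return {saml: entry[ldap] for ldap, saml in attribute_map.items() if ldap in entry}


def build_assertion(subject, attributes, issuer, lifetime_s=300, now=None):
    """Build an (unsigned) SAML assertion carrying the mapped attributes with a short validity."""
    now = now or dt.datetime.now(dt.timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    a = ET.Element(q("Assertion"), {"Version": "2.0", "ID": "_" + uuid.uuid4().hex,
                                    "IssueInstant": stamp(now)})
    ET.SubElement(a, q("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q("Subject")), q("NameID")).text = subject
    ET.SubElement(a, q("Conditions"), {"NotBefore": stamp(now),
                                       "NotOnOrAfter": stamp(now + dt.timedelta(seconds=lifetime_s))})
    stmt = ET.SubElement(a, q("AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, q("Attribute"), {"Name": name})
        ET.SubElement(attr, q("AttributeValue")).text = value
    return a


def authenticate(uid, password):
    """Constructed bind check standing in for the LDAP authentication; returns the assertion
    XML or None. Signing and encryption (Apache XML Security in the real service) would follow."""
    if LDAP_ENTRY.get("uid") != uid or LDAP_ENTRY.get("userPassword") != password:
        return None
    assertion = build_assertion(uid, map_attributes(LDAP_ENTRY, ATTRIBUTE_MAP),
                                "https://idp.example.org/hma")
    return ET.tostring(assertion, encoding="unicode")
```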

Authorization service (PEP)
Open-source
It will be available on the SSE Toolbox.

Toolbox Architecture (diagram, not reproduced): SOAP layer, WS-Security layer (WS-Policy), Application Security Layer (XACML Policy) and Application layer; the Service Gateway exposes synchronous and asynchronous operations.

Toolbox Security Architecture
Axis2 as basic SOAP engine.
Axis2 module Rampart (Apache Software Foundation) for the WS-Security layer: its behaviour has been extended to cover the HMAT security requirements (HMAT-SRD-1200-INT_1.1).
ToolboxSecurityWrapper: Axis2 service with link to the Policy Enforcement Point (PEP, Application Security Layer) and Toolbox Application Layer.
(Diagram: Axis2 hosting RAMPART 4HMAT with WS-Policy, the ToolboxSecurityWrapper Axis2 service with its Service Description, the ToolboxPEP with XACML Policies, and the Toolbox Application Layer, exchanging SOAP.)

Toolbox Security Architecture: Main Activities Allocation
(Diagram between Client, Identity Provider, RAMPART 4HMAT (WS-Policy), ToolboxPEP (XACML Policies) and Toolbox application layer; activities shown: get SAML assertion from the Identity Provider; WS-Security signed-encrypted SOAP request; check encrypted SAML existence and decrypt it; verify SAML token; enforce enterprise policies on the decrypted SAML and SOAP request/action; serve request (Application layer); Fault SOAP response.)

Toolbox Security Wrapper: Service Description
Responsibilities:
  deploys ToolboxSecurityWrapper into Axis2,
  holds the list of the wrapped services to be secured,
  for each wrapped service, holds the WS-Security policy.
Its artifact is the services.xml file of the Axis2 ToolboxSecurity deployment, located at:
<TOMCAT_ROOT>/webapps/Axis2/Web-INF/services/ToolboxSecurityWrapper/META-INF/services.xml
(Diagram: ToolboxSecurityWrapper (Axis2 service) with its Service Description, Service Configuration and WS-Policy, next to RAMPART 4HMAT.)

Toolbox Security Architecture: ToolboxPEP
ToolboxPEP: invoked by the ToolboxSecurityWrapper when the WS-Security check is successful; enforces the XACML policies check.
XACML policies are stored in dedicated XML files.
Each policy owns information about the wrapped service and (optionally) the SOAP action for which the policy applies.
Each policy owns a list of policy rules; each rule can refer to SAML token and/or SOAP (body) attribute values.

XACML example for EO EbRim profile (1/3)
The target wrapped service for which this policy applies: wrs (Web Registry Service)

XACML example for EOLI (2/3)
If an owned condition evaluates to true then the effect of the rule is "deny".
The target of this rule: commercial client (SAML attribute reference).
Condition about the collection.

XACML example for EO EbRim profile (3/3)
SOAP action for registry update
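The ToolboxPEP evaluation described on the slides above (policy selected by wrapped service and optional SOAP action; rules targeting SAML attribute values with conditions on SOAP body values; a "deny" rule for commercial clients on a collection, and a policy on the registry update action), as an added example that is not the SSE Toolbox code. The policies are held in plain Python structures rather than XACML XML, and the role values, collection identifiers and SOAP action names are constructed.

```python
# Constructed policies modelled on the EO EbRIM example: a policy is selected by the wrapped
# service and (optionally) the SOAP action; each rule has an effect, a target on SAML attribute
# values and conditions on SOAP body values. All names and values are assumptions.
RESTRICTED_COLLECTIONS = {"COLLECTION_X", "COLLECTION_Y"}

POLICIES = [
    {"service": "wrs", "soap_action": None,            # any action of the Web Registry Service
     "rules": [
         {"effect": "Permit", "target": {}, "conditions": []},   # baseline: service is usable
         {"effect": "Deny", "target": {"role": "commercial"},    # commercial client ...
          "conditions": [("soap", "collection", "in", RESTRICTED_COLLECTIONS)]},  # ... restricted
     ]},
    {"service": "wrs", "soap_action": "Transaction",   # registry update action (assumed name)
     "rules": [{"effect": "Deny", "target": {"role": "commercial"}, "conditions": []}]},
]


def policy_matches(policy, request):
    return (policy["service"] == request["service"]
            and policy["soap_action"] in (None, request["action"]))


def condition_holds(cond, request):
    source, attr, op, value = cond          # source is "saml" (token) or "soap" (body)
    actual = request[source].get(attr)
    if op == "equals":
        return actual == value
    if op == "in":
        return actual in value
    raise ValueError(f"unsupported operator {op!r}")


def rule_applies(rule, request):
    saml = request["saml"]
    return (all(saml.get(k) == v for k, v in rule["target"].items())
            and all(condition_holds(c, request) for c in rule["conditions"]))


def decide(policies, request):
    """Deny-overrides combining over every rule of every policy whose target matches."""
    effects = {r["effect"] for p in policies if policy_matches(p, request)
               for r in p["rules"] if rule_applies(r, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(request):
    """PEP: only an explicit Permit lets the request through to the application layer."""
    return decide(POLICIES, request) == "Permit"
```

A request with no matching policy yields NotApplicable, which the PEP treats the same as Deny, so an unconfigured wrapped service fails closed.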

Next Steps
Planning:
  Authentication Service software (as per 0.0.4): available already.
  09/10/2009: OGC 07-118 version 0.0.5
  09/10/2009: Authentication Service software 0.0.5
  09/10/2009: CTL scripts version 0.0.5
  25/10/2009: SSE Toolbox including Authorisation Service Software (Policy Enforcement Point)