Obligations in the OGSA SAML Authorization Service Interface


Obligations in the OGSA SAML Authorization Service Interface Markus Lorch Virginia Tech & Fermilab OGSA AuthZ Meeting @ GGF12

Existing Functionality
Through an (Extended-)AuthorizationDecisionQuery, a decision point can return a (Simple-)AuthorizationDecisionStatement that tells the requestor whether a specific action (or set of actions) is permissible for the specified subject on the specified resource.

Obligations
Obligations allow the PDP to convey additional instructions to the PEP on how to allow (or deny) the requested access. More generally, obligations can be a set of actions to be executed following a trigger event; the obligation subject can be any of a number of entities, including the access-requesting subject and the PEP.

Example Use Case
To instruct the PEP with what local UID, primary GID, supplemental GIDs, home directory, and root path a request should be served with. Obligations can also convey, e.g., quota, role-based elevated file access, and firewall settings; i.e., the actions/instructions specified in the obligations configure and define the execution environment.

What is gained?
Obligations in this use case bridge a mismatch in granularity between policy and access request: the policy may specify access details such as UID and file access rights, whereas the request typically specifies "I want to run this executable". A simple yes/no answer cannot convey the necessary information.

Example Obligation in XACML
XACML defines an obligation statement as a set of child attribute assignments that define the obligation (quotation marks are the plain ASCII quotes XML requires):

    <Obligation ObligationId="OpenScienceGrid:authorization:obligations:UserID"
                FulfillOn="Permit">
      <AttributeAssignment AttributeId="OpenScienceGrid:authorization:attributes:UserID"
                           DataType="http://www.w3.org/2001/XMLSchema#string">
        griduser01
      </AttributeAssignment>
    </Obligation>

Advantages of (re-)using XACML
- Working towards the SAML/XACML integration: when the current XACML-over-SAML draft is adopted as a standard, we can move to this interface without changes in semantics.
- We can leverage existing implementations that produce/understand this obligation format.
- Several people in the grid community have either expressed plans or have started projects that utilize XACML.
- If other representations of obligations were used, we would have to translate between representations if, e.g., XACML policies are used for the PDP.

More general specification following PONDER semantics (suggested by D. Chadwick)
Ponder names each of the important elements that make up an obligation directly:
- one or more actions to be performed by the subject
- the subject that must perform the actions (usually the AEF/PEP, but could be the operation initiator)
- for each action, the target that the action must be performed on
- an optional exception action (with target) that must be performed if any of the obligated actions fails
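The slides above describe the PEP side only in prose: it receives a decision, reads the obligations bound to that decision (UID, GID, home directory, ...), and builds the execution environment from them. The following Python example, added here and not part of the original presentation or of any Fermilab or OSG code, shows one way a PEP can do that: it parses the obligations out of an XACML 2.0-style Response (the UserID obligation and attribute ids are the ones on the slide; the PrimaryGID and HomeDirectory ids are hypothetical names chosen for this example), applies only obligations whose FulfillOn matches the decision, validates the attribute values before they reach the execution environment, and fails closed to Deny when it meets an obligation it cannot discharge, as XACML requires of a PEP. The optional callback run on failure plays the role of the Ponder "exception action" from the previous slide. The sample Response documents are constructed for the example.

```python
"""Parse XACML obligations out of an authorization decision and enforce them at the PEP."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Obligation/attribute ids: the UserID pair is the one from the slide; the GID and
# HomeDirectory ids are hypothetical names chosen for this example.
OB_USERID = "OpenScienceGrid:authorization:obligations:UserID"
AT_USERID = "OpenScienceGrid:authorization:attributes:UserID"
OB_GID = "example:obligations:PrimaryGID"         # hypothetical
AT_GID = "example:attributes:PrimaryGID"          # hypothetical
OB_HOME = "example:obligations:HomeDirectory"     # hypothetical
AT_HOME = "example:attributes:HomeDirectory"      # hypothetical
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"


def build_response(decision, obligations_xml):
    """Build a constructed XACML 2.0-style Response document (sample input only)."""
    tmpl = ('<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">'
            '<Result><Decision>{d}</Decision>'
            '<Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">{o}</Obligations>'
            '</Result></Response>')
    return tmpl.format(d=decision, o=obligations_xml)


def build_obligation(ob_id, fulfill_on, *pairs):
    """Serialize one Obligation element with string-typed AttributeAssignments."""
    body = "".join(
        '<AttributeAssignment AttributeId="{a}" DataType="{t}">{v}</AttributeAssignment>'
        .format(a=at_id, t=XSD_STRING, v=value) for at_id, value in pairs)
    return '<Obligation ObligationId="{i}" FulfillOn="{f}">{b}</Obligation>'.format(
        i=ob_id, f=fulfill_on, b=body)


# Constructed sample decisions as the PEP would receive them from the PDP.
SAMPLE_PERMIT = build_response("Permit",
    build_obligation(OB_USERID, "Permit", (AT_USERID, " griduser01 "))
    + build_obligation(OB_GID, "Permit", (AT_GID, "5001"))
    + build_obligation(OB_HOME, "Permit", (AT_HOME, "/home/griduser01")))
# Carries an obligation this PEP has no handler for (a quota the PEP cannot set).
SAMPLE_UNKNOWN = build_response("Permit",
    build_obligation(OB_USERID, "Permit", (AT_USERID, "griduser01"))
    + build_obligation("example:obligations:Quota", "Permit", ("example:attributes:Quota", "10G")))
# Carries a home directory value that fails validation.
SAMPLE_BAD_HOME = build_response("Permit",
    build_obligation(OB_USERID, "Permit", (AT_USERID, "griduser01"))
    + build_obligation(OB_HOME, "Permit", (AT_HOME, "/home/../root")))


def _local(tag):
    """Strip the XML namespace so the parser is indifferent to the XACML version prefix."""
    return tag.rsplit("}", 1)[-1]


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str                 # "Permit" or "Deny"
    attributes: dict = field(default_factory=dict)


def parse_decision(xml_text):
    """Return (Decision text, [Obligation, ...]) from a Response document."""
    root = ET.fromstring(xml_text)
    decision, obligations = None, []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Decision":
            decision = (el.text or "").strip()
        elif name == "Obligation":
            attrs = {a.get("AttributeId"): (a.text or "").strip()
                     for a in el if _local(a.tag) == "AttributeAssignment"}
            obligations.append(Obligation(el.get("ObligationId"), el.get("FulfillOn"), attrs))
    return decision, obligations


# Obligation handlers: each validates its value before placing it in the environment.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def handle_userid(attrs, env):
    user = attrs[AT_USERID]
    if not USERNAME_RE.match(user):
        raise ValueError("unsafe UserID %r" % user)
    env["uid"] = user


def handle_gid(attrs, env):
    gid = int(attrs[AT_GID])        # ValueError on a non-numeric value
    if gid <= 0:
        raise ValueError("refusing privileged or invalid GID %d" % gid)
    env["gid"] = gid


def handle_home(attrs, env):
    home = attrs[AT_HOME]
    if not home.startswith("/") or ".." in home.split("/"):
        raise ValueError("unsafe home directory %r" % home)
    env["home"] = home


HANDLERS = {OB_USERID: handle_userid, OB_GID: handle_gid, OB_HOME: handle_home}


def enforce(decision, obligations, handlers, exception_action=None):
    """Apply obligations bound to `decision`; fail closed if any cannot be discharged.

    XACML requires a PEP to deny access unless it can fulfil every obligation
    attached to the decision, so an unknown obligation id, a missing attribute or a
    value that fails validation turns a Permit into a Deny.  `exception_action` is
    the optional Ponder-style action run when an obligated action fails.
    """
    env = {}
    for ob in obligations:
        if ob.fulfill_on != decision:
            continue                # bound to the other decision; not applicable
        try:
            handlers[ob.obligation_id](ob.attributes, env)   # KeyError: no handler
        except (KeyError, ValueError) as exc:
            if exception_action is not None:
                exception_action(ob, exc)
            return "Deny", {}
    return decision, env


def decide(xml_text, handlers=HANDLERS, audit=None):
    """Parse a Response and return (final decision, execution environment)."""
    log = audit if audit is not None else []
    decision, obligations = parse_decision(xml_text)
    return enforce(decision, obligations, handlers,
                   exception_action=lambda ob, exc: log.append((ob.obligation_id, str(exc))))


if __name__ == "__main__":
    for doc in (SAMPLE_PERMIT, SAMPLE_UNKNOWN, SAMPLE_BAD_HOME):
        print(decide(doc))
```

Two design choices matter here. First, the handler dictionary is the PEP's statement of which obligations it understands; anything outside it turns the decision into Deny rather than being silently skipped, which is the behaviour XACML prescribes. Second, every value coming from the PDP is validated before it shapes the execution environment, so a malformed or unexpected attribute in a policy cannot become an unexpected UID or a path outside the intended home tree.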

Status
I propose the use of XACML through an extension that adds an optional XACML obligation field to the AuthorizationDecisionStatement. This would be a small change that is in line with the XACML and SAML TC efforts at OASIS. At Fermilab a first prototype implementation of this approach has been produced.
D. Chadwick proposes a new, more elaborate ObligatedAuthorizationDecisionStatement format which would hold an ObligationStatement based on the PONDER semantics. This suggestion has been included in the latest draft of the document.