HMA Identity Management Status

Presentation transcript:

HMA Identity Management Status
HMA-T Final Presentation, Frascati, 14 December 2009
Y. Coene, SPACEBEL; P. Denis, SPACEBEL
Slide 1

Overview (Slide 2)
- Updated specification OGC 07-118 version 0.0.5
- Planned specification OGC 07-118 version 0.0.6
- Single Sign-On scenario (UM-SSO)
- Authentication Service open source
- Next steps

Specification OGC 07-118 version 0.0.4, 30/06/2009
- Adding ATS prepared in HMA-T (Intecs, Terradue)
- Adding authorisation with XACML (HMA-T, Intecs)
- More consistent terminology (independent from DAIL, HMA, etc.)
- Fixing errors
- Resolving issue with non-standard <Assertion> tag
- User attributes (minimal profile) moved to an annex as an example

Specification: issues solved in version 0.0.5
- EUMETSAT and con terra comments: MRE-001 (partly), MRE-002 (partly), MRE-005, MRE-008 (partly), MRE-009, MRE-010, MRE-014, MRE-016, MRE-017
- HMA-T actions A88, A89 (partly), A91, A93
- Cover and first page aligned with the latest version received from OGC (IPR issues)


Scenarios
To contain:
- Revised HMA Identity Management scenarios
- Additional scenario from UM-SSO

Specification: future work, version 0.0.6
- Signature of the service requests by clients; the PEP verifies that the client is trusted (MRE-01, MRE-04)
- Support for multiple federating entities (MRE-02)
- Integration with Shibboleth / UM-SSO; standardisation of the authentication interface through WS-Trust (STS, RST, ...) (MRE-06)
- List of DAIL SAML token attributes to be updated (MRE-08)
- Add WS-Policy example from INTECS (A89)

New authentication interface(s)
- Replace "Authenticate" with the STS "RequestSecurityToken" operation and the Username Token Profile, as per WS-Trust.
- Security Token Service (STS): accepts a "token" for one domain and returns a token for a second domain.
- Operation RequestSecurityToken, compliant with OASIS WS-Trust.
- Interoperability profile "Username Token Profile" from SWITCH (TBC).

STS advantages
- Standardised "authentication service" interface (OASIS STS).
- Commercial and open-source implementations of STS available.
- Profiled by SWITCH and by OIO, Danish eGovernment, 2009 (to be analysed).
- The STS interface can be used for:
  - ESA UM-SSO users: UM-SSO ID -> SAML token
  - Other users: user name + password -> SAML token
- Evolution path towards SAML 2.0.
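The "user name + password -> SAML token" exchange above, seen from the client, as an added example that is not code from the deck or from the HMA software: it builds the WS-Trust RequestSecurityToken (RST) carrying a UsernameToken and parses it back the way an STS would before issuing. The STS endpoint, user name and password are constructed placeholders.

```python
"""Build the WS-Trust RST a client sends to the STS in the user name + password
case of the slide, and parse the fields an STS checks. Added example."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
NS = {"soap": SOAP, "wsse": WSSE, "wst": WST, "wsp": WSP, "wsa": WSA}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def build_rst(username, password, applies_to):
    """SOAP 1.1 envelope: UsernameToken in the Security header, RST in the body
    asking the STS to Issue a SAML 1.1 token scoped to the applies_to service."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"),
                        f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    # PasswordText carries the clear-text password, so the RST must only travel
    # over TLS (or be signed and encrypted, as the sequence diagram requires).
    ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT).text = password
    rst = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"),
                        f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML11
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"),
                        f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(env, encoding="unicode")


def parse_rst(xml):
    """Extract the fields an STS validates before issuing a token."""
    root = ET.fromstring(xml)

    def text(path):
        return root.findtext(path, namespaces=NS)

    base = "soap:Body/wst:RequestSecurityToken/"
    return {
        "username": text("soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username"),
        "request_type": text(base + "wst:RequestType"),
        "token_type": text(base + "wst:TokenType"),
        "applies_to": text(base + "wsp:AppliesTo/wsa:EndpointReference/wsa:Address"),
    }
```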


Concept Paper (Slide 11)
Purpose: describe the integration of DAIL Portal and DAIL in the ESA UM-Single Sign-On environment (UM-SSO), based on Shibboleth.
- ESA users authenticated by UM-SSO
- Users authenticated by DAIL IdP
- Users authenticated by G/S through DAIL
- Users authenticated by G/S directly (not supported by OGC 07-118 v0.0.5)

Security Domains (diagram)
- UM-SSO security domain: UM-SSO IdP, UM-SSO artifact
- DAIL security domain: DAIL, DAIL Portal, SAML token

Use Case 1 (diagram): EO-DAIL

Use Case 2 (diagram): Ground Segment 1

Use Case 2 (diagram): UM-SSO, EO-DAIL; UM-SSO-enabled clients, e.g. EOLI-SA, DAIL Portal

Baseline Solution - STS (diagram)
Components: DAIL, DAIL Portal, Security Gateway, STS, UM-SSO IdP, CP, PEP, Web Services, user registry.
Flows: UM-SSO artifact, UM-SSO ID or artifact, SAML token, SOAP request.
Credential presented to obtain the SAML token:
- In OGC 07-118 v0.0.5: user name, password
- In Concept Paper, baseline: UM-SSO-ID
- In Concept Paper, alternative: UM-SSO artifact

UM-SSO check & sign-on protocol: Baseline Solution (sequence diagram)
Participants: User, Browser, DAIL Portal, UM-SSO IdP, DAIL Client, WS DAIL Adapter, STS, User Registry, PEP, DAIL, CP.
Messages and actions shown (11 numbered steps):
- GET request
- UM-SSO check & sign-on protocol (UM-SSO IdP)
- GET request with assertions in HTTP header
- Retrieve UM-SSO-ID from HTTP header
- Prepare and sign RequestSecurityToken request
- RequestSecurityToken (to the STS)
- STS: get user attributes (User Registry), build up SAML token, sign & encrypt response
- SAML token
- Put SAML token in SOAP header
- SOAP request
- PEP: check signature, authorize request
- Process request
Legend: STS per OGC 07-118 / Concept Paper; UM-SSO / Shibboleth.
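The PEP side of the diagram's "check signature" and "authorize request" steps, as an added example that is not code from the deck or from the HMA Authentication Service: it extracts the SAML 1.1 assertion from the Security header, checks issuer and validity window, and collects the attributes for a role check. The sample request, issuer name and role are constructed; XML-DSig verification is delegated to a caller-supplied callback, since the standard library has no XML Security implementation.

```python
"""PEP-side checks on the SAML token in a SOAP request's Security header: the
"check signature" and "authorize request" steps of the slide. Added example."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}   # SAML 1.1 assertions

# Constructed sample request; issuer, user and role values are illustrative.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}"><saml:Assertion xmlns:saml="{NS['saml']}"
 Issuer="dail-sts.example" IssueInstant="2009-12-14T10:00:00Z">
 <saml:Conditions NotBefore="2009-12-14T10:00:00Z" NotOnOrAfter="2009-12-14T11:00:00Z"/>
 <saml:AttributeStatement><saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="role"><saml:AttributeValue>EO-DAIL-User</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""


def parse_ts(value):
    """SAML timestamps are UTC ('Z'); compare as aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_token(soap_xml, trusted_issuers, now, signature_ok):
    """Return (subject, attributes) or raise ValueError. XML-DSig verification is
    delegated to signature_ok(assertion) (Apache XML Security in the real service)."""
    root = ET.fromstring(soap_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in Security header")
    if not signature_ok(assertion):                        # step "check signature"
        raise ValueError("assertion signature invalid")
    if assertion.get("Issuer") not in trusted_issuers:      # only our STS may issue
        raise ValueError("untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion has no Conditions or is outside its validity window")
    stmt = assertion.find("saml:AttributeStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AttributeStatement")
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in stmt.findall("saml:Attribute", NS)}
    return subject, attrs


def authorize(attrs, required_role):
    """Step "authorize request": minimal role check on the token's attributes."""
    return required_role in attrs.get("role", [])
```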


Authentication Service: open source
Available on http://wiki.services.eoportal.org/tiki-index.php?page=HMA+Authentication+Service

Authentication Service: static architecture
- Java Naming package: authenticate the given user against the LDAP user registry and retrieve his attributes
- OpenSAML package: build the SAML token from the user attributes
- Apache XML Security package: sign and encrypt the SAML token
- Java Security package: retrieve private and public keys from the keystore, used in the signature and encryption steps

Authentication Service: sequence diagram, successful authentication (diagram not reproduced)

Authentication Service: configurable
- Which user attributes from LDAP are included in the SAML assertions, and under which name (configuration file)
- Independent of the "minimal profile"
Associated documents:
- Software Requirements Document
- Architectural Design Document
- Acceptance Test Plan
- Installation procedure (part of the software package)


Next Steps
Done:
- 23/09/2009: Authentication Service software (as per 0.0.4)
- 30/10/2009: OGC 07-118 version 0.0.5
- 11/12/2009: Authentication Service software 0.0.5
Planned:
- 24/12/2009: Outline OGC 07-118 version 0.0.6
- XX/01/2010: OGC 07-118 version 0.0.6