Security Token Service (STS) Status Update


Security Token Service (STS) Status Update
Henri Mikkonen, Helsinki Institute of Physics
EGI Technical Forum 2012, 20.9.2012, Prague, Czech Republic

Henri Mikkonen @ EGI Technical Forum 2012, 20/09/2012

Current Status

The following security token formats are currently functional:
- Incoming token formats: Username/Password, SAML assertion
- Outgoing token formats: X.509 certificate, VOMS proxy certificate
The WS-Trust Interoperability profile is followed, see http://www.switch.ch/grid/support/documents

Username/Password

  <soap11:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="UsernameToken-0001">
        <wsse:Username> ... </wsse:Username>
        <wsse:Password Type="..."> ... </wsse:Password>
        <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
        <wsu:Created> ... </wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap11:Header>

- Currently supports plaintext passwords
- Hashing, optionally making use of the Nonce and Created elements, can be supported
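Added example, not code from the STS or these slides: how the Nonce/Created-based hashing mentioned above works on both sides of the exchange, following the WS-Security UsernameToken Profile 1.0 PasswordDigest (Base64(SHA-1(nonce + created + password))), with the freshness window and nonce cache that stop a captured digest from being replayed. The 5-minute skew and the in-memory nonce set are assumed policy choices, and the header is a constructed sample.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS = "%Y-%m-%dT%H:%M:%SZ"

def utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, TS).replace(tzinfo=timezone.utc)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_header(username: str, password: str, now: datetime) -> str:
    """Client side: a wsse:Security header carrying a digest UsernameToken (constructed sample)."""
    nonce, created = secrets.token_bytes(16), now.strftime(TS)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-0001">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>"
    )

def verify_header(xml_text: str, passwords: dict, seen_nonces: set, now: datetime,
                  max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """STS side: accept only digest tokens that are fresh, not replayed and match the stored password."""
    tok = ET.fromstring(xml_text).find(f"{{{WSSE}}}UsernameToken")
    pw = tok.find(f"{{{WSSE}}}Password") if tok is not None else None
    if pw is None or pw.get("Type") != DIGEST:
        return False  # plaintext passwords are rejected by this verifier
    user = tok.findtext(f"{{{WSSE}}}Username")
    created = tok.findtext(f"{{{WSU}}}Created")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    if user not in passwords or not created or not nonce_b64:
        return False
    if abs(now - utc(created)) > max_skew or nonce_b64 in seen_nonces:
        return False  # stale Created timestamp or replayed Nonce
    expected = password_digest(base64.b64decode(nonce_b64), created, passwords[user])
    if not hmac.compare_digest(expected, (pw.text or "").strip()):
        return False
    seen_nonces.add(nonce_b64)  # remember the nonce for the length of the freshness window
    return True
```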

SAML Assertion

  <soap11:Header>
    <wsse:Security>
      <saml2:Assertion ID="_064090d66352b278a7cbfd95f345fec0" IssueInstant="2012-08-28T07:33:47.224Z" Version="2.0">
        …
      </saml2:Assertion>
    </wsse:Security>
  </soap11:Header>

- Contents of the SAML attribute statements are used for the certificate to be issued
- How can the clients obtain the assertion? The assertion must be targeted to the STS
  - ECP Profile
  - SAML delegation

X.509 issuance

- Currently supports the CMP protocol with CRMF
- Very suitable for our use cases: the STS does not need access to the private key corresponding to the upcoming certificate, and can construct the CSR itself

  <soap11:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#Base64Binary" wsu:Id="X509SecurityToken">
        … BASE64-encoded certificate …
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </soap11:Header>

VOMS proxy issuance

- The end-entity certificate obtained from the online CA is used for the proxy initialization
- Access to the private key corresponding to the user certificate is required for issuing the proxy certificate
- The VOMS Java API is used for the communication; minimal customization was needed
- A method for communicating the VOMS request parameters from the client was needed: the GridProxyRequest extension to the RST

GridProxyRequest - example

  <soap11:Body>
    <wst:RequestSecurityToken wsu:Id="…" Context="…">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wst:RequestType>
      <wst:TokenType>urn:glite.org:sts:GridProxy</wst:TokenType>
      …
      <gridProxy:GridProxyRequest xmlns:gridProxy="urn:glite.org:sts:proxy" lifetime="86400">
        <gridProxy:VomsAttributeCertificates>
          <gridProxy:FQAN>testers.eu-emi.eu:/testers.eu-emi.eu</gridProxy:FQAN>
        </gridProxy:VomsAttributeCertificates>
      </gridProxy:GridProxyRequest>
    </wst:RequestSecurityToken>
  </soap11:Body>

This RST requests a VOMS proxy with:
- Lifetime of 86400 seconds (24 hours)
- VO attributes from the EMI testbed

GridProxyRequest - schema

  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:glite.org:sts:proxy" xmlns="urn:glite.org:sts:proxy"
             elementFormDefault="qualified" attributeFormDefault="unqualified">
    <xs:complexType name="GridProxyRequestType">
      <xs:sequence>
        <xs:element name="VomsAttributeCertificates" type="VomsAttributeCertificatesType" minOccurs="0" maxOccurs="1"/>
        <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="lifetime" type="xs:int" use="required"/>
      <xs:attribute name="proxyType" type="xs:int" use="optional"/>
      <xs:attribute name="delegationType" type="xs:int" use="optional"/>
      <xs:attribute name="policyType" type="xs:int" use="optional"/>
    </xs:complexType>
    <xs:complexType name="VomsAttributeCertificatesType">
      <!-- the FQAN list must sit in a model group and the type must be closed for the schema to be valid -->
      <xs:sequence>
        <xs:element name="FQAN" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ordering" type="xs:string" use="optional"/>
      <xs:attribute name="targets" type="xs:string" use="optional"/>
      <xs:attribute name="verificationType" type="xs:int" use="optional"/>
      <xs:anyAttribute namespace="##other" processContents="lax"/>
    </xs:complexType>
    <xs:element name="GridProxyRequest" type="GridProxyRequestType"/>
  </xs:schema>

Contents of the AttributeStatements can be used for the certificate
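Added example covering the request on the previous slide and the schema above, not code from the STS itself: a server-side parser that checks an RST/Issue body for the GridProxy token type, enforces the schema's constraints (required integer lifetime, optional integer attributes, at least one FQAN when VomsAttributeCertificates is present) and caps the requested lifetime. The 7-day cap is an assumed STS policy, and the sample body is constructed from the slide's example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
GP = "urn:glite.org:sts:proxy"                  # GridProxyRequest namespace from the slides
ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
GRID_PROXY = "urn:glite.org:sts:GridProxy"
OPTIONAL_INTS = ("proxyType", "delegationType", "policyType")

# Constructed sample body, mirroring the slide's example request.
SAMPLE_BODY = f"""<soap11:Body xmlns:soap11="{SOAP}" xmlns:wst="{WST}">
  <wst:RequestSecurityToken Context="ctx-1">
    <wst:RequestType>{ISSUE}</wst:RequestType>
    <wst:TokenType>{GRID_PROXY}</wst:TokenType>
    <gridProxy:GridProxyRequest xmlns:gridProxy="{GP}" lifetime="86400">
      <gridProxy:VomsAttributeCertificates>
        <gridProxy:FQAN>testers.eu-emi.eu:/testers.eu-emi.eu</gridProxy:FQAN>
      </gridProxy:VomsAttributeCertificates>
    </gridProxy:GridProxyRequest>
  </wst:RequestSecurityToken>
</soap11:Body>"""

def parse_grid_proxy_request(body_xml: str, max_lifetime: int = 7 * 86400) -> dict:
    # Returns the validated request parameters; raises ValueError on anything the STS should refuse.
    rst = ET.fromstring(body_xml).find(f"{{{WST}}}RequestSecurityToken")
    if rst is None:
        raise ValueError("no wst:RequestSecurityToken in Body")
    if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("only RST/Issue is supported")
    if rst.findtext(f"{{{WST}}}TokenType") != GRID_PROXY:
        raise ValueError("TokenType is not urn:glite.org:sts:GridProxy")
    req = rst.find(f"{{{GP}}}GridProxyRequest")
    if req is None:
        raise ValueError("GridProxyRequest extension missing")
    if "lifetime" not in req.attrib:            # schema: use="required"
        raise ValueError("lifetime attribute is required")
    lifetime = int(req.get("lifetime"))          # non-integer values raise ValueError too
    if not 0 < lifetime <= max_lifetime:         # assumed local policy cap
        raise ValueError(f"lifetime {lifetime}s outside policy (max {max_lifetime}s)")
    result = {"lifetime": lifetime, "fqans": []}
    result.update({n: int(req.get(n)) for n in OPTIONAL_INTS if n in req.attrib})
    vac = req.find(f"{{{GP}}}VomsAttributeCertificates")
    if vac is not None:                          # element is minOccurs="0"
        fqans = [e.text.strip() for e in vac.findall(f"{{{GP}}}FQAN") if e.text]
        if not fqans:                            # FQAN is minOccurs="1"
            raise ValueError("VomsAttributeCertificates needs at least one FQAN")
        result["fqans"] = fqans
    return result
```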

Additional features

- Other token formats?
  - Kerberos ticket?
  - X.509 as an incoming token format?
  - SAML assertion as an outgoing token format?
- Other CA protocols?
  - MyProxy CA?

Thank you! Questions? Henri Mikkonen <henri.mikkonen@hip.fi>