Bindings and Profiles for Attribute-based Authz in the Grid. Tom Scavo, NCSA.

Presentation transcript:

Slide 1: Bindings and Profiles for Attribute-based Authz in the Grid. Tom Scavo, NCSA.

Slide 2: Overview
– Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x
– Metadata Extension for SAML V2.0 and V1.x Query Requesters
– SAML V1.1 Profiles for X.509 Subjects
– SAML V2.0 Profiles for X.509 Subjects
– X.509 Binding for SAML
– X.509 Attribute-based Authorization Profile for SAML
– BONUS! Level of Assurance Attribute!

Slide 3: Metadata Profile for SAML V1.x
– SAML V2.0 includes a Metadata Profile
– The Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x profiles the use of SAML V2.0 metadata with SAML V1.x entities
– Document is in final stages of pipeline
– Shibboleth V1.3 (or later) supports SAML V1.x metadata

Slide 4: Metadata for Query Requesters
– GridShib use cases (e.g.) are rife with the notion of standalone attribute requesters
– The Metadata Extension for SAML V2.0 and V1.x Query Requesters profiles the use of SAML metadata with standalone query requesters
– Document is in final stages of pipeline
– Shibboleth V1.3 (or later) supports metadata for a SAML V1.x attribute requester
– It’s not clear if Shibboleth V2.0 will support a SAML V2.0 attribute requester

Slide 5: SAML Profiles for X.509 Subjects
Two profile sets have been submitted to the OASIS Security Services TC:
– SAML V1.1 Profiles for X.509 Subjects: open.org/committees/document.php?document_id=19996&wg_abbrev=security
– SAML V2.0 Profiles for X.509 Subjects: open.org/committees/document.php?document_id=20000&wg_abbrev=security
Comments are welcome! open.org/committees/tc_home.php?wg_abbrev=security

Slide 6: SAML V1.1 Profiles
The SAML V1.1 profile set consists of four layered profiles for X.509 subjects:
1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509 Subjects
4. SAML Attribute Self-Query Profile for X.509 Subjects
Document is brand new and not vetted

Slide 7: X.509 SAML Subject Profile
– The X.509 SAML Subject Profile specifies an element whose value is the subject DN: C=US, O=NCSA-TEST, OU=User,
– The DN SHOULD be in RFC 2253 format
– The NameQualifier attribute SHOULD be omitted

Slide 8: X.509 SAML Subject Profile
From the profile:
– “This profile specifies a SAML V1.1 element that represents a principal who has been issued an X.509 certificate.”
– “An entity that produces a element according to this profile MUST have previously determined that the principal does in fact possess the corresponding private key.”

Slide 9: SAML Assertion Profile
– The SAML Assertion Profile for X.509 Subjects is a very general profile for SAML V1.1 assertions based on the X.509 SAML Subject Profile
– The number of SAML statements per assertion is arbitrary, but each pair of elements MUST very strongly match (for all practical purposes, they must be identical)
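The subject rules from slides 7 to 9 (RFC 2253 DN, no NameQualifier, identical subjects across every statement) as a checker over a SAML V1.1 assertion. This is an added example, not code from the slides or the GridShib project; the assertion and DNs are constructed, and the X509SubjectName Format URI is the standard SAML 1.1 one, not something the slides state.

```python
# Added example: apply the X.509 SAML Subject Profile / Assertion Profile rules
# quoted above to a SAML V1.1 assertion. Sample assertion and DNs are constructed.
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
RDN_RE = re.compile(r"^[A-Za-z][\w.]*=[^,]+(,\s*[A-Za-z][\w.]*=[^,]+)*$")  # loose RFC 2253

def check_name_identifier(nameid):
    """Return the profile violations for one <NameIdentifier> element."""
    problems = []
    if nameid.get("Format") != X509_FORMAT:
        problems.append("Format is not X509SubjectName")
    if nameid.get("NameQualifier") is not None:
        problems.append("NameQualifier SHOULD be omitted")
    if not RDN_RE.match(nameid.text or ""):
        problems.append("DN is not in RFC 2253 form")
    return problems

def subject_key(subject):
    """Canonical view of a <Subject>: DN, Format, qualifier and confirmation methods."""
    nameid = subject.find("saml:NameIdentifier", NS)
    methods = tuple(m.text for m in subject.iterfind(
        "saml:SubjectConfirmation/saml:ConfirmationMethod", NS))
    return (nameid.text, nameid.get("Format"), nameid.get("NameQualifier"), methods)

def check_assertion(xml_text):
    """Check every statement's <Subject>; the profile wants them all identical."""
    root = ET.fromstring(xml_text)
    subjects = root.findall(".//saml:Subject", NS)
    problems = []
    for s in subjects:
        problems += check_name_identifier(s.find("saml:NameIdentifier", NS))
    if len({subject_key(s) for s in subjects}) > 1:
        problems.append("Subject elements in one assertion do not match")
    return problems

def sample_assertion(dn_authn, dn_attr, qualifier=""):
    """Constructed two-statement assertion; `qualifier` injects a NameQualifier attribute."""
    def subject(dn):
        return (f'<saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}"{qualifier}>'
                f'{dn}</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>'
                f'{HOK}</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>')
    return (f'<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1">'
            f'<saml:AuthenticationStatement>{subject(dn_authn)}</saml:AuthenticationStatement>'
            f'<saml:AttributeStatement>{subject(dn_attr)}</saml:AttributeStatement>'
            f'</saml:Assertion>')
```

A mismatch between the authentication and attribute statements' subjects is reported once per assertion; per-NameIdentifier violations are reported once per statement.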

Slide 10: SAML Assertion Profile
Excerpt from the profile:
– “The SAML Assertion Profile for X.509 Subjects describes how a SAML V1.1 assertion regarding a principal who has been issued an X.509 certificate is produced.”
Holder-of-key subject confirmation is optional but tied to the X.509 certificate

Slide 11: SAML Attribute Query Profile
– The SAML Attribute Query Profile for X.509 Subjects specifies how a service provider and an identity provider exchange attributes about a principal who has been issued an X.509 certificate
– This profile relies on the X.509 SAML Subject Profile and the SAML Assertion Profile for X.509 Subjects

Slide 12: SAML Attribute Query Profile

Slide 13: SAML Attribute Query
– SAML V1.1 doesn’t provide much guidance regarding attribute query
– A standard Shibboleth attribute query is profiled

Slide 14: Attribute Query Response

Slide 15: SAML Attribute Self-Query Profile
– The SAML Attribute Self-Query Profile for X.509 Subjects specifies how a principal who has been issued an X.509 certificate self-queries an identity provider for attributes
– This profile extends the SAML Attribute Query Profile for X.509 Subjects
– A driving use case for self-query is caBIG Dorian

Slide 16: SAML Attribute Self-Query Profile

Slide 17: Attribute Self-Query Response

Slide 18: Subject of Self-Query
The subject of a self-query uses holder-of-key confirmation:
– Subject DN: C=US, O=NCSA-TEST, OU=User,
– Confirmation method: urn:oasis:names:tc:SAML:1.0:cm:holder-of-key

Slide 19: SAML V2.0 Profiles
Likewise the SAML V2.0 profile set consists of four sub-profiles:
1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509 Subjects
4. SAML Attribute Self-Query Profile for X.509 Subjects
Significant difference is encryption

Slide 20: Revision History
SAML V2.0 profiles have a long history:
– Draft-01, 22 Jun 2004
– Draft-02, 03 Feb 2005
– Draft-07, 23 May 2005
– CD-01, 01 Jun 2005
– Draft-08, 14 Mar 2006
– CD-02, 28 Mar 2006
– Draft-09, 26 Jun 2006
– Draft-10, 05 Jul 2006
– Draft-11, 24 Aug 2006

Slide 21: X.509 Binding for SAML
– An ASN.1 SEQUENCE of elements at a well-known, non-critical X.509 v3 certificate extension
– This profile is a work in progress (but it won’t be an OASIS profile)
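The binding's container, as an added example that is not the GridShib project's code: DER-encode a SEQUENCE of SAML assertions inside an X.509 v3 Extension structure, decode it back, and reject an extension flagged critical, since the slide calls for a non-critical one. Carrying each assertion as a UTF8String and the OID used are assumptions; the slides name neither the actual element encoding nor the "well-known" OID.

```python
# Added example, not the GridShib project's code: DER-encode the X.509 Binding's
# payload (an ASN.1 SEQUENCE of SAML assertions, here carried as UTF8Strings, an
# assumption) inside an X.509 v3 Extension, then decode it back and reject an
# extension flagged critical, since the binding calls for a non-critical one.
PLACEHOLDER_OID = bytes.fromhex("06032a0304")  # DER of OID 1.2.3.4: a placeholder,
                                                # the slides do not name the real OID

def der_len(n):
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_extension(assertions, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    seq = tlv(0x30, b"".join(tlv(0x0C, a.encode()) for a in assertions))
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits a DEFAULT FALSE value
    return tlv(0x30, PLACEHOLDER_OID + crit + tlv(0x04, seq))

def read_tlv(buf, pos):
    """Return (tag, contents, position after this TLV)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_extension(der):
    """Return the bound assertions; raise ValueError if the extension is critical."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension is not a SEQUENCE")
    _, _, pos = read_tlv(body, 0)                 # extnID (not checked here)
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                               # optional critical BOOLEAN
        if val == b"\xff":
            raise ValueError("X.509 Binding requires a non-critical extension")
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    _, seq, _ = read_tlv(val, 0)                  # SEQUENCE OF assertions
    out, p = [], 0
    while p < len(seq):
        _, item, p = read_tlv(seq, p)
        out.append(item.decode())
    return out
```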

Slide 22: X.509 Attribute-based Authz
– Goal: Use SAML Assertion Profile and X.509 Binding to profile attribute push
– Distinguish between two types of bound attribute assertions:
  – Self-issued assertions
  – Third-party assertions (e.g., Shib-issued)
https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/X509BindingSAML

Slide 23: Bound Assertion Example

Slide 24: MACE-Dir LoA Attribute
– MACE-Dir is profiling use of the authnLoa attribute in conjunction with usPerson
– Proposed SAML binding: (XML example on the slide)
– Legal attribute values are per federation

Slide 25: E-Auth LoA Values
For the E-Authentication Program, the recommended initial set of values is:
– person/authnloa#nist-sp
– person/authnloa#nist-sp
– person/authnloa#nist-sp
– person/authnloa#nist-sp
– person/authnloa#test
InCommon values have not been proposed