T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

Introduction
- How to combine and use services in different security domains?
- How to take into account privacy aspects?
- How to enable single sign-on (SSO) for users?

Web services trust model (figure): the requestor, the security token service and the web service each hold claims, security tokens and a policy.

WS-Trust
- Methods for issuing, renewing, and validating security tokens
- Ways to establish, assess the presence of, and broker trust relationships
- Messages for
  - Requesting security tokens from a security token service (STS)
  - Renewal of tokens
  - Cancel binding
  - Validation
- Extensions for forwarding and delegation

WS-Federation
- How to establish trust between security token services (or identity providers)
- Goal: use security tokens to realize seamless service access in different domains
- Builds on WS-* specifications
- WS-Trust
  - Request a security token
- WS-Policy
  - Describe and acquire metadata
  - Grammar for requirements and capabilities
  - Practical concern: minimum crypto? Do participants support the same security mechanisms?

Federation sequence diagram (participants: Requestor, SRC STS, DST STS, Web service)
1. Requestor -> SRC STS: request token
2. SRC STS -> Requestor: issue token
3. Requestor -> DST STS: request token, with a reference to the SRC token
4. DST STS -> Requestor: issue token from the DST domain
5. Requestor -> Web service: send request (+ token)
6. Web service: validate token; token approved
7. Web service -> Requestor: return value
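The WS-Trust message types (issue, validate) and the sequence above, simulated end to end as an added example that is not from the original slides: two STSs with constructed signing keys, an HMAC standing in for the XML signature a real STS would apply, and the DST STS replacing the home identity with a pseudonym. Issuer names, key values and the claim layout are assumptions for illustration only.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing keys for the two security token services (placeholders, not real values).
SRC_KEY = b"src-sts-signing-key"
DST_KEY = b"dst-sts-signing-key"


def issue_token(issuer, key, subject, audience, ttl=300):
    """STS issues a security token: claims plus a signature (HMAC stands in for XML-DSig)."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "exp": time.time() + ttl, "id": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def validate_token(token, trusted_issuers, expected_audience):
    """Validation: trusted issuer, intact signature, correct audience, not expired."""
    claims = token["claims"]
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        return False  # unknown issuer: no trust relationship with this party
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(token["sig"], expected):
        return False  # claims were altered after issuance
    if claims.get("aud") != expected_audience:
        return False  # token was issued for some other party
    return time.time() < claims["exp"]


def federation_sequence(user):
    """Requestor -> SRC STS -> DST STS -> web service; returns the subject the service sees."""
    # Steps 1-2: the requestor gets a token from its home (SRC) STS, addressed to the DST STS.
    src_token = issue_token("src-sts", SRC_KEY, user, "dst-sts")
    # Steps 3-4: the DST STS trusts the SRC STS key (the federation trust relationship),
    # validates the incoming token and issues a token of its own domain. The subject is
    # replaced by a pseudonym, so the service never learns the requestor's home identity.
    if not validate_token(src_token, {"src-sts": SRC_KEY}, "dst-sts"):
        return None
    pseudonym = hashlib.sha256(b"pseudonym:" + user.encode()).hexdigest()[:16]
    dst_token = issue_token("dst-sts", DST_KEY, pseudonym, "web-service")
    # Steps 5-7: the web service trusts only its own domain's STS and validates that token.
    if not validate_token(dst_token, {"dst-sts": DST_KEY}, "web-service"):
        return None
    return dst_token["claims"]["sub"]
```

The audience check is what keeps a token meant for the DST STS from being replayed straight at the web service, and the issuer table is the explicit trust relationship WS-Federation is about.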

Delegation

Federated sign-out
- Sign-out notification sent to members of the federation
- Special messages to request and cancel sign-out messages (subject to policies)
- Idempotent and unreliable
- Special SOAP message
- Clean any cached state and security tokens in the federation
- Implication for active transactions not specified (resource specific)

Pseudonyms
- Support for pseudonyms (optional)
- A resource does not necessarily need to know the true identity of a requestor
- Authorization is still required, and relevant attributes are needed for personalization
- Authorized services can query these attributes
- Messages for getting/setting/deleting pseudonyms

OMA ID-FF
- Liberty Alliance Identity Federation Framework (ID-FF)
- Basic case: Web redirection
- Mandatory features for an identity provider
  - Single sign-on and federation
  - Single sign-out
  - Federation termination
  - Affiliations
  - Dynamic proxying of identity providers
- Circle of trust implemented using
  - SAML assertions, requests, redirection, and validation

ID-FF specs
- Liberty ID-FF
  - Identity Federation Framework
  - A forerunner to the SAML 2.0 specification; all of the functionality in ID-FF has been incorporated into SAML 2.0
- Liberty ID-WSF
  - Identity Web Services Framework
  - Builds on WS-Security and SAML 2.0
- Liberty ID-SIS
  - Identity Services Interface Specifications
  - High-level web service interfaces that support particular use cases like data/profile, geolocation, contact book, and presence services

Shibboleth
- The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated single-sign-on and attribute exchange framework
- Shibboleth also provides extended privacy functionality, allowing the browser user and their home site to control the attribute information being released to each Service Provider
- Using Shibboleth-enabled access simplifies management of identity and access permissions for both Identity and Service Providers
- An open-standard authentication system used by universities and the research community
- Released under the Apache Software License
- Shibboleth 2.0 is basically equivalent to ID-FF through SAML 2.0 support
- Integrates with Microsoft ADFS

Putting it together so far (figure): two stacks of specifications
- Liberty side: Liberty ID-FF and SAML 1.1 over HTTP; backed by multiple vendors (IBM, BEA, ...)
- WS-* side: WS-Federation, WS-Trust and WS-Security over SOAP; backed by Microsoft
- SAML 1.1 was integrated with the Liberty specifications and the result is SAML 2.0, which OASIS ratified in March; Shibboleth builds on SAML

Active Directory
- Active Directory Federation Services (ADFS)
- Windows Server 2003
- Web SSO (single sign-on)
- Identity federation
  - Distributed web SSO
- SSO for IIS 6 web farms
- Security tokens and assertions
  - Assertions on security principals
  - Security token service grants tokens
  - Possession of the private key is proof of identity

Trust federation
- Federation servers
  - Maintain trust (keys)
  - Security (required assertions)
  - Privacy (allowed assertions)
  - Auditing (identities, authorizations)
- Based on WS-Federation

Passport
- Intended to solve two problems
  - To be an identity provider for MSN
  - Identity provider for the Internet
- First goal
  - Over 250 million active Passport accounts and
  - 1 billion authentications per day
- Second goal
  - What is the role of the identity provider in transactions?
  - Passport no longer stores personal information other than username/password credentials
- Authentication service for sites
- Proprietary technology
- Roadmap: towards identity card

Identities
- CardSpace (Microsoft)
  - Multiple identities
  - Interface for identity-based authentication and authorization
  - Identity cards that people can choose
  - Integration with Web sites
  - Consistent user interface
  - Microsoft plans to implement this
    - ActiveX, WS-*

IdentityCard Source:

Summary
- We are going towards identity-based access
  - A number of identities per host
  - Pseudonyms, privacy issues
  - Delegation and federation are needed
  - SAML 2.0 is a key specification for representing assertions and provides a baseline for interoperability
    - ID-FF, Shibboleth, ADFS
- Challenges
  - Automatic configuration of policies
  - Logging and auditing