Slide 1 (6/3/2015): META ACCESS MANAGEMENT SYSTEM. Implementing Authorised Access. Dr. Erik Vullings, MAMS Programme Manager



Slide 2: Backing Australia's Ability
DEST founded ARIIC to guide:
- Australian Digital Thesis (ADT)
- Australian Partnership for Sustainable Repositories (APSR)
- Australian Research Repositories Online to the World (ARROW)
- Meta Access Management System (MAMS)
Financed by DEST till the end of 2006 ($4.2 million).
FRODO (Federated Repositories of Digital Objects).

Slide 3: MAMS scope
- Single Sign-On
- Digital Identity Mgmt
- Federated Identity Mgmt
- Access Control
- Provisioning
- Federated search
- Legacy plug-ins

Slide 4: How open is your IR really?
My institutional repository is open:
- Submissions use a separate client
- For internal members, but external people have to wait some time
- And staff can self-submit
- But only peers can rank & annotate
- Except for some special content (e.g. data/source files): my faculty only
- Except for reviewing prepublications, which are only for some colleagues

Slide 5: What Access Control do you need?
- None
- IP-based is sufficient
- With Authentication
- Access Control Lists: if you are on the list, you are in
- Role-Based Access Control: your role gives you certain rights
- Attribute-Based Access Control: your attributes give you certain rights

Slide 6: Which attributes does the IR need?
When I visit an IR, how do I present myself? Three example identity cards, in increasing detail:
- Reference #, Staff at Macquarie Uni
- Erik Vullings, ICT Staff at Macquarie
- Erik Vullings, ICT Staff at Macquarie, +61-(0), MQ

Slide 7: Different cards open different doors (Services & Service Level)
- Reference #, Staff at Macquarie Uni: enables access to some of the IR
- Erik Vullings, ICT Staff at Macquarie: enables access to all of the IR
- Erik Vullings, ICT Staff at Macquarie, +61-(0), MQ: allows me to submit content

Slide 8: How do I get your attributes?
- Solution: use local LDAP. Problem: what about external users?
- Solution: create a guest account. Problem: users have too many passwords.
- Solution: use the MAMS Testbed Federation based on Shibboleth. Problem: Huh???

Slide 9: Federation Components
- Federation: manages trust between parties. Auditing?
- Service Provider: provides services to internal and external users via the web; wants to focus on its core business and avoid the risks of managing users' confidential information.
- Identity Provider: its Attribute Authority manages and asserts (to trusted SPs) the user's attributes securely.
- User: has privacy concerns; wants transparent but secure SSO.

Slides 10 to 17: Typical SAML Access Scenario (Identity Provider, Institutional Repository)
1. User wants to access the IR.
2. The Shibboleth Apache filter intercepts the request.
3. User is redirected and selects an IdP: Where Are You From (WAYF).
4. User is redirected to the IdP and logs in.
5. The IdP applies its Attribute Release Policy when building the SAML assertion.
6. User is redirected to the IR with a SAML handle.
7. The IR uses the SAML handle to retrieve the user's attributes (the "My ID Card" step).
8. Shibboleth validates the assertion and maps the user to an IR role.

Slide 18: Shibboleth and SSO
- The previous example illustrates inter-institutional SSO
- However, it can also be used for intra-institutional SSO
- Not only for IR, but potentially any application (like e-learning systems or dataset repositories)

Slide 19: What about Access Control? One Language to Rule Them All: eXtensible Access Control Markup Language (XACML)
Diagram: IR 1 (Fedora) and IR 2 (DSpace), each reading from an Institutional XACML Policy Store and a Federation XACML Policy Store; Shibboleth access is enabled in front of both.

Slide 20: XACML in Action
Components: Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), Policy Information Point (PIP).
Flow for the request "JOE wants to EDIT his PREPRINT":
1. The PEP creates an XACML request and sends it to the PDP.
2. The PDP retrieves the applicable policies from the PAP.
3. The PDP retrieves any missing attribute information from the PIP.
4. The PDP responds with Permit, Deny or an obligation the PEP must fulfil.

Slide 21: XACML and Rights Expression
- XACML for fine-grained access control
- Digital Rights Expression Languages (DRELs) manage a wide range of digital rights
- MAMS view: leave the legal bit to the lawyers; just focus on access control

Slide 22: Testing XACML with Fedora

Slide 23: MAMS activities in Authorization
Existing work to date:
- Web-based XACML demo
- Authenticated Federated Search (XACML)
- Testing XACML with Fedora
New work for 2006:
- Defining key XACML policies for IR
- Further develop the MAMS Fedora+XACML IR
- Visual XACML editor (XML-free)

Slide 24: What about my Privacy?

Slide 25: Access Control with XACML
Example request: JOE wants to EDIT the POLICY PLAN (Subject: Joe; Action: edit; Resource: policy plan).
Policy structure:
- Policy Set (policy combining algorithm) contains one or more Policies
- Policy (rule combining algorithm) has a Target matching Subject, Action and Resource, plus Rules and Obligations
- Rule: Staff member, Permit
- Obligation: Show copyrights, if any ("I accept the copyrights")

Slide 26: Need for a common language for Subjects, Actions & Resources
- Subject attributes: eduPerson(Scoped)Affiliation, mail, eduPersonPrincipalName, group/community
- Actions: CRUD (Create, Read, Update, Delete)
- Resource attributes, e.g.: type, course, time, date, collections; readers, editors, managers (groups or persons)
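Slides 20, 25 and 26 together describe one evaluation: a PEP turns "JOE wants to EDIT his PREPRINT" into an XACML request, a PDP evaluates it against a policy whose rules target subject, action and resource attributes, pulls attributes it lacks from a PIP, combines the rule results with the policy's rule-combining algorithm, and hands back a decision plus obligations. The block below is an added example (not MAMS code, and not a conformant XACML engine) that does exactly that for a small XACML 2.0 policy written with the standard subject-id, resource-id, action-id and eduPersonScopedAffiliation attribute identifiers. The policy, the request, the directory and repository lookups behind the PIP, and the attribute id urn:example:resource:owner are all constructed; the engine only implements the string-equal Target matches, the string-one-and-only/string-equal Condition, the deny-overrides rule combining algorithm and FulfillOn obligations that this policy uses, and it treats Indeterminate as Deny so that a lookup failure fails closed.

```python
"""Minimal XACML 2.0 PDP, PIP and PEP for "JOE wants to EDIT his PREPRINT". Added
example, not MAMS code and not a conformant engine: it covers only the Target,
Condition and Obligation subset the embedded policy uses, and treats Indeterminate
as Deny (fail closed). Policy, request, directory and repository metadata are
constructed; urn:example:resource:owner is an assumed attribute id."""
import xml.etree.ElementTree as ET
P = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJ_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
AFFIL = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
OWNER = "urn:example:resource:owner"

POLICY = f"""<Policy xmlns="{P}" PolicyId="ir-preprints"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="staff-edit-own-preprint" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{FN}string-equal"><AttributeValue DataType="{STR}">staff@example.edu</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{AFFIL}" DataType="{STR}"/></SubjectMatch></Subject></Subjects>
      <Actions><Action><ActionMatch MatchId="{FN}string-equal"><AttributeValue DataType="{STR}">update</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{STR}"/></ActionMatch></Action></Actions>
    </Target>
    <Condition><Apply FunctionId="{FN}string-equal">
      <Apply FunctionId="{FN}string-one-and-only"><SubjectAttributeDesignator AttributeId="{SUBJ_ID}" DataType="{STR}"/></Apply>
      <Apply FunctionId="{FN}string-one-and-only"><ResourceAttributeDesignator AttributeId="{OWNER}" DataType="{STR}"/></Apply>
    </Apply></Condition>
  </Rule>
  <Rule RuleId="anyone-read" Effect="Permit">
    <Target><Actions><Action><ActionMatch MatchId="{FN}string-equal"><AttributeValue DataType="{STR}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{STR}"/></ActionMatch></Action></Actions></Target>
  </Rule>
  <Obligations><Obligation ObligationId="urn:example:show-copyright" FulfillOn="Permit"/></Obligations>
</Policy>"""

# PIP sources (constructed): the IdP directory and the repository's object metadata
DIRECTORY = {"joe@example.edu": ["staff@example.edu"], "ann@example.edu": ["member@example.edu"]}
IR_METADATA = {"preprint:42": {OWNER: ["joe@example.edu"]}, "preprint:43": {OWNER: ["erik@example.edu"]}}

def pip(category, attr_id, req):             # Policy Information Point
    if category == "Subject" and attr_id == AFFIL:
        return DIRECTORY.get(req["Subject"][SUBJ_ID][0], [])
    if category == "Resource":
        return IR_METADATA.get(req["Resource"][RES_ID][0], {}).get(attr_id, [])
    return []

class PDP:
    def __init__(self, policy_xml, pip):
        self.policy, self.pip = ET.fromstring(policy_xml), pip
    def bag(self, req, category, attr_id):      # request context first, then the PIP
        if attr_id not in req.setdefault(category, {}):
            req[category][attr_id] = self.pip(category, attr_id, req)
        return req[category][attr_id]
    def apply(self, node, req):                  # evaluate an expression to a bag
        tag = node.tag.split("}")[-1]
        if tag == "AttributeValue":
            return [node.text]
        if tag.endswith("AttributeDesignator"):
            return self.bag(req, tag[:-len("AttributeDesignator")], node.get("AttributeId"))
        fn, args = node.get("FunctionId"), [self.apply(c, req) for c in node]
        if fn == FN + "string-one-and-only" and len(args[0]) == 1:
            return args[0]
        if fn == FN + "string-equal":
            return [args[0][0] == args[1][0]]
        raise ValueError(f"Indeterminate: {fn} on {args}")
    def matches(self, target, req):              # all categories, any disjunct, all Matches
        def match(m):
            if m.get("MatchId") != FN + "string-equal":
                raise ValueError("Indeterminate: unsupported MatchId")
            return self.apply(m[0], req)[0] in self.apply(m[1], req)
        return target is None or all(any(all(match(m) for m in d) for d in cat) for cat in target)
    def rule(self, rule, req):
        try:
            if not self.matches(rule.find(f"{{{P}}}Target"), req):
                return "NotApplicable"
            cond = rule.find(f"{{{P}}}Condition")
            if cond is not None and not self.apply(cond[0], req)[0]:
                return "NotApplicable"
            return rule.get("Effect")
        except ValueError:
            return "Indeterminate"
    def decide(self, request):
        req = {c: {k: list(v) for k, v in a.items()} for c, a in request.items()}
        if not self.matches(self.policy.find(f"{{{P}}}Target"), req):
            return "NotApplicable", []
        results = [self.rule(r, req) for r in self.policy.findall(f"{{{P}}}Rule")]
        assert self.policy.get("RuleCombiningAlgId").endswith(":deny-overrides")
        blocked = bool({"Deny", "Indeterminate"} & set(results))   # fail closed
        decision = "Deny" if blocked else "Permit" if "Permit" in results else "NotApplicable"
        obligations = [o.get("ObligationId") for o in self.policy.iter(f"{{{P}}}Obligation")
                       if o.get("FulfillOn") == decision]
        return decision, obligations

def pep(pdp, subject, action, resource):     # Policy Enforcement Point
    req = {"Subject": {SUBJ_ID: [subject]}, "Action": {ACT_ID: [action]}, "Resource": {RES_ID: [resource]}}
    decision, obligations = pdp.decide(req)
    return (decision == "Permit"), (obligations if decision == "Permit" else [])
```

With `pdp = PDP(POLICY, pip)`, `pep(pdp, "joe@example.edu", "update", "preprint:42")` is permitted with the show-copyright obligation: the request carried only Joe's subject-id, so the PDP asked the PIP for his eduPersonScopedAffiliation and for the preprint's owner. Joe editing preprint:43 (owned by someone else) and Ann (a member, not staff) editing anything get NotApplicable, which the PEP refuses; reading is permitted to anyone. An update on an unknown resource makes string-one-and-only fail on an empty bag, the rule becomes Indeterminate, and deny-overrides turns that into Deny rather than letting a missing attribute open the door.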

Slide 27: XACML Editor w/o XML (architecture)
- Input: load policies, build policies, test cases, load tests
- XACML Editor GUI: CRUD policies, validate policies, log changes
- Output: publish policies to the IR GUI

Slide 28: XACML Editor w/o XML (GUI mockup)
Menu: File, Edit, Options, View, Help. Palettes: Subjects; Actions (Create, Read, Update, Delete); Resources (Thesis T, Course C, Paper P); Environment (Time, Calendar); Policies.
Example "Staff Policy": description "RBAC for staff"; target: Staff subject, any action/resource. Rules are added by combining subject (S), action (A) and resource (R) icons: Read on T, C, P; Create on T, P.

Slide 29: XACML Editor w/o XML (GUI mockup, rules view)
Same menu and palettes; the Rules panel lists the rules being built: Read on T, C, P; Create on T, P; and the CRUD actions over T, C, P.