Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010.

Slides:

Advertisements

Similar presentations

PASSPrivacy, Security and Access Services Don Jorgenson Introduction to Security and Privacy Educational Session HL7 WG Meeting- Sept

Advertisements

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)

Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

Implementing and Administering AD FS

Module 5: Configuring Access for Remote Clients and Networks.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

Security and Policy Enforcement Mark Gibson Dave Northey

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.

IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Use Case Development Scott Shorter, Electrosoft Services January/February 2013.

ORACLE DATABASE SECURITY

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Configuring Routing and Remote Access(RRAS) and Wireless Networking

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

70-411: Administering Windows Server 2012

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

1 Week 6 – NPS and RADIUS Install and Configure a Network Policy Server Configure RADIUS Clients and Servers NPS Authentication Methods Monitor and Troubleshoot.

20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,

OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”

Oracle Application Express Security. © 2009 Oracle Corporation Authentication Out-of-the-Box Pre-Configured Schemes LDAP Directory credentials Oracle.

Secure Credential Manager Claes Nilsson - Sony Ericsson

The protection of the DB against intentional or unintentional threats using computer-based or non- computer-based controls. Database Security – Part 2.

SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.

TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,

SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.

DEV-09: User Authentication in an OpenEdge™ 10.1 Distributed Computing Environment Michael Jacobs Development Architect.

Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.

Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.

Module 11: Securing a Microsoft ASP.NET Web Application.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Windows Role-Based Access Control Longhorn Update

OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland

Microsoft Management Seminar Series SMS 2003 Change Management.

PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002.

February, TRANSCEND SHIRO-CAS INTEGRATION ANALYSIS.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

© ITT Educational Services, Inc. All rights reserved. IS3230 Access Security Unit 7 Authentication Methods and Requirements.

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

Authorization Use Cases - Financial Example - Identity and Authorization Services Working Group (IAS-WG) June 07, 2010 DRAFT.

VPN. CONFIDENTIAL Agenda Introduction Types of VPN What are VPN Tokens Types of VPN Tokens RSA How tokens Work How does a user login to VPN using VPN.

Secure Mobile Development with NetIQ Access Manager

Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.

© 2014 IBM Corporation Mobile Customization & Administration IBM Connections 5.0 Workshop Author: Paul Godby IBM Ecosystem Development Duration: 30 minutes.

Short Customer Presentation September The Company  Storgrid delivers a secure software platform for creating secure file sync and sharing solutions.

Identity and Access Management

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Microsoft Windows NT 4.0 Authentication Protocols

Module Overview Installing and Configuring a Network Policy Server

Configuring and Troubleshooting Routing and Remote Access

Chapter 2: System Structures

TPM and TPM Security Technologies

Power BI Security Best Practices

Introduction to Cisco Identity Services Engine (ISE)

Goals Introduce the Windows Server 2003 family of operating systems

Lecture 2 - SQL Injection

Designing IIS Security (IIS – Internet Information Service)

Presentation transcript:

Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010

AuthZ Use Case - Web SSO via Web Access Management (WAM) System PrincipalPEP Target Resource PIP PDP PAP User/device WAM plug-in WAM Server HTML or web app WAM console LDAP Environment Time/Location

Use case details – Web SSO via Web Access Management (WAM) System Author:John Tolbert Brief Description:Human user requesting access to an html document protected by a web access management system (WAM). Policy information stored in LDAP, authored within WAM. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:User clicks link to protected resource Steps or flow:User clicks link to protected html resource; WAM plug-in on host system asks PDP if the user can get access; PDP relies on pre-authored LDAP policy data; PDP returns result to PEP, host system delivers document to user. Post-conditions:Transaction logged. Non-functional requirements: Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are limited to platforms served by the WAM agent and server.

AuthZ Use Case - Web SSO via SAML PrincipalPEP Target Resource PIP PDP PAP User/device SAML-enabled Web app SAML server HTML or web app LDAP & SAML consoles LDAP Environment Time/Location

Use case details – Web SSO via SAML Author:John Tolbert Brief Description:Human user requesting access to an html document protected by a web application that accepts SAML assertions. Policy information stored in LDAP, authored within LDAP/SAML/other utilities. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:User clicks link to protected resource Steps or flow:User clicks link to protected html resource; SAML assertion with appropriate attributes created and passed to application; application on host system asks PDP if the user can get access; PDP relies on pre-authored LDAP policy data; PDP returns result to PEP, host system delivers document to user. Post-conditions:Transaction logged. Non-functional requirements: Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are limited to platforms served by the SAML-enabled application.

AuthZ Use Case – File access mediated by operating system (OS) PrincipalPEP Target Resource PIP PDP PAP User/device OS File OS utilities OS Environment Time/Location

Use case details – File access mediated by operating system (OS) Author:John Tolbert Brief Description:Human user requesting access to a file controlled by an operating system (OS). Policy information stored within OS structures, authored by OS utilities. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:File created with permissions, access determined in advance by entitlement creation using OS utilities. Steps or flow:User attempts to access a file protected by an OS. OS makes decision based upon entitlements created by OS utilities. File delivered to user. Post-conditions:Transaction logged. Non-functional requirements: Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are dependent on the OS and its mechanisms.

AuthZ Use Case – remote network access to virtual private network (VPN) PrincipalPEP Target Resource PIP PDP PAP User/device VPN RADIUS Network RADIUS utilities RADIUS DB Environment Time/Location

Use case details – remote network access to virtual private network (VPN) Author:John Tolbert Brief Description:Human user and/or requesting access to a network controlled by a VPN device. Policy information stored within RADIUS (or TACACS or LDAP), authored by RADIUS utilities. Goal:Human user gains access to authorized network. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:Entitlements created in advance by RADIUS utilities. VPN client software installed. Steps or flow:User attempts to access a remote network. VPN device makes decision based upon entitlements created. Network access granted to user. Post-conditions:Transaction logged. Non-functional requirements: Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, citizenship, etc. Issues:PEP and PDP deployments in this case are dependent on the OS and its mechanisms.

AuthZ Use Case – Database access using local DB accounts PrincipalPEP Target Resource PIP PDP PAP User/device DB Rows, columns, or tables DB utilities DB security tables Environment Time/Location

Use case details – Database access using local DB accounts Author:John Tolbert Brief Description:Human user requesting access to data stored in a database. Policy information stored in internal database security structures (user, group, permissions tables), created by DB utilities. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:User executes SQL query against database. Steps or flow:User executes SQL query against database. Database security functions match user context information against pre-configured values in the user, group, and permissions table structures within the database itself. If conditions are met, results will be returned. Post-conditions:Transaction logged. Non-functional requirements: Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are limited to platforms which can operate within the database program.

AuthZ Use Case – Database access via web application PrincipalPEP Target Resource PIP PDP PAP Web app/ Service account DB Rows, columns, or tables DB utilities DB security tables Environment Time/Location

Use case details – Database access using Database access via web application Author:John Tolbert Brief Description:Human user requesting access to data stored in a database via a web application. Policy information stored in internal database security structures (user, group, permissions tables), created by DB utilities. Goal:Human user gains access to authorized document or application. Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:User clicks link in web application that launches a SQL query against a back-end database. Steps or flow:User clicks link in web application that launches a SQL query against a backend database. Web application executes SQL query on behalf of the user, either using impersonation or a service account. Database security functions match user or service account context information against pre-configured values in the user, group, and permissions table structures within the database itself. If conditions are met, results will be returned. Post-conditions:Transaction logged. Non-functional requirements: Business rules:Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. Issues:PEP and PDP deployments in this case are limited to platforms which can operate within the database program. WAM may also front-end the web application.

AuthZ Use Case: Multi-channel access to financial service PrincipalPEP Target Resource PIP PDP PAP Involved party/channel Channel Credential Collector AuthZ Web Service Financial web Application or service Admin point LDAP Policy Store Environment Channel type, Location Typical self-serve channels include online, ABM, IVR, Mobile

Use case details: Multi-channel access to financial service Author:Gavin Illingworth Brief Description:Involved Party (IP) is a subject who may play a role of (bank) customer, guarantor, trustee or similar. IP uses bank-issued credentials to first authenticate to a channel. IP is then authorized to access one or more services. Which services are permitted depends on the following factors: Goal:Managed access to financial applications Actors:User, PEP, PDP, PIP, PAP, resource. Initial conditions:Subject has authenticated to a channel. Subject has been assigned several credentials of varying strength. Steps or flow:1.Subject authenticates to channel 2.Authentication Service gets channel properties, credential, credential type and assurance level of identity 3.The assurance level assigned to a subject at registration time (depends on bona fides, such as driver’s license, submitted by the subject at a branch). This is a static value 4.A session assurance level is calculated as determined by the strength of the supplied credential and channel properties, such as channel type and location 5.Uses authorization rules in the Policy Store to calculate decisions 6.The session assurance value is used (in prior step) to assess what entitlements are ‘operational’ during the session. 7.Returns authorization decision back to the invoking applications. 8.The “conditional” return value may result in a request to the customer/user to provide additional credentials to increase the session assurance level (stronger credential). 9.Subject may be granted resource access

Use case details: Multi-channel access to financial service (2) Business rules: Issues:The list of services during a session is not fixed, but is dynamically calculated as shown. The implication for the UI is that, although there is a list of (all) available services determined by entitlements (at enrolment time), the authorization decision during a session may render some of them non-permissible. Do you present both and remind the subject that additional AuthN is required for any services greyed out in the session? Or do you present only the ones permissible for that AuthZ decision?