Centralized Application Permissions Privilege Management
Nate Klingenstein, 30 January 2007, OGF 19, Chapel Hill

The Saga
Getting applications to relinquish authentication is pretty hard
Getting applications to relinquish attribute control is harder
Getting applications to relinquish control of authorizations…
– (fine print: and do so in an inter-realm context too)

The Applications Have a Point
Identity-based functions often live deep inside the application
– How can you identify and handle my authorization needs better than I can?
– Why do I have to consult you when my application makes a decision?
– Why do I need to work with you every time I want to change my permission definitions?
Application databases and directories have worked great for years

The IT Guys Also Have a Point
There's tremendous duplication of effort
Distributed information is more likely to be compromised
Users can barely take care of one set of information, privileges, or credentials
This is all we've got to live for
– So we do it well
Auditors exist, and also do it well
– Compliance

Privilege Centralization Considerations
Broader applicability
– Granularity again
How precise is your privilege definition?
How many other source and destination systems could share your definition?
The same questions apply when deciding whether to federate privileges
– Intra-realm SSO & centralization is a subset of federated identity; the same tools should handle both

Privileges vs. Attributes vs. Groups
We can instinctively tell what the difference is
In digital systems, the distinction is less clear
Is the difference only semantic?
– Formats?
– Management?
How do these structures in source systems line up with those in apps?

Privileges Based on Attributes
We're all familiar with privileges based on attributes
– VOMS
– Standard Shibboleth
How do permissions based on attributes differ from individual privileges?
– Grouping of permissions
– Granularity
RBAC models
– MIT
– NIST
– Stanford
– Etc.

Privileges vs. Attributes vs. Groups
Redundancy and security requirements
Transport protocols, profiles, bindings, formats
– How much can you squeeze into SAML?
– XACML transport

What does a Privilege Look Like?
XACML
Signet
eduPersonEntitlement URL & value

Privileges for Applications
What do you deliver to an application?
Is a boolean good enough?
If not, what do you consume?
What can your authorization system provide?
– What can your partners provide?

Introducing Signet
Centralized privilege management system
Supports privilege:
– Issuance
– Reissuance
– Prohibition of reissuance
– Delegation
– Prohibition of delegation
More information forthcoming…
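The five operations listed on the Signet slide are easier to reason about with a concrete model in hand. The following is an added example written for this transcript, not Signet's own data model or API: the class names, the `may_reissue` / `may_delegate` flags, the path-prefix scope rule and the one-hop reading of "delegation" are all assumptions made here to illustrate how a grantor can never hand out more than they hold and how a prohibition set on a grant propagates down the chain.

```python
"""Added example: a toy model of issuance, reissuance and its prohibition,
delegation and its prohibition, with scope narrowing and cascading revocation.
Names and semantics are this example's own assumptions, not Signet's."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class GrantError(Exception):
    """Raised when an operation would exceed what the grantor holds."""


@dataclass(frozen=True)
class Grant:
    grant_id: str
    grantor: str
    grantee: str
    function: str            # what may be done, e.g. "hypometer:read"
    scope: str               # where, as a path prefix, e.g. "/vortex/hypometer-1"
    may_reissue: bool        # grantee may grant this function onward
    may_delegate: bool       # grantee may let another act on their behalf (one hop)
    parent: Optional[str]    # grant this one derives from; None for root issuance


def scope_within(child: str, parent: str) -> bool:
    """'/vortex/hypometer-1' is within '/vortex'; '/vortexes' is not."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


class PrivilegeStore:
    def __init__(self, authorities: List[str]):
        self._authorities = set(authorities)
        self._grants: Dict[str, Grant] = {}
        self._counter = 0

    def _add(self, **fields) -> Grant:
        self._counter += 1
        grant = Grant(grant_id=f"g{self._counter}", **fields)
        self._grants[grant.grant_id] = grant
        return grant

    def issue(self, authority, grantee, function, scope,
              may_reissue=False, may_delegate=False) -> Grant:
        """Root issuance: only a configured authority may create a parentless grant."""
        if authority not in self._authorities:
            raise GrantError(f"{authority} is not an issuing authority")
        return self._add(grantor=authority, grantee=grantee, function=function, scope=scope,
                         may_reissue=may_reissue, may_delegate=may_delegate, parent=None)

    def _derive(self, parent_id, grantor, grantee, scope, flag, may_reissue, may_delegate) -> Grant:
        parent = self._grants.get(parent_id)
        if parent is None or parent.grantee != grantor:
            raise GrantError("grantor does not hold the parent grant")
        if not getattr(parent, flag):
            raise GrantError(f"{flag} is prohibited on {parent_id}")
        if not scope_within(scope, parent.scope):
            raise GrantError("scope exceeds the parent grant")
        # Rights only shrink along the chain: a prohibition on the parent is inherited.
        return self._add(grantor=grantor, grantee=grantee, function=parent.function, scope=scope,
                         may_reissue=may_reissue and parent.may_reissue,
                         may_delegate=may_delegate and parent.may_delegate,
                         parent=parent_id)

    def reissue(self, parent_id, grantor, grantee, scope,
                may_reissue=False, may_delegate=False) -> Grant:
        """Grant the same function onward, no wider than the grantor's own grant."""
        return self._derive(parent_id, grantor, grantee, scope, "may_reissue",
                            may_reissue, may_delegate)

    def delegate(self, parent_id, grantor, grantee, scope) -> Grant:
        """One-hop delegation: the delegate can use but never reissue or re-delegate."""
        return self._derive(parent_id, grantor, grantee, scope, "may_delegate", False, False)

    def revoke(self, grant_id) -> List[str]:
        """Revoke a grant and everything derived from it; returns the ids removed."""
        removed, stack = [], [grant_id]
        while stack:
            gid = stack.pop()
            if self._grants.pop(gid, None) is None:
                continue
            removed.append(gid)
            stack.extend(g.grant_id for g in self._grants.values() if g.parent == gid)
        return removed

    def holds(self, subject, function, scope) -> bool:
        """Does any live grant give `subject` `function` covering `scope`?"""
        return any(g.grantee == subject and g.function == function and scope_within(scope, g.scope)
                   for g in self._grants.values())


if __name__ == "__main__":
    store = PrivilegeStore(["sandstone-iam"])
    root = store.issue("sandstone-iam", "jblue", "hypometer:read", "/vortex",
                       may_reissue=True, may_delegate=True)
    student = store.reissue(root.grant_id, "jblue", "student1", "/vortex/hypometer-1")
    print(store.holds("student1", "hypometer:read", "/vortex/hypometer-1"))   # True
    print(store.revoke(root.grant_id))                                         # root and student gone
```

The point to take from the model is the `_derive` step: reissuance and delegation are the same mechanism with different flags, and both are checked against the grantor's own grant, never against the grantee's request.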

Integrating Privilege Systems with Applications
What data format do applications want?
– Conditions
– Variables
Push, or pull?
– Protocols
When?
– Freshness vs. frustration
– Caching?
How do you define the appropriate central data structures?
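"Freshness vs. frustration" is the cost of caching a pull-style decision, and the example below makes that cost visible. It is added for this transcript and is not code from the presentation or from Signet; `fetch_decision` stands in for whatever protocol the central privilege system speaks, the TTL values are arbitrary, and the clock and backend are injected so the walk-through runs offline and deterministically.

```python
"""Added example: a pull-style authorization client with a TTL cache.
Shows a centrally revoked privilege surviving in the cache until expiry,
a cached deny masking a fresh grant, and a push-side invalidation hook
that removes both problems at the price of another protocol."""
import time
from typing import Callable, Dict, List, Optional, Tuple

Decision = bool
Key = Tuple[str, str]   # (subject, permission)


class CachedAuthz:
    def __init__(self, fetch_decision: Callable[[str, str], Decision],
                 allow_ttl: float, deny_ttl: float,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch_decision
        self._allow_ttl = allow_ttl
        self._deny_ttl = deny_ttl        # denies expire sooner: a fresh grant should "just work"
        self._clock = clock
        self._cache: Dict[Key, Tuple[Decision, float]] = {}
        self.backend_calls = 0

    def is_permitted(self, subject: str, permission: str) -> Decision:
        key = (subject, permission)
        now = self._clock()
        cached = self._cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.backend_calls += 1
        try:
            decision = self._fetch(subject, permission)
        except Exception:
            # Fail closed on backend errors rather than reuse an expired allow.
            return False
        ttl = self._allow_ttl if decision else self._deny_ttl
        self._cache[key] = (decision, now + ttl)
        return decision

    def invalidate(self, subject: Optional[str] = None) -> int:
        """Push-side hook: a revocation notice drops entries for one subject, or all."""
        victims = [k for k in self._cache if subject is None or k[0] == subject]
        for k in victims:
            del self._cache[k]
        return len(victims)


def walk_through(allow_ttl: float = 300.0, deny_ttl: float = 30.0) -> Tuple[List[Tuple[str, bool]], int]:
    """Drive one revocation and one re-grant through the cache; return the trace and backend call count."""
    backend = {("jblue", "hypometer:read")}          # constructed central privilege table
    now = [0.0]                                       # fake clock, advanced by hand
    authz = CachedAuthz(lambda s, p: (s, p) in backend, allow_ttl, deny_ttl, clock=lambda: now[0])
    trace = []
    trace.append(("first lookup", authz.is_permitted("jblue", "hypometer:read")))
    backend.discard(("jblue", "hypometer:read"))     # revoked centrally
    now[0] += 60
    trace.append(("revoked, within allow ttl", authz.is_permitted("jblue", "hypometer:read")))
    now[0] += allow_ttl
    trace.append(("after allow ttl expiry", authz.is_permitted("jblue", "hypometer:read")))
    backend.add(("jblue", "hypometer:read"))         # re-granted centrally
    now[0] += 5
    trace.append(("re-granted, deny still cached", authz.is_permitted("jblue", "hypometer:read")))
    authz.invalidate("jblue")                        # push notification arrives
    trace.append(("after invalidate", authz.is_permitted("jblue", "hypometer:read")))
    return trace, authz.backend_calls


if __name__ == "__main__":
    for step, result in walk_through()[0]:
        print(f"{step:32s} -> {result}")
```

The second trace entry is the one auditors care about: for up to `allow_ttl` seconds a revoked subject still gets "allow" from a purely pull-based integration. Shortening the TTL trades that window for load on the central system; adding the push-side `invalidate` call trades it for a second protocol to deploy and secure.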

Grid Permissions
Are there sufficiently common privilege requirements across grids that we can:
– Pick a format for consumers?
– Define a vocabulary and naming style?
– Build one or more templates?
– Standardize a basic set?
How is this expressed in a form the grid can use?
– VOMS Attributes?
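Three earlier slides ("What does a Privilege Look Like?", "Privileges for Applications" and "Grid Permissions") raise the same practical question: a privilege arrives either as an eduPersonEntitlement value inside a SAML attribute statement or as a VOMS attribute, and the application has to consume one or the other and decide whether a boolean is enough. The example below is added for this transcript and is not the presenter's code; the AttributeStatement, the `urn:mace:example.org:...` entitlement URIs and the `/vortex` VOMS group are constructed sample data, and the decision to drop `Role=NULL` and `Capability=` during normalisation is this example's choice. Only the Python standard library is used.

```python
"""Added example: collect a subject's privileges from an eduPersonEntitlement
attribute (SAML 2.0 AttributeStatement) and from VOMS FQANs, normalise them
into one representation, and answer an application either with a boolean or
with the whole set so it can apply its own conditions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional, Set

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard OID-form attribute name for eduPersonEntitlement.
EDUPERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed sample AttributeStatement for this example; the entitlement URIs
# and the example.org domain are invented, not values from a real federation.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>urn:mace:example.org:vortex:hypometer:read</saml:AttributeValue>
    <saml:AttributeValue>http://example.org/entitlements/library</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml:AttributeValue>jblue@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


@dataclass(frozen=True)
class Privilege:
    """One normalised privilege; `source` records which carrier it came from."""
    source: str   # "entitlement" or "voms"
    value: str


def entitlements_from_saml(xml_text: str) -> Set[str]:
    """Return every eduPersonEntitlement value in an AttributeStatement.

    Attributes are matched by Name; others (here, mail) are ignored. Signature
    validation of the enclosing assertion is assumed to have happened already,
    as it must in any SAML consumer before attribute values are trusted.
    """
    root = ET.fromstring(xml_text.strip())
    values: Set[str] = set()
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != EDUPERSON_ENTITLEMENT:
            continue
        for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            text = (val.text or "").strip()
            if text:
                values.add(text)
    return values


def parse_fqan(fqan: str) -> Optional[Privilege]:
    """Normalise a VOMS FQAN: /vo[/group ...][/Role=<role>][/Capability=<cap>].

    Role=NULL and any Capability are dropped, so "/vortex/Role=NULL" and
    "/vortex" compare equal. Malformed input returns None rather than raising.
    """
    if not fqan.startswith("/"):
        return None
    groups, role = [], None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            continue
        elif part:
            groups.append(part)
    if not groups:
        return None
    value = "/" + "/".join(groups)
    if role and role != "NULL":
        value += "/Role=" + role
    return Privilege("voms", value)


def collect_privileges(saml_xml: str, fqans: Iterable[str]) -> Set[Privilege]:
    """Merge both carriers into one set the application can consume directly."""
    privs = {Privilege("entitlement", v) for v in entitlements_from_saml(saml_xml)}
    for fqan in fqans:
        priv = parse_fqan(fqan)
        if priv is not None:
            privs.add(priv)
    return privs


def is_permitted(required: Set[Privilege], held: Set[Privilege]) -> bool:
    """The boolean interface: every required privilege must be held."""
    return required <= held


if __name__ == "__main__":
    held = collect_privileges(SAMPLE_ATTRIBUTE_STATEMENT,
                              ["/vortex/Role=production/Capability=NULL", "/vortex", "not-an-fqan"])
    for p in sorted(held, key=lambda p: (p.source, p.value)):
        print(p.source, p.value)
    print(is_permitted({Privilege("entitlement", "urn:mace:example.org:vortex:hypometer:read")}, held))
```

Returning `held` instead of the boolean is the "If not, what do you consume?" branch: the application gets the normalised set and evaluates its own conditions, at the cost of every application needing to understand both vocabularies.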

Integrating Signet with Signets
Dr. Jean Blue is a professor at Sandstone University and a PI of VORTEX, a virtual organization.
As a PI of VORTEX, she has many VORTEX privileges and wants to administer them consistently across a variety of environments.
She wants to assign her students permission to read one of the VORTEX mass-hypometers; etc.
At what level do you connect the systems?
With what data harmonization?
Which transport mechanisms?
– Which transport formats?
How do they synchronize? Authorize?

Any Questions?
Nate Klingenstein