SPOCP – general authorisation server. Presentation at TF-aace meeting in Stockholm, 26 Nov 2002, Roland Hedberg.

Presentation transcript:


Outline – part 1
● SPOCP project
● SPOCP, how does it fit in
● How does it work
● SPOCP SAML/XACML
● Project status

The SPOCP project
● One year, ends May 31st 2003
● Relatively small budget, ~1 MSEK
● Run by Umeå University
● Partners in crime:
  * Stockholm University
  * Lund University
  * Uppsala University
  * Karolinska
  * SUNET
  * UNINETT
  * NYA & LpW

How does it fit in?
● Middleware function that provides authorisation
● Separate from authentication
● Uses information resources

Spocp rules/queries
● Expressed as S-expressions
  – Fixed syntax, undefined semantics
● S-expressions can be ordered
  – One can test whether S-expression A is '<=' S-expression B

S-expression
● An S-expression is either
  – a byte string ("octet string"), or
  – a finite list of simpler S-expressions
● An octet string is a finite sequence of 8-bit octets
● Example:
  – (certificate (issuer bob)(subject alice))

Formal definition of the '<=' relation
● If A = (X_1 X_2 ... X_m) and B = (Y_1 Y_2 ... Y_n) then A <= B if and only if n <= m and X_i <= Y_i for i = 1, ..., n
● Example:
  – (certificate (issuer bob morgan)(subject alice)) <= (certificate (issuer bob)(subject alice))

Spocp Authorisation Decision
● Given an authorisation query (A): if there exists a rule (R) in the rule database such that A '<=' R, then permission is granted
● By default everything is disallowed
● Rules can only allow actions

SAML – Spocp: an objective comparison :-)

XACML/SAML Data-flow

Spocp Data-Flow

XACML Rule
● A person may read any record for which he or she is the designated patient
  * //medico.com/record.* read

Spocp Rule
● (spocp (resource medico.com)(action read)(subject medico.com urn:spocp:equal:${patient}:${name}))

SAML AuthorizationDecisionQuery
– Julius Hibbert read Julius Hibbert 24/artifact Julius Hibbert physician

SPOCP Query
● (spocp (resource record medico.com (patient Bartholomeus Simson) patientDoB )(action read)(subject medico.com (name Julius Hibbert)))
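As an added illustration, not code from the SPOCP project, here is a small Python model of the '<=' order defined on the S-expression slides and of the default-deny decision, run over the query on the SPOCP Query slide. It assumes the whitespace-separated textual form (so `bob morgan` is two octet strings), that two octet strings compare by equality only, and it uses a constructed rule without the `urn:spocp:equal` constraint shown on the Spocp Rule slide.

```python
import re
from typing import List, Union

SExpr = Union[bytes, List["SExpr"]]  # an octet string or a finite list of S-expressions
_TOKEN = re.compile(rb"\(|\)|[^\s()]+")

def parse(text: bytes) -> SExpr:
    """Parse the whitespace-separated textual form used on the slides.
    Assumption: atoms carry no whitespace or parentheses, so 'bob morgan' is
    two octet strings (the length-prefixed canonical form is not handled)."""
    tokens, pos = _TOKEN.findall(text), 0
    def read() -> SExpr:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced S-expression")
        tok, pos = tokens[pos], pos + 1
        if tok == b")":
            raise ValueError("unexpected ')'")
        if tok != b"(":
            return tok  # an octet string
        items: List[SExpr] = []
        while pos < len(tokens) and tokens[pos] != b")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("missing ')'")
        pos += 1  # consume the closing ')'
        return items
    result = read()
    if pos != len(tokens):
        raise ValueError("trailing data after S-expression")
    return result

def le(a: SExpr, b: SExpr) -> bool:
    """The slides' '<=': for lists A=(X_1..X_m) and B=(Y_1..Y_n), A <= B iff
    n <= m and X_i <= Y_i for i=1..n, so the shorter B is the more general.
    Assumption: two octet strings compare by equality only."""
    if isinstance(a, bytes) or isinstance(b, bytes):
        return a == b
    return len(b) <= len(a) and all(le(x, y) for x, y in zip(a, b))

def decide(query: bytes, rules: List[bytes]) -> bool:
    """Default deny: granted iff some rule R in the database satisfies query <= R."""
    return any(le(parse(query), parse(r)) for r in rules)

# Query from the slides; the rule is a constructed, simpler one (no urn:spocp:equal
# constraint) that lets any medico.com subject read any record at medico.com.
QUERY = (b"(spocp (resource record medico.com (patient Bartholomeus Simson) patientDoB)"
         b"(action read)(subject medico.com (name Julius Hibbert)))")
RULES = [b"(spocp (resource record medico.com)(action read)(subject medico.com))"]
```

A rule that is more specific than the query (for example one naming a particular patient when the query does not) is not '<=' matched, so the request is denied, which is exactly the default-deny behaviour the slides describe.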

Project Status
● Source code available
  – Two server implementations
    ● Apache module (SAML/SOAP/HTTP)
    ● Standalone (uses the SPOCP protocol)
  – Server as library
  – PAM module
  – Modified Exim
  – Documentation