Access Management in Federated Digital Libraries Kailash Bhoopalam Kurt Maly Mohammed Zubair Ravi Mukkamala Old Dominion University Norfolk, Virginia.

Presentation transcript:

Contents
–The Federated Digital Library
–Distributed Authentication using Shibboleth
–Role-Based Access Control
–Access Control Using XACML
–The XACML Policy Editor
–Conclusion

Archon Federated Digital Library System
The Stakeholders
–The Aggregator: Archon (resource repository)
–The Contributors: APS, CERN, etc.
–The Subscribers: ODU, IBM, NSU, etc.
–The End-users: members of the subscribing institutions who access the resource.
[Diagram: Contributors (CERN, APS) publish to the Aggregator (Archon) under a Contributor-Aggregator Information Publishing Agreement; Subscribers (NSU, IBM, ODU) and their End-Users access the resources under a Contributor-Subscriber Information Access Agreement, which the Aggregator enables.]

The Federated Digital Library
1. User requests a resource protected by Shibboleth
2. Target and the user's home organization authenticate each other, and the home organization provides user attributes
3. End-user gains access to the resource based on the access control specifications provided in the policy (XACML)
a. Contributor registers with the Federated Digital Library
b. Contributor manages access policies for user access to its documents
c. Contributor provides the policy in XACML-compliant format to the Policy Decision Point
[Diagram: Contributors (xArchive, CERN, APS) register with the Aggregator, which hosts the Shibboleth Target, the Federated DL & Harvester, the Policy Enforcement Point, the PDP and the Policy Editor; Subscribers (IBM, ODU, NSU) each run a Shibboleth Origin where an admin classifies users into groups; End-Users are the ODU, IBM and NSU users.]

End User Access: Archon, XACML and Shibboleth
1. Access
2. Authentication Redirect
3. Opaque handle
4. Attribute Request, Opaque handle
5. User Attributes
6. Access Token using XACML
7. Token based access
[Diagram: the End-User authenticates at the Subscriber's Shibboleth Origin (password-based authentication, Linux 8 with Apache and Tomcat); the Aggregator runs Archon and the Shibboleth Target + XACML (Linux 8 with Apache and Tomcat). Shibboleth requires Apache; Archon requires Apache & Tomcat.]

Distributed Authentication Using Shibboleth

XACML's Decision Model
Semantics of an XACML policy
–PolicySet → Policy+
–Policy → (Rule+, PA*)
–Rule → (Subject*, Object*, Action, Condition*)
Semantics of a request to an XACML policy
–Request → (Subject*, Object, Action)
Semantics of a response after access evaluation
–Response → (Status, Decision, Obligation*)
–Status ∈ {OK, Error}
–Decision ∈ {Permit, Deny, Not Applicable}
Conflict resolution
–Deny overrides, Permit overrides, First deny, First permit.
[Diagram: the Enforcer (PEP) receives an access request for a Resource and sends XReq to the Engine (PDP); the PDP evaluates it against the Policy and the Environment (Timestamp, Source IP) and returns XRes.]

Access Control using XACML: Authorization in Archon using XACML
[Diagram: Origin, Target and PDP. The Archon user's attributes are transferred from the Origin using Shibboleth [SAML]; the Target builds the Access Request Information (user attributes as request parameters) into a Request Context* [XACML compliant]; the PDP performs Decision Evaluation using XACML* and returns a Response Context* [XACML compliant]; the PEP then performs Access Token Generation, and the Access Token governs Managed User Access.]

Differential Access Views in Archon using XACML
[Figures: Access View for Student; Access View for Faculty]

XACML Policy Editor
Customizable: The content administrators of the contributors are shown information (resources in the columns and the roles in the top row) based on the contractual agreements the contributor has with each subscriber.
Consistent Access Rules: It is impossible to create access rules where a "subject" is provided access to a "resource" in one rule and denied in another.
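The decision model from the "XACML's Decision Model" slide and the consistency property of the Policy Editor, as an added example (not the presenters' code): a toy PDP that evaluates a request against rules under the deny-overrides, permit-overrides and first-applicable combining algorithms, plus a check that no (subject, resource, action) is both permitted and denied. Role names, resource names, the campus IP range and the reading of "first deny / first permit" as first-applicable are assumptions.

```python
# Added example (not from the slides): a toy PDP for the "XACML's Decision Model" slide plus
# the consistency check from the Policy Editor slide. Roles, resources, IP ranges are assumed.
from dataclasses import dataclass, field

@dataclass
class Rule:                                  # Rule -> (Subject*, Object*, Action, Condition*)
    effect: str                              # "Permit" or "Deny"
    subjects: set = field(default_factory=set)  # empty = any subject (role)
    objects: set = field(default_factory=set)   # empty = any object (resource)
    action: str = None                          # None = any action
    condition: object = None                    # callable(env) -> bool, or None

    def applies(self, subjects, obj, action, env):
        if self.subjects and not (self.subjects & subjects):
            return False
        if self.objects and obj not in self.objects:
            return False
        if self.action is not None and self.action != action:
            return False
        return self.condition is None or self.condition(env)

def evaluate(rules, algorithm, subjects, obj, action, env):
    """Request -> (Subject*, Object, Action) plus Environment; returns (Status, Decision)."""
    effects = [r.effect for r in rules if r.applies(set(subjects), obj, action, env)]
    if not effects:
        return ("OK", "NotApplicable")
    if algorithm == "deny-overrides":
        return ("OK", "Deny" if "Deny" in effects else "Permit")
    if algorithm == "permit-overrides":
        return ("OK", "Permit" if "Permit" in effects else "Deny")
    if algorithm == "first-applicable":      # first matching rule wins, in policy order
        return ("OK", effects[0])
    return ("Error", "NotApplicable")        # unknown combining algorithm

def conflicting_rules(rules):
    """Policy Editor invariant: no (subject, resource, action) both permitted and denied; wildcards ignored."""
    permits = [r for r in rules if r.effect == "Permit"]
    denies = [r for r in rules if r.effect == "Deny"]
    return {(s, o, p.action) for p in permits for d in denies if p.action == d.action
            for s in p.subjects & d.subjects for o in p.objects & d.objects}

# Constructed sample: one contributor's rules for a subscriber's roles; the last rule
# denies everything when the request is not from the (assumed) campus range 10.0.0.0/8.
off_campus = lambda env: not env.get("source_ip", "").startswith("10.")
RULES = [
    Rule("Permit", {"faculty", "student"}, {"aps-preprints"}, "read"),
    Rule("Permit", {"faculty"}, {"aps-journals"}, "read"),
    Rule("Deny", {"student"}, {"aps-journals"}, "read"),
    Rule("Deny", condition=off_campus),
]
```

The same faculty request is permitted on campus and denied off campus under deny-overrides but permitted under permit-overrides, which is why the combining algorithm is part of the policy, not of the request.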

Sample XACML Policy

Conclusion