Status Update on Other GFIPM Activity Threads GFIPM Delivery Team Meeting November 2011.


Other GFIPM Activity Threads
- NCSC/GBI XACML Sample Implementation
- Privacy Policy Framework Implementer Guide
- GFIPM/BAE Interoperability Pilot
- SAML Holder-of-Key Profile Implementation
- CONNECT Consortium Update (Rob Kribs)

NCSC/GBI XACML Sample Implementation Status Update

NCSC/GBI XACML Sample Implementation
- Funded via BJA grant to NCSC
  - Period of Performance: Mid 2010 to EOY 2011
- Goal: Demonstrate the use of an externalized access control mechanism with an existing law enforcement info sharing system
  - Integrate XACML with the GBI JIMnet test instance
  - Implement info sharing policies from GBI Directive 7-6
- Work Products:
  - GBI rules expressed in XACML
  - Identification of potential new GFIPM attributes
  - "XACML-enablement" prototype of GBI JIMnet, also conformant to the GFIPM web services spec
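Added example, written for this page rather than taken from the NCSC/GBI prototype (the GBI Directive 7-6 rules are not reproduced): a constructed XACML 3.0 policy and a minimal Python policy decision point that evaluates a request context against it. The PolicyId, the resource name and the SwornLawEnforcementOfficerIndicator attribute name are assumptions, the request is passed as a dict rather than an XML Request, and Conditions, obligations and Indeterminate results are not implemented. The last call in the main block shows the combining-algorithm trap to check for when a policy carries an explicit default-deny rule: under deny-overrides an unconditional Deny rule wins every evaluation, so the Permit rule beside it can never fire.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Assumed attribute name; the real GFIPM/GBI attribute set is not on this page.
SWORN = "gfipm:2.0:user:SwornLawEnforcementOfficerIndicator"

# Constructed sample policy (not the GBI Directive 7-6 rules): a sworn officer may
# read incident reports; everything else falls through to an explicit Deny rule.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="example:jimnet:incident-report" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="sworn-officer-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">jimnet:incident-report</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}" DataType="{STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">read</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STRING}">true</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{SWORN}" DataType="{STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""


def make_request(sworn, action, resource="jimnet:incident-report"):
    """Request context as {category: {attribute-id: [values]}} (XML Request omitted)."""
    return {
        SUBJECT: {SWORN: ["true" if sworn else "false"]},
        ACTION: {ACTION_ID: [action]},
        RESOURCE: {RESOURCE_ID: [resource]},
    }


def _match(match, request):
    """XACML Match: true if the literal equals ANY value in the designated attribute's bag.
    An absent attribute simply fails to match here; a full PDP returns Indeterminate
    when MustBePresent="true"."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId " + match.get("MatchId"))
    literal = match.find("x:AttributeValue", NS).text
    d = match.find("x:AttributeDesignator", NS)
    bag = request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    return literal in bag


def _target_matches(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches every request."""
    if target is None or len(target) == 0:
        return True
    return all(
        any(all(_match(m, request) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))


def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable for the request under the policy."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[1]
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if _target_matches(r.find("x:Target", NS), request)]
    if not effects:
        return "NotApplicable"
    if alg == "first-applicable":
        return effects[0]
    if alg == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if alg == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError("unsupported combining algorithm " + alg)


if __name__ == "__main__":
    print(evaluate(POLICY, make_request(True, "read")))    # Permit
    print(evaluate(POLICY, make_request(False, "read")))   # Deny
    print(evaluate(POLICY, make_request(True, "update")))  # Deny
    # Same rules under deny-overrides: the unconditional default-deny rule now wins every time.
    print(evaluate(POLICY.replace("first-applicable", "deny-overrides"),
                   make_request(True, "read")))             # Deny
```

The PEP that fronts the info sharing system should treat NotApplicable exactly like Deny; the explicit default-deny rule above just makes that outcome visible in the decision rather than relying on the PEP to do it.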

JIMnet Architecture

Prototype Architecture with XACML and GFIPM Web Services

NCSC/GBI Project Final Report
- Draft submitted to NCSC on 11/1
- Final draft to be complete by EOY 2011

Privacy Policy Framework Implementer Guide Status Update

Privacy Policy Framework Implementer Guide
- Funded via BJA grant to NCSC
  - Period of Performance: Late 2011 to Mid 2012
  - Follow-on to the GBI XACML implementation work
- Goal: Develop an implementer guide/tutorial for implementing a XACML-based authorization/privacy framework
  - Will include implementation exercises, sample code/solutions, etc.
- Currently in early phase

Privacy Policy Framework Implementer Guide TOC

GFIPM/BAE Interoperability Pilot Status Update

HSPD-12 Back-End Attribute Exchange (BAE)
- Supports operation of PIV and PIV-I cards
  - Personal ID card with embedded crypto token
  - Delivers additional attributes not on the cards
- Protocol spec and system implementation
  - Uses the SAML 2.0 Attribute Query Profile
  - Technical support provided by JHUAPL
- BAE defines ~35 data attributes about users
  - Already reconciled with GFIPM Metadata 2.0

GFIPM/BAE Interoperability Pilot
- Pilot project initiated in mid-2010
- Use Case: BAE user accesses GFIPM resource
  1. BAE user authenticates to GFIPM IDP (TIB)
  2. GFIPM IDP collects BAE user attributes
     - This is the primary GFIPM/BAE integration point
  3. GFIPM IDP translates BAE attrs to GFIPM attrs
     - Mapping from BAE to GFIPM attrs already exists
  4. GFIPM IDP sends SAML assertion to GFIPM SP
  5. BAE user accesses GFIPM resource
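Added example of steps 2 and 3 of the use case (written for this page; not the pilot's code and not the GFIPM WS sample code GTRI planned to reuse): building the SAML 2.0 AttributeQuery the GFIPM IDP sends to the BAE, checking the response before any attribute is trusted, and renaming the returned attributes to GFIPM names. The BAE attribute names, the GFIPM names, the issuer and IDP URLs and the sample response are all constructed; the real BAE-to-GFIPM mapping the slide mentions is not reproduced here. XML-DSig verification of the response (or mutual TLS to the XML Security Gateway) is outside the example and a real client must do it first.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical BAE attribute names and GFIPM counterparts; the pilot's real
# BAE-to-GFIPM mapping exists but is not reproduced on this page.
BAE_TO_GFIPM = {
    "urn:example:bae:givenName": "gfipm:2.0:user:GivenName",
    "urn:example:bae:sn": "gfipm:2.0:user:SurName",
    "urn:example:bae:agency": "gfipm:2.0:user:EmployerName",
    "urn:example:bae:swornIndicator": "gfipm:2.0:user:SwornLawEnforcementOfficerIndicator",
}


def build_attribute_query(issuer, subject_dn, attr_names, query_id=None):
    """Step 2: the GFIPM IDP asks the BAE for the PIV holder's attributes. The subject
    is the card certificate's DN, so this only runs after the IDP has authenticated
    the card (step 1)."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": query_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT}).text = subject_dn
    for name in attr_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute",
                      {"Name": name, "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    return ET.tostring(q, encoding="unicode")


def extract_bae_attributes(response_xml, expected_issuer, expected_subject_dn, query_id):
    """Parse the BAE's samlp:Response. Signature/transport checks are assumed to have
    already passed; this function only checks the protocol-level bindings."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != query_id:
        raise ValueError("response does not answer our query")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("attribute query failed")
    assertion = root.find("saml:Assertion", NS)
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion from unexpected issuer")
    if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != expected_subject_dn:
        raise ValueError("assertion is about a different subject")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def to_gfipm(bae_attrs):
    """Step 3: rename BAE attributes to GFIPM attributes. Names without a mapping are
    dropped, not passed through, so an SP never sees attributes the federation has
    not defined."""
    return {BAE_TO_GFIPM[k]: v for k, v in bae_attrs.items() if k in BAE_TO_GFIPM}


# Constructed sample response; no real BAE or JHUAPL test-bed data.
BAE_ISSUER = "https://bae.example.gov/attribute-service"
SUBJECT_DN = "CN=Jane Officer,OU=State Police,O=Example State,C=US"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2011-11-01T00:00:00Z" InResponseTo="_q1">
  <saml:Issuer>{BAE_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-11-01T00:00:00Z">
    <saml:Issuer>{BAE_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{X509_SUBJECT}">{SUBJECT_DN}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:bae:givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:bae:sn"><saml:AttributeValue>Officer</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:bae:swornIndicator"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:bae:clearance"><saml:AttributeValue>secret</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_attribute_query("https://idp.example.gov/gfipm", SUBJECT_DN, BAE_TO_GFIPM, query_id="_q1"))
    bae = extract_bae_attributes(SAMPLE_RESPONSE, BAE_ISSUER, SUBJECT_DN, "_q1")
    print(to_gfipm(bae))
```

Note that the unmapped urn:example:bae:clearance value never reaches the GFIPM assertion built in step 4: translation is also the point at which the IDP decides which BAE attributes the federation is allowed to see.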

Proposed GFIPM/BAE Use Case (diagram)
Components shown: User with PIV or PIV-I Card; Trusted Identity Broker; GFIPM Relying Party; XML Security Gateway (BAE); Virtual/Meta Directory; Authoritative Attribute Sources 1, 2 and 3; State & Local Agency Attribute Service

GFIPM/BAE Pilot Status
- Held initial technical discussions with JHUAPL
- GTRI is prototyping the GFIPM components
  - Will connect to the existing BAE test-bed
- BAE client-side software does not exist
  - Must perform the SAML attribute query over web services
  - GTRI will develop it using the GFIPM WS sample code
- Timeline is TBD
  - Gated in 2011 due to GFIPM WS development
  - Sought funding in 2010, but it was not a high priority then

SAML Holder-of-Key (HoK) Profile Implementation Status Update

SAML Holder-of-Key (HoK) Profile
- Extension to the core SAML spec
  - OASIS Committee Specification (not ratified yet)
  - No implementations available yet
- Enables NIST level of assurance 4 (LOA-4)
  - LOA-4 requires direct authentication with the RP
  - Traditional SAML provides an assertion only
  - SAML HoK provides hybrid direct authn/assertion
- Plan: Seek funding to extend Shibboleth with HoK
  - Most groups using SAML don't need LOA-4 authentication
  - The justice community requires it for some data exchanges
- Current Status: on hold pending demand/funding
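Added example (not Shibboleth code and not part of any GFIPM deliverable) of what the HoK profile changes at the relying party compared with the bearer confirmation traditional SAML SSO uses: the assertion's SubjectConfirmation carries the user's X.509 certificate in KeyInfo, and the RP accepts the assertion only if the client proved possession of that same certificate on the TLS session that delivered it. The certificate bytes, issuer and NameID are constructed placeholders; assertion signing, Conditions and the IDP-side TLS client authentication are omitted.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML, "ds": DS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed placeholder bytes standing in for DER-encoded client certificates;
# a real RP takes these from the TLS client-certificate handshake.
OFFICER_CERT = b"\x30\x82\x01\x00constructed-cert-for-jane-officer"
ATTACKER_CERT = b"\x30\x82\x01\x00constructed-cert-for-someone-else"


def make_assertion(method, cert_der=None):
    """Build the Subject of an IDP assertion. Bearer: whoever holds the assertion is
    the subject. Holder-of-key: the subject is whoever can prove possession of the
    key named in KeyInfo. (Signature, ID and Conditions trimmed for the example.)"""
    ET.register_namespace("saml", SAML)
    ET.register_namespace("ds", DS)
    ET.register_namespace("xsi", XSI)
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_hok1", "Version": "2.0"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example.gov/gfipm"
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = "jane.officer@example.gov"
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": method})
    if method == HOLDER_OF_KEY:
        scd = ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData",
                            {f"{{{XSI}}}type": "saml:KeyInfoConfirmationDataType"})
        x509 = ET.SubElement(ET.SubElement(scd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(cert_der).decode()
    return ET.tostring(a, encoding="unicode")


def fingerprint(cert_der):
    """SHA-256 over the DER bytes, for audit logs."""
    return hashlib.sha256(cert_der).hexdigest()


def confirm_subject(assertion_xml, presenter_cert_der):
    """Relying-party check. presenter_cert_der is the certificate the client proved
    possession of on the TLS session that delivered the assertion (None if no client
    certificate was presented). Returns the confirmation method that succeeded."""
    root = ET.fromstring(assertion_xml)
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    method = sc.get("Method")
    if method == BEARER:
        # Nothing ties the assertion to the presenter: a stolen bearer assertion is
        # as good as the original. This is why bearer SSO cannot give the RP direct
        # authentication of the user.
        return "bearer"
    if method == HOLDER_OF_KEY:
        bound = [base64.b64decode(c.text) for c in sc.findall(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
        if not bound:
            raise ValueError("holder-of-key confirmation without KeyInfo")
        if presenter_cert_der is None or presenter_cert_der not in bound:
            raise PermissionError("presenter key %s does not match assertion KeyInfo" % (
                fingerprint(presenter_cert_der) if presenter_cert_der else "none"))
        return "holder-of-key"
    raise ValueError("unsupported confirmation method " + str(method))


if __name__ == "__main__":
    bearer = make_assertion(BEARER)
    hok = make_assertion(HOLDER_OF_KEY, OFFICER_CERT)
    print(confirm_subject(bearer, ATTACKER_CERT))   # bearer: a replayed assertion is accepted
    print(confirm_subject(hok, OFFICER_CERT))       # holder-of-key
    try:
        confirm_subject(hok, ATTACKER_CERT)         # replay under a different key is refused
    except PermissionError as e:
        print("rejected:", e)
```

The comparison is against the certificate the TLS layer actually authenticated, never against anything the client sends in the SAML message itself; if the RP cannot obtain the peer certificate from its TLS stack, it cannot implement HoK and should fall back to refusing the assertion rather than accepting it as bearer.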