PAPI-PERMIS Integration Project Proposal David Chadwick


Background

PAPI is a Web based protocol for carrying authentication and authorisation credentials between different sites. It is being used and/or piloted at several sites including the library services of the Spanish National Research Council (CSIC), the University of Seville, the University of Edinburgh, the University of London Library and the JT-II Nuclear Fusion Facility. PAPI is written in PERL.

PERMIS is a policy based authorisation infrastructure that uses X.509 attribute certificates as the privileges given to users. Built under the EC PERMIS project, it has been validated in pilots in the US and Europe. PERMIS is now distributed as part of the US NSA Middleware Initiative (NMI) release 3. PERMIS is written in Java.

Existing PAPI Infrastructure (diagram; labels only): User, Authentication Server, Keys, Hcook/Lcook, GPoA, PoA, 302 + Hcook, data

Existing PERMIS Infrastructure (diagram; labels only): Initiator submits Access Request to the AEF; the AEF presents the Access Request and a Decision Request to the ADF, which returns the Decision; AEF uses the Authentication Service and PKI; the ADF (PERMIS PMI API / PERMIS API Implementation) retrieves Policy and Role ACs from LDAP Directories (pull) or receives Role ACs from the initiator (push); Target

Integration of PAPI and PERMIS

– PAPI will carry authorisation URLs from the user’s home site to PERMIS at the target site
– PAPI and PERMIS will be given a SAML interface conformant to the spec currently being defined by GGF
– PERMIS will retrieve X.509 ACs from the user’s home site
– PERMIS will be used to protect privacy at the user’s home site according to an Attribute Release Policy, so that only the necessary ACs are released to the target site
– A multi-lingual user friendly interface will be built for administrators to set the access control policies for their sites

PAPI-PERMIS Integration (diagram; labels only): User, Authentication Server, Keys plus URL of home LDAP, Hcook/Lcook, GPoA, PoA, 302 + Hcook, short-lived URL cookie; at the target site: PERMIS Gateway, SAML Interface, PERMIS API Implementation, ADF, PKI, Access Control Policy, Target’s LDAP Directory, URL from cookie + access request, Granted/denied; at the home site: Home LDAP Directory, Attribute Release Policy, Retrieve User’s ACs
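The flow on the integration slide (a short-lived home-LDAP URL carried in the PAPI cookie, the user's ACs pulled from the home site under its Attribute Release Policy, and the decision taken by the ADF at the target) as an added, simplified Python model; this is illustrative code written for this page, not PAPI's or PERMIS's own implementation, and every DN, URL, policy and AC in it is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Simplified model of the proposed flow; every DN, URL, policy and AC below is constructed.
@dataclass(frozen=True)
class RoleAC:              # stands in for an X.509 role attribute certificate
    holder: str
    issuer: str            # the SOA that issued (signed) the AC
    role: str
    not_after: datetime

FAR, PAST = datetime(2030, 1, 1, tzinfo=timezone.utc), datetime(2001, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)      # constructed "current time"
# Home site's LDAP directory, reachable through the URL carried in the PAPI cookie
HOME_DIRECTORIES = {"ldap://home.example/ou=acs": {
    "cn=alice,o=home": [RoleAC("cn=alice,o=home", "cn=SOA,o=home", "student", FAR),
                        RoleAC("cn=alice,o=home", "cn=SOA,o=home", "staff", FAR),
                        RoleAC("cn=alice,o=home", "cn=SOA,o=home", "admin", PAST)]}}
# Attribute Release Policy at the home site: which roles each target may receive
RELEASE_POLICY = {"library.target": {"student"}, "portal.target": {"student", "staff"}}
# Access control policy at the target: trusted SOAs and role -> permitted actions
TARGET_POLICY = {"trusted_soas": {"cn=SOA,o=home"},
                 "role_permissions": {"student": {"read"}, "staff": {"read", "write"}}}
# What the PAPI cookie carries once GPoA has added the short-lived home-LDAP URL
SAMPLE_COOKIE = {"user": "cn=alice,o=home", "home_ldap": "ldap://home.example/ou=acs",
                 "url_expires": datetime(2024, 6, 1, 0, 5, tzinfo=timezone.utc)}
STALE_COOKIE = dict(SAMPLE_COOKIE, url_expires=PAST)

def release_acs(home_url, user_dn, target):
    """Home site: hand out only the ACs the release policy allows for this target."""
    allowed = RELEASE_POLICY.get(target, set())
    acs = HOME_DIRECTORIES.get(home_url, {}).get(user_dn, [])
    return [ac for ac in acs if ac.role in allowed]

def adf_decide(user_dn, acs, action, now):
    """Target ADF: only unexpired ACs for this holder from a trusted SOA grant anything."""
    for ac in acs:
        if ac.holder != user_dn or ac.issuer not in TARGET_POLICY["trusted_soas"]:
            continue
        if ac.not_after <= now:
            continue
        if action in TARGET_POLICY["role_permissions"].get(ac.role, set()):
            return True
    return False

def gateway(cookie, target, action, now=NOW):
    """PERMIS gateway at the target: reject a stale cookie, otherwise pull the user's
    ACs from the home LDAP URL it names and ask the ADF for a decision."""
    if cookie["url_expires"] <= now:
        return False
    acs = release_acs(cookie["home_ldap"], cookie["user"], target)
    return adf_decide(cookie["user"], acs, action, now)
```

The library target never sees the staff AC, so a write there is denied even though the same user can write at the portal target; a cookie whose URL has expired is refused before any AC is fetched.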

Partners

RedIRIS will
– add the SAML interface to PAPI,
– modify the authentication server to add the local LDAP URI to it,
– modify GPoA to add short lived URIs to the cookies

University of Malaga will
– build a multilingual user friendly interface for setting access control policies at target sites
– build attribute release policy modules to plug into the Privilege Allocator

University of Salford will
– add the SAML interface to PERMIS and to its Privilege Allocator, and
– modify PERMIS to accept a URI from where to fetch ACs
– integrate University of Malaga’s modules into PERMIS

Costs

Total Cost of €148,544, provided by:
– Red IRIS €43,500
– University of Salford €24,644
– University of Malaga €24,000
– TERENA and NRENs €56,400

This means we are looking for 4 or 5 NRENs to pay approx €10,000 each plus a contribution from TERENA