INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.
Presentation transcript:

Slide 1: AuthZ Interop: A common XACML Profile and its current implementation (Oscar Koeroo)

Slide 2: Subject attributes

Slide 3: Overview of Subject attributes (0)
- Subject-id: type string; example: /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo
- Subject-issuer: type string; example: /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth
- Subject-serial-number: type integer; example: 42

Slide 4: Overview of Subject attributes (1)
- Subject-vo: type string; example: gin.ggf.org
- Voms-signing-subject: type string; example: /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl
- Voms-signing-issuer: type integer; example: /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth
- Voms-dns-port: type string; example: kuiken.nikhef.nl:15050

Slide 5: Overview of Subject attributes (2)
- Voms-fqan: type string; example: /gin.ggf.org/APAC/Role=VO-Admin
- Voms-primary-fqan: type integer; example: /gin.ggf.org/APAC/Role=VO-Admin

Slide 6: Overview of Subject attributes (3)
- CA-serial-number: type integer; example: 1
- Cert-policy-oid: type string; example:

Slide 7: Overview of Subject attributes (4)
- Cert-chain (experimental): type string; example: MIICbjCCAVagAwIBAgICBNgwDQYJKoZIhvcNAQEEBQAwTDES MBAGA1UEChMJZHV0Y2hncmlkMQ4wDAYDVQQKEwV1c2Vycz EPMA0GA1UEChMGbmlraG…(base64)
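The attribute set on slides 3 to 7 is what a PEP hands to the PDP, and a PEP that checks the set for internal consistency before sending it catches malformed or contradictory input early. The following C program is an added example, not code from the slides or from the gLite/OSG implementation; it uses the slide's attribute names, treats every DN, FQAN and host:port value as a string (an assumption; the slides type two of them as integer), and checks that integer-typed values parse, that DNs and FQANs start with "/", that Voms-dns-port is host:port, that Voms-primary-fqan is one of the listed Voms-fqan values, and that the VO component of the primary FQAN matches Subject-vo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { ATTR_STRING, ATTR_INTEGER } attr_type_t;

typedef struct {
    const char *name;   /* attribute name as written on the slides */
    attr_type_t type;   /* type used for the check (DNs/FQANs/host:port as strings: assumption) */
    const char *value;  /* wire value, always carried as text */
} subject_attr_t;

/* Constructed sample: the example values from slides 3-7, plus one extra
 * Voms-fqan because that attribute may recur. */
static const subject_attr_t sample_subject[] = {
    { "Subject-id",            ATTR_STRING,  "/O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo" },
    { "Subject-issuer",        ATTR_STRING,  "/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth" },
    { "Subject-serial-number", ATTR_INTEGER, "42" },
    { "Subject-vo",            ATTR_STRING,  "gin.ggf.org" },
    { "Voms-signing-subject",  ATTR_STRING,  "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" },
    { "Voms-signing-issuer",   ATTR_STRING,  "/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth" },
    { "Voms-dns-port",         ATTR_STRING,  "kuiken.nikhef.nl:15050" },
    { "Voms-fqan",             ATTR_STRING,  "/gin.ggf.org/APAC/Role=VO-Admin" },
    { "Voms-fqan",             ATTR_STRING,  "/gin.ggf.org/APAC" },            /* constructed */
    { "Voms-primary-fqan",     ATTR_STRING,  "/gin.ggf.org/APAC/Role=VO-Admin" },
    { "CA-serial-number",      ATTR_INTEGER, "1" },
};

/* Constructed counter-example: the serial is not an integer and the primary
 * FQAN is not among the listed Voms-fqan values (two problems). */
static const subject_attr_t bad_subject[] = {
    { "Subject-id",            ATTR_STRING,  "/O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo" },
    { "Subject-serial-number", ATTR_INTEGER, "forty-two" },
    { "Subject-vo",            ATTR_STRING,  "gin.ggf.org" },
    { "Voms-fqan",             ATTR_STRING,  "/gin.ggf.org/APAC" },
    { "Voms-primary-fqan",     ATTR_STRING,  "/gin.ggf.org/APAC/Role=VO-Admin" },
};

static int is_integer(const char *s)
{
    if (*s == '-') s++;
    if (*s == '\0') return 0;
    for (; *s; s++) if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* host:port with a non-empty host and a port in 1..65535 */
static int is_host_port(const char *s)
{
    const char *colon = strrchr(s, ':');
    long port;
    if (colon == NULL || colon == s || !is_integer(colon + 1)) return 0;
    port = strtol(colon + 1, NULL, 10);
    return port >= 1 && port <= 65535;
}

static int is_dn_attr(const char *name)
{
    return !strcmp(name, "Subject-id") || !strcmp(name, "Subject-issuer") ||
           !strcmp(name, "Voms-signing-subject") || !strcmp(name, "Voms-signing-issuer");
}

/* Returns the number of problems found; 0 means the set is self-consistent. */
int check_subject_attrs(const subject_attr_t *a, size_t n)
{
    int problems = 0;
    const char *primary = NULL, *vo = NULL;
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i].type == ATTR_INTEGER && !is_integer(a[i].value)) problems++;
        if ((is_dn_attr(a[i].name) || !strcmp(a[i].name, "Voms-fqan")) && a[i].value[0] != '/') problems++;
        if (!strcmp(a[i].name, "Voms-dns-port") && !is_host_port(a[i].value)) problems++;
        if (!strcmp(a[i].name, "Voms-primary-fqan")) primary = a[i].value;
        if (!strcmp(a[i].name, "Subject-vo")) vo = a[i].value;
    }
    if (primary) {
        int listed = 0;
        for (i = 0; i < n; i++)
            if (!strcmp(a[i].name, "Voms-fqan") && !strcmp(a[i].value, primary)) listed = 1;
        if (!listed) problems++;              /* primary FQAN must be one of the FQANs */
        /* the first FQAN component names the VO and must match Subject-vo */
        if (vo && (primary[0] != '/' || strncmp(primary + 1, vo, strlen(vo)) != 0 ||
                   (primary[1 + strlen(vo)] != '/' && primary[1 + strlen(vo)] != '\0')))
            problems++;
    }
    return problems;
}

int check_sample_subject(void)
{ return check_subject_attrs(sample_subject, sizeof sample_subject / sizeof sample_subject[0]); }

int check_bad_subject(void)
{ return check_subject_attrs(bad_subject, sizeof bad_subject / sizeof bad_subject[0]); }

int main(void)
{
    printf("sample: %d problem(s), counter-example: %d problem(s)\n",
           check_sample_subject(), check_bad_subject());
    return 0;
}
```

The checks are deliberately structural: whether a given FQAN is actually held by the subject is the VOMS signature's job, but a request whose primary FQAN is absent from its own FQAN list, or whose VO does not match, is inconsistent regardless of signature and should be rejected before a policy is evaluated on it.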

Slide 8: Obligations

Slide 9: Obligations (0)
UIDGID
- UID (integer): Unix User ID local to the PEP
- GID (integer): Unix Group ID local to the PEP
- Stakeholder: Common
- Must be consistent with: Username
Username
- Username (string): Unix username or account name local to the PEP.
- Stakeholder: VO Services Project
- Must be consistent with: UIDGID
SecondaryGIDs
- Complex type solution: ListOfGIDs (list of integer): list of secondary Unix Group IDs (GIDs) local to the PEP. Each GID is of type integer.
- Multi recurrence solution: GID (integer): Unix Group ID local to the PEP, repeated once per secondary group.
- Stakeholder: EGEE
- Needs obligation(s): UIDGID

Slide 10: Obligations (1)
AFSToken
- AFSToken (string, base64): AFS token passed as a string
- Stakeholder: EGEE
- Needs obligation(s): UIDGID

Slide 11: Obligations (2)
RootAndHomePaths
- RootPath (string): this parameter defines a sub-tree of the whole file system available at the PEP. The PEP should mount this sub-tree as the "root" mount point ('/') of the execution environment. This is an absolute path.
- HomePath (string): this parameter defines the path to the home area of the user accessing the PEP. This is a path relative to RootPath.
- Stakeholder: VO Services Project
- Needs obligation(s): UIDGID or Username
StorageAccessPriority
- Priority (integer): an integer number that defines the priority to access storage resources.
- Stakeholder: VO Services Project
- Needs obligation(s): UIDGID or Username
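Slides 9 to 11 give each obligation a set of prerequisites ("needs obligation(s)") and a consistency rule between UIDGID and Username, and slide 13 mentions creation, add and free of an obligation structure in the C implementation. The program below is an added example written for this page, not the project's code: it implements a minimal obligation list with create/add/free, then a PEP-side check that refuses an obligation set which cannot be honoured. The obligation and attribute names are the slide names; the local account table standing in for the PEP's passwd lookup, the chroot and home paths and the UID/GID values are all constructed for the example. The multi-recurrence form of SecondaryGIDs (GID repeated) is used, since the attribute list supports repeated names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One name=value pair inside an obligation; names may recur (e.g. several GID). */
typedef struct attr { char *name; char *value; struct attr *next; } attr_t;
/* One obligation, identified by the slide's obligation name, in a singly linked list. */
typedef struct obligation { char *id; attr_t *attrs; struct obligation *next; } obligation_t;

static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

obligation_t *obligation_create(const char *id)
{
    obligation_t *o = calloc(1, sizeof *o);
    if (o) o->id = dupstr(id);
    return o;
}

void obligation_add_attr(obligation_t *o, const char *name, const char *value)
{
    attr_t *a = calloc(1, sizeof *a);
    if (!a) return;
    a->name = dupstr(name);
    a->value = dupstr(value);
    a->next = o->attrs;          /* order is irrelevant to the checks below */
    o->attrs = a;
}

void obligation_list_add(obligation_t **head, obligation_t *o) { o->next = *head; *head = o; }

void obligation_list_free(obligation_t *head)
{
    while (head) {
        obligation_t *next = head->next;
        while (head->attrs) {
            attr_t *an = head->attrs->next;
            free(head->attrs->name); free(head->attrs->value); free(head->attrs);
            head->attrs = an;
        }
        free(head->id); free(head);
        head = next;
    }
}

static const obligation_t *find_obl(const obligation_t *l, const char *id)
{
    for (; l; l = l->next) if (!strcmp(l->id, id)) return l;
    return NULL;
}

static const char *attr_value(const obligation_t *o, const char *name)
{
    const attr_t *a;
    for (a = o->attrs; a; a = a->next) if (!strcmp(a->name, name)) return a->value;
    return NULL;
}

/* Constructed stand-in for the PEP's local account database (getpwnam/getpwuid). */
static const struct { long uid; const char *name; } local_accounts[] = { { 40001, "gin001" }, { 40002, "gin002" } };

/* Returns the number of violated rules; 0 means the PEP can honour the set. */
int check_obligations(const obligation_t *l)
{
    int bad = 0;
    const obligation_t *uidgid = find_obl(l, "UIDGID");
    const obligation_t *user   = find_obl(l, "Username");
    const obligation_t *paths  = find_obl(l, "RootAndHomePaths");
    int have_account = (uidgid != NULL) || (user != NULL);

    if (find_obl(l, "SecondaryGIDs") && !uidgid) bad++;               /* needs UIDGID */
    if (find_obl(l, "AFSToken") && !uidgid) bad++;                    /* needs UIDGID */
    if (find_obl(l, "StorageAccessPriority") && !have_account) bad++; /* needs UIDGID or Username */
    if (paths) {
        const char *root = attr_value(paths, "RootPath"), *home = attr_value(paths, "HomePath");
        if (!have_account) bad++;                                     /* needs UIDGID or Username */
        if (!root || root[0] != '/') bad++;                           /* RootPath is absolute */
        if (!home || home[0] == '/') bad++;                           /* HomePath is relative to RootPath */
    }
    if (uidgid && user) {                                             /* UIDGID and Username must agree */
        const char *u = attr_value(uidgid, "UID"), *n = attr_value(user, "Username");
        int match = 0;
        size_t i;
        if (u && n)
            for (i = 0; i < sizeof local_accounts / sizeof local_accounts[0]; i++)
                if (local_accounts[i].uid == strtol(u, NULL, 10) && !strcmp(local_accounts[i].name, n)) match = 1;
        if (!match) bad++;
    }
    return bad;
}

/* Builds a constructed obligation set as a PDP might return it (with_uidgid selects
 * whether the UIDGID obligation is included), checks it and frees it. */
int check_sample_set(int with_uidgid)
{
    obligation_t *l = NULL, *o;
    int bad;
    if (with_uidgid) {
        o = obligation_create("UIDGID");
        obligation_add_attr(o, "UID", "40001"); obligation_add_attr(o, "GID", "40000");
        obligation_list_add(&l, o);
    }
    o = obligation_create("Username"); obligation_add_attr(o, "Username", "gin001"); obligation_list_add(&l, o);
    o = obligation_create("SecondaryGIDs");                /* multi-recurrence form: GID repeated */
    obligation_add_attr(o, "GID", "40010"); obligation_add_attr(o, "GID", "40011"); obligation_list_add(&l, o);
    o = obligation_create("RootAndHomePaths");
    obligation_add_attr(o, "RootPath", "/opt/chroot/gin"); obligation_add_attr(o, "HomePath", "home/gin001");
    obligation_list_add(&l, o);
    bad = check_obligations(l);
    obligation_list_free(l);
    return bad;
}

int main(void)
{
    printf("with UIDGID: %d violation(s); without UIDGID: %d violation(s)\n", check_sample_set(1), check_sample_set(0));
    return 0;
}
```

With the UIDGID obligation present the set passes; dropping it leaves SecondaryGIDs without its prerequisite while RootAndHomePaths is still satisfied by Username, so exactly one rule is violated. A PEP should treat any non-zero count as a failure to fulfil the obligations, which in XACML semantics means the decision cannot be enforced.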

Slide 12: The implementation

Slide 13: It works!
Code snippets forwarded to Joe:
- Creation/add/free of an Obligation structure

Slide 14: Still open for discussion on the C implementation
- Request sent out to be able to handle the SSL/TLS plumbing ourselves (Joe is investigating)
- Propagation of the understood Obligations from the PEP to the PDP, and interacting with that content

Slide 15: Stuff we don't have time for
The relationship between:
1. the SSL client peer identity
2. SAML assertion Sender / Receiver
3. SAML-XACML Requester / Responder
4. XACML attributes (not for this discussion)
Multiple XACML namespaces for the attributes and identifiers in all sections:
- We may use the registered OID of Nikhef JRA3 Security: urn:OID: :

Slide 16: ?