Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks OpenSAML extension library and API to support.

Published byClara Hunter Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks OpenSAML extension library and API to support."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks OpenSAML extension library and API to support SAML2.0 profile of XAMCL protocol, for interoperable authorization infrastructure in distributed Grid application Håkon Sagehaug, University of Bergen Yuri Demchenko, University of Amsterdam Valerio Venture, CNAF, INFN Alberto Forti, CNAF, INFN EGEE User Forum 11-14 February 2008, Clermont-Ferrand, France

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Outline Overview of XML standards involved Introduction of the SAML 2.0 profile of XACML The provided extension and API Authorization Use of the library Handling of XACML obligations Testing Status and work further

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 Overview of SAML Security Assertion Markup Language(SAML) is a XML specification, defining syntax and processing semantics about security assertions Security assertion here means a package of information that supplies zero or more assertion statements made by a SAML Authority In SAML there is defined three different assertion statements –Authentication, information about when, who and by what the subject was authenticated –Attributes, the asserted subject is associated with these attributes –Authorization Decision, the action of granting access or not to a asserted subject

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 Overview of XACML eXtensible Access Control Markup Language(XACML) is a specification in XML for writing access control policies in XML and how to interpret them In XACML one operates with a context and two of the main elements in the context is –Request, which is a message for asking for a authorization decision –Response, containing the authorization decision

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand SAML 2.0 profile of XACML The SAML2.0 profile of XACML is combining SAML2.0 and XACML Now able to use SAML for sending queries and statements about authorization decisions and policies Introduces some new elements –XACMLAuthorizationDecisionQuery  Made for containing a AuthZ decision query from a PEP to the PDP –XACMLAuthorizationDecisionStatement  The result of the AuthZ decision from PDP to PEP –XACMLPolicyQuery  Used for requesting a XACML Policy or PolicySet –XACMLPolicyStatement  Contains the returned policy or set *Query is sending a request *Statement is the response

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand The provided extension and API Implements the SAML2.0 profile of XACML in Java It is build as an extension to the OpenSAML code Has the same features as OpenSAML in respect to be able to work with the XML elements as Java- object,each element has –*Builder –*Impl –*Marshaller –*Unmarshaller If familiar with OpenSAML, the extension is easy to use If not, there is a programming guide on the projects web page (address on the last slide)

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Authorization in Grid Authorization is the act of giving users access to resources Authorization decision is based upon policies Two possible places for these policies to be located –Locally –Centrally, through Site Central Authorization Service(SCAS), where every service is contacting a central authorization service Often we have two major components in a authorization infrastructure –Policy Enforcement Point(PEP) on the resource side for protecting the resource, where the authorization is initiated and later enforced –Policy Decision Point(PDP), where the authorization decision is made. If these two components are distributed from each other they need to communicate

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Use of the extension and API For communication between different authorization components(e.g. PEP and PDP/SCAS ) Since it’s an XML specification the data that goes on the wire is just XML That gives the possibility of having different implementation of the profile at the different functional elements. The library and API provides helper classes for creating and validating SAML-XACML messages. Implemented as pluggable module so it can be used in different Java based AuthZ frameworks –gLite Java Authorization Framework –Globus Toolkit AuthZ –G-PBox

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Use of the extension and API Globus is providing the C implementation of this profile, then Local Credential Authorization Service(LCAS)/Local Credential Mapping Service(LCMAPS) also can be used as SCAS and be called out to Decisions from here can be conveyed to be used from gLexec at the Worker Node(WN) and enforced there

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 Handling of Obligation Another issue that can be handled elegant with this extension is handling of obligations from PDP. Obligations is defined as actions that should be preformed by the PEP in conjunction with the enforcement of an authorization decision(XACML Spec). Such obligations can be mapping of users to pool account at WN

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 SAML XACML data flow SAML-XACML CVS (extern) Obligation Handler Context Handler PEP PDP PAP State DB AuthZ Gateway SAML-XACML PIP Resource ServReq(Srv,An,Az) Resource ObligHdlr AzResp(Dcsn,Oblig2) AzReq(Srv,Subj,Act)) XACMLAzReq WSDL AuthZ PT SAMLXACMLReq XACMLAzResp SAMLXACMLResp XACMLAzReq XACMLAzResp XACMLPolicy 10 1 2 3 4 5 6 7 8 9 11 12 13 14 15 16 17 18 19 20 Resource Site Site Central AuthZ Service ServReq(Srv,Oblig2) Rsr Environm, state

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Testing sequence G-PBox is one of the suggested SCAS implementation It contains different policies and also a XACML Policy Decision Point Using gJAF as policy enforcement point and G-PBox as Policy decision point Used the web service interface for G-PBox for communication gJAF G-PBox Open- SAML ext XFire- stubs XACMLDecisionQuery XACMLDecisionStatment

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Stages is the testing The user wants to be authorized for using some resource gJAF extracts the needed information from the voms- proxy certificate Creates a XACMLAuthzDecisionQuery and sends it to G- PBox by using the web service interface G-PBox evaluates the query against some XACML policy, using the sunxacml PDP G-PBox creates a XACMLDecisionSatement wrappers it inside a SAMLResponse and sends it back to gJAF Back at gJAF the response from G-PBox is handled and we get out the account which the user is supposed to be mapped to

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE User Forum, 11-14 February 2008, Clermont-Ferrand Other benefits Easy integration of EGEE/Grid Authz infrastructure with Shibboleth and SAML based universities. If Grid AuthZ infrastructure and Shibboleth/SAML based universities is combined, that means that users can use their general purpose credentials, from their home organization, for accessing Grid services and applications This will ease the use of the Grid

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 Status and further work The code has been committed to the Internet 2 OpenSAML 2.0 project Further work of AuthZ interoperability consists of defining –attributes for common XACML-compatible policies –obligation handling API Links –Home page of the project: http://www.bccs.uib.no/~hakont/SAMLXACMLExtension/ http://www.bccs.uib.no/~hakont/SAMLXACMLExtension/

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks OpenSAML extension library and API to support."

Similar presentations

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.

SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org EGEE and gLite are registered trademarks Security and Job Management.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.

Similar presentations

Ads by Google