
HMA-S Project User Management for EO Services OGC 07-118r9


1 HMA-S Project User Management for EO Services OGC 07-118r9
P. Jacques, Spacebel s.a. Y. Coene, Spacebel s.a. T.H. Nguyen, Spacebel s.a. November 6, 2013

2 Outline
- Issues with OGC 07-118r9
- Proposed solutions
(slide footer: HMA-S EO UM Issues)

3 Issues
Related to the delegation authentication use cases:
- (2) Delegate STS as IdP
- (4) Delegate STS with External IdP
Issue with (4):
- The delegated STS has to know the public key of all the Clients in the delegating STS domain.
- The Clients' public keys are needed by the delegated STS to verify the RST signature.

4 STS Multiplicity
Diagram: two security domains, each with a Web-SSO IdP, a Client, an STS (sts-1 in the first domain, sts-2 in the second), PEPs and Services. Each STS delegates SAML token generation for the target PEP to another STS (DelegateTo sts-x).

5 STS Multiplicity - DAIL
Diagram: same layout as slide 4 (Web-SSO IdP, Client, STS sts-1 / sts-2, PEPs, Services, DelegateTo sts-x for SAML token generation for the target PEP), with the DAIL in front of the Services in the second domain.

6 Issues - Delegate STS with External IdP
Sequence diagram. Actors: Client; External Identity Provider (IdP) in the external security domain, with its Role Authentication service and User Registry component; the delegating STS; the delegated (external) STS.
1. Client authenticates with the external IdP.
2. IdP verifies the identity against the User Registry component (out of scope).
3. Authentication response.
4. Client prepares the RST and signs it with the Client's private key.
5. RST with signature sent to the STS (HTTPS).
6. HTTPS redirect of the RST to the known external STS.
7. External STS verifies the signature with the Client's public key.
8. Create SAML token.
9. RSTR (SAML token in clear) over HTTPS.
10. Sign the SAML token using the STS private key.
11. Encrypt the SAML token with the Relying Party's public key.
12. RSTR over HTTPS.

7 Solution/Alternative - Issue with (4)
Sequence diagram, same actors as slide 6; steps 5b, 6 and 7 change:
1. Client authenticates with the external IdP.
2. IdP verifies the identity against the User Registry component (out of scope).
3. Authentication response.
4. Client prepares the RST and signs it with the Client's private key.
5. RST with signature sent to the STS (HTTPS).
5b. STS verifies the signature with the Client's public key and signs the RST with the STS's private key.
6. HTTPS redirect of the RST to the known external STS.
7. External STS verifies the signature with the STS's public key.
8. Create SAML token.
9. RSTR (SAML token in clear) over HTTPS.
10. Sign the SAML token using the STS private key.
11. Encrypt the SAML token with the Relying Party's public key.
12. RSTR over HTTPS.

8 STS Multiplicity - DAIL - Current
Diagram (current key distribution): ClientA (Web-SSO IdP, sts-1 domain) holds the ClientA private key, ClientB (Web-SSO IdP, sts-2 domain) holds the ClientB private key, and both STS (sts-1) and STS (sts-2) hold the ClientA public key and the ClientB public key. Each STS delegates SAML token generation for the target PEP (DelegateTo sts-x); Services, PEPs and the DAIL as on slide 5.

9 STS Multiplicity - DAIL - Alternative
Diagram (alternative key distribution): each STS holds its own STS private key and the STS public key of the peer STS; the Client public keys (ClientA public key, ClientB public key) are held only by the STS of the Client's own domain, and each Client keeps its private key. Delegation of SAML token generation for the target PEP (DelegateTo sts-x), Services, PEPs and the DAIL as on slide 5.

10 Conclusion
Advantage of the "alternative":
- Clients can be added without impacting the G/S (ground segment): no additional key exchange is required.
- E.g. HMA-SE: NASA (or CEOS) would access FedEO (ordering), and VITO, DLR and EUMETSAT would not have to make changes.
Feedback from HMA-AWG would be appreciated.
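The two delegation flows of slides 6 and 7, and the key distributions of slides 8 and 9, reduce to one question: which public key does the delegated STS need in order to verify the RST signature at step 7? The following Go program is an added example written for this page; it is not HMA-S or OGC 07-118 code. It replaces WS-Trust XML and XML-Signature with a small struct signed with Ed25519, and the names sts-1, sts-2, ClientA, ClientB, Mallory and pep-2 are constructed for the demonstration. `DelegateCurrent` forwards the client-signed RST unchanged (slide 6), `DelegateAlternative` performs step 5b and re-signs with the delegating STS key (slide 7), and `Scenario` runs both against a delegated STS that knows only the delegating STS's public key, including a client added later, an unknown client and a tampered RST.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RST stands in for a WS-Trust RequestSecurityToken: requesting client, target
// PEP and a signature over both. Real OGC 07-118 RSTs are XML with an
// XML-Signature; this struct is an assumption of the example, not the HMA-S format.
type RST struct {
	ClientID string // subject the SAML token will be issued for
	Target   string // target PEP (relying party) the token is meant for
	Signer   string // who produced Sig: the client, or the delegating STS after step 5b
	Sig      []byte
}

func (r RST) payload() []byte { return []byte(r.ClientID + "|" + r.Target) }

// Principal is any key holder: a client or an STS.
type Principal struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPrincipal(name string) *Principal {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Principal{Name: name, priv: priv, Pub: pub}
}

func (p *Principal) sign(r RST) RST {
	r.Signer = p.Name
	r.Sig = ed25519.Sign(p.priv, r.payload())
	return r
}

// NewRST is step 4: the client prepares the RST and signs it with its private key.
func (p *Principal) NewRST(target string) RST {
	return p.sign(RST{ClientID: p.Name, Target: target})
}

// STS holds its own key pair plus the registry of public keys it verifies against.
type STS struct {
	*Principal
	Trusted map[string]ed25519.PublicKey
}

func NewSTS(name string) *STS {
	return &STS{Principal: NewPrincipal(name), Trusted: map[string]ed25519.PublicKey{}}
}

func (s *STS) Trust(p *Principal) { s.Trusted[p.Name] = p.Pub }

// Verify fails closed: a signer with no registered key is rejected, which is
// what happens to every new client of another domain under the current model.
func (s *STS) Verify(r RST) error {
	pub, ok := s.Trusted[r.Signer]
	if !ok {
		return fmt.Errorf("%s: no public key registered for signer %q", s.Name, r.Signer)
	}
	if !ed25519.Verify(pub, r.payload(), r.Sig) {
		return fmt.Errorf("%s: signature by %q does not verify", s.Name, r.Signer)
	}
	return nil
}

// DelegateCurrent (slide 6): the client-signed RST is redirected unchanged at
// step 6, so the delegated STS must hold the client's public key for step 7.
func DelegateCurrent(delegating, delegated *STS, r RST) error {
	return delegated.Verify(r)
}

// DelegateAlternative (slide 7): step 5b verifies the client's signature at the
// delegating STS and re-signs the RST with the STS private key, so step 7 at
// the delegated STS only needs the delegating STS's public key.
func DelegateAlternative(delegating, delegated *STS, r RST) error {
	if err := delegating.Verify(r); err != nil {
		return err
	}
	return delegated.Verify(delegating.sign(r))
}

// Outcome holds one error per case (nil means the RST was accepted).
type Outcome struct {
	Current, Alternative, AddedClient, UnknownClient, Tampered error
}

// Scenario mirrors slides 8 and 9: sts-1 (delegating) registers its own clients,
// sts-2 (delegated) registers only sts-1. All names are constructed.
func Scenario() Outcome {
	sts1, sts2 := NewSTS("sts-1"), NewSTS("sts-2")
	clientA := NewPrincipal("ClientA")
	sts1.Trust(clientA)
	sts2.Trust(sts1.Principal)

	rst := clientA.NewRST("pep-2")
	var o Outcome
	o.Current = DelegateCurrent(sts1, sts2, rst) // sts-2 has no ClientA key
	o.Alternative = DelegateAlternative(sts1, sts2, rst)

	clientB := NewPrincipal("ClientB") // added later: sts-1 only, sts-2 untouched
	sts1.Trust(clientB)
	o.AddedClient = DelegateAlternative(sts1, sts2, clientB.NewRST("pep-2"))

	o.UnknownClient = DelegateAlternative(sts1, sts2, NewPrincipal("Mallory").NewRST("pep-2"))

	bad := rst // target altered after signing: rejected at step 5b
	bad.Target = "pep-2-admin"
	o.Tampered = DelegateAlternative(sts1, sts2, bad)
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it shows the current model rejecting ClientA at sts-2 (no key registered there) while the alternative accepts ClientA and the later-added ClientB with nothing changed at sts-2, which is the "no additional key exchange" advantage of slide 10. The price is that sts-2 now trusts sts-1 to have performed step 5b honestly: a compromised delegating STS can sign an RST for any subject, and the client's own signature is no longer visible to the delegated STS, so deployments that need end-to-end non-repudiation would have to carry the original client signature alongside the STS signature rather than replace it.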

