Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guidelines for attribute translation to X.509

Published byTerence Leonard Modified over 7 years ago

Similar presentations

Presentation on theme: "Guidelines for attribute translation to X.509"— Presentation transcript:

1 Guidelines for attribute translation to X.509
Peter Solagna EGI Foundation AARC 4th General meeting 29 November 2016

2 Available material AARC Non-AARC
MJRA1.3: Design for the integration of an Attribute Management Tool DJRA1.4A: Recommendation expression group membership DJRA1.4C: Guidelines on token translation services Non-AARC OGF: Interoperable certificate profile

3 Keep separated authorization and authentication information
SAML Identity provider X.509 Certification authority SAML Group Management service X.509 Group Management service

4 Attributes in the EEC as foreseen in the OGF/IGTF policies
DC: Domain C: Country L: Locality O: Organization CN: Common name Real life example: /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth /O=dutchgrid/O=users/O=egi/CN=Peter Solagna

5 How RC Auth translates information from SAML IDPs to X.509
Unique within the namespace SAML displayName: Peter Solagna eduPersonUniqueId: X.509 Issued to: CN=Peter Solagna <shortened&unique epuid>, eduPersonUniqueId Or eduPersonPrincipalName eduPersonTargetedID Requested Suggested

6 How RC Auth translates information from SAML IDPs to X.509 (2)
SAML Options schacHomeOrganisation organisationDisplayName domain name of the IdP entity ID URL X.509 O=egi, O=users, O=dutchgrid Issued by: Certification authority DN

7 Group information, AARC general recommendation
DJRA1.4A Recommendation Centralised harmonisation of group membership information Compatibility with existing group information models Scoping of group membership information Use of eduPersonEntitlement attribute Use of valid URIs either URLs or URNs Best practices in attribute management Attributes technical requirements

8 Example of VO membership as expressed by CheckIn
urn:mace:egi.eu:<authority- <authority-fqdn> is the FQDN of the authoritative source for the entitlement value <vo> is the name of the Virtual Organisation <group> is the name of a group in the identified <vo>; specifying a group is optional zero or more <subgroup> components represent the hierarchy of subgroups in the <group>; specifying sub-groups is optional the <role> component is scoped to the rightmost (sub)group; if no group information is specified, the role applies to the VO

9 X.509 attribute certificate
End Entity proxy certificate CA EEC X.509 Attribute authority Attribute certificate

10 Attribute certificates in EGI
subject : /O=dutchgrid/O=users/O=egi/CN=Peter Solagna/CN=<proxy uid> issuer : /O=dutchgrid/O=users/O=egi/CN=Peter Solagna identity : /O=dutchgrid/O=users/O=egi/CN=Peter Solagna type : RFC3820 compliant impersonation proxy strength : 1024 path : /tmp/x509up_u506 timeleft : 11:59:53 key usage : Digital Signature, Key Encipherment, Data Encipherment === VO dteam extension information === VO : dteam subject : /O=dutchgrid/O=users/O=egi/CN=Peter Solagna issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr attribute : /dteam/Role=NULL/Capability=NULL attribute : /dteam/EGI/Role=NULL/Capability=NULL uri : voms2.hellasgrid.gr:15004 Personal proxy certificate Attribute certificate

11 Attribute certificates in EGI -2-
R3: One attribute certificate per VO VO name: unique within the infrastructure VO : dteam subject : /O=dutchgrid/O=users/O=egi/CN=Peter Solagna issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=vo ms2.hellasgrid.gr attribute : /dteam/Role=NULL/Capability=NULL attribute : /dteam/EGI/Role=NULL/Capability=NULL timeleft : 11:59:53 uri : voms2.hellasgrid.gr:15004 Signed by the X.509 attribute authority Groups, sub groups, membership, and roles within the group R5: Valid URI. Constant for all certificates released through the translation service

12 Possible AARC recommendation for group membership translation to X.509
Group membership information should be translated into an attribute certificate (AC) separate from the EEC. AC should be included in a EE proxy certificate RFC3820 RFC3281 One AC should contain information about a single virtual organization Groups, sub-groups and roles within the group should be expressed in the form: /<vo>/<group>/<sub-group/../Role=<role> Optional? AC should be short-lived: max 24h

13 Pilot for attribute translation from SAML to X.509
Request VO1 proxy VO portal for VO1 Master portal MyProxy Return proxy with VO Add VOMS extensions CheckIn IdP VOMS for VO1 Add user to VO1 Attribute authority VO1 membership

14

Download ppt "Guidelines for attribute translation to X.509"

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.

Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
The UK Access Management Federation John Chapman Project Adviser – Becta.

The UK Access Management Federation John Chapman Project Adviser – Becta.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE 51 11 October 2005 Geoff Huston.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

Similar presentations

Ads by Google