HMA Identity Management Status

1 HMA Identity Management Status
HMA-T Final Presentation, Frascati, 14 December 2009
Y. Coene, SPACEBEL
P. Denis, SPACEBEL

2 Overview
- Updated specification OGC 07-118 version 0.0.5
- Planned specification OGC version 0.0.6
- Single Sign-On scenario (UM-SSO)
- Authentication service open-source
- Next steps

3 Specification OGC 07-118 version 0.0.4, 30/06/2009
- Adding the ATS prepared in HMA-T (Intecs, Terradue)
- Adding authorisation with XACML (HMA-T, Intecs)
- More consistent terminology (independent from DAIL, HMA etc.)
- Fixing errors
- Resolving the issue with the non-standard <Assertion> tag
- User attributes (minimal profile) moved to an annex as an example

4 Specification: issues solved in version 0.0.5
- EUMETSAT and con terra comments: MRE-001 (partly), MRE-002 (partly), MRE-005, MRE-008 (partly), MRE-009, MRE-010, MRE-014, MRE-016, MRE-017
- HMA-T actions A88, A89 (partly), A91, A93
- Cover and first page aligned with the latest version received from OGC (IPR issues)

5 Overview
- Updated specification OGC 07-118 version 0.0.5
- Planned specification OGC version 0.0.6
- Authentication service open-source
- Next steps

6 Scenarios
- To contain the revised HMA Identity Management scenarios
- Additional scenario from UM-SSO

7 Specification: future work, version 0.0.6
- Signature of the service requests by clients; the PEP verifies that the client is trusted (MRE-01, MRE-04)
- Support for multiple federating entities (MRE-02)
- Integration with Shibboleth / UM-SSO; standardisation of the authentication interface through WS-Trust (STS, RST, ...) (MRE-06)
- List of DAIL SAML token attributes to be updated (MRE-08)
- Add WS-Policy example from INTECS (A89)

8 New authentication interface(s)
- Replace "Authenticate" with the STS "RequestSecurityToken" operation and the Username Token Profile, as per WS-Trust
- Security Token Service (STS): accepts a "token" for one domain and returns a token for a second domain
- Operation RequestSecurityToken compliant with OASIS WS-Trust
- Interoperability profile "Username Token Profile" from SWITCH (TBC)

9 STS Advantages
- Standardised "authentication service" interface (OASIS STS)
- Commercial and open-source implementations of STS available
- Profiled by SWITCH and by OIO (Danish eGovernment, 2009; to be analysed)
- STS interface can be used for:
  - ESA UM-SSO users: UM-SSO ID -> SAML token
  - Other users: user name + password -> SAML token
- Evolution path towards SAML 2.0

10 Overview
- Updated specification OGC 07-118 version 0.0.5
- Planned specification OGC version 0.0.6
- Single Sign-On scenario (UM-SSO)
- Authentication service open-source
- Next steps

11 Concept Paper
Purpose: describe the integration of the DAIL Portal and DAIL in the ESA UM Single Sign-On environment (UM-SSO), based on Shibboleth.
- ESA users authenticated by UM-SSO
- Users authenticated by the DAIL IdP
- Users authenticated by the G/S through DAIL
- Users authenticated by the G/S directly (not supported by OGC v0.0.5)

12 UM-SSO security domain
Figure: security domains. UM-SSO security domain: UM-SSO IdP, UM-SSO artifact. DAIL security domain: DAIL, DAIL Portal, SAML token.

13 Use Case 1
Figure: EO-DAIL.

14 Use Case 2
Figure: Ground Segment 1.

15 Use Case 2
Figure: UM-SSO, EO-DAIL, UM-SSO-enabled clients (e.g. EOLI-SA, DAIL Portal).

16 Baseline Solution - STS
Figure: components DAIL, DAIL Portal, Security Gateway, STS, UM-SSO IdP, CP, PEP, Web Services, user registry; exchanges UM-SSO artifact, UM-SSO ID or artifact, SAML token, SOAP request.
Input token to the STS:
- In OGC v0.0.5: user name, password
- In Concept Paper, baseline: UM-SSO-ID
- In Concept Paper, alternative: UM-SSO artifact

17 UM-SSO check & sign-on protocol
Figure: sequence diagram of the baseline solution. Participants: User, Client Browser, UM-SSO IdP, DAIL Portal, DAIL, STS, CP User Registry, WS DAIL Adapter, PEP. UM-SSO / Shibboleth part: UM-SSO check & sign-on protocol; GET request; GET request with assertions in HTTP header. OGC Concept Paper part (steps 1 to 11 in the diagram): retrieve UM-SSO-ID from HTTP header; prepare and sign RequestSecurityToken request; RequestSecurityToken; get user attributes; build up SAML token; sign & encrypt response; SAML token; put SAML token in SOAP header; SOAP request; check signature; authorize request; process request.
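The baseline exchange of slides 16 and 17, modelled as an added Python example (not code from the presentation or from the HMA project): the DAIL Portal takes the UM-SSO-ID from the HTTP header and sends a WS-Trust RequestSecurityToken, the STS resolves the user in a registry and returns a signed SAML 1.1 token, the portal places the token in the wsse:Security SOAP header, and the PEP checks signature and validity period before authorisation. The registry contents, the key and the UM-SSO-ID are constructed; an HMAC stands in for the XML-DSig signature, and the encryption step of the real STS is omitted.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
for p, u in NS.items(): ET.register_namespace(p, u)  # keep the usual prefixes in the output
STS_KEY = b"constructed-demo-key"  # constructed stand-in for the key in the STS keystore
REGISTRY = {"umsso-4711": {"uid": "jdoe", "c": "BE", "o": "SPACEBEL"}}  # constructed stand-in for LDAP
def q(prefix, local):  # tag name in ElementTree's {uri}local form
    return f"{{{NS[prefix]}}}{local}"
def sign(unsigned_xml):  # HMAC stands in for the XML-DSig signature the real STS applies
    return base64.b64encode(hmac.new(STS_KEY, unsigned_xml, hashlib.sha256).digest()).decode()

def portal_build_rst(um_sso_id):  # DAIL Portal: UM-SSO-ID from the HTTP header -> WS-Trust RST
    rst = ET.Element(q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    tok = ET.SubElement(rst, q("wsse", "UsernameToken"))
    ET.SubElement(tok, q("wsse", "Username")).text = um_sso_id
    return ET.tostring(rst)

def sts_issue(rst_xml, minutes=5):  # STS: registry lookup -> SAML 1.1 token -> sign
    uid = ET.fromstring(rst_xml).findtext("wsse:UsernameToken/wsse:Username", namespaces=NS)
    a = ET.Element(q("saml", "Assertion"), MajorVersion="1", MinorVersion="1")
    expiry = datetime.now(timezone.utc) + timedelta(minutes=minutes)
    ET.SubElement(a, q("saml", "Conditions"), NotOnOrAfter=expiry.isoformat())
    st = ET.SubElement(a, q("saml", "AttributeStatement"))
    for name, value in REGISTRY[uid].items():  # unknown UM-SSO-ID raises KeyError: no token issued
        attr = ET.SubElement(st, q("saml", "Attribute"), AttributeName=name)
        ET.SubElement(attr, q("saml", "AttributeValue")).text = value
    a.set("Signature", sign(ET.tostring(a)))  # signature covers the assertion without this attribute
    return ET.tostring(a)

def portal_build_soap(saml_token, body=b"<GetCapabilities/>"):  # DAIL Portal: token -> SOAP header
    env = ET.Element(q("s", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security"))
    sec.append(ET.fromstring(saml_token))
    ET.SubElement(env, q("s", "Body")).append(ET.fromstring(body))
    return ET.tostring(env)

def pep_check(soap_xml):  # PEP: signature and validity checks; attributes to authorise on, else None
    a = ET.fromstring(soap_xml).find("s:Header/wsse:Security/saml:Assertion", NS)
    if a is None or not hmac.compare_digest(a.attrib.pop("Signature", ""), sign(ET.tostring(a))):
        return None  # no token, or token forged / modified in transit
    if datetime.now(timezone.utc) >= datetime.fromisoformat(a.find("saml:Conditions", NS).get("NotOnOrAfter")):
        return None  # token expired
    return {x.get("AttributeName"): x.findtext("saml:AttributeValue", namespaces=NS)
            for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
```

A request whose token fails any of the PEP checks never reaches the authorisation step, which is the property the "check signature" step in the diagram is there to provide.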

18 Overview
- Updated specification OGC 07-118 version 0.0.5
- Planned specification OGC version 0.0.6
- Authentication service open-source
- Next steps

19 Authentication Service
Open-source. Available at index.php?page=HMA+Authentication+Service

20 Authentication Service
Static architecture:
- Java Naming package to authenticate the given user in the LDAP user registry and to retrieve his attributes
- OpenSAML package to build the SAML token from the user attributes
- Apache XML Security package to sign and encrypt the SAML token
- Java Security package to retrieve the private and public keys from the keystore, used in the signature and encryption steps

21 Authentication Service
Figure: sequence diagram of a successful authentication.

22 Authentication Service
- Configurable: which user attributes from LDAP are included in the SAML assertions, and under which name (configuration file); independent of the "minimal profile"
- Associated documents: Software Requirements Document, Architectural Design Document, Acceptance Test Plan, Installation procedure (part of the software package)

23 Overview
- Updated specification OGC 07-118 version 0.0.5
- Planned specification OGC version 0.0.6
- Authentication service open-source
- Next steps

24 Next Steps
Done:
- 23/09/2009: Authentication Service software (as per 0.0.4)
- 30/10/2009: OGC version 0.0.5
- 11/12/2009: Authentication Service software 0.0.5
Planned:
- 24/12/2009: Outline OGC version
- XX/01/2010: OGC version
