Security Token Service (STS) Status Update


1 Security Token Service (STS) Status Update
Henri Mikkonen, Helsinki Institute of Physics
EGI Technical Forum, Prague, Czech Republic

2 Current Status
Henri Mikkonen @ EGI Technical Forum 2012
The following security token formats are currently functional:
  Incoming token formats: Username/Password, SAML assertion
  Outgoing token formats: X.509 certificate, VOMS proxy certificate
The WS-Trust Interoperability profile is followed. See
20/09/2012 Henri EGI Technical Forum 2012

3 Username/Password
  <soap11:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="UsernameToken-0001">
        <wsse:Username> ... </wsse:Username>
        <wsse:Password Type="..."> ... </wsse:Password>
        <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
        <wsu:Created> ... </wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap11:Header>
Currently supports plaintext passwords
Hashing, optionally using the Nonce and Created elements, can be supported
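The hashed variant the slide alludes to is the WS-Security UsernameToken Profile "PasswordDigest", where the client sends Base64(SHA-1(nonce + Created + password)) instead of the password. The following added example (not the STS project's code) shows the client-side construction and the checks an STS should make on receipt: digest recomputation, a freshness window on Created, and a nonce replay cache; the 5-minute window and the in-memory credential lookup are assumptions.

```python
import base64, hashlib, secrets
from datetime import datetime, timedelta, timezone

# Added example, not the STS project's code: the WS-Security UsernameToken
# Profile "PasswordDigest" = Base64( SHA-1( nonce_bytes + Created_text + password ) ).
TS = "%Y-%m-%dT%H:%M:%S.%fZ"   # wsu:Created is an xsd:dateTime in UTC

def make_digest(nonce_b64, created, password):
    nonce = base64.b64decode(nonce_b64)   # raw nonce bytes, not the Base64 text
    data = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def client_token(username, password, now=None):
    """Client side: the UsernameToken child elements with a fresh random nonce."""
    created = (now or datetime.now(timezone.utc)).strftime(TS)
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": make_digest(nonce_b64, created, password)}

class DigestVerifier:
    """STS side: recompute the digest and reject stale or replayed tokens."""
    def __init__(self, lookup, max_skew=timedelta(minutes=5)):
        self.lookup = lookup      # username -> password (assumed credential store)
        self.max_skew = max_skew  # assumed freshness window for wsu:Created
        self.seen = {}            # nonce -> Created, replay cache for the window

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        created = datetime.strptime(token["Created"], TS).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False          # Created outside the freshness window
        # drop nonces too old to be replayed within the window, then check replay
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_skew}
        if token["Nonce"] in self.seen:
            return False
        password = self.lookup(token["Username"])
        if password is None: return False
        expected = make_digest(token["Nonce"], token["Created"], password)
        if not secrets.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen[token["Nonce"]] = created   # record only after a successful check
        return True

def demo():
    v = DigestVerifier({"alice": "correct horse"}.get)
    good = client_token("alice", "correct horse")
    old = datetime.now(timezone.utc) - timedelta(hours=1)
    return {"accepted": v.verify(good), "replay": v.verify(good),
            "wrong_pw": v.verify(client_token("alice", "battery staple")),
            "stale": v.verify(client_token("alice", "correct horse", now=old))}
```

Note that the digest still requires the STS to hold the plaintext password (or a derivative the client can reproduce), so it protects the password on the wire, not the credential store.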

4 SAML Assertion
  <soap11:Header>
    <wsse:Security>
      <saml2:Assertion ID="_064090d66352b278a7cbfd95f345fec0" IssueInstant=" T07:33:47.224Z" Version="2.0">
      </saml2:Assertion>
    </wsse:Security>
  </soap11:Header>
The contents of the SAML attribute statements are used for the certificate to be issued
How can the clients obtain the assertion? The assertion must be targeted to the STS: ECP Profile, SAML delegation

5 X.509 issuance
Currently supports the CMP protocol with CRMF
Very suitable for our use cases:
  Access to the private key corresponding to the upcoming certificate is not needed by the STS
  The STS can construct the CSR itself
  <soap11:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken EncodingType="..." wsu:Id="X509SecurityToken">
        ... BASE64-encoded certificate ...
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </soap11:Header>

6 VOMS proxy issuance
The end-entity certificate obtained from the online CA is used for the proxy initialization
Access to the private key corresponding to the user certificate is required for issuing the proxy certificate
The VOMS Java API is used for the communication
  Minimal customization was needed
A method for communicating the VOMS request parameters from the client was needed
  GridProxyRequest extension to the RST

7 GridProxyRequest - example
  <soap11:Body>
    <wst:RequestSecurityToken wsu:Id="..." Context="...">
      <wst:RequestType> </wst:RequestType>
      <wst:TokenType>urn:glite.org:sts:GridProxy</wst:TokenType>
      <gridProxy:GridProxyRequest xmlns:gridProxy="urn:glite.org:sts:proxy" lifetime="86400">
        <gridProxy:VomsAttributeCertificates>
          <gridProxy:FQAN>testers.eu-emi.eu:/testers.eu-emi.eu</gridProxy:FQAN>
        </gridProxy:VomsAttributeCertificates>
      </gridProxy:GridProxyRequest>
    </wst:RequestSecurityToken>
  </soap11:Body>
This RST requests a VOMS proxy with:
  a lifetime of 86400 seconds (24 hours)
  VO attributes from the EMI testbed

8 GridProxyRequest - schema
  <xs:schema targetNamespace="urn:glite.org:sts:proxy" xmlns="urn:glite.org:sts:proxy"
             elementFormDefault="qualified" attributeFormDefault="unqualified">
    <xs:complexType name="GridProxyRequestType">
      <xs:sequence>
        <xs:element name="VomsAttributeCertificates" type="VomsAttributeCertificatesType" minOccurs="0" maxOccurs="1"/>
        <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="lifetime" type="xs:int" use="required"/>
      <xs:attribute name="proxyType" type="xs:int" use="optional"/>
      <xs:attribute name="delegationType" type="xs:int" use="optional"/>
      <xs:attribute name="policyType" type="xs:int" use="optional"/>
    </xs:complexType>
    <xs:complexType name="VomsAttributeCertificatesType">
      <xs:sequence>
        <xs:element name="FQAN" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ordering" type="xs:string" use="optional"/>
      <xs:attribute name="targets" type="xs:string" use="optional"/>
      <xs:attribute name="verificationType" type="xs:int" use="optional"/>
      <xs:anyAttribute namespace="##other" processContents="lax"/>
    </xs:complexType>
    <xs:element name="GridProxyRequest" type="GridProxyRequestType"/>
  </xs:schema>
The contents of the AttributeStatements can be used for the certificate
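The GridProxyRequest example on slide 7 and its schema on slide 8 describe what the client may ask for; the STS still decides what it grants. The following added example (not the STS project's code) parses the extension out of an RST body and applies the server-side checks an STS would make before calling the VOMS API: TokenType match, a positive lifetime capped by site policy, and a syntax sanity check on each FQAN. The soap11/wst namespace URIs, the 12-hour cap and the FQAN pattern are assumptions; the sample body is constructed from the slide's values.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not the STS project's code: parse the GridProxyRequest element
# from a WS-Trust RST body as shown on the slides and apply the server-side
# checks an STS would make before handing the parameters to the VOMS API.
# Namespace URIs for soap11/wst, the lifetime cap and FQAN_RE are assumptions.
NS = {"soap11": "http://schemas.xmlsoap.org/soap/envelope/",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "gp": "urn:glite.org:sts:proxy"}
GRID_PROXY_TOKEN_TYPE = "urn:glite.org:sts:GridProxy"
MAX_LIFETIME = 12 * 3600                  # assumed site policy: 12 h at most
FQAN_RE = re.compile(r"^[\w.-]+:/[\w.-]+(/[\w.-]+)*(/Role=[\w.-]+)?$")  # vo:/group[/Role=r]

def parse_grid_proxy_request(body_xml):
    """Return (granted_lifetime, fqans, proxy_type) or raise ValueError."""
    root = ET.fromstring(body_xml)        # production code: parse with defusedxml instead
    rst = root.find(".//wst:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no wst:RequestSecurityToken in body")
    token_type = rst.findtext("wst:TokenType", "", NS).strip()
    if token_type != GRID_PROXY_TOKEN_TYPE:
        raise ValueError("unexpected TokenType %r" % token_type)
    req = rst.find("gp:GridProxyRequest", NS)
    if req is None or req.get("lifetime") is None:
        raise ValueError("GridProxyRequest with required lifetime attribute missing")
    lifetime = int(req.get("lifetime"))   # xs:int, use="required" in the schema
    if lifetime <= 0:
        raise ValueError("lifetime must be positive")
    granted = min(lifetime, MAX_LIFETIME)  # the STS may issue a shorter proxy than asked
    fqans = [(e.text or "").strip() for e in req.findall("gp:VomsAttributeCertificates/gp:FQAN", NS)]
    bad = [f for f in fqans if not FQAN_RE.match(f)]
    if bad:
        raise ValueError("malformed FQAN(s): %s" % bad)  # VOMS still authorizes each FQAN
    proxy_type = req.get("proxyType")
    return granted, fqans, int(proxy_type) if proxy_type is not None else None

# Constructed RST body modelled on the slide's example (24 h, EMI testbed VO).
SAMPLE_BODY = """<soap11:Body xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"
             xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <wst:RequestSecurityToken Context="ctx-1">
  <wst:TokenType>urn:glite.org:sts:GridProxy</wst:TokenType>
  <gridProxy:GridProxyRequest xmlns:gridProxy="urn:glite.org:sts:proxy" lifetime="86400">
   <gridProxy:VomsAttributeCertificates>
    <gridProxy:FQAN>testers.eu-emi.eu:/testers.eu-emi.eu</gridProxy:FQAN>
   </gridProxy:VomsAttributeCertificates>
  </gridProxy:GridProxyRequest>
 </wst:RequestSecurityToken>
</soap11:Body>"""
```

With the sample body the requested 24 hours are reduced to the 12-hour cap, which is the behaviour a client should expect: WS-Trust lets the issuer grant less than was requested.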

9 Additional features
Other token formats?
  Kerberos ticket?
  X.509 as an incoming token format?
  SAML assertion as an outgoing token format?
Other CA protocols?
  MyProxy CA?

10 Thank you! Questions? Henri Mikkonen