Presentation is loading. Please wait.

Presentation is loading. Please wait.

Page: 1 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Deploying a distributed access control architecture within.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Page: 1 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Deploying a distributed access control architecture within."— Presentation transcript:

1 Page: 1 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Deploying a distributed access control architecture within a VO network Michel Kamel, Abdelmalek Benzekri, François Barrère, Bassem Nasser Université Paul Sabatier – IRIT Toulouse, France +33 (0)5 61 55 60 86 {mkamel, benzekri, barrere, nasser} @irit.fr

2 Page: 2 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 IRIT Involvement The domains of interest of IRIT within the VIVACE project are the deployment and the enforcement of the VO access control policy modeled in order to manage access to the different partners’ critical resources. Concepts such as security policies and access control within a VO are being considered in order to deploy a shared infrastructure supporting the secure exchange of information between partners within the VO. Privilege Management Infrastructures (PMIs) are studied and a proposal architecture is described.

3 Page: 3 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 The VO concept

4 Page: 4 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 A formal approach must be adopted to specify an access control policy. RBAC or OrBAC models could be used. Infrastructures for identification and authorization must be used to enforce the access control policy within the VO shared infrastructure. Solutions based on Privilege Management Infrastructures (PMIs) must be adopted for authorization purposes; PKI, username/password or biometric techniques can be adopted for authentication. VO access control

5 Page: 5 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2  PMI X.509  XACML  Akenti  Shibboleth  PERMIS Solutions for access control enforcement

6 Page: 6 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Shibboleth, a product of the Internet2 consortium, is an open source middleware software providing Web Single Sign On (SSO) across or within organizational boundaries. Shibboleth supplies a framework for a federated identity based authentication The implementation of Shibboleth comprises a configuration of the origin side “Identity Provider” IdP (the site to which users belong) and of the target side “Service Provider” SP (where resources exist). Shibboleth

7 Page: 7 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Shibboleth origin side

8 Page: 8 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Shibboleth target side

9 Page: 9 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 PERMIS is an implementation of an X.509 PMI, and uses the RBAC paradigm, built in accordance with the ISO 10181-3 standard. PERMIS supports the distributed management of roles between multiple AAs. PERMIS functions in two modes: push and pull PERMIS

10 Page: 10 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 PERMIS module

11 Page: 11 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 We propose the integration of Shibboleth and PERMIS architectures to implement a distributed infrastructure for authentication and authorization. In such a solution, Shibboleth is used for: oUser authentication oPropagation of user attributes And PERMIS is used for: oAuthorization decisions (PEP, PDP) Act 3 Scene 2 – Access control architecture

12 Page: 12 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Shibboleth-PERMIS interactions

13 Page: 13 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 A descriptive scenario

14 Page: 14 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Scenario-Enterprises wishing to communicate

15 Page: 15 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Scenario-Building a VO

16 Page: 16 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Access control policy on the Airbus side

17 Page: 17 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Scenario-Agreements between partners

18 Page: 18 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 A role can represent a job function, a qualification or expertise; permissions are granted to “Roles”. A role is affected to a user within an attribute certificate (AC) to protect the user’s credential. The SOA on the HP site “SOA1” generates an attribute certificate AC containing the attribute “Role0” and affects it to the user “User0” authorized to access the protected remote resource “secure2”. Affecting Role0 to User0 on the HP site

19 Page: 19 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Scenario-User0 wishing to access the secure2 resource

20 Page: 20 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Demonstrator system configuration

21 Page: 21 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Authentication AuthType Basic AuthName "Shibboleth Handle Service" AuthUserFile /conf/user.db require valid-user

22 Page: 22 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Authentication assertion 2006-09-25 [HS] - Handling request. 2006-09-25 [HS] - Remote provider has identified itself as: (http://sp.example.org/secure2). 2006-09-25 [HS] - Found Relying Party for (http://sp.example.org/secure2) 2006-09-25 [HS] - Assigning handle (0476f3d8-6753-4dcb-b17b-59c7f0d89dbc) to principal (User0). 2006-09-25 [HS] - User was authenticated via the default method for this relying party (password). 2006-09-25 [HS] - Dumping generated SAML Response: Recipient="http://sp.example.org/Shibboleth.shire" <AuthenticationStatement AuthenticationInstant="2006-09-25T08:42:20.385Z" AuthenticationMethod="password"> <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.example.org">0476f3d8-6753-4dcb-b17b- 59c7f0d89dbc <SubjectLocality IPAddress="10.10.20.54">

23 Page: 23 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Authorization PermisPolicyIdentifier 1.2.826.0.1.3344810.6.0.0.11 PermisPolicyIssuer cn= A Permis Test User,o=permis,c=gb PermisPolicyLocation ldap server PermisRootCA /etc/…/…/rootca.cer PermisACAttribute attributeCertificateAttribute PermisDebug debug AuthType Shibboleth PermisAuthorization ShibRequireSession On require valid-user

24 Page: 24 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Authorization assertion-1 2006-09-25 [AA] - Handling request. 2006-09-25 [AA] - Remote provider has identified itself as: (http://sp.example.org/secure2). 2006-09-25 [AA] - Using default Relying Party: (http://sp.example.org/secure2). 2006-09-25 [AA] - Attribute Query Handle recognized. 2006-09-25 [AA] - Request is for principal (User0). 2006-09-25 [AA] - Computed possible attribute release set. 2006-09-25 [AA] - Possible attribute: urn:mace:dir:attribute-def:dn 2006-09-25 [AA] - Possible attribute: urn:mace:dir:attribute-def:attributeCertificateAttribute 2006-09-25 [AA] - Resolving attribute: (urn:mace:dir:attribute-def:attributeCertificateAttribute) 2006-09-25 [AA] - Found value(s) for attribute (urn:mace:dir:attribute def:attributeCertificateAttribute) 2006-09-25 [AA] - Resolving attribute: (urn:mace:dir:attribute-def:dn) 2006-09-25 [AA] - Found value(s) for attribute (urn:mace:dir:attribute-def:dn). 2006-09-25 [AA] - Found 2 attribute(s) for User0 2006-09-25 [AA] - Dumping generated SAML Response:

25 Page: 25 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Authorization assertion-2 <Assertion AssertionID="d66fc370101099990431efbc90e770e8" Issuer="http://idp.example.org" http://sp.example.org/secure2 0476f3d8-6753-4dcb-b17b-59c7f0d89dbc <Attribute AttributeName="urn:mace:dir:attribute def:attributeCertificateAttribute" <AttributeValue xsi:type="typens:AttributeValueType">MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRV NSVMxDjAMBgNVBAMTBVVzZXIwoEEwP6Q9 --- <Attribute AttributeName="urn:mace:dir:attribute-def:dn" cn=User0,o=permis 2006-09-25 [AA] - Successfully responded about User0

26 Page: 26 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Authorization decision pConf[2]ldap://ldap server creds 0 is: shib:User-Distinguished-Name=cn=User0,o=permis creds 1 is: shib:attributeCertificateAttribute= MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRVJNSVMxDjAMBgNVBAMTBVVzZXIwoEE ------ creds 2 is: shib:Shib-Application-ID=default creds 3 is: shib:Shib-Authentication-Method=password creds 4 is: shib:Shib-Origin-Site=http://idp.example.orghttp://idp.example.org Authorisation Token issued by idp.example.org to CN=User0,O=permis MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRVJNSVMxDjAMBgNVBAMTBVVzZXIwoEE wP6Q----- The Subject has the following roles now: set of subsets [<role permisRole: Role0 intersection of (Sun Sep 10 23:00:00 GMT 2006; Tue Sep 13 23:00:00 GMT 2016) (-oo; +oo)>] Authorisation succeeded

27 Page: 27 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Conclusion We have defined and described the solution to implement for access control in a trans-organizational environment which is the VO network integrating Shibboleth and PERMIS The solution has been demonstrated in a lab environment

28 Page: 28 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Next Steps – VIVACE 3rd Iteration Adapt PERMIS to existing business applications, in order to use their preexisting security means. Extending the PERMIS PDP component, so we allow PERMIS to take into account policies specified with OrBAC access control model (concepts of activities, views and contexts). Installation of the demonstrator within the DISI infrastructure in order to run the VIVACE scenarios.

29 Page: 29 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Thank You Any Questions ?

Download ppt "Page: 1 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 Deploying a distributed access control architecture within."

Similar presentations

SAML CCOW Work Item: Task 2

SAML CCOW Work Item: Task 2
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
Implementing and Administering AD FS

Implementing and Administering AD FS
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.

Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Page: 1 24-26 October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM 2 +33 (0)5 61 55 60 86 {mkamel, benzekri, barrere, nasser}

Page: October 2006 © 2006 VIVACE Consortium Members. All rights reserved VIVACE FORUM (0) {mkamel, benzekri, barrere, nasser}
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Similar presentations

Ads by Google