Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPOCP – general authorisation server Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg.

Published byGloria Bradford Modified over 9 years ago

Similar presentations

Presentation on theme: "SPOCP – general authorisation server Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg."— Presentation transcript:

1 SPOCP – general authorisation server Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg

2 Outline – part1 ● SPOCP project ● SPOCP, how does it fit it ● How does it work ● SPOCP SAML/XACML ● Project status

3 The SPOCP project ● One year, ends May 31 th 2003 ● Relatively small budget, ~1 MSEK ● Run by Umeå University ● Partners in crime: * Stockholm University* Lund University * Uppsala University* Karolinska * SUNET* UNINETT * NYA & LpW

4 How does it fit in ? ● Middleware function the provides authorisation ● Separate from authentication ● Uses information resources

5 Spocp rules/queries ● Expressed as S-expressions – Fixed syntax, undefined semantics ● S-expression can be ordered – One can test whether S-expression A is '<=' S-expression B

6 S-expression ● Am S-expression is either – A byte-strings ("octet-strings") or – A finite list of simpler S-expressions ● A octet-string is a finite sequence of 8-bit octets ● Example: – (certificate (issuer bob)(subject alice))

7 Formal definition of the '<=' relation ● If A = (X_1 X_2... X_m) and B = (Y_1 Y_2... Y_n) then A <= B if and only if n <= m and X_i <= Y_i for i = 1,...,n ● Example: – (certificate (issuer bob morgan)(subject alice)) <= (certificate (issuer bob)(subject alice))

8 Spocp Authorisation Decision ● Given a authorisation Query (A). If there exists a rule (R) in the rule database such that A '<=' R then permission is granted. ● By default everything is disallowed ● Rules can only allow actions

9 SAML Spocp An objective comparision :-)

10 XACML/SAML Data-flow

11 Spocp Data-Flow

12 XACML Rule ● A person may read any record for which he or she is the designated patient * //medico.com/record.* read

13 Spocp Rule ● (spocp (resource medico.com)(action read)(subject medico.com urn:spocp:equal:${patient}:${name}))

14 SAML AuthorizationDecisionQuery – Julius Hibbert read Julius Hibbert http://www.oasis-open.org/committees/security/docs/draft-sstc-core- 24/artifact Julius Hibbert physician

15 SPOCP Query ● (spocp (resource record medico.com (patient Bartholomeus Simson) patientDoB )(action read)(subject medico.com (name Julius Hibbert)))

16 Project Status ● Source code available – Two server implementations ● Apache module (SAML/SOAP/HTTP) ● Standalone (uses the SPOCP protocol) – Server as library – PAM module – Modified Exim – Documentation

Download ppt "SPOCP – general authorisation server Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg."

Similar presentations

The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.

The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.
Distributed Access Control System

Distributed Access Control System
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Orthogonal Security With Cipherbase 1 Microsoft Research 2 UW-Madison 3 ETH-Zurich Arvind Arasu 1 Spyros Blanas 2 Ken Eguro 1 Donald Kossmann 3 Ravi Ramamurthy.

Orthogonal Security With Cipherbase 1 Microsoft Research 2 UW-Madison 3 ETH-Zurich Arvind Arasu 1 Spyros Blanas 2 Ken Eguro 1 Donald Kossmann 3 Ravi Ramamurthy.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Privilege Management and Spocp Presentation at Advance CAMP Authority Architecture – Broomfield, Colorado July 2, 2004 by Roland Hedberg.

Privilege Management and Spocp Presentation at Advance CAMP Authority Architecture – Broomfield, Colorado July 2, 2004 by Roland Hedberg.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Z39 Server DigiTool Version 3.0. Z39 Server 2 z39 SERVER Main Topics z39 server architecture z39 server services z39 server configuration Defining a new.

Z39 Server DigiTool Version 3.0. Z39 Server 2 z39 SERVER Main Topics z39 server architecture z39 server services z39 server configuration Defining a new.
1 SWE 205 - Introduction to Software Engineering Lecture 22 – Architectural Design (Chapter 13)

1 SWE Introduction to Software Engineering Lecture 22 – Architectural Design (Chapter 13)
1 Software Testing and Quality Assurance Lecture 30 - Introduction to Software Testing.

1 Software Testing and Quality Assurance Lecture 30 - Introduction to Software Testing.
Application architectures

Application architectures
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Application architectures

Application architectures
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML OASIS eXtensible Access Control Markup Language Steve Carmody July 10, 2003 Steve Carmody July 10, 2003.

XACML OASIS eXtensible Access Control Markup Language Steve Carmody July 10, 2003 Steve Carmody July 10, 2003.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Supporting further and higher education Current A&A Developments in the UK Alan Robiette, JISC Development Group.

Supporting further and higher education Current A&A Developments in the UK Alan Robiette, JISC Development Group.

Similar presentations

Ads by Google