Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

Published byOpal Gibson Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH JRA1 All-Hands Meeting NIKHEF, Amsterdam, 20-22 February 2008

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 2 Web Service Standards XML, SOAP, WSDL, HTTPS (SSL/TLS) WS-Security –Security Tokens  Username token  X.509 Certificate  SAML  Kerberos –XML Encryption  Encrypt message content –XML Signature  Digital signature of message WS-Trust –OASIS Standard (WS-Trust 1.3) –Framework for requesting and issuing Security Tokens –Broker for trust relationship –It' also a point for enforcing token related policies (i.e. this token can be delegated by service A to service B)

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 3 Security Token Service WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS) The Security Token Service have a trust relationship with both the client and the service.

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 4 Multiple Security Domains A client may need to communicate with services that operate across trust boundaries –Shibboleth SAML vs Grid X.509 Multiple STS can be used in a trust chain across security domains (delegated trust)

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 5 Functionalities Authenticates and authorizes users based on security tokens Transforms a security token (the claim) into another security token suitable for the requested service –Username token into SAML token –SAML token into X.509 token Aggregates required information from external Attribute Authorities Establishes a trust relation between different application domains –Shibboleth domain vs Grid domain Web Service (SOAP) based protocol –Platform independent –Language independent (C, Java, Python, …)

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 6 Security Mechanisms Authentication –WS-Security –Transport provided mechanisms Authorization –WS-Policy –XACML –Application specific (ACL, …) Message Integrity –Transport SSL/TLS –XML Signature Message Confidentiality –Transport SSL/TLS –XML Encryption

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 7 Example RST Message http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 2008-02-05T14:31:48.890Z myusername mypassword 2008-02-05T14:31:48.889Z

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 8 Architecture Profile Handler implements the WS-Trust profile Token Authority manages the security tokens Resolver retrieves information, attributes from external authorities (LDAP, DB, Online CA, VOMS, …)

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 9 Scenario: Issue a proxy X.509 User authenticates with his credential to a Shibboleth IdP STS and receives a SAML security token User requests a proxy X.509 from a Grid STS using the SAML token

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 10 Scenario: Renew a proxy X.509 At proxy X.509 expiration the WMS requests a proxy X.509 renewal from the Grid STS

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 11 Status WS-Trust 1.3 Profile document finalized The Security Token Service (STS) will be implemented within the Internet2 framework –WS-Security implementation finished –WS-Trust implementation finished –STS profile handlers to be implemented  Transforms username token into SAML token  Transforms SAML token into X.509 token Prototype should be available by the middle of March

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 JRA1 All Hands Meeting, Amsterdam, 20-22 February 2008 12 Comments and Questions Comments ? Questions ?

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Security Standards (…and Competing Standards … and Implementations … and Interoperability) Marty Humphrey Assistant Professor Computer Science Department.

Security Standards (…and Competing Standards … and Implementations … and Interoperability) Marty Humphrey Assistant Professor Computer Science Department.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Core Web Service Security Patterns

Core Web Service Security Patterns
Will Darby 91.514 5 April 2010.  What is Federated Security  Example Implementations  Security Assertion Markup Language (SAML) Overview  Alternative.

Will Darby April  What is Federated Security  Example Implementations  Security Assertion Markup Language (SAML) Overview  Alternative.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Presented at: Demonstrations and Prototypes TIM 7 Presented by: Dominic Timoteo / Shoeb Jafri SWIM Implementation Team May 04, 2011 Federal Aviation Administration.

Presented at: Demonstrations and Prototypes TIM 7 Presented by: Dominic Timoteo / Shoeb Jafri SWIM Implementation Team May 04, 2011 Federal Aviation Administration.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Similar presentations

Ads by Google