Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting 17.-19.10.2011, Padova, Italy.

Published byRussell Beasley Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting 17.-19.10.2011, Padova, Italy."— Presentation transcript:

1 Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting 17.-19.10.2011, Padova, Italy

2 EMI INFSO-RI-261611 Content Short Recap Overall Architecture for STS WS-Trust Profile Handler Design Token Authority Design Client Toolkit Schedule 17/10/2011 STS Design & Development Plans 2

3 EMI INFSO-RI-261611 Recap: Security tokens? STS? Security token is a collection of statements/claims about a user or resource, attached into a message – X.509, SAML assertion, Kerberos ticket, Username/Pwd – Defined in the WS-Security specification & profiles STS is a service used to issue, renew, validate and cancel security tokens – “Transforms security tokens from one format into another format” – Defined in the WS-Trust specification 17/10/2011 STS Design & Development Plans 3

4 EMI INFSO-RI-261611 Issue Operation Sequence 1.Decode the request: decode, decrypt, etc 2.Validate the request: signatures, SSL/TLS, replay, timestamps, policy conformancy.. 3.Validate the claims: extract & validate 4.Resolve attributes: resolution & filtering 5.Issuance of the security tokens: use the collected data & possibly use external sources 6.Create the response: generate the RSTR, possibly encrypted & signed 17/10/2011 STS Design & Development Plans 4

5 EMI INFSO-RI-261611 Overall Architecture (1/2) 17/10/2011 STS Design & Development Plans 5 Components in green boxes are provided by Shib3, yellows to be implemented

6 EMI INFSO-RI-261611 Overall Architecture (2/2) SOAP Client: Any client holding a security token and capable of producing RST messages and understanding RSTR messages WS-Trust Profile Handler: Orchestrates the profile sequence between the components Token Authority: Issues the requested security tokens by using appropriate token generators Token Generator: Issues a requested security token, possibly exploiting external sources 17/10/2011 STS Design & Development Plans 6

7 EMI INFSO-RI-261611 WS-Trust Profile Handler Shib3 Request Dispatcher sends the appropriate requests to the profile handler Profile consists of a sequence of states in a flow Implementation uses Spring WebFlow – Set of actions containing the logic of the flow All the actions exploits (possibly updates) profile request context, the current “state” of the profile 17/10/2011 STS Design & Development Plans 7

8 EMI INFSO-RI-261611 Token Authority Overview 17/10/2011 STS Design & Development Plans 8 Components in green boxes are provided by Shib3, yellows to be implemented

9 EMI INFSO-RI-261611 Token Generators 17/10/2011 STS Design & Development Plans 9 Three supported security token formats – X.509, X.509 proxy, SAML assertion – Plugin-mechanism for supporting additional formats X.509 generator already implemented, CMP protocol currently supported for online CA connection – Support for MyProxy and others possible SAML assertion will be constructed using existing Shib3 WebFlow actions

10 EMI INFSO-RI-261611 Client Toolkit Client Toolkit is a Java-library, helping in: – Generating the security tokens From file system: X.509 certificate, proxy From an IDP: SAML assertion (ECP profile) From a KDC: Kerberos ticket – Generating the request messages – Communicating the messages with STS – Extracting the response messages Storage of the security tokens Toolkit can be utilized in client UI or in the integration with services (e.g. portals) 17/10/2011 STS Design & Development Plans 10

11 EMI INFSO-RI-261611 Schedule Shib3 is in development phase, full functionality expected during the autumn – The most important APIs are already stable – First release expected 2012Q1 Current allocations for the development – Henri Mikkonen / HIP, 60% – Valery Tschopp / SWITCH, 30% First version of STS scheduled to 2012Q2 17/10/2011 STS Design & Development Plans 11

12 EMI is partially funded by the European Commission under Grant Agreement RI-261611 Thank you! 17/10/2011 12 STS Design & Development Plans

Download ppt "Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting 17.-19.10.2011, Padova, Italy."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Core Web Service Security Patterns

Core Web Service Security Patterns
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Peoplesoft: Building and Consuming Web Services

Peoplesoft: Building and Consuming Web Services
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Web services security I

Web services security I
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Similar presentations

Ads by Google