1 / 29

Deploying a distributed access control architecture within a VO network

Deploying a distributed access control architecture within a VO network Michel Kamel, Abdelmalek Benzekri, François Barrère, Bassem Nasser Université Paul Sabatier – IRIT Toulouse, France. +33 (0)5 61 55 60 86 {mkamel, benzekri, barrere, nasser} @irit.fr.

arista
Download Presentation

Deploying a distributed access control architecture within a VO network

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Deploying a distributed access control architecture within a VO network Michel Kamel, Abdelmalek Benzekri, François Barrère,Bassem Nasser Université Paul Sabatier – IRIT Toulouse, France +33 (0)5 61 55 60 86 {mkamel, benzekri, barrere, nasser} @irit.fr

  2. The domains of interest of IRIT within the VIVACE project are the deployment and the enforcement of the VO access control policy modeled in order to manage access to the different partners’ critical resources. Concepts such as security policies and access control within a VO are being considered in order to deploy a shared infrastructure supporting the secure exchange of information between partners within the VO. Privilege Management Infrastructures (PMIs) are studied and a proposal architecture is described. IRIT Involvement

  3. The VO concept

  4. A formal approach must be adopted to specify an access control policy. RBAC or OrBAC models could be used. Infrastructures for identification and authorization must be used to enforce the access control policy within the VO shared infrastructure. Solutions based on Privilege Management Infrastructures (PMIs) must be adopted for authorization purposes; PKI, username/password or biometric techniques can be adopted for authentication. VO access control

  5. PMI X.509 XACML Akenti Shibboleth PERMIS Solutions for access control enforcement

  6. Shibboleth, a product of the Internet2 consortium, is an open source middleware software providing Web Single Sign On (SSO) across or within organizational boundaries. Shibboleth supplies a framework for a federated identity based authentication The implementation of Shibboleth comprises a configuration of the origin side “Identity Provider” IdP (the site to which users belong) and of the target side “Service Provider” SP (where resources exist). Shibboleth

  7. Shibboleth origin side

  8. Shibboleth target side

  9. PERMIS is an implementation of an X.509 PMI, and uses the RBAC paradigm, built in accordance with the ISO 10181-3 standard. PERMIS supports the distributed management of roles between multiple AAs. PERMIS functions in two modes: push and pull PERMIS

  10. PERMIS module

  11. We propose the integration of Shibboleth and PERMIS architectures to implement a distributed infrastructure for authentication and authorization. In such a solution, Shibboleth is used for: User authentication Propagation of user attributes And PERMIS is used for: Authorization decisions (PEP, PDP) Act 3 Scene 2 – Access control architecture

  12. Shibboleth-PERMIS interactions

  13. A descriptive scenario

  14. Scenario-Enterprises wishing to communicate

  15. Scenario-Building a VO

  16. Access control policy on the Airbus side

  17. Scenario-Agreements between partners

  18. A role can represent a job function, a qualification or expertise; permissions are granted to “Roles”. A role is affected to a user within an attribute certificate (AC) to protect the user’s credential. The SOA on the HP site “SOA1” generates an attribute certificate AC containing the attribute “Role0” and affects it to the user “User0” authorized to access the protected remote resource “secure2” . Affecting Role0 to User0 on the HP site

  19. Scenario-User0 wishing to access the secure2 resource

  20. Demonstrator system configuration

  21. Authentication <Location /shibboleth/HS>AuthType BasicAuthName "Shibboleth Handle Service"AuthUserFile /conf/user.dbrequire valid-user</Location>

  22. Authentication assertion 2006-09-25 [HS] - Handling request. 2006-09-25 [HS] - Remote provider has identified itself as: (http://sp.example.org/secure2). 2006-09-25 [HS] - Found Relying Party for (http://sp.example.org/secure2) 2006-09-25 [HS] - Assigning handle (0476f3d8-6753-4dcb-b17b-59c7f0d89dbc) to principal (User0). 2006-09-25 [HS] - User was authenticated via the default method for this relying party (password). 2006-09-25 [HS] - Dumping generated SAML Response: Recipient="http://sp.example.org/Shibboleth.shire" <Assertion AssertionID="bcf851fd785cd722b8ea22e80ea002b1" Issuer="http://idp.example.org"> <AuthenticationStatement AuthenticationInstant="2006-09-25T08:42:20.385Z" AuthenticationMethod="password"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.example.org">0476f3d8-6753-4dcb-b17b- 59c7f0d89dbc</NameIdentifier><SubjectConfirmation></Subject><SubjectLocality IPAddress="10.10.20.54"></SubjectLocality></AuthenticationStatement> </Assertion> </Response>

  23. Authorization PermisPolicyIdentifier 1.2.826.0.1.3344810.6.0.0.11 PermisPolicyIssuer cn= A Permis Test User,o=permis,c=gb PermisPolicyLocation ldap server PermisRootCA /etc/…/…/rootca.cer PermisACAttribute attributeCertificateAttribute PermisDebug debug <location /secure2> AuthType Shibboleth PermisAuthorization ShibRequireSession On require valid-user </location>

  24. Authorization assertion-1 2006-09-25 [AA] - Handling request. 2006-09-25 [AA] - Remote provider has identified itself as: (http://sp.example.org/secure2). 2006-09-25 [AA] - Using default Relying Party: (http://sp.example.org/secure2). 2006-09-25 [AA] - Attribute Query Handle recognized. 2006-09-25 [AA] - Request is for principal (User0). 2006-09-25 [AA] - Computed possible attribute release set. 2006-09-25 [AA] - Possible attribute: urn:mace:dir:attribute-def:dn 2006-09-25 [AA] - Possible attribute: urn:mace:dir:attribute-def:attributeCertificateAttribute 2006-09-25 [AA] - Resolving attribute: (urn:mace:dir:attribute-def:attributeCertificateAttribute) 2006-09-25 [AA] - Found value(s) for attribute (urn:mace:dir:attribute def:attributeCertificateAttribute) 2006-09-25 [AA] - Resolving attribute: (urn:mace:dir:attribute-def:dn) 2006-09-25 [AA] - Found value(s) for attribute (urn:mace:dir:attribute-def:dn). 2006-09-25 [AA] - Found 2 attribute(s) for User0 2006-09-25 [AA] - Dumping generated SAML Response: <Response ResponseID="bd25b18a9bb19626831fbe51a404ee6c">

  25. Authorization assertion-2 <Assertion AssertionID="d66fc370101099990431efbc90e770e8" Issuer="http://idp.example.org" <Audience>http://sp.example.org/secure2</Audience> <AttributeStatement> <Subject> <NameIdentifier NameQualifier="http://idp.example.org">0476f3d8-6753-4dcb-b17b-59c7f0d89dbc </Subject> <Attribute AttributeName="urn:mace:dir:attribute def:attributeCertificateAttribute" <AttributeValue xsi:type="typens:AttributeValueType">MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRV NSVMxDjAMBgNVBAMTBVVzZXIwoEEwP6Q9 ---</AttributeValue></Attribute> <Attribute AttributeName="urn:mace:dir:attribute-def:dn" <AttributeValue xsi:type="typens:AttributeValueType"> cn=User0,o=permis </AttributeValue></Attribute></AttributeStatement> </Assertion></Response> 2006-09-25 [AA] - Successfully responded about User0

  26. Authorization decision pConf[2]ldap://ldap server creds 0 is: shib:User-Distinguished-Name=cn=User0,o=permis creds 1 is: shib:attributeCertificateAttribute= MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRVJNSVMxDjAMBgNVBAMTBVVzZXIwoEE ------ creds 2 is: shib:Shib-Application-ID=default creds 3 is: shib:Shib-Authentication-Method=password creds 4 is: shib:Shib-Origin-Site=http://idp.example.org Authorisation Token issued by idp.example.org to CN=User0,O=permis MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRVJNSVMxDjAMBgNVBAMTBVVzZXIwoEE wP6Q----- The Subject has the following roles now: set of subsets [<role permisRole: Role0 intersection of (Sun Sep 10 23:00:00 GMT 2006; Tue Sep 13 23:00:00 GMT 2016) (-oo; +oo)>] Authorisation succeeded

  27. Conclusion • We have defined and described the solution to implement for access control in a trans-organizational environment which is the VO network integrating Shibboleth and PERMIS • The solution has been demonstrated in a lab environment

  28. Next Steps – VIVACE 3rd Iteration • Adapt PERMIS to existing business applications, in order to use their preexisting security means. • Extending the PERMIS PDP component, so we allow PERMIS to take into account policies specified with OrBAC access control model (concepts of activities, views and contexts). • Installation of the demonstrator within the DISI infrastructure in order to run the VIVACE scenarios.

  29. Thank You Any Questions ?

More Related