290 likes | 426 Views
Deploying a distributed access control architecture within a VO network Michel Kamel, Abdelmalek Benzekri, François Barrère, Bassem Nasser Université Paul Sabatier – IRIT Toulouse, France. +33 (0)5 61 55 60 86 {mkamel, benzekri, barrere, nasser} @irit.fr.
E N D
Deploying a distributed access control architecture within a VO network Michel Kamel, Abdelmalek Benzekri, François Barrère,Bassem Nasser Université Paul Sabatier – IRIT Toulouse, France +33 (0)5 61 55 60 86 {mkamel, benzekri, barrere, nasser} @irit.fr
The domains of interest of IRIT within the VIVACE project are the deployment and the enforcement of the VO access control policy modeled in order to manage access to the different partners’ critical resources. Concepts such as security policies and access control within a VO are being considered in order to deploy a shared infrastructure supporting the secure exchange of information between partners within the VO. Privilege Management Infrastructures (PMIs) are studied and a proposal architecture is described. IRIT Involvement
A formal approach must be adopted to specify an access control policy. RBAC or OrBAC models could be used. Infrastructures for identification and authorization must be used to enforce the access control policy within the VO shared infrastructure. Solutions based on Privilege Management Infrastructures (PMIs) must be adopted for authorization purposes; PKI, username/password or biometric techniques can be adopted for authentication. VO access control
PMI X.509 XACML Akenti Shibboleth PERMIS Solutions for access control enforcement
Shibboleth, a product of the Internet2 consortium, is an open source middleware software providing Web Single Sign On (SSO) across or within organizational boundaries. Shibboleth supplies a framework for a federated identity based authentication The implementation of Shibboleth comprises a configuration of the origin side “Identity Provider” IdP (the site to which users belong) and of the target side “Service Provider” SP (where resources exist). Shibboleth
PERMIS is an implementation of an X.509 PMI, and uses the RBAC paradigm, built in accordance with the ISO 10181-3 standard. PERMIS supports the distributed management of roles between multiple AAs. PERMIS functions in two modes: push and pull PERMIS
We propose the integration of Shibboleth and PERMIS architectures to implement a distributed infrastructure for authentication and authorization. In such a solution, Shibboleth is used for: User authentication Propagation of user attributes And PERMIS is used for: Authorization decisions (PEP, PDP) Act 3 Scene 2 – Access control architecture
A role can represent a job function, a qualification or expertise; permissions are granted to “Roles”. A role is affected to a user within an attribute certificate (AC) to protect the user’s credential. The SOA on the HP site “SOA1” generates an attribute certificate AC containing the attribute “Role0” and affects it to the user “User0” authorized to access the protected remote resource “secure2” . Affecting Role0 to User0 on the HP site
Authentication <Location /shibboleth/HS>AuthType BasicAuthName "Shibboleth Handle Service"AuthUserFile /conf/user.dbrequire valid-user</Location>
Authentication assertion 2006-09-25 [HS] - Handling request. 2006-09-25 [HS] - Remote provider has identified itself as: (http://sp.example.org/secure2). 2006-09-25 [HS] - Found Relying Party for (http://sp.example.org/secure2) 2006-09-25 [HS] - Assigning handle (0476f3d8-6753-4dcb-b17b-59c7f0d89dbc) to principal (User0). 2006-09-25 [HS] - User was authenticated via the default method for this relying party (password). 2006-09-25 [HS] - Dumping generated SAML Response: Recipient="http://sp.example.org/Shibboleth.shire" <Assertion AssertionID="bcf851fd785cd722b8ea22e80ea002b1" Issuer="http://idp.example.org"> <AuthenticationStatement AuthenticationInstant="2006-09-25T08:42:20.385Z" AuthenticationMethod="password"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.example.org">0476f3d8-6753-4dcb-b17b- 59c7f0d89dbc</NameIdentifier><SubjectConfirmation></Subject><SubjectLocality IPAddress="10.10.20.54"></SubjectLocality></AuthenticationStatement> </Assertion> </Response>
Authorization PermisPolicyIdentifier 1.2.826.0.1.3344810.6.0.0.11 PermisPolicyIssuer cn= A Permis Test User,o=permis,c=gb PermisPolicyLocation ldap server PermisRootCA /etc/…/…/rootca.cer PermisACAttribute attributeCertificateAttribute PermisDebug debug <location /secure2> AuthType Shibboleth PermisAuthorization ShibRequireSession On require valid-user </location>
Authorization assertion-1 2006-09-25 [AA] - Handling request. 2006-09-25 [AA] - Remote provider has identified itself as: (http://sp.example.org/secure2). 2006-09-25 [AA] - Using default Relying Party: (http://sp.example.org/secure2). 2006-09-25 [AA] - Attribute Query Handle recognized. 2006-09-25 [AA] - Request is for principal (User0). 2006-09-25 [AA] - Computed possible attribute release set. 2006-09-25 [AA] - Possible attribute: urn:mace:dir:attribute-def:dn 2006-09-25 [AA] - Possible attribute: urn:mace:dir:attribute-def:attributeCertificateAttribute 2006-09-25 [AA] - Resolving attribute: (urn:mace:dir:attribute-def:attributeCertificateAttribute) 2006-09-25 [AA] - Found value(s) for attribute (urn:mace:dir:attribute def:attributeCertificateAttribute) 2006-09-25 [AA] - Resolving attribute: (urn:mace:dir:attribute-def:dn) 2006-09-25 [AA] - Found value(s) for attribute (urn:mace:dir:attribute-def:dn). 2006-09-25 [AA] - Found 2 attribute(s) for User0 2006-09-25 [AA] - Dumping generated SAML Response: <Response ResponseID="bd25b18a9bb19626831fbe51a404ee6c">
Authorization assertion-2 <Assertion AssertionID="d66fc370101099990431efbc90e770e8" Issuer="http://idp.example.org" <Audience>http://sp.example.org/secure2</Audience> <AttributeStatement> <Subject> <NameIdentifier NameQualifier="http://idp.example.org">0476f3d8-6753-4dcb-b17b-59c7f0d89dbc </Subject> <Attribute AttributeName="urn:mace:dir:attribute def:attributeCertificateAttribute" <AttributeValue xsi:type="typens:AttributeValueType">MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRV NSVMxDjAMBgNVBAMTBVVzZXIwoEEwP6Q9 ---</AttributeValue></Attribute> <Attribute AttributeName="urn:mace:dir:attribute-def:dn" <AttributeValue xsi:type="typens:AttributeValueType"> cn=User0,o=permis </AttributeValue></Attribute></AttributeStatement> </Assertion></Response> 2006-09-25 [AA] - Successfully responded about User0
Authorization decision pConf[2]ldap://ldap server creds 0 is: shib:User-Distinguished-Name=cn=User0,o=permis creds 1 is: shib:attributeCertificateAttribute= MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRVJNSVMxDjAMBgNVBAMTBVVzZXIwoEE ------ creds 2 is: shib:Shib-Application-ID=default creds 3 is: shib:Shib-Authentication-Method=password creds 4 is: shib:Shib-Origin-Site=http://idp.example.org Authorisation Token issued by idp.example.org to CN=User0,O=permis MIIBazCB1QIBATAnoSWkIzAhMQ8wDQYDVQQKEwZQRVJNSVMxDjAMBgNVBAMTBVVzZXIwoEE wP6Q----- The Subject has the following roles now: set of subsets [<role permisRole: Role0 intersection of (Sun Sep 10 23:00:00 GMT 2006; Tue Sep 13 23:00:00 GMT 2016) (-oo; +oo)>] Authorisation succeeded
Conclusion • We have defined and described the solution to implement for access control in a trans-organizational environment which is the VO network integrating Shibboleth and PERMIS • The solution has been demonstrated in a lab environment
Next Steps – VIVACE 3rd Iteration • Adapt PERMIS to existing business applications, in order to use their preexisting security means. • Extending the PERMIS PDP component, so we allow PERMIS to take into account policies specified with OrBAC access control model (concepts of activities, views and contexts). • Installation of the demonstrator within the DISI infrastructure in order to run the VIVACE scenarios.