
conventional access control


leal

Presentation Transcript


  1. conventional access control
     • Actors: client, application
     • Application policy: submitOrder() requires [name,password] cred
     • 1. read policy for submitOrder()
     • 2. call submitOrder() including [planky, ****]

  2. claims-based access control: authentication service
     • Actors: application, security token service sts_authentication
     • Application policy: submitOrder() requires {role} from sts_authentication
     • sts_authentication policy: {role} requires [name,password] cred
     • read policy for submitOrder()
     • read policy for request security token
     • request security token passing [planky, ****]

  3. claims-based access control: authentication service
     • Actors: application, security token service sts_authentication
     • Application policy: “submit order” requires {role} from sts_authentication
     • sts_authentication mapping: (planky,****) → {role = purchaser}
     • 4. request security token response: {role=purchaser} signed sts_authentication
     • call “submit order” with security token {role=purchaser} signed sts_authentication

  4. claims-based access control: delegated authentication and authorization
     • Actors: client, application, security token service sts_authentication (“identity claims provider”), security token service sts_authorization (“authorization claims provider”)
     • Application policy: submitOrder() requires {submit order} from sts_authorization
     • sts_authentication policy: {role} requires [kerb ticket] or [name/pwd] cred
     • sts_authorization policy: {submit order} requires {role} claim from sts_authentication
     • read policy for submitOrder()
     • read policy for request security token
     • request security token passing [planky’s kerb ticket]
     • read policy for request security token

  5. claims-based access control: delegated authentication and authorization
     • Actors: client, application, security token service sts_authentication, security token service sts_authorization
     • submitOrder() requires {submit order} claim from sts_authorization
     • submitOrder() requires {role} claim from sts_authentication
     • sts_authentication mapping: planky → {role = purchaser}
     • sts_authorization mapping: {role = purchaser} → {submit order = true}
     • {role=purchaser} signed sts_authentication
     • {submit order = true} signed sts_authorization
     • call submitOrder() with {submit order = true} signed sts_authorization
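
The delegated flow from slides 4 and 5, as an added example that is not part of the original presentation: each service accepts claims only from the issuer its policy names and checks the signature before mapping or acting on them. Assumptions: HMAC keys shared between each STS and its relying party stand in for the unspecified signing scheme, and the password, keys and function names are constructed for the demo.

```python
import hashlib, hmac, json

# Constructed demo keys: each STS shares one HMAC key with its relying party.
KEYS = {"sts_authentication": b"demo-key-authn", "sts_authorization": b"demo-key-authz"}
USERS = {"planky": ("hunter2-demo", {"role": "purchaser"})}   # constructed credential
ROLE_TO_CLAIMS = {"purchaser": {"submit order": True}}        # sts_authorization mapping


def _mac(issuer, claims):
    body = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()


def issue(issuer, claims):
    return {"iss": issuer, "claims": claims, "sig": _mac(issuer, claims)}


def verify(token, trusted_issuer):
    """Return the claims only if the token is signed by the issuer the policy names."""
    if token.get("iss") != trusted_issuer:
        raise PermissionError("token not issued by " + trusted_issuer)
    if not hmac.compare_digest(token.get("sig", ""), _mac(trusted_issuer, token.get("claims"))):
        raise PermissionError("bad signature")
    return token["claims"]


def sts_authentication(name, password):
    # Identity claims provider: (name, password) -> {role}
    stored = USERS.get(name)
    if stored is None or not hmac.compare_digest(stored[0], password):
        raise PermissionError("bad credentials")
    return issue("sts_authentication", stored[1])


def sts_authorization(identity_token):
    # Authorization claims provider: {role} from sts_authentication -> {submit order}
    role = verify(identity_token, "sts_authentication").get("role")
    if role not in ROLE_TO_CLAIMS:
        raise PermissionError("no mapping for role")
    return issue("sts_authorization", ROLE_TO_CLAIMS[role])


def submit_order(token):
    # Application policy: submitOrder() requires {submit order} from sts_authorization
    if verify(token, "sts_authorization").get("submit order") is not True:
        raise PermissionError("missing {submit order} claim")
    return "order accepted"
```

The application never sees planky's password or role; it trusts only the signed {submit order} claim, so an identity token presented directly to submit_order() is rejected.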
