
GridShibPERMIS Update

David Chadwick, University of Kent. A policy decision point called PERMIS that plugs into either Shibboleth (via mod_permis in Apache) or GT4 (via the OGSA-Authz protocol or GT4's Java interface).


Presentation Transcript


  1. GridShibPERMIS Update
  David Chadwick, University of Kent

  2. Main Provision
  • A policy decision point (PDP) called PERMIS that plugs into either Shibboleth (via mod_permis in Apache) or GT4 (via the OGSA-Authz protocol or GT4's Java interface)
  • The PDP will accept Shibboleth attributes or X.509 attribute certificates (ACs) to make decisions
  • Policies are signed and protected so they cannot be tampered with
  • We have a Shibboleth early adopter project called KUSP which will use Shibboleth and PERMIS to access campus resources via a portal
  • KUSP staff are not security specialists, so writing XML policies by hand is not an option for these resource managers

  3. Ease of Use
  • Has been our mantra for the last 6 months
  • Strong security is fine, but it has to be easy to use by administrators, so:
  • New Simple PERMIS released
  • New re-engineered Policy Editor released
  • New Policy Wizard that guides a user through the process of creating an authorisation policy (beta is almost available)
  • With built-in support for eduPerson attributes, Level of Authentication, WSDL and GT4 WSDD files

  4. Simple PERMIS
  • A new Simple PERMIS has been released which does not require X.509 attribute certificates, LDAP servers, any cryptography or the IAIK toolkit in order for the PDP to make access control decisions
  • Simple PERMIS reads in a plain XML policy from a local directory and relies on the OS to protect the policy file (so the policy file's permissions and ownership are the only integrity control)
  • It makes decisions based on plain-text (Shibboleth) attributes
  • Download the jar file and plug it in

  5. Policy Editor v2
  • Multiple screens for setting up the components of the policy, with an English version of the policy printed at the bottom of each screen
  • Allows the manager to configure attributes from any IdP
  • eduPerson attributes and LOA (Level of Authentication) built in
  • Can easily specify arbitrary conditions on access such as time of day, operation arguments etc.
  • (Currently adding an obligation capability)
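The following is an added example, not PERMIS code and not the PERMIS policy schema. It sketches the kind of PDP slides 2, 4 and 5 describe: an XML policy read from a local file whose only protection is OS file permissions (so the PDP checks those before trusting it), role assignment from plain-text Shibboleth attributes restricted to the IdP the policy names, and a time-of-day condition on a permission. The `<roleAssignment>`/`<target>`/`<permit>` format, the IdP and portal URLs are hypothetical; `eduPersonAffiliation` is a real eduPerson attribute and the `;`-joined multi-value header convention is what mod_shib uses.

```python
# Added example (not PERMIS code): a minimal attribute-based PDP of the kind the
# slides describe.  The XML policy format is a hypothetical simplification, not the
# PERMIS schema; the IdP and target URLs are made up.
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample policy in the hypothetical format.
SAMPLE_POLICY = """<?xml version="1.0"?>
<policy>
  <!-- role assignment: which attribute value, asserted by which IdP, confers which role -->
  <roleAssignment role="student" idp="https://idp.example.ac.uk/shibboleth"
                  attribute="eduPersonAffiliation" value="student"/>
  <roleAssignment role="staff" idp="https://idp.example.ac.uk/shibboleth"
                  attribute="eduPersonAffiliation" value="staff"/>
  <!-- target access: which role may do which action, optionally only within a time window -->
  <target name="https://portal.example.ac.uk/timetable">
    <permit role="student" action="read" from="08:00" to="20:00"/>
    <permit role="staff" action="read"/>
    <permit role="staff" action="write"/>
  </target>
</policy>
"""


def policy_file_problem(path):
    """Simple PERMIS relies on the OS to protect an unsigned policy file, so the PDP
    should at least refuse one another user could have edited.  Returns a description
    of the problem, or None if the file looks acceptable."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path} is group- or world-writable"
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return f"{path} is not owned by the user running the PDP"
    return None


def write_sample_policy(mode=0o600):
    """Demo helper: write SAMPLE_POLICY to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_POLICY)
    os.chmod(path, mode)
    return path


def parse_shib_attributes(headers):
    """mod_shib exports each attribute as an HTTP header, joining multiple values with
    ';'.  Only use this behind Shibboleth, which strips those headers from the client
    request; otherwise a client can inject its own attributes."""
    return {name: [v for v in value.split(";") if v] for name, value in headers.items()}


def _in_window(now, start, end):
    """True if 'HH:MM' now lies in [start, end]; an absent window always matches."""
    if start is None or end is None:
        return True
    return start <= now <= end  # zero-padded HH:MM strings compare correctly as text


class SimplePDP:
    def __init__(self, policy_xml):
        root = ET.fromstring(policy_xml)
        self.assignments = [
            (a.get("role"), a.get("idp"), a.get("attribute"), a.get("value"))
            for a in root.findall("roleAssignment")
        ]
        self.targets = {
            t.get("name"): [
                (p.get("role"), p.get("action"), p.get("from"), p.get("to"))
                for p in t.findall("permit")
            ]
            for t in root.findall("target")
        }

    @classmethod
    def from_file(cls, path):
        problem = policy_file_problem(path)
        if problem:
            raise PermissionError(problem)
        with open(path, encoding="utf-8") as f:
            return cls(f.read())

    def roles_for(self, attributes, idp):
        """Map attributes to roles, trusting only the IdP the policy names for each role."""
        return {
            role for role, trusted_idp, attr, value in self.assignments
            if idp == trusted_idp and value in attributes.get(attr, [])
        }

    def decide(self, attributes, idp, target, action, now):
        """Default deny: permit only if a held role allows this action on this target now."""
        roles = self.roles_for(attributes, idp)
        for role, act, start, end in self.targets.get(target, []):
            if role in roles and act == action and _in_window(now, start, end):
                return True
        return False


if __name__ == "__main__":
    pdp = SimplePDP.from_file(write_sample_policy())
    attrs = parse_shib_attributes({"eduPersonAffiliation": "student;member"})
    idp = "https://idp.example.ac.uk/shibboleth"
    target = "https://portal.example.ac.uk/timetable"
    print(pdp.decide(attrs, idp, target, "read", "10:00"))
    print(pdp.decide(attrs, idp, target, "read", "22:00"))
```

The two checks worth noting are the ones the slides imply but a quick integration forgets: the PDP refuses a policy file that anyone but its own user can write, because with no signature that is the whole integrity story; and attributes only confer a role when they come from the IdP the policy names, since a plain-text attribute carries no proof of who asserted it.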

  6. Policy Wizard
  • Step-by-step approach to creating an authorisation policy
  • We have tried to implement defaults at each stage so that the user can create simple policies with minimum effort
  • The policy is printed out in English at the end so that the user can check that it is what they intended

  7. Demo
  • First the Policy Wizard
  • Second the Policy Editor
  • Footnote: we have just started a new research project to allow managers to create authorisation policies in natural language, so watch this space
