
Integrating Shibboleth and PERMIS (SIPS)

Integrating Shibboleth and PERMIS (SIPS). Presented by Sassa Otenko JISC Core Middleware Programme Meeting, Loughborough, May 16-17 2005. Presentation Outline. PERMIS Privilege Management Infrastructure PERMIS Policy Decision Point Integration Scenarios Apache+PERMIS (demo available)


Presentation Transcript


  1. Integrating Shibboleth and PERMIS (SIPS) Presented by Sassa Otenko JISC Core Middleware Programme Meeting, Loughborough, May 16-17 2005

  2. Presentation Outline • PERMIS Privilege Management Infrastructure • PERMIS Policy Decision Point • Integration Scenarios • Apache+PERMIS (demo available) • Shibboleth+PERMIS • GT3.4/GT4+PERMIS

  3. Role Based Access Controls [diagram: Subjects (Andrew, Bill, Mary, Fred, Jane, Jim) are assigned Roles (Manager, Project Leader, Team Leader, Employee), and Roles are granted Targets/Actions (Salary Increases, Access Building, Delete Files, Read Files, Sign Orders)] • Task-oriented specification of privileges • Task-oriented assignment of privileges to subjects

  4. PERMIS Role Assignment Infrastructure [diagram: the SOA (Source of Authority) signs the Policy ("My Will Be Done. Signed: SOA") and issues Role Assignment Attribute Certificates to Users ("The holder of this is a Worker. Signed: SOA"; "The holder of this is a Secretary. Signed: SOA"); Policy and ACs are published in LDAP]

  5. PERMIS Policy Decision Point [diagram: the Initiator submits an access request to the Authentication Service and presents it to the Target's PEP; the PEP sends a Decision Request through the PERMIS PMI API to the PERMIS API Implementation (PDP), which retrieves the Policy and Role ACs from LDAP Directories (pull), validates them against the PKI, and returns the Decision]

  6. Apache+PERMIS [diagram: a Web Browser sends an HTTP request to the Apache Web server (PEP); the Authentication Module (LDAP) authenticates the user, the PERMIS PDP decides, and the Protected Page is served]

  7. Shibboleth+PERMIS • Three modes of operation: • Shibboleth is an authentication module • Shibboleth is an Attribute Certificate provider • Shibboleth is a Role provider

  8. Shibboleth Authentication [diagram: as in slide 6, with Shibboleth as the Authentication Module in front of the Apache Web server (PEP) and the PERMIS PDP] One of the attributes returned by the AA is the DN of the user; the PERMIS PDP pulls the Role Assignment ACs from LDAP.

  9. Shibboleth Authentication (contd.) [diagram: the Identity Provider &amp; Attribute Authority (Shibboleth Origin) returns the user's DN to the Service Provider (Shibboleth Target) on the Apache web-server; the DN is passed in HTTP Headers to the PERMIS PDP, which pulls the ACs and the Policy from LDAP]

  10. Shibboleth AC Provider [diagram: the Identity Provider &amp; Attribute Authority (Shibboleth Origin) returns the user's DN and ACs to the Service Provider (Shibboleth Target) on the Apache web-server; DN and ACs are passed in HTTP Headers to the PERMIS PDP, which pulls the Policy from LDAP]

  11. Shibboleth Role Provider [diagram: the Identity Provider &amp; Attribute Authority (Shibboleth Origin) returns the user's Roles to the Service Provider (Shibboleth Target) on the Apache web-server; the Roles are passed in HTTP Headers to the PERMIS PDP, which pulls the Policy from LDAP]

  12. Benefits • Powerful and flexible Policy: Role hierarchy; Constraints on Issuer; Fine granularity; Separation of Duties (DyCOM) • With ACs: Relaxed security requirements for the Repository; Cross-certification and delegation (DyVOSE)
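An added example, not from the SIPS slides or from the PERMIS code base: a toy Python PEP/PDP that models the three Shibboleth+PERMIS modes of slides 7 to 11 together with the role hierarchy and the Constraint on Issuer listed among the benefits in slide 12. The header names (Shib-DN, Shib-ACs, Shib-Roles), the "issuerDN:role" encoding of ACs in a header, the SOA DN, the policy and the in-memory stand-in for the LDAP repository are all constructed assumptions.

```python
SOA = "cn=SOA,o=ExampleOrg"  # constructed Source of Authority DN; only its ACs are trusted
# Role hierarchy from the RBAC slide: each role inherits the privileges of its juniors.
JUNIORS = {"Manager": ["Project Leader"], "Project Leader": ["Team Leader"],
           "Team Leader": ["Employee"], "Employee": []}
# Constructed policy: role -> set of (target, action) pairs it may perform directly.
POLICY = {"Employee": {("Files", "Read"), ("Building", "Access")},
          "Team Leader": {("Files", "Delete")},
          "Project Leader": {("Orders", "Sign")},
          "Manager": {("Salary", "Increase")}}
# Constructed stand-in for the LDAP repository of Role Assignment ACs:
# holder DN -> list of (issuer DN, role). The PDP pulls these in mode "authn".
LDAP_ACS = {"cn=Mary,o=ExampleOrg": [(SOA, "Team Leader")],
            "cn=Fred,o=ExampleOrg": [("cn=Rogue,o=Other", "Manager")]}  # untrusted issuer

def expand(roles):
    """Close a role set under the hierarchy (Manager implies Employee, etc.)."""
    out, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in out:
            out.add(role)
            todo.extend(JUNIORS.get(role, []))
    return out

def roles_from_acs(acs):
    """Constraint on Issuer: an AC confers a role only if the SOA signed it."""
    return {role for issuer, role in acs if issuer == SOA}

def parse_ac_header(value):
    """Constructed header encoding: 'issuerDN:role;issuerDN:role'."""
    return [tuple(item.split(":", 1)) for item in value.split(";") if ":" in item]

def roles_from_headers(headers, mode):
    """Derive the subject's roles from Shibboleth's HTTP headers, per mode of operation."""
    if mode == "authn":   # slides 8-9: AA returns the DN, PDP pulls ACs from LDAP
        return roles_from_acs(LDAP_ACS.get(headers.get("Shib-DN", ""), []))
    if mode == "ac":      # slide 10: ACs travel in the headers, issuer still checked
        return roles_from_acs(parse_ac_header(headers.get("Shib-ACs", "")))
    if mode == "role":    # slide 11: bare roles in headers; the AA itself is trusted
        return {r for r in headers.get("Shib-Roles", "").split(";") if r}
    raise ValueError("unknown mode: %s" % mode)

def decide(headers, mode, target, action):
    """PDP decision: grant if any effective role is permitted (target, action)."""
    effective = expand(roles_from_headers(headers, mode))
    return any((target, action) in POLICY.get(r, set()) for r in effective)
```

In the "role" mode the PDP has no issuer to check, which is why that mode places the most trust in the Attribute Authority; in the two AC-based modes a role asserted by anyone other than the SOA is simply ignored.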

  13. Globus Toolkit + PERMIS [diagram: a Client sends a service request to the Protected Service in a Grid Service Container (PEP); that container sends a SAML Request to PERMIS AuthZ, running in its own Grid Service Container (PEP), and receives a SAML Response] PEP = Policy Enforcement Point

  14. GT+PERMIS-2 [diagram: a Client sends a service request to the Protected Service; the PERMIS PDP runs inside the same Grid Service Container (PEP)]

  15. Questions, Please! • http://sec.cs.kent.ac.uk/ • ISSRG web-site • http://www.openpermis.org/ • Open Source PERMIS
