Integrating Shibboleth and PERMIS (SIPS)
Presented by Sassa Otenko
JISC Core Middleware Programme Meeting, Loughborough, May 16-17 2005
Presentation Outline
• PERMIS Privilege Management Infrastructure
• PERMIS Policy Decision Point
• Integration Scenarios
• Apache+PERMIS (demo available)
• Shibboleth+PERMIS
• GT3.4/GT4+PERMIS
Role Based Access Controls
[Diagram with three columns: Subjects (Andrew, Bill, Mary, Fred, Jane, Jim) are assigned Roles (Manager, Project Leader, Team Leader, Employee), and Roles are granted Targets/Actions (Salary Increases, Access Building, Delete Files, Read Files, Sign Orders)]
• Task-oriented specification of privileges
• Task-oriented assignment of privileges to subjects
PERMIS Role Assignment Infrastructure
[Diagram: the SOA (Source of Authority) signs the Policy ("My Will Be Done, Signed: SOA") and issues Role Assignment Attribute Certificates to Users ("The holder of this is a Worker, Signed: SOA"; "The holder of this is a Secretary, Signed: SOA"); policy and ACs are stored in LDAP]
PERMIS Policy Decision Point
[Diagram: the Initiator authenticates with the Authentication Service and submits an Access Request to the PEP, which presents the Access Request to the Target; the PEP sends a Decision Request through the PERMIS PMI API to the PERMIS API Implementation (the PDP) and receives a Decision; the PDP relies on the PKI and retrieves the Policy and Role ACs from LDAP Directories (pull)]
Apache+PERMIS
[Diagram: the Web Browser sends an HTTP request to the Apache Web server (PEP); the Authentication Module (LDAP) authenticates the user; the PERMIS PDP decides whether the Protected Page is served]
Shibboleth+PERMIS
• Three modes of operation:
  • Shibboleth is an authentication module
  • Shibboleth is an Attribute Certificate provider
  • Shibboleth is a Role provider
Shibboleth Authentication
[Diagram: the Web Browser sends an HTTP request to the Apache Web server (PEP); the Authentication Module (Shibboleth) authenticates the user; the PERMIS PDP decides whether the Protected Page is served]
• One of the attributes returned by the AA is the DN of the user
• PERMIS PDP pulls the Role Assignment ACs from LDAP
Shibboleth Authentication (contd.)
[Diagram: the Identity Provider & Attribute Authority (Shibboleth Origin) returns the user's DN to the Service Provider (Shibboleth Target) on the Apache web-server; the DN is passed in HTTP Headers to the PERMIS PDP, which pulls the ACs and the Policy from LDAP]
Shibboleth AC Provider
[Diagram: the Identity Provider & Attribute Authority (Shibboleth Origin) returns the user's DN and ACs to the Service Provider (Shibboleth Target) on the Apache web-server; the DN and ACs are passed in HTTP Headers to the PERMIS PDP, which pulls only the Policy from LDAP]
Shibboleth Role Provider
[Diagram: the Identity Provider & Attribute Authority (Shibboleth Origin) returns the user's Roles to the Service Provider (Shibboleth Target) on the Apache web-server; the Roles are passed in HTTP Headers to the PERMIS PDP, which pulls only the Policy from LDAP]
Benefits
• Powerful and flexible Policy
  • Role hierarchy
  • Constraints on Issuer
  • Fine granularity
  • Separation of Duties (DyCOM)
• With ACs
  • Relaxed security requirements for the Repository
  • Cross-certification and delegation (DyVOSE)
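The three Shibboleth modes above and the "Role hierarchy" and "Constraints on Issuer" benefits, as an added toy model of the PDP's decision path (not PERMIS code; the header names X-DN/X-ACs/X-Roles, the role@issuer AC encoding, the policy and the LDAP contents are all constructed for illustration):

```python
from dataclasses import dataclass

# Constructed policy, standing in for a PERMIS policy: a role hierarchy,
# per-role target/action permissions and the one SOA whose ACs are trusted.
TRUSTED_SOA = "cn=SOA,o=kent"                       # issuer constraint (constructed DN)
ROLE_HIERARCHY = {"Manager": ["Employee"], "Employee": []}
PERMISSIONS = {"Employee": {("files", "read")}, "Manager": {("orders", "sign")}}

@dataclass(frozen=True)
class RoleAC:
    role: str      # attribute value carried in the role assignment AC
    issuer: str    # DN of the SOA that signed it

# Constructed LDAP stand-in: ACs the PDP pulls in authentication-module mode.
# Mary holds a trusted Manager AC and an Admin AC from an untrusted issuer.
LDAP_ACS = {"cn=Mary,o=kent": [RoleAC("Manager", TRUSTED_SOA),
                               RoleAC("Admin", "cn=Rogue,o=evil")]}

def parse_acs(header):
    """AC-provider mode: ACs arrive as 'role@issuerDN;...' (constructed encoding)."""
    return [RoleAC(*item.split("@", 1)) for item in header.split(";") if item]

def roles_from_headers(headers, ldap=LDAP_ACS):
    """Map what Shibboleth put in the HTTP headers to the PDP's role set."""
    if "X-Roles" in headers:                # role-provider mode: IdP asserts roles
        return set(headers["X-Roles"].split(","))
    if "X-ACs" in headers:                  # AC-provider mode: ACs in headers
        acs = parse_acs(headers["X-ACs"])
    else:                                   # authentication-module mode: DN only
        acs = ldap.get(headers.get("X-DN"), [])
    # Issuer constraint: only ACs signed by the trusted SOA count, whichever
    # path they arrived by.
    return {ac.role for ac in acs if ac.issuer == TRUSTED_SOA}

def expand(roles):
    """Close the role set under the hierarchy: a Manager also holds Employee."""
    todo, held = list(roles), set()
    while todo:
        r = todo.pop()
        if r not in held:
            held.add(r)
            todo.extend(ROLE_HIERARCHY.get(r, []))
    return held

def pdp_decide(headers, target, action):
    """The PEP's decision request: granted only if a held role permits (target, action)."""
    held = expand(roles_from_headers(headers))
    return any((target, action) in PERMISSIONS.get(r, ()) for r in held)
```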
Globus Toolkit + PERMIS
[Diagram: the Client sends a service request to the Protected Service in the Grid Service Container (PEP); the PEP sends a SAML Request to the PERMIS AuthZ service, hosted in its own Grid Service Container, and receives a SAML Response]
PEP = Policy Enforcement Point
GT+PERMIS-2
[Diagram: the Client sends a service request to the Protected Service in the Grid Service Container (PEP), which consults the PERMIS PDP for the decision]
Questions, Please!
• http://sec.cs.kent.ac.uk/ (ISSRG web-site)
• http://www.openpermis.org/ (Open Source PERMIS)