Identity Management and Access Control. Mehregan Mahdavi, Assistant Professor, Department of Computer Engineering, University of Guilan, mahdavi@guilan.ac.ir
Table of Contents • Introduction to Authentication • Centralized Identity Management • Single Sign On • Federated Identity Management • SAML • Shibboleth • Conclusion
Introduction • Authentication means verifying that a claimed attribute of an entity is true; the entity may be a person or a program. • Token-based: built on the question "What do you have?" (key card, bank card, smart card) • Biometric: built on the question "Who are you?" • Knowledge-based: built on the question "What do you know?" (textual, graphical)
Identity Management • Institutions run many different systems, e.g. email, finance, student portal, etc. • Identity management is currently often fragmented across several directories or databases.
[Diagram: fragmented identity management at an institution. Systems shown: eDir, Finance System, Student Portal, Web AuthN, Mail, Calendar, SunOne eDir, Password Management (Forgot password, Helpdesk, Printer service), Oracle People Data System.]
[Diagram: the same systems, with Sync and Password links drawn between the directories.]
Solutions • Same Sign On (one user ID and password used across all systems) • Key Ring • Single Sign On
Single Sign-On: Implementation • Use one central directory for authentication • Authenticate users against this central directory • Determine each user's permissions from that user's credentials
Single Sign-On: Implementation • Question: how does Single Sign On work across several organizations? • Use SAML (Security Assertion Markup Language)
SAML • Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). • SAML is a product of the OASIS Security Services Technical Committee. • SAML assumes the principal (often a user) has enrolled with at least one identity provider. This identity provider is expected to provide local authentication services to the principal.
SAML Assertions • <saml:Assertion ...> ... </saml:Assertion> • SAML assertions are usually transferred from identity providers to service providers. • Assertions contain statements that service providers use to make access-control decisions. • Three types of statements are provided by SAML: authentication statements, attribute statements, and authorization decision statements.
SAML Assertions • Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. • An attribute statement asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions. • An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited; more advanced use cases are encouraged to use XACML instead.
XACML (eXtensible Access Control Markup Language) • An Attribute Based Access Control system (ABAC) • Attributes associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way. • Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.
Shibboleth • Shibboleth is an Internet2 Middleware Initiative project • An architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on SAML • Federated identity allows information about users in one security domain to be provided to other organizations in a federation • This allows cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. • Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.
XML
<bibliography>
  <paper ID="object-fusion">
    <authors>
      <author>Y. Papakonstantinou</author>
      <author>S. Abiteboul</author>
      <author>H. Garcia-Molina</author>
    </authors>
    <fullPaper source="fusion"/>
    <title>Object Fusion in Mediator Systems</title>
    <booktitle>VLDB 96</booktitle>
  </paper>
</bibliography>
Advantages of XML • Human-readable • Machine-readable • Standard format for data interchange • Possible to validate • Extensible • can represent any data • can add new tags for new data formats
Well-Formed vs. Valid • Well-Formed: Structure follows XML syntax rules • Valid: Structure conforms to a DTD
Adding Structure and Semantics • XML Document Type Definitions (DTDs) • XML Schema • defines structure and data types • allows developers to build their own libraries of interchanged data types
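As an added example (not from the slides) of the well-formed vs. valid distinction applied to the bibliography document above, in Python; the DTD-like content model is constructed here, since the slides show no DTD, and the two bad inputs are constructed as well:

```python
# Added example, not from the slides: "well-formed" vs "valid" for the bibliography
# document above. The parser checks well-formedness; validity is checked against a
# content model written as a small dict standing in for a DTD (constructed; the slides show none).
import xml.etree.ElementTree as ET

# DTD-like content model: element -> ordered (child, occurrence); "1" exactly one, "+" one or more, "*" any number.
MODEL = {
    "bibliography": [("paper", "*")],
    "paper": [("authors", "1"), ("fullPaper", "1"), ("title", "1"), ("booktitle", "1")],
    "authors": [("author", "+")],
    "author": [], "fullPaper": [], "title": [], "booktitle": [],
}

def is_well_formed(text):
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False

def validate(elem):
    """Return a list of content-model violations (empty means the subtree is valid)."""
    if elem.tag not in MODEL:
        return [f"unexpected element <{elem.tag}>"]
    errors, kids = [], list(elem)
    for child, occ in MODEL[elem.tag]:
        n = 0
        while kids and kids[0].tag == child:      # consume the run of matching children
            errors += validate(kids.pop(0))
            n += 1
        if (occ == "1" and n != 1) or (occ == "+" and n < 1):
            errors.append(f"<{elem.tag}> needs {occ} <{child}>, found {n}")
    errors += [f"<{elem.tag}> has unexpected child <{k.tag}>" for k in kids]
    return errors

def violations(text):
    return validate(ET.fromstring(text))

def is_valid(text):
    return is_well_formed(text) and violations(text) == []

# Constructed inputs: the slide's document, one that is not well-formed, and one
# that is well-formed but breaks the model (a paper with no title).
GOOD = """<bibliography><paper ID="object-fusion"><authors><author>Y. Papakonstantinou</author>
<author>S. Abiteboul</author><author>H. Garcia-Molina</author></authors><fullPaper source="fusion"/>
<title>Object Fusion in Mediator Systems</title><booktitle>VLDB 96</booktitle></paper></bibliography>"""
NOT_WELL_FORMED = "<bibliography><paper><title>unclosed</paper></bibliography>"
WELL_FORMED_NOT_VALID = """<bibliography><paper ID="x"><authors><author>A</author></authors>
<fullPaper source="x"/><booktitle>VLDB 96</booktitle></paper></bibliography>"""
```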
Conclusion • Centralized identity management can reduce many of the problems of maintaining multiple usernames and passwords • An identity management mechanism is needed in applications such as sharing digital data and the like • SAML is a mechanism for identity management • Shibboleth is an implementation of SAML
Thank you! ???