1 / 16

SPOCP – general authorisation server

Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg <roland@catalogix.se>. SPOCP – general authorisation server. Outline – part1. SPOCP project SPOCP, how does it fit it How does it work SPOCP <-> SAML/XACML Project status. The SPOCP project.

wanda-pearson
Download Presentation

SPOCP – general authorisation server

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg <roland@catalogix.se> SPOCP – general authorisation server

  2. Outline – part1 • SPOCP project • SPOCP, how does it fit it • How does it work • SPOCP <-> SAML/XACML • Project status

  3. The SPOCP project • One year, ends May 31th 2003 • Relatively small budget, ~1 MSEK • Run by Umeå University • Partners in crime: * Stockholm University * Lund University * Uppsala University * Karolinska * SUNET * UNINETT * NYA & LpW

  4. How does it fit in ? • Middleware function the provides authorisation • Separate from authentication • Uses information resources

  5. Spocp rules/queries • Expressed as S-expressions • Fixed syntax, undefined semantics • S-expression can be ordered • One can test whether S-expression A is '<=' S-expression B

  6. S-expression • Am S-expression is either • A byte-strings ("octet-strings") or • A finite list of simpler S-expressions • A octet-string is a finite sequence of 8-bit octets • Example: • (certificate (issuer bob)(subject alice))

  7. Formal definition of the '<=' relation • If A = (X_1 X_2 ... X_m) and B = (Y_1 Y_2 ... Y_n) then A <= B if and only if n <= m and X_i <= Y_i for i = 1,...,n • Example: • (certificate (issuer bob morgan)(subject alice)) <= (certificate (issuer bob)(subject alice))

  8. Spocp Authorisation Decision • Given a authorisation Query (A). If there exists a rule (R) in the rule database such that A '<=' R then permission is granted. • By default everything is disallowed • Rules can only allow actions

  9. An objective comparision :-) SAML <-> Spocp

  10. XACML/SAML Data-flow

  11. Spocp Data-Flow

  12. XACML Rule • <?xml version="1.0" encoding="UTF-8"?> <rule ruleId="//medico.com/rules/rule1" effect="Permit" xmlns="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-schema-policy-12.xsd" xmlns:saml="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-schema-policy-12.xsd D:\MYDOCU~1\Standards\XACML\V12SCH~1\XACMLV~3.XSD"> <description>A person may read any record for which he or she is the designated patient</description> <target> <subjects> <saml:Attribute AttributeName="RFC822Name" AttributeNamespace="//medico.com"> <saml:AttributeValue>*</saml:AttributeValue> </saml:Attribute> </subjects> <resources> <saml:Attribute AttributeName="documentURI" AttributeNamespace="//medico.com"> <saml:AttributeValue>//medico.com/record.*</saml:AttributeValue> </saml:Attribute> </resources> <actions> <saml:Action>read</saml:Action> </actions> </target> <condition><equal> <saml:AttributeDesignator AttributeName="requestor" AttributeNamespace="//oasis-open.org/committees/xacml/docs/identifiers/"/> <saml:AttributeDesignator AttributeName="patientName" AttributeNamespace="//medico.com/record/patient/"/> </equal>

  13. Spocp Rule • (spocp (resource medico.com)(action read)(subject medico.com urn:spocp:equal:${patient}:${name}))

  14. SAML AuthorizationDecisionQuery • <?xml version="1.0" encoding="UTF-8"?> <Request RequestID="47823081" MajorVersion="0" MinorVersion="28" IssueInstant="2002-03-22T08:23:47-05:00" xmlns="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-28.xsd" xmlns="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-28.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-28.xsdD:\MYDOCU~1\Standards\XACML\V12SCH~1\draft-sstc-schema-protocol-28.xsd"> <AuthorizationDecisionQuery Resource="//medico.com/record/patient[@patientName/first='Bartholomew'][@patientName/last='Simpson']/patientDoB"><saml:Subject><saml:NameIdentifier NameQualifier="\\medico.com">Julius Hibbert</saml:NameIdentifier> </saml:Subject> <saml:Action>read</saml:Action> <saml:Evidence> <saml:Assertion AssertionID="64578390" Issuer="medico.com" IssueInstant="2002-03-08T08:23:47-05:00" MajorVersion="0" MinorVersion="28" xmlns="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd D:\MYDOCU~1\Standards\XACML\V10SCH~1\draft-sstc-schema-assertion-28.xsd"> <saml:AuthenticationStatement AuthenticationInstant="2002-03-08T08:23:45-05:00" AuthenticationMethod="http://www.oasis-open.org/committees/security/docs/draft-sstc-core-28/password-sha1"> <saml:Subject> <saml:NameIdentifier NameQualifier="\\medico.com">Julius Hibbert</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod>http://www.oasis-open.org/committees/security/docs/draft-sstc-core-24/artifact</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject> <saml:AuthenticationLocality IPAddress="217.57.95.242"/> </saml:AuthenticationStatement> </saml:Assertion> <saml:Assertion MajorVersion="0" MinorVersion="28" AssertionID="68938960" Issuer="medico.com" IssueInstant="2000-06- 15T15:02:39-05:00" xmlns="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd D:\MYDOCU~1\Standards\XACML\V10SCH~1\draft-sstc-schema-assertion-28.xsd"> <saml:AttributeStatement> <saml:Subject> <saml:NameIdentifier NameQualifier="\\medico.com">Julius Hibbert</saml:NameIdentifier> </saml:Subject> <saml:Attribute AttributeName="role" AttributeNamespace="//medico.com"> <saml:AttributeValue>physician</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </saml:Evidence> </AuthorizationDecisionQuery> </Request>

  15. SPOCP Query • (spocp (resource record medico.com (patient Bartholomeus Simson) patientDoB )(action read)(subject medico.com (name Julius Hibbert)))

  16. Project Status • Source code available • Two server implementations • Apache module (SAML/SOAP/HTTP) • Standalone (uses the SPOCP protocol) • Server as library • PAM module • Modified Exim • Documentation

More Related