Ocean Observatories Initiative Cyberinfrastructure Component. CI Design Workshop 17-19 October 2007. Core Interaction Patterns of an Identity Federation Framework. OASIS SAMLv2.0 Liberty Alliance ID-WSF2.0. Core Interaction Patterns of an Identity Federation Framework.
Ocean Observatories Initiative, Cyberinfrastructure Component
CI Design Workshop, 17-19 October 2007

Core Interaction Patterns of an Identity Federation Framework
OASIS SAML v2.0, Liberty Alliance ID-WSF 2.0

Core Interaction Patterns of an Identity Federation Framework
• Explore general interaction aspects
• Using interactions to integrate an architecture
• By example

Connectivities (COI-Core)
• Data Network: messages from and about interactions
• Control Network: realizes interactions for observations
• Process Network: plays and constrains interactions to plan

The Message "Object"
• Evolution of semantic richness
• Interaction: messages of Authn

The art of the coddle
• Bootstrapping
• Referrals
• Proxy
• Hiding
• Interaction: exchanges of Authn
Identity Federation Framework
• Identity-enabled …
• Privacy-respecting …
• Regulatory/Governance-tractable …
• Composable …
• Domain-cognizant …
• Dynamically-configurable …
• Resource-aware …
• Deployment-time extensible …
• Process-instantiating …
• Network services …
• Framework

Key Characteristics
• Identity as organizing principle
• Subject identification + [transient | persistent, opaque]
• Sharing identifiers across trust domains
• Confirming rights to authenticate
• Authentication context
• Discovery
• Interaction
• Attributes as first-class objects
• Privacy preferences and policies
• General application-level services framework
• Extensible metadata for description and verification
Liberty ID-WSF v2.0 http://projectliberty.org/liberty/specifications__1
OASIS SAML v2.0 Stylized from: http://projectliberty.org/liberty/specifications__1
SAML v2.0 context: assertion Subject
The Subject
• Subject's Identifier | implied
• SubjectConfirmation
  • Who are you to talk to me about this subject? … now?
  • You know what I want to hear
• Encryption options
• Extensible

SAML v2.0: Name Identifiers
The Principal
• Abstract and concrete types
• Extend your own
• Pair-wise semantics
• Peering mechanics
• Extensible typing (Format)
• Privacy-preserving
  • EncryptedID
  • Pseudonyms

SAML v2.0: Assertions
• Statements
  • From SAML authority
  • About the Subject (or application-implied Subject(s))
  • And other coordination (conditions, advice, encrypt)
  • Extensible
• Kinds of Statements from SAML authority about Subject:
  • Authentication Statement
  • Attribute Statement
  • Authorization Decision Statement
  • Statement (extension point)

SAML v2.0: Authentication Context
• Context Class or specific Context Declarations
• Data model:
  • Identification
  • Technical Protection
  • Operational Protection
  • Authentication Method
  • Governing Agreements
• Authentication Contexts, before your extensions:
  • IP, IP password, Kerberos, time sync token, XML Signature, X.509
  • mobile [one|two]-factor [contract|unregistered]
  • [authenticated] telephony, nomadic telephony, personal telephony
  • password-protected transport, SSL certificate, [secure remote] password
  • previous session, PGP, software PKI, SPKI, smartcard [PKI]
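The four slides above (Subject and SubjectConfirmation, pair-wise pseudonymous Name Identifiers, Assertions and their Statements, and Authentication Context) fit together in one assertion. The following is an added example, not code from the workshop deck or from any SAML product: an identity provider builds a SAML v2.0 assertion with a pair-wise persistent (or transient) NameID, a bearer SubjectConfirmation, audience and time Conditions, an AuthnStatement carrying an AuthnContextClassRef, and an AttributeStatement; a relying party then checks the parts it must trust. The entity IDs, the HMAC key, the attribute values and the fixed timestamp are constructed for the demo, and verification of the XML Signature over the assertion is assumed to have happened before validate_assertion is called.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
S = "{%s}" % SAML_NS  # Clark-notation prefix for element names
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

IDP = "https://idp.example.org"            # constructed entity ID of the SAML authority
SP = "https://sp.example.org"              # constructed entity ID of the relying party
PAIRWISE_KEY = b"constructed-demo-key"     # IdP secret; constructed, not a real key
DEMO_NOW = datetime(2007, 10, 17, 12, 0, tzinfo=timezone.utc)  # constructed clock

def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pairwise_persistent_id(local_uid, sp_entity_id):
    """Opaque persistent pseudonym with pair-wise semantics: stable for one
    (user, SP) pair, unlinkable across SPs because the SP ID is in the MAC input."""
    msg = f"{local_uid}|{sp_entity_id}".encode()
    return hmac.new(PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()

def transient_id():
    """One-time identifier: nothing to correlate across sessions."""
    return "_" + secrets.token_hex(16)

def build_assertion(local_uid, sp_entity_id, authn_class, attrs, now=None, persistent=True):
    """IdP side: assertion with Subject, bearer confirmation, Conditions,
    AuthnStatement (context class) and AttributeStatement. Unsigned here."""
    now = now or datetime.now(timezone.utc)
    expiry = iso(now + timedelta(minutes=5))
    a = ET.Element(S + "Assertion", ID="_" + secrets.token_hex(16),
                   Version="2.0", IssueInstant=iso(now))
    ET.SubElement(a, S + "Issuer").text = IDP
    subj = ET.SubElement(a, S + "Subject")
    nid = ET.SubElement(subj, S + "NameID", Format=FMT_PERSISTENT if persistent else FMT_TRANSIENT)
    nid.text = pairwise_persistent_id(local_uid, sp_entity_id) if persistent else transient_id()
    sc = ET.SubElement(subj, S + "SubjectConfirmation", Method=CM_BEARER)
    ET.SubElement(sc, S + "SubjectConfirmationData", Recipient=sp_entity_id, NotOnOrAfter=expiry)
    cond = ET.SubElement(a, S + "Conditions", NotBefore=iso(now), NotOnOrAfter=expiry)
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = sp_entity_id
    st = ET.SubElement(a, S + "AuthnStatement", AuthnInstant=iso(now))
    ET.SubElement(ET.SubElement(st, S + "AuthnContext"), S + "AuthnContextClassRef").text = authn_class
    att = ET.SubElement(a, S + "AttributeStatement")
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(att, S + "Attribute", Name=name), S + "AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")

def validate_assertion(xml_text, my_entity_id, accepted_classes, now=None):
    """Relying-party side. Returns (ok, reason, (format, name_id) or None, attrs).
    Assumes the enclosing XML Signature was already verified against IdP metadata."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP:
        return False, "untrusted issuer", None, {}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_iso(cond.get("NotBefore")) <= now < parse_iso(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", None, {}
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "audience mismatch", None, {}
    # "Who are you to talk to me about this subject? ... now?": bearer confirmation
    # must name this SP as Recipient and must not have expired.
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if (sc is None or sc.get("Method") != CM_BEARER or scd is None
            or scd.get("Recipient") != my_entity_id or now >= parse_iso(scd.get("NotOnOrAfter"))):
        return False, "subject confirmation failed", None, {}
    klass = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if klass not in accepted_classes:
        return False, "authentication context not accepted", None, {}
    nid = a.find("saml:Subject/saml:NameID", NS)
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", (nid.get("Format"), nid.text), attrs

def demo():
    """Four scenarios at a fixed clock; returns the reason string of each."""
    xml = build_assertion("alice", SP, AC_PASSWORD_PT, {"role": "observer"}, now=DEMO_NOW)
    fresh = validate_assertion(xml, SP, [AC_PASSWORD_PT], now=DEMO_NOW + timedelta(minutes=1))
    stale = validate_assertion(xml, SP, [AC_PASSWORD_PT], now=DEMO_NOW + timedelta(minutes=10))
    wrong_sp = validate_assertion(xml, "https://other.example.org", [AC_PASSWORD_PT],
                                  now=DEMO_NOW + timedelta(minutes=1))
    weak = build_assertion("alice", SP, AC_PASSWORD, {}, now=DEMO_NOW)
    weak_ctx = validate_assertion(weak, SP, [AC_PASSWORD_PT], now=DEMO_NOW + timedelta(minutes=1))
    return {"fresh": fresh, "stale": stale[1], "wrong_sp": wrong_sp[1], "weak_ctx": weak_ctx[1]}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The relying party decides which AuthnContextClassRef values it accepts, so the same assertion is usable by one SP and rejected by another that requires a stronger context; the pair-wise NameID means those two SPs also cannot join their records on the identifier alone.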
SAML v2.0: Protocols*
• Statements
  • From SAML authority
  • About the Subject (or application-implied Subject(s))
  • And other coordination (conditions, advice, encrypt)
  • Extensible
• Kinds of Statements from SAML authority about Subject:
  • Authentication Statement
  • Attribute Statement
  • Authorization Decision Statement
  • Statement (extension point)
* and Bindings, and Profiles
Liberty ID-WSF v2.0 http://projectliberty.org/liberty/specifications__1
Modern Authentication Architectures
• General interaction architectures
• Decorated for identity
• Attractive for specialization
  • At level of message exchange, and
  • At level of message object

Core Interaction Patterns of an Identity Federation Framework
• Explore general interaction aspects
• Using interactions to integrate an architecture
• By example