SPOCP – general authorisation server - PowerPoint PPT Presentation

Presentation at tf aace meeting in stockholm 26 nov 2002 roland hedberg roland@catalogix se
1 / 16

  • Uploaded on
  • Presentation posted in: General

Presentation at TF-aace meeting in Stockholm 26 nov 2002 Roland Hedberg <roland@catalogix.se>. SPOCP – general authorisation server. Outline – part1. SPOCP project SPOCP, how does it fit it How does it work SPOCP <-> SAML/XACML Project status. The SPOCP project.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

SPOCP – general authorisation server

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Presentation at tf aace meeting in stockholm 26 nov 2002 roland hedberg roland@catalogix se

Presentation at TF-aace meeting in Stockholm

26 nov 2002

Roland Hedberg <roland@catalogix.se>

SPOCP – general authorisation server

Outline part1

Outline – part1

  • SPOCP project

  • SPOCP, how does it fit it

  • How does it work


  • Project status

The spocp project

The SPOCP project

  • One year, ends May 31th 2003

  • Relatively small budget, ~1 MSEK

  • Run by Umeå University

  • Partners in crime:

    * Stockholm University* Lund University

    * Uppsala University* Karolinska


    * NYA & LpW

How does it fit in

How does it fit in ?

  • Middleware function the provides authorisation

  • Separate from authentication

  • Uses information resources

Spocp rules queries

Spocp rules/queries

  • Expressed as S-expressions

    • Fixed syntax, undefined semantics

  • S-expression can be ordered

    • One can test whether S-expression A is '<=' S-expression B

S expression


  • Am S-expression is either

    • A byte-strings ("octet-strings") or

    • A finite list of simpler S-expressions

  • A octet-string is a finite sequence of 8-bit octets

  • Example:

    • (certificate (issuer bob)(subject alice))

Formal definition of the relation

Formal definition of the '<=' relation

  • If A = (X_1 X_2 ... X_m) and B = (Y_1 Y_2 ... Y_n) then A <= B if and only if n <= m and X_i <= Y_i for i = 1,...,n

  • Example:

    • (certificate (issuer bob morgan)(subject alice)) <= (certificate (issuer bob)(subject alice))

Spocp authorisation decision

Spocp Authorisation Decision

  • Given a authorisation Query (A). If there exists a rule (R) in the rule database such that A '<=' R then permission is granted.

  • By default everything is disallowed

  • Rules can only allow actions

An objective comparision

An objective comparision :-)

SAML <-> Spocp

Xacml saml data flow

XACML/SAML Data-flow

Spocp data flow

Spocp Data-Flow

Xacml rule


  • <?xml version="1.0" encoding="UTF-8"?> <rule ruleId="//medico.com/rules/rule1" effect="Permit" xmlns="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-schema-policy-12.xsd" xmlns:saml="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-schema-policy-12.xsd D:\MYDOCU~1\Standards\XACML\V12SCH~1\XACMLV~3.XSD"> <description>A person may read any record for which he or she is the designated patient</description> <target> <subjects> <saml:Attribute AttributeName="RFC822Name" AttributeNamespace="//medico.com"> <saml:AttributeValue>*</saml:AttributeValue> </saml:Attribute> </subjects> <resources> <saml:Attribute AttributeName="documentURI" AttributeNamespace="//medico.com"> <saml:AttributeValue>//medico.com/record.*</saml:AttributeValue> </saml:Attribute> </resources> <actions> <saml:Action>read</saml:Action> </actions> </target> <condition><equal> <saml:AttributeDesignator AttributeName="requestor" AttributeNamespace="//oasis-open.org/committees/xacml/docs/identifiers/"/> <saml:AttributeDesignator AttributeName="patientName" AttributeNamespace="//medico.com/record/patient/"/> </equal>

Spocp rule

Spocp Rule

  • (spocp (resource medico.com)(action read)(subject medico.com urn:spocp:equal:${patient}:${name}))

Saml authorizationdecisionquery

SAML AuthorizationDecisionQuery

  • <?xml version="1.0" encoding="UTF-8"?> <Request RequestID="47823081" MajorVersion="0" MinorVersion="28" IssueInstant="2002-03-22T08:23:47-05:00" xmlns="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-28.xsd" xmlns="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-28.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-28.xsdD:\MYDOCU~1\Standards\XACML\V12SCH~1\draft-sstc-schema-protocol-28.xsd"> <AuthorizationDecisionQuery Resource="//medico.com/record/patient[@patientName/first='Bartholomew'][@patientName/last='Simpson']/patientDoB"><saml:Subject><saml:NameIdentifier NameQualifier="\\medico.com">Julius Hibbert</saml:NameIdentifier> </saml:Subject> <saml:Action>read</saml:Action> <saml:Evidence> <saml:Assertion AssertionID="64578390" Issuer="medico.com" IssueInstant="2002-03-08T08:23:47-05:00" MajorVersion="0" MinorVersion="28" xmlns="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd D:\MYDOCU~1\Standards\XACML\V10SCH~1\draft-sstc-schema-assertion-28.xsd"> <saml:AuthenticationStatement AuthenticationInstant="2002-03-08T08:23:45-05:00" AuthenticationMethod="http://www.oasis-open.org/committees/security/docs/draft-sstc-core-28/password-sha1"> <saml:Subject> <saml:NameIdentifier NameQualifier="\\medico.com">Julius Hibbert</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod>http://www.oasis-open.org/committees/security/docs/draft-sstc-core-24/artifact</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject> <saml:AuthenticationLocality IPAddress=""/> </saml:AuthenticationStatement> </saml:Assertion> <saml:Assertion MajorVersion="0" MinorVersion="28" AssertionID="68938960" Issuer="medico.com" IssueInstant="2000-06- 15T15:02:39-05:00" xmlns="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis- open.org/committees/security/docs/draft-sstc-schema-assertion-28.xsd D:\MYDOCU~1\Standards\XACML\V10SCH~1\draft-sstc-schema-assertion-28.xsd"> <saml:AttributeStatement> <saml:Subject> <saml:NameIdentifier NameQualifier="\\medico.com">Julius Hibbert</saml:NameIdentifier> </saml:Subject> <saml:Attribute AttributeName="role" AttributeNamespace="//medico.com"> <saml:AttributeValue>physician</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </saml:Evidence> </AuthorizationDecisionQuery> </Request>

Spocp query


  • (spocp (resource record medico.com (patient Bartholomeus Simson) patientDoB )(action read)(subject medico.com (name Julius Hibbert)))

Project status

Project Status

  • Source code available

    • Two server implementations

      • Apache module (SAML/SOAP/HTTP)

      • Standalone (uses the SPOCP protocol)

    • Server as library

    • PAM module

    • Modified Exim

    • Documentation

  • Login