Bindings and Profiles for Attribute-based Authz in the Grid

    Presentation Transcript
    1. Bindings and Profiles for Attribute-based Authz in the Grid
    Tom Scavo, trscavo@ncsa.uiuc.edu, NCSA

    2. Overview
    • Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x
    • Metadata Extension for SAML V2.0 and V1.x Query Requesters
    • SAML V1.1 Profiles for X.509 Subjects
    • SAML V2.0 Profiles for X.509 Subjects
    • X.509 Binding for SAML
    • X.509 Attribute-based Authorization Profile for SAML
    • BONUS! Level of Assurance Attribute!

    3. Metadata Profile for SAML V1.x
    • SAML V2.0 includes a Metadata Profile
    • The Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x profiles the use of SAML V2.0 metadata with SAML V1.x entities
    • Document is in final stages of pipeline
    • Shibboleth V1.3 (or later) supports SAML V1.x metadata

    4. Metadata for Query Requesters
    • GridShib use cases, for example, are rife with the notion of standalone attribute requesters
    • The Metadata Extension for SAML V2.0 and V1.x Query Requesters profiles the use of SAML metadata with standalone query requesters
    • Document is in final stages of pipeline
    • Shibboleth V1.3 (or later) supports metadata for a SAML V1.x attribute requester
    • It’s not clear whether Shibboleth V2.0 will support a SAML V2.0 attribute requester

    5. SAML Profiles for X.509 Subjects
    • Two profile sets have been submitted to the OASIS Security Services TC:
      • SAML V1.1 Profiles for X.509 Subjects
        http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
      • SAML V2.0 Profiles for X.509 Subjects
        http://www.oasis-open.org/committees/document.php?document_id=20000&wg_abbrev=security
    • Comments are welcome!
      http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

    6. SAML V1.1 Profiles
    • The SAML V1.1 profile set consists of four layered profiles for X.509 subjects:
      • X.509 SAML Subject Profile
      • SAML Assertion Profile for X.509 Subjects
      • SAML Attribute Query Profile for X.509 Subjects
      • SAML Attribute Self-Query Profile for X.509 Subjects
    • Document is brand new and not vetted

    7. X.509 SAML Subject Profile
    • The X.509 SAML Subject Profile specifies a <saml:Subject> element:
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
            C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
          </saml:NameIdentifier>
        </saml:Subject>
    • The DN SHOULD be in RFC 2253 format
    • The NameQualifier attribute SHOULD be omitted

    8. X.509 SAML Subject Profile
    • From the profile:
      • “This profile specifies a SAML V1.1 <saml:Subject> element that represents a principal who has been issued an X.509 certificate.”
      • “An entity that produces a <saml:Subject> element according to this profile MUST have previously determined that the principal does in fact possess the corresponding private key.”

    9. SAML Assertion Profile
    • The SAML Assertion Profile for X.509 Subjects is a very general profile for SAML V1.1 assertions based on the X.509 SAML Subject Profile
    • The number of SAML statements per assertion is arbitrary, but
    • Each pair of <saml:Subject> elements MUST very strongly match (for all practical purposes, they must be identical)
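The following Python is an added example, not part of the slides or of the profile documents: it builds a <saml:Subject> in the form slide 7 specifies and checks the rules of slides 7 and 9 (X509SubjectName format, an RFC 2253 DN, no NameQualifier, and identical subjects across all statements of one assertion). The RFC 2253 shape check is a constructed heuristic, and the sample assertion is constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Loose RFC 2253 shape check (constructed heuristic, not a full parser):
# "type=value" RDNs separated by commas, backslash escapes allowed in values.
_RDN = r"[A-Za-z][A-Za-z0-9.-]*=(?:\\.|[^,\\])+"
_RFC2253 = re.compile(rf"^{_RDN}(?:,\s*{_RDN})*$")

def subject_from_dn(rfc2253_dn):
    """Build a <saml:Subject> as the profile specifies: X509SubjectName
    format, the RFC 2253 DN as element text, and no NameQualifier."""
    subject = ET.Element(f"{{{SAML1}}}Subject")
    nameid = ET.SubElement(subject, f"{{{SAML1}}}NameIdentifier",
                           Format=X509_SUBJECT_NAME)
    nameid.text = rfc2253_dn
    return subject

def check_subject(subject):
    """Return the profile violations found in one <saml:Subject> (empty = OK)."""
    nameid = subject.find(f"{{{SAML1}}}NameIdentifier")
    if nameid is None:
        return ["missing NameIdentifier"]
    problems = []
    if nameid.get("Format") != X509_SUBJECT_NAME:
        problems.append("Format is not X509SubjectName")
    if nameid.get("NameQualifier") is not None:
        problems.append("NameQualifier SHOULD be omitted")
    if not _RFC2253.match((nameid.text or "").strip()):
        problems.append("DN is not in RFC 2253 form")
    return problems

def subjects_strongly_match(assertion_xml):
    """Slide 9 rule: every <saml:Subject> in the assertion must be identical
    for practical purposes, i.e. same Format and same whitespace-trimmed DN."""
    keys = set()
    for subj in ET.fromstring(assertion_xml).iter(f"{{{SAML1}}}Subject"):
        nameid = subj.find(f"{{{SAML1}}}NameIdentifier")
        if nameid is None:
            return False
        keys.add((nameid.get("Format"), (nameid.text or "").strip()))
    return len(keys) == 1

# Constructed two-statement assertion whose second subject differs by one RDN.
MISMATCHED = f"""<saml:Assertion xmlns:saml="{SAML1}">
 <saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="{X509_SUBJECT_NAME}"> C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu </saml:NameIdentifier></saml:Subject></saml:AttributeStatement>
 <saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="{X509_SUBJECT_NAME}"> C=US, O=NCSA-TEST, OU=Admin, CN=trscavo@uiuc.edu </saml:NameIdentifier></saml:Subject></saml:AttributeStatement>
</saml:Assertion>"""
```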

    10. SAML Assertion Profile
    • Excerpt from the profile:
      • “The SAML Assertion Profile for X.509 Subjects describes how a SAML V1.1 assertion regarding a principal who has been issued an X.509 certificate is produced.”
    • Holder-of-key subject confirmation is optional but tied to the X.509 certificate

    11. SAML Attribute Query Profile
    • The SAML Attribute Query Profile for X.509 Subjects specifies how a service provider and an identity provider exchange attributes about a principal who has been issued an X.509 certificate
    • This profile relies on the X.509 SAML Subject Profile and the SAML Assertion Profile for X.509 Subjects

    12. SAML Attribute Query Profile

    13. SAML Attribute Query
    • SAML V1.1 doesn’t provide much guidance re attribute query
    • A standard Shibboleth attribute query is profiled:
        <samlp:Request ...>
          <samlp:AttributeQuery ...>
            <saml:Subject>...</saml:Subject>
            <saml:AttributeDesignator .../>
            ...
          </samlp:AttributeQuery>
        </samlp:Request>

    14. Attribute Query Response
        <samlp:Response ...>
          <samlp:Status>...</samlp:Status>
          <saml:Assertion ...>
            <saml:Conditions NotBefore="2006-07-17T22:21:41Z" NotOnOrAfter="2006-07-17T22:51:41Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>...</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
              <saml:Subject>...</saml:Subject>
              <saml:Attribute ...>
                <saml:AttributeValue ...>
                  ...
                </saml:AttributeValue>
              </saml:Attribute>
              ...
            </saml:AttributeStatement>
          </saml:Assertion>
        </samlp:Response>

    15. SAML Attribute Self-Query Profile
    • The SAML Attribute Self-Query Profile for X.509 Subjects specifies how a principal who has been issued an X.509 certificate self-queries an identity provider for attributes
    • This profile extends the SAML Attribute Query Profile for X.509 Subjects
    • A driving use case for self-query is caBIG Dorian

    16. SAML Attribute Self-Query Profile

    17. Attribute Self-Query Response
        <saml:Assertion ...>
          <!-- assertion lifetime constrained by X.509 -->
          <saml:Conditions ...>
            <!-- no AudienceRestrictionCondition -->
          </saml:Conditions>
          <saml:AuthenticationStatement ...>
            <saml:Subject>...</saml:Subject>
          </saml:AuthenticationStatement>
          <saml:AttributeStatement>
            <saml:Subject>...</saml:Subject>
            <saml:Attribute ...>
              <saml:AttributeValue ...>
                ...
              </saml:AttributeValue>
            </saml:Attribute>
            ...
          </saml:AttributeStatement>
          <ds:Signature>...</ds:Signature>
        </saml:Assertion>

    18. Subject of Self-Query
    • The <saml:Subject> of a self-query uses holder-of-key:
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
            C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
          </saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>
              urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
            </saml:ConfirmationMethod>
            <saml:SubjectConfirmationData>
              <ds:KeyInfo>
                <ds:X509Data>
                  <!-- principal's X.509 cert -->
                  <ds:X509Certificate>
                    ...
                  </ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>
        </saml:Subject>
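An added example, not from the slides or from GridShib, of the checks a relying party applies to the self-query response of slides 17 and 18 once the signature has been verified: the Conditions window must cover the current time and lie inside the certificate's validity, there must be no AudienceRestrictionCondition, and the holder-of-key certificate must be the one the principal presented. The certificate is a constructed stand-in byte string; saml_time and validate_self_query_assertion are this example's own names.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

def saml_time(s):
    """Parse the UTC dateTime form used on the slides, e.g. 2006-07-17T22:21:41Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_self_query_assertion(assertion_xml, now, cert_der, cert_not_before, cert_not_after):
    """Relying-party checks on a self-query response assertion; returns the list of
    violations (empty = acceptable). The XML signature is assumed to have been
    verified before this is called; that step is outside this function."""
    a = ET.fromstring(assertion_xml)
    problems = []
    cond = a.find(f"{{{SAML1}}}Conditions")
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, na = saml_time(cond.get("NotBefore")), saml_time(cond.get("NotOnOrAfter"))
        if not (nb <= now < na):
            problems.append("assertion not valid at current time")
        if nb < cert_not_before or na > cert_not_after:  # lifetime constrained by X.509
            problems.append("assertion lifetime exceeds certificate validity")
        if cond.find(f"{{{SAML1}}}AudienceRestrictionCondition") is not None:
            problems.append("self-query assertion must not be audience-restricted")
    for subj in a.iter(f"{{{SAML1}}}Subject"):
        method = subj.findtext(f"{{{SAML1}}}SubjectConfirmation/{{{SAML1}}}ConfirmationMethod", "")
        b64 = subj.findtext(f".//{{{DS}}}X509Certificate", "")
        if method.strip() != HOLDER_OF_KEY:
            problems.append("subject confirmation is not holder-of-key")
        elif base64.b64decode("".join(b64.split())) != cert_der:
            problems.append("holder-of-key certificate is not the presented certificate")
    return problems

# Constructed sample; a stand-in byte string plays the DER-encoded certificate.
CERT_DER = b"constructed stand-in for the principal's DER-encoded X.509 certificate"
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML1}" xmlns:ds="{DS}">
 <saml:Conditions NotBefore="2006-07-17T22:21:41Z" NotOnOrAfter="2006-07-17T22:51:41Z"/>
 <saml:AttributeStatement><saml:Subject>
  <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</saml:NameIdentifier>
  <saml:SubjectConfirmation><saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
   <saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
  </saml:SubjectConfirmation></saml:Subject>
 </saml:AttributeStatement>
</saml:Assertion>"""
```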

    19. SAML V2.0 Profiles
    • Likewise the SAML V2.0 profile set consists of four sub-profiles:
      • X.509 SAML Subject Profile
      • SAML Assertion Profile for X.509 Subjects
      • SAML Attribute Query Profile for X.509 Subjects
      • SAML Attribute Self-Query Profile for X.509 Subjects
    • Significant difference is encryption

    20. Revision History
    • SAML V2.0 profiles have a long history:
      • Draft-01, 22 Jun 2004
      • Draft-02, 03 Feb 2005
      • Draft-07, 23 May 2005
      • CD-01, 01 Jun 2005
      • Draft-08, 14 Mar 2006
      • CD-02, 28 Mar 2006
      • Draft-09, 26 Jun 2006
      • Draft-10, 05 Jul 2006
      • Draft-11, 24 Aug 2006

    21. X.509 Binding for SAML
    • An ASN.1 SEQUENCE of <saml:Assertion> elements at a well-known, non-critical X.509 v3 certificate extension
    • This profile is a work in progress (but it won’t be an OASIS profile)
    [Figure: certificate extension containing <Assertion> … </Assertion>]
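An added example, not the binding's own code: a minimal DER encoder and strict decoder for the extension value as a SEQUENCE OF UTF8String, one string per bound assertion. Encoding each assertion as a UTF8String is this example's assumption, the extension OID (not given on the slides) is not modelled, and the sample assertions are constructed and abbreviated.

```python
def _der_len(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def encode_bound_assertions(assertions):
    """Extension value: SEQUENCE (0x30) OF UTF8String (0x0C), one per assertion
    (UTF8String as the member type is this example's assumption)."""
    return _der_tlv(0x30, b"".join(_der_tlv(0x0C, a.encode("utf-8")) for a in assertions))

def _read_tlv(buf, pos):
    """Read one TLV at pos, rejecting non-DER length forms; returns (tag, content, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        lb = buf[pos:pos + n]
        if n == 0 or n > 4 or len(lb) != n:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(lb, "big")
        if lb[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_bound_assertions(ext_value):
    # Inverse of encode_bound_assertions; any structural deviation is an error.
    tag, content, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(content):
        tag, item, pos = _read_tlv(content, pos)
        if tag != 0x0C:
            raise ValueError("SEQUENCE member is not a UTF8String")
        out.append(item.decode("utf-8"))
    return out

# Constructed sample: a self-issued and a third-party (Shib-issued) assertion, abbreviated.
SAMPLE_ASSERTIONS = ["<saml:Assertion><!-- self-issued -->...</saml:Assertion>",
                     "<saml:Assertion><!-- Shib-issued -->...</saml:Assertion>"]
```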

    22. X.509 Attribute-based Authz
    • Goal: Use SAML Assertion Profile and X.509 Binding to profile attribute push
    • Distinguish between two types of bound attribute assertions:
      • Self-issued assertions
      • Third-party assertions (e.g., Shib-issued)
    • https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/X509BindingSAML

    23. Bound Assertion Example
        <!-- shib-enabled community portal -->
        <saml:Assertion ...>
          <saml:Conditions ...>...</saml:Conditions>
          <saml:Advice>
            <!-- attribute assertion obtained from campus Shib AA -->
            <saml:Assertion ...>...</saml:Assertion>
            <!-- authn assertion obtained from campus Shib IdP (if available) -->
            <saml:Assertion ...>...</saml:Assertion>
          </saml:Advice>
          <!-- community attributes -->
          <saml:AttributeStatement ...>
            <!-- the subject of this proxy -->
            <saml:Subject>...</saml:Subject>
            ...
          </saml:AttributeStatement>
        </saml:Assertion>

    24. MACE-Dir LoA Attribute
    • MACE-Dir is profiling use of the authnLoa attribute in conjunction with usPerson
    • Proposed SAML binding:
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
            x500:Encoding="LDAP"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oid:..."
            FriendlyName="authnLOA">
          <saml:AttributeValue xsi:type="xs:anyURI">
            ...
          </saml:AttributeValue>
        </saml:Attribute>
    • Legal attribute values are per federation

    25. E-Auth LoA Values
    • For the E-Authentication Program, the recommended initial set of values is:
      • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-1
      • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-2
      • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-3
      • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-4
      • http://www.cio.gov/eauthentication/usperson/authnloa#test
    • InCommon values have not been proposed
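An added example, not MACE-Dir's or E-Auth's code: a fail-closed consumer of the authnLOA attribute in the binding of slide 24 that rejects values outside the federation's legal set (slide 25's E-Auth set here) and compares the asserted NIST SP 800-63 level against a required one. The attribute OID, elided on slide 24, is a labelled placeholder, and the sample attribute is constructed.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EAUTH = "http://www.cio.gov/eauthentication/usperson/authnloa#"
# Slide 24 elides the attribute's OID; a labelled placeholder stands in for it.
AUTHN_LOA_NAME = "urn:oid:PLACEHOLDER-authnLOA-OID"
# Slide 25's E-Auth set mapped to NIST SP 800-63 levels. Legal values are per
# federation, so a deployment swaps in its own table. "#test" is legal but
# deliberately maps to level 0 so it can never satisfy a real requirement.
EAUTH_LEVELS = {f"{EAUTH}nist-sp-800-63-{n}": n for n in (1, 2, 3, 4)}
EAUTH_LEVELS[f"{EAUTH}test"] = 0

def meets_required_loa(attribute_xml, required_level, legal_values=EAUTH_LEVELS):
    """Fail-closed LoA check on one <saml:Attribute>: the attribute must be
    authnLOA, every value must be legal in this federation, and the weakest
    asserted level (an ambiguous multi-valued attribute is read conservatively)
    must reach required_level. Returns (ok, reason)."""
    attr = ET.fromstring(attribute_xml)
    if attr.get("Name") != AUTHN_LOA_NAME:
        return False, "not the authnLOA attribute"
    values = [(v.text or "").strip() for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
    if not values:
        return False, "no LoA value asserted"
    unknown = sorted(v for v in values if v not in legal_values)
    if unknown:
        return False, f"value(s) not legal in this federation: {unknown}"
    level = min(legal_values[v] for v in values)
    if level < required_level:
        return False, f"asserted LoA {level} is below required LoA {required_level}"
    return True, f"LoA {level}"

# Constructed sample in the slide 24 binding, asserting NIST SP 800-63 level 3.
SAMPLE_ATTRIBUTE = f"""<saml:Attribute xmlns:saml="{SAML2}"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
    x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="{AUTHN_LOA_NAME}" FriendlyName="authnLOA">
  <saml:AttributeValue xsi:type="xs:anyURI">{EAUTH}nist-sp-800-63-3</saml:AttributeValue>
</saml:Attribute>"""
```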