
Introduction to WS Authorization

This introduction provides an overview of WS Authorization, including its steps, security token acquisition, SAML, and its role in firewall authorization. It also explores how authorization works with other services and provides a code example using SAML.





Presentation Transcript


  1. Introduction to WS Authorization Brian P. Barrett

  2. Authorization • WS-Authorization – Complete? • Steps of Authorization • Security Token Acquisition • SAML • Authorization in Firewall • Map of Authorization • Authorization in Code • References

  3. Where does Authorization fit in? • Authorization is an aspect of security that sits alongside the other WS-Security categories: • Secure Conversation • Federation • Policy • Trust • Privacy (Figure: "Is this Authorized?")

  4. Security • Authentication: determine the identity of a person/object • Authorization: determine what the person is allowed to do • Integrity: ensure the data was not altered on its way to you • Signature: validate the source of the data • Confidentiality: limit the people allowed to view the data • Privacy: make sure no one abuses your data • Digital Rights Management: limit users from doing whatever they want

  5. How does Authorization work with other services? • If Authorization were a layer working with the other services, it would operate in conjunction with the Federation layer. (Layer diagram: WS-Federation, WS-Secure Conversation, WS-Authorization)

  6. Authorization with other WS

  7. PMI or Privilege Management Infrastructure • Privilege Management Infrastructure: • Source of Authority (SOA) = The topmost root of trust, sometimes also referred to as trust anchor • Attribute Authority (AA) (also Privilege Allocator, Authoritative Entity) = The issuer of an attribute certificate • Certificate Holder / Privilege Holder = The User or Subject of an Attribute Certificate

  8. Security Token Authorized

  9. SAML – Security Assertion Markup Language • SAML's purpose was to be a security language that could be used as an industry standard for security. It uses XML digital signatures with XML encryption. • The language uses assertions made in the code that can convey information about authentication functions and authorization decisions.

  10. SAML Authorization Map

  11. PEP- Policy Enforcement Point • Definition • Dependence upon the resource • PDP-Policy Decision Point

  12. Authorization in Firewall (Figure: Processing Insurance Co. – Claims officer / Customer – Web-Service)

  13. Authorization Process Map • Client: give server trust, invoke policy, consult policy • Server: access policy, give client resource, policy authority • Authorization process: role-based authorization, instance-based authorization, capability listings

  14. How does the Authorization code fit?

  15. Authorization in code • Show SAML code and explain. • SAML document authorization decision: by subject S, for access type A, to resource R, given evidence E.

  16. Code Example

    <Rule RuleId="//medico.corules/rule3" Effect="Permit">
      <Target>
        <Subjects>
          <saml:Attribute AttributeName="RFC822Name" AttributeNamespace="//medico.com">
            <saml:AttributeValue>*</saml:AttributeValue>
          </saml:Attribute>
        </Subjects>
        <Resources>
          <saml:Attribute AttributeName="documentURI" AttributeNamespace="//medico.com">
            <saml:AttributeValue>//medico.com/records.*</saml:AttributeValue>
          </saml:Attribute>
        </Resources>
        <Actions>
          <saml:Action>read</saml:Action>
        </Actions>
      </Target>
      <Condition>
        <Equal>
          <AttributeDesignator AttributeName="urn:oasis:names:tc:xacml:identifiers:AccessSubject" />
          <AttributeDesignator AttributeName="patientName" />
        </Equal>
      </Condition>
    </Rule>
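The following is an added example, not part of the slides: a minimal Policy Decision Point (slide 11) that evaluates the rule above for a request of subject S, access type A, resource R and evidence E (slide 15), plus the Policy Enforcement Point check that only opens the resource on an explicit Permit. It assumes the SAML 1.0 assertion namespace for the saml: prefix (the slide declares none) and treats the slide's attribute values as anchored regular expressions; the request values are constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
# Constructed copy of the slide's rule; the xmlns:saml declaration is added so it parses.
RULE_XML = """<Rule xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      RuleId="//medico.corules/rule3" Effect="Permit">
  <Target>
    <Subjects><saml:Attribute AttributeName="RFC822Name" AttributeNamespace="//medico.com">
      <saml:AttributeValue>*</saml:AttributeValue></saml:Attribute></Subjects>
    <Resources><saml:Attribute AttributeName="documentURI" AttributeNamespace="//medico.com">
      <saml:AttributeValue>//medico.com/records.*</saml:AttributeValue></saml:Attribute></Resources>
    <Actions><saml:Action>read</saml:Action></Actions>
  </Target>
  <Condition><Equal>
    <AttributeDesignator AttributeName="urn:oasis:names:tc:xacml:identifiers:AccessSubject"/>
    <AttributeDesignator AttributeName="patientName"/>
  </Equal></Condition>
</Rule>"""

def _matches(pattern, value):
    # Slide values read as anchored regexes; a bare '*' means "any" (assumption).
    # Note: the unescaped '.' in '//medico.com/records.*' also matches any character.
    return pattern == "*" or re.fullmatch(pattern, value) is not None

def load_rule(xml_text):
    """Pull the target (S, R, A) and the Equal condition out of one XACML-style Rule."""
    rule = ET.fromstring(xml_text)
    t = rule.find("Target")
    value = f"{SAML}Attribute/{SAML}AttributeValue"
    return {
        "effect": rule.get("Effect"),
        "subject": t.find(f"Subjects/{value}").text,
        "resource": t.find(f"Resources/{value}").text,
        "action": t.find(f"Actions/{SAML}Action").text,
        "equal": [d.get("AttributeName") for d in rule.findall("Condition/Equal/AttributeDesignator")],
    }

def decide(rule, subject, resource, action, evidence):
    """PDP: evidence maps attribute names (incl. the AccessSubject URN) to values."""
    if not (_matches(rule["subject"], subject) and _matches(rule["resource"], resource)
            and action == rule["action"]):
        return "NotApplicable"            # target does not cover this request
    values = [evidence.get(name) for name in rule["equal"]]
    if None in values:
        return "Indeterminate"            # condition needs an attribute the evidence lacks
    return rule["effect"] if values[0] == values[1] else "NotApplicable"

def pep_allows(decision):
    return decision == "Permit"           # PEP: anything but an explicit Permit is refused
```

With this rule, a subject may read only the record whose patientName attribute equals its own AccessSubject; a missing patientName yields Indeterminate, which the PEP refuses like a Deny.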

  17. References • Primary • www.Globus.org • Globus is a resource for seeing the latest changes to WS-Authorization and other new standards. • http://www.cs.huji.ac.il/course/2002/sdbi/ • If you go here and choose XML Security under Lecture slides, you will find some detail about coding with SAML and its interaction with authorization processes. • Secondary • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp • Here you will find some significant images that detail security over the web. • http://www.lightshipinc.com/lightship/resourcecenter/Etips.aspx • At this site you can learn about new technology dealing with XML, SAML and XACML.
