SPOCP – general authorisation server
Presentation at the TF-aace meeting in Stockholm, 26 Nov 2002
Roland Hedberg
Outline – part1
  • SPOCP project
  • SPOCP, how does it fit in
  • How does it work
  • Project status
The SPOCP project
  • One year, ends May 31st 2003
  • Relatively small budget, ~1 MSEK
  • Run by Umeå University
  • Partners in crime:
    • Stockholm University
    • Lund University
    • Uppsala University
    • Karolinska
    • NYA & LpW
How does it fit in?
  • Middleware function that provides authorisation
  • Separate from authentication
  • Uses information resources
Spocp rules/queries
  • Expressed as S-expressions
    • Fixed syntax, undefined semantics
  • S-expression can be ordered
    • One can test whether S-expression A is '<=' S-expression B
S-expression
  • An S-expression is either
    • A byte-string ("octet-string") or
    • A finite list of simpler S-expressions
  • An octet-string is a finite sequence of 8-bit octets
  • Example:
    • (certificate (issuer bob)(subject alice))
Formal definition of the '<=' relation
  • If A = (X_1 X_2 ... X_m) and B = (Y_1 Y_2 ... Y_n), then A <= B if and only if n <= m and X_i <= Y_i for i = 1, ..., n
  • Example:
    • (certificate (issuer bob morgan)(subject alice)) <= (certificate (issuer bob)(subject alice))
Spocp Authorisation Decision
  • Given an authorisation query (A): if there exists a rule (R) in the rule database such that A '<=' R, then permission is granted.
  • By default everything is disallowed
  • Rules can only allow actions
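The three slides above (S-expression syntax, the '<=' relation, and the default-deny decision) as runnable code. This is an added example, not SPOCP's own implementation; it assumes, as the slides leave implicit, that two octet-strings are ordered only when they are equal.

```python
# Added example, not SPOCP's own code: a minimal S-expression parser, the
# '<=' ordering defined on the slides, and the default-deny decision rule.
# Assumption the slides leave implicit: two octet-strings are ordered only
# when they are byte-for-byte equal.

def parse(text):
    """Parse one S-expression, e.g. '(certificate (issuer bob)(subject alice))'.
    Octet-strings become str, lists become Python lists."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok != "(":
            return tok                      # an octet-string
        items = []
        while True:                         # a finite list of S-expressions
            if pos >= len(tokens):
                raise ValueError("unbalanced '('")
            if tokens[pos] == ")":
                pos += 1
                return items
            items.append(read())

    if not tokens:
        raise ValueError("empty input")
    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing input after S-expression")
    return expr

def le(a, b):
    """A <= B.  Lists: n <= m and X_i <= Y_i for i = 1..n, so B may be a
    shorter, more general prefix of A.  Octet-strings: equality (assumed)."""
    if isinstance(a, str) or isinstance(b, str):
        return isinstance(a, str) and isinstance(b, str) and a == b
    if len(b) > len(a):
        return False
    return all(le(x, y) for x, y in zip(a, b))

def decide(query, rules):
    """Permit iff some rule R in the database satisfies query <= R; a query
    that omits a field the rule constrains is not <= R, so it is denied."""
    q = parse(query)
    return any(le(q, parse(r)) for r in rules)
```

With the rule database `["(certificate (issuer bob)(subject alice))"]`, the slide's example query `(certificate (issuer bob morgan)(subject alice))` is permitted, while a query that drops the subject element is refused because it is more general than the rule.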
XACML Rule
  • <?xml version="1.0" encoding="UTF-8"?>
    <rule ruleId="//" effect="Permit"
          xmlns="" xmlns:saml="http://www.oasis-" xmlns:xsi=""
          xsi:schemaLocation=" D:\MYDOCU~1\Standards\XACML\V12SCH~1\XACMLV~3.XSD">
      <description>A person may read any record for which he or she is the designated patient</description>
      <target>
        <subjects>
          <saml:Attribute AttributeName="RFC822Name" AttributeNamespace="//">
            <saml:AttributeValue>*</saml:AttributeValue>
          </saml:Attribute>
        </subjects>
        <resources>
          <saml:Attribute AttributeName="documentURI" AttributeNamespace="//">
            <saml:AttributeValue>//*</saml:AttributeValue>
          </saml:Attribute>
        </resources>
        <actions>
          <saml:Action>read</saml:Action>
        </actions>
      </target>
      <condition>
        <equal>
          <saml:AttributeDesignator AttributeName="requestor" AttributeNamespace="//"/>
          <saml:AttributeDesignator AttributeName="patientName" AttributeNamespace="//"/>
        </equal>
      </condition>
    </rule>
Spocp Rule
  • (spocp (resource read)(subject urn:spocp:equal:${patient}:${name}))
SAML AuthorizationDecisionQuery
  • <?xml version="1.0" encoding="UTF-8"?>
    <Request RequestID="47823081" MajorVersion="0" MinorVersion="28"
             IssueInstant="2002-03-22T08:23:47-05:00"
             xmlns="" xmlns:ds="" xmlns:saml="" xmlns:xsi=""
             xsi:schemaLocation="\MYDOCU~1\Standards\XACML\V12SCH~1\draft-sstc-schema-protocol-28.xsd">
      <AuthorizationDecisionQuery Resource="//[@patientName/first='Bartholomew'][@patientName/last='Simpson']/patientDoB">
        <saml:Subject>
          <saml:NameIdentifier NameQualifier="\\">Julius Hibbert</saml:NameIdentifier>
        </saml:Subject>
        <saml:Action>read</saml:Action>
        <saml:Evidence>
          <saml:Assertion AssertionID="64578390" Issuer="" IssueInstant="2002-03-08T08:23:47-05:00"
                          MajorVersion="0" MinorVersion="28" xmlns="" xmlns:ds="" xmlns:xsi=""
                          xsi:schemaLocation="http://www.oasis- D:\MYDOCU~1\Standards\XACML\V10SCH~1\draft-sstc-schema-assertion-28.xsd">
            <saml:AuthenticationStatement AuthenticationInstant="2002-03-08T08:23:45-05:00" AuthenticationMethod="">
              <saml:Subject>
                <saml:NameIdentifier NameQualifier="\\">Julius Hibbert</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod></saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:AuthenticationLocality IPAddress=""/>
            </saml:AuthenticationStatement>
          </saml:Assertion>
          <saml:Assertion MajorVersion="0" MinorVersion="28" AssertionID="68938960" Issuer=""
                          IssueInstant="2000-06-15T15:02:39-05:00" xmlns="http://www.oasis-" xmlns:ds="" xmlns:xsi=""
                          xsi:schemaLocation="http://www.oasis- D:\MYDOCU~1\Standards\XACML\V10SCH~1\draft-sstc-schema-assertion-28.xsd">
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:NameIdentifier NameQualifier="\\">Julius Hibbert</saml:NameIdentifier>
              </saml:Subject>
              <saml:Attribute AttributeName="role" AttributeNamespace="//">
                <saml:AttributeValue>physician</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
        </saml:Evidence>
      </AuthorizationDecisionQuery>
    </Request>
Spocp Query
  • (spocp (resource record (patient Bartholomeus Simson) patientDoB)(action read)(subject (name Julius Hibbert)))
Project Status
  • Source code available
    • Two server implementations
      • Apache module (SAML/SOAP/HTTP)
      • Standalone (uses the SPOCP protocol)
    • Server as library
    • PAM module
    • Modified Exim
    • Documentation