Peter Sylvester - EdelWeb

Transcription

1 Peter Sylvester - EdelWeb A standard for authorization management for secure interoperability of multi-organisation information systems 6th European Forum on Electronic Signatures June 7-9, 2006, Amber Baltic Hotel, Miedzyzdroje peter.sylvester@edelweb.fr EdelWeb, 2005 Page N 1

2 The actors in the play The French social security organisations distributed services for retirement management CNAM, CNAF, CANAM, MSA, CANCAVA/ORGANSIC ACOSS, Ministry of health and social Security The Prime Minister s Agency for the Development of the Electronic Administration ADAE now DGME EdelWeb Page N 2

3 EdelWeb Spin-off from French INRIA and German GMD, created in consultants, experts or engineers Branch of ON-X Group (220 people) One of the first French companies specialized in IT Security Technical audits and penetration tests Security architecture and technology experts Cryptography R&D lab for operational evaluations and specific developments Many references within telecom operators, banks, organizations, administrations, civil and military industries Quality certification ISO9001:2000 Page N 3

4 The problem space Implement client/server applications between consenting but independent organisations Allow certain persons determined by one organisation access to applications in other organisations Each organisation is responsible for its personnel and rights and duty attribution Authentication techniques, roles, access management are specific in each organisation A radical change or harmonisation is not a realistic approach Centralized management does not work. Distance between interested parties to large Problem of responsibility in case of errors Page N 4

5 Interactions between organisations Communication between two different information systems consumer and provider Two types of interactions Web portals Application to application web services Context of explicit and controllable trust Professional actors (persons) are clearly identified Vs federation of identity of «clients» Roles, rights, application profiles are specific and not compatible in each organisation Page N 5

6 Objectif of the standard Establishment of a service and a contract among organisations permitting each partner to remain «master at home» and to assume his responsibilities. The consumer organisation manages the attribution of rights to access an application. An assertion/attestation of this attribution is propagated to the producer Guaranty of a sufficient general security level Authentication, traceability A priori trust with a posterior control Page N 6

7 Web Portal Scenario Consumer Organisation Employee Org A Portal Authentication Producer Organisation Application 1 Resource Employee OrgB Portal Authentication Portal producer Application 2 Resource Employee OrgC Portal Authentication Application 3 Rssource Page N 7

8 Scenarion Web Services Consumer Organisation Provider Organisation Application 1 Application 1 Resource Employee Application 2 Application 2 Resource Page N 8

9 Communication scenarii Org. A Appli 1 Org. B Appli z 1 to 1 Org. A Appli 1 Org. B Appli 3 Org. C Appli 5 Org. X Appli z N to 1 The real scenario is Many to Many Org. N Appli p Org. A Appli 1 Org. X Appli z Org. B Appli 3 Org. C Appli 5 Org. Y Appli s N to P Org. N Appli p Org. Z Appli t Page N 9

10 Roles and profiles Org. A Appli 1 Org. X Appli z Many Different Roles Org. B Appli 3 Org. C Appli 5 Org. N Appli p Org. Y Appli s Org. Z Appli t N to P Many Different Application Profiles Org. A Appli 1 Org. B Appli 3 Org. C Appli 5 Org. N Appli p Generic Applicatiion Profile 1 Generic Application Profile 2 Org. X Appli z Org. Y Appli s Org. Z Appli t N to P Generic Application Profile (PAGM) Profil Applicatif Générique Métier Page N 10

11 The selected approach Séparation of duties and responsibilities in a context of trust delegation Right management Towards target service Identification vector transmission of a commonly defined PAGM Asserted by l'organisation A Application profile Access rights Authentication Responsability organisation A Responsibility organisation B Right 1 Resource 2 Agent Organisme A Application Organisme B Ressources Page N 11

12 The Indentification Vector SAML 2.0 AuthAssertion Identification Vector Issuer Subject NameID NameID / Encrypted ID Client organisation ID Client ID Validity period Target organisation ID Target Service PAGM (one or more) Other attributs Level of authentication Conditions Conditions SAMLAuthzStatement AuthenticationDecision Evidence NotOnOrAfter AudienceRestriction Audience Ressource SAML Assertion AttributStatement Attribute Name=PAGM AtttributeValue Attribute Name AtttributeValue Attribute value AuthContextClassRef Page N 12

13 Data flow scenario web portals client Right and Attribute management Security infrastructure PAGM attribution assertion SAML creation Client gateway SSL client certificat transmission of Request and SAML assertion Producer proxy Right verification and user mapping Application vérification of SAML assertion reception All security control is done in the two organisations no third party using gateways (client) et proxies (producer) Page N 13

14 Functional decomposition Configuration and contract preparation Administration of contracts EbXML Opérational Systems Client Gateway Apache and modules Producer Proxy Security Infrastructures Right management SSO, etc. Creation and verifictaion Identification vector service Traces IGC Existing Open SAML Dedicated for Gateway to proxy authentication Page N 14

15 Technical choices summary Base technologies SAML for the format of the identification vector SSL between organisations gateways and proxies Study ebxml for the administration of the contracts Simple interface to tracing and journaling service No need to change the local authentication and authorisation systems For the client add PAGM management (role mapping) For the consumer mapping to some local user. Preference for open source technologies and standards Page N 15

16 Creation of identification vector traces Gestion PAGM Gestion d'application traces Vecteur d'identification Requête Attribution Authentification SAML Assertion d'authentification Attribution PAGM SAML Assertion d'attribut PAGM Attribution Application SAML Assertion d'autorisation Authentification mutuelle et chiffrement Requête HTTP Cookie SAML traces Application ou Proxy départ WS - SOAP Requête limite de l'organisme client Assertion d'autorisation SAML Page N 16

17 Consumer Treatment of Identification Vector Authentification mutuelle et chiffrement Requête HTTP Cookie SAML traces Proxy arrivée SAML Assertion d'autorisation Gestion PAGM et profils applicatif Attribution profil applicatif profil applicatif Application WS - SOAP Assertion Requête d'autorisation SAML Application traces limite de l'organisme fournisseur Page N 17

18 Actual situation Standard and detailed description defined and published Comments from the public included ADAE/DGME supports activity as a possible solution for the whole administration Social sphere actors have started implementation experiment Large parts of the standard can be implemented with existing open source technology Page N 18