Application of the PAPI authn and authz system to the TJ-II Remote Participation environment. Madrid, 21 March 2003



Similar documents
A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

TF-AACE. Deliverable B.2. Deliverable B2 - The Authentication Component =============================================

Lync SHIELD Product Suite

Flexible Identity Federation

OpenHRE Security Architecture. (DRAFT v0.5)

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

LBSEC.

Salesforce1 Mobile Security Guide

Building Secure Applications. James Tedrick

Secure Web Access Solution

Interwise Connect. Working with Reverse Proxy Version 7.x

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

Getting Started with AD/LDAP SSO

Authentication in OpenStack

Web Applications Access Control Single Sign On

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu

ADFS Integration Guidelines

Agenda. How to configure

Single Sign-on (SSO) technologies for the Domino Web Server

A Generic Database Web Service

mod_auth_pubtkt a pragmatic Web Single Sign-On solution by Manuel Kasper, Monzoon Networks AG mkasper@monzoon.net

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Security Policy Revision Date: 23 April 2009

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Enterprise Access Control Patterns For REST and Web APIs

Adding Federated Identity Management to OpenStack

Introduction to SAML

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Evaluation of different Open Source Identity management Systems

The increasing popularity of mobile devices is rapidly changing how and where we

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

Server based signature service. Overview

Vidder PrecisionAccess

How to Implement Enterprise SAML SSO

Single Sign On. SSO & ID Management for Web and Mobile Applications

Criteria for web application security check. Version

IBM WebSphere Application Server

Axway API Gateway. Version 7.4.1

CMDBuild Authentication (file auth.conf)

An Oracle White Paper Dec Oracle Access Management OAuth Service

CUSTOMER Android for Work Quick Start Guide

Perceptive Experience Single Sign-On Solutions

Active Directory Validation - User Guide

Crawl Proxy Installation and Configuration Guide

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Siteminder Integration Guide

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Reliable & Secure . Professional, Dependable, Complete Easy to Learn, Use and Grow

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

Copyright: WhosOnLocation Limited

Secure Web Appliance. Reverse Proxy

Business Banking Customer Login Experience for Enhanced Login Security

JVA-122. Secure Java Web Development

Deploying RSA ClearTrust with the FirePass controller

Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

Figure 41-1 IP Filter Rules

Web Based Single Sign-On and Access Control

Cornerstones of Security

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

SAML-Based SSO Solution

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?

2014 IBM Corporation

Pre Sales Communications

How To Understand And Understand The Security Of A Key Infrastructure

Transport Layer Security Protocols

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Web Application Development

Device Fingerprinting and Fraud Protection Whitepaper

Check list for web developers

Authentication Methods

USING FEDERATED AUTHENTICATION WITH M-FILES

Robert Honeyman Honeyman IT Consulting.

Leverage Active Directory with Kerberos to Eliminate HTTP Password

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Leveraging SAML for Federated Single Sign-on:

Single Sign-On Implementation Guide

Webmail Using the Hush Encryption Engine

Safewhere*Identify 3.4. Release Notes

nexus Hybrid Access Gateway

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Federated Identity and Single Sign-On using CA API Gateway

Attestation and Authentication Protocols Using the TPM

Enhancing Web Application Security

Authentication and Single Sign On

OpenLDAP Oracle Enterprise Gateway Integration Guide

How To Take Advantage Of Active Directory Support In Groupwise 2014

Transcription:

Application of the PAPI authn and authz system to the TJ-II Remote Participation environment Madrid, 21 March 2003

Outline An introduction to PAPI A short tour on PAPI internals Applying PAPI in the TJ-II Remote Participation

Basic requirements Mobility has to be guaranteed A user should be able to access any resource (s)he has right to, anytime, anywhere Not only hardware mobility Transparency to the user Seamless integration with existing usage paradigms Do not require extra technologies at the user side Web oriented, although extensible to other access technologies Grids, multimedia contents and interactions,...

What is PAPI PAPI is a distributed access control system for Internet information resources Usable for intra- an interrealm scenarios Based on the federated administration and active privacy principles Based on standard HTTP procedures and public key cryptography Is the only system able to support federated authn/authz currently in operation

The components of PAPI The Authentication Server (AS) Provides users with a (local) single authentication point The Point of Access (PoA) Performs actual access control by means of temporary cryptographic tokens, encoded as HTTP cookies The Group-wide Point of Access (GPoA) Combines a group of PoAs with similar access policies Intended to simplify AS-PoA interactions

The Authentication Server Verifies user identity and rights Each of these verifications is independently performed Multiple authentication methods: POP-3, LDAP, X.509 certificates, databases,... Builds a set of digitally signed assertions about the user According to privacy preservation rules Sends the assertions to the appropriate (G)PoAs By means of references to objects embedded in HTML

The Point of Access Evaluates assertions received from the AS Verifying the signature and matching against any defined filter If the assertion is acceptable, produces a initial couple of access tokens If the request comes with access tokens, evaluates them Access is granted only to requests carrying valid tokens Two classes of tokens (long- and short-lived) to avoid unauthorized access by cookie copying The PoA is able to work as a proxy to access a plain Web server

The PAPI base protocol Authentication Data Authentication Server Signed Assertions Signed Assertion Access Tokens Point of Access Browser Access Tokens PoA1 Access Tokens PoA2 Access Tokens Signed Assertion Point of Access

The Group-wide Point of Access A PoA that receives a request without access tokens can redirect it to a GPoA The GPoA analyzes these requests If valid, the PoA receives a signed assertion from its GPoA The PoA processes it as coming from any other AS The hierarchy may be indefinitely extended Trust management is simplified An AS needs only to know about the GPoA PoAs may be added under a GPoA without configuring them for valid ASes

GPoA and PoA interactions Authentication Data Authentication Server Browser Keys Access Tokens GPoA Access Tokens PoA HTTP Request (no access cookies) Web page Redirect (+access cookies for PoA) GPoA (+ access cookies for GPoA) Point of Access Redirect + data for PoA

Support for attribute-based authz The AS builds an assertion string to be sent to (G)PoAs it knows about Inside the assertion string, the AS can substitute Connection variables: username, a nonce, anything else in HTML forms or the configuration Attributes of the user entry When a (G)PoA receives a request for tokens can apply filters Even (and specially) when it comes from a parent GPoA

Support for attribute-based authz Directory Server memberof=ati membersince=1999 GPoA ATI memberof=ati Assertion Formats AuthServer PoA ATI memberof=ati membersince=1999 PoA Pioneers X AuthN Data uid: drlopez pass: ****** uid=drlopez role=admin a3f545e1... GPoA RedIRIS uid=drlopez role=admin PoA Intranet PoA Admin

Application scenario TJ-II Remote Participation username/password User DB userid+privileges Authentication Server userid+privileges username/password GPoA subset 1 of userid+privileges subset N of userid+privileges PoA1 PoAN Application software user data

Going further - AuthZ engines and WS AuthZ engines are external elements, performing decissions according to user attributes and defined policies Richer semantics Out of the strict Web server scope SPOCP, University of Umea (integrated) PERMIS Web Services constitute the base of new generation Grids Collaborative scientific computing Require distributed AA more than ever Experiments on PAPI/WS interactions

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information