The world of Assertions in XML - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The world of Assertions in XML Web Services
  • Krishna Sankar
  • ksankar@cisco.com

2
Agenda
  • Introduction
  • SAML
  • Scenario

3
(Diagram: XML security standards and the area each covers)
  • Assertions (SAML): AuthC, AuthZ
  • Authorizations (XACML): AccessC, Policies
  • SPML
  • XrML: DRM
  • WS-Security: Web Svcs
5
WS-XXX Processing Model: Putting it on the wire is
not enough
(Diagram of the WS-* specification stack; labels:)
  • Trust Model, Web Service End Point Policy, Privacy Model
  • WS-Policy, WS-Trust, WS-Privacy
  • Secure Conversation, Federation, Authorization
6
19th Annual Tech Ex Awards, November 19, 2002
Protocols Winners: SAML, WS-Security
"Securing Web services is no easy task. The same
virtues that make Web services so promising for
e-business (they're platform-independent,
text-based, and self-describing) create major
security concerns, giving pause to businesses
considering a move to the hot new
interoperability technology. Two standards are
emerging to secure Web services: Security
Assertion Markup Language (SAML) and WS-Security,
both proposals submitted to OASIS."
8
(Diagram: Web services building blocks; labels:
Definition, Description, Discovery; Blocks,
Processing rules, Extensibility, Security; Grid?)
9
Context
10
What is SAML ?
  • XML-based framework
  • A set of XML vocabularies for:
  • Authentication Assertion
  • Attribute Assertion
  • AuthZ decision Assertion
  • Session Assertion (Future)
  • Credential Assertion (Future)
  • So that data traveling on the wire is standardized

11
What is SAML ?
  • A standard message exchange protocol
  • Clarity in orchestrating how you ask for and get
    the information you need
  • Rules for how the messages ride on and in
    transport protocols
  • For better interoperability

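The message exchange slide 11 describes, shown with both sides' messages. This is an added example and not code from the presentation: a requester sends a SAML 1.x AttributeQuery inside a SOAP envelope, an attribute authority answers with a samlp:Response, and the requester accepts the reply only if its InResponseTo equals the RequestID the requester generated and the status is Success. Namespaces follow SAML 1.1 and SOAP 1.1; the subject names, URLs, attribute directory, resource identifier and clock value are constructed for the demo, and message signing or TLS on the transport is assumed to be handled outside this code.

```python
"""Both sides of a SAML 1.x query/response exchange carried in SOAP.

Added example, not code from the presentation. A requester asks an attribute
authority for a subject's attributes; the authority replies with a samlp:Response
that the requester only accepts if InResponseTo equals the RequestID it generated
and the status is Success. Subject names, URLs, the attribute directory and the
clock value are constructed; signing or TLS is assumed to be handled elsewhere.
"""
import datetime as dt
import secrets
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml (entity expansion)

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("SOAP-ENV", SOAP)):
    ET.register_namespace(prefix, uri)

# Constructed sample data (hypothetical names and URLs).
SAMPLE_TIME = dt.datetime(2002, 11, 19, 12, 0, 0, tzinfo=dt.timezone.utc)
DIRECTORY = {("alice", "example.org"): {"role": ["staff", "grid-user"]}}
AUTHORITY_ID = "https://aa.example.org"


def instant(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def soap_wrap(element):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(element)
    return ET.tostring(env, encoding="unicode")


# ---- requester side --------------------------------------------------------
def build_attribute_query(subject, domain, resource, now):
    """Return (request_id, soap_xml). The id is random so a replayed or forged
    Response cannot be matched to a live request by guessing."""
    request_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}Request", {"MajorVersion": "1", "MinorVersion": "1",
                                              "RequestID": request_id, "IssueInstant": instant(now)})
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", {"Resource": resource})
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", {"NameQualifier": domain}).text = subject
    return request_id, soap_wrap(req)


def check_response(soap_xml, expected_request_id):
    """Correlate the Response with our Request and read back the attributes."""
    env = ET.fromstring(soap_xml)
    resp = env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response")
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our RequestID")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("authority did not return Success")
    # The assertion inside still needs its own checks (issuer, conditions, signature).
    attrs = {}
    for attr in resp.iter(f"{{{SAML}}}Attribute"):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return attrs


# ---- attribute authority side ----------------------------------------------
def attribute_authority(soap_xml, directory, issuer, now):
    """Answer an AttributeQuery from a directory of (name, domain) -> attributes."""
    env = ET.fromstring(soap_xml)
    req = env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Request")
    name = req.find(f"{{{SAMLP}}}AttributeQuery/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    key = (name.text, name.get("NameQualifier"))
    resp = ET.Element(f"{{{SAMLP}}}Response", {"MajorVersion": "1", "MinorVersion": "1",
                                                "ResponseID": "_" + secrets.token_hex(16),
                                                "InResponseTo": req.get("RequestID"),
                                                "IssueInstant": instant(now)})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if key not in directory:  # unknown subject: a top-level failure code and no assertion
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Requester"})
        return soap_wrap(resp)
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"MajorVersion": "1", "MinorVersion": "1",
                                                              "AssertionID": "_" + secrets.token_hex(16),
                                                              "Issuer": issuer, "IssueInstant": instant(now)})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", {"NameQualifier": key[1]}).text = key[0]
    for attr_name, values in directory[key].items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             {"AttributeName": attr_name, "AttributeNamespace": "urn:example:attrs"})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return soap_wrap(resp)


def run_exchange(subject, domain="example.org", tamper_request_id=False):
    """Drive both sides; returns the attributes, or the reason the requester rejected the reply."""
    request_id, req_xml = build_attribute_query(subject, domain, "urn:example:cluster", SAMPLE_TIME)
    resp_xml = attribute_authority(req_xml, DIRECTORY, AUTHORITY_ID, SAMPLE_TIME)
    try:
        return check_response(resp_xml, "_forged" if tamper_request_id else request_id)
    except ValueError as exc:
        return str(exc)
```

run_exchange("alice") returns the attributes from the directory; passing tamper_request_id=True simulates a reply that does not correlate with any request we sent, and an unknown subject yields a non-Success status that the requester refuses rather than treating an empty answer as "no attributes". The correlation check is what stops a captured Response from being replayed against a later request.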
12
In Short SAML is
  • A standard way of exchanging security related
    data across heterogeneous, distributed systems
    crossing domain (geographical, namespace,
    temporal, spatial, organizational,) boundaries

13
(Diagram: SAML domain model)
  • Inputs: Credentials, Policies, Models, System/Entity/Principal
  • Authentication Authority: Authentication Assertion
  • Attribute Authority: Attribute Assertion
  • Session Authority: Session Assertion
  • Policy Decision Point: AuthZ Decision Assertion
  • Credentials Collector: Credential Assertion
  • Policy Enforcement Point
14
SAML assertions
  • Assertions are declarations of fact, according to
    someone
  • SAML assertions are compounds of one or more of
    three kinds of statement about a subject (human
    or program)
  • Authentication
  • Attribute
  • Authorization decision
  • You can extend SAML to make your own kinds of
    assertions and statements
  • Assertions can be digitally signed

15
All statements in an assertion share common
information
  • Issuer ID and issuance timestamp
  • Assertion ID
  • Subject
  • Name plus the security domain
  • Optional subject confirmation, e.g. public key
  • Conditions under which assertion is valid
  • SAML clients must reject assertions containing
    unsupported conditions
  • Special kind of condition: assertion validity
    period
  • Additional advice
  • E.g., to explain how the assertion was made

16
Assertion structure
18
JSR 155 Web Services Security Assertions
  • Distributed Assertion Framework
  • Elements
  • Assertions (SAML) SPI
  • Req/Response (SAML)
  • Authorities (Model, SPI)
  • Protocol (SOAP, JAX-RPC)
  • Web Services Security
  • Use cases (Distributed Security)

19
Scenario
20
Widely Distributed AuthC AuthZ
  • Collaboration across multiple, independent and
    geographically dispersed stakeholders
  • Stakeholders able to enforce policies even when
    controlled by different administrative domains
  • Traditional ACLs
  • Cannot scale. Cause too many errors
  • Multiple layers of management would impose
    restrictions

Courtesy DOE report LBNL-42928
Certificate-based Access Control for widely
distributed resources
21
Effective permission
22
(Diagram: SAML, XACML)
Courtesy DOE report LBNL-41349
Authorization Attribute Certificates for Widely
Distributed Access Control
23
Hot From the Press
  • Web-Services Security Quality of Protection
  • "How actors are to be authenticated, using what
    mechanisms and with what parameter value ranges,
  • Which XML elements are to be encrypted, for what
    individual recipients, recipient roles or keys,
    using what algorithms and key sizes,
  • Which XML elements are to be integrity protected,
    using what mechanisms, with which algorithms and
    key sizes, and
  • What additional qualifications the service
    consumer must demonstrate in order to
    successfully access the API".

24
Web-Services Security Quality of Protection
  • This is a relatively restrictive use of the term
    "security policy". A more comprehensive
    definition addresses such requirements as
  • Privacy (retention period, intended usage,
    further disclosure),
  • Trust (initial parameters of the signature
    validation procedure, including those keys or
    authorities that are trusted directly, policy
    identifiers, maximum trust path length), and
  • Non-repudiation (requirements for notarization
    and time-stamping).

25
Extensible Name Service (XNS) Technical Committee
  • The purpose of this committee is to continue work
    on the XNS digital identity protocol
  • The goal of XNS is to provide an open,
    extensible, federated Web services infrastructure
    for digital identity and relationship management
    including naming, addressing, describing,
    asserting, and linking of digital identities and
    their attributes. XNS can be used to represent
    all participants in Web services, including
    people, organizations, applications, devices,
    documents, schemas, and other digital objects.
  • The XNS specifications are based on the IETF
    URI/URN specifications, the W3C XML and Web
    services specifications, and the OASIS Security
    Services TC

26
Introduction
  • Krishna Sankar is currently with Cisco Systems as
    a Distinguished Engineer in their Customer
    Advocacy Organization. He has about 20 years of
    experience ranging from software architecture
    development to industrial engineering to author,
    speaker, entrepreneur and technology evangelist.
    He has worked with many organizations including
    US Air Force, Navy, HP, Qantas, Air Canada and Ford.
  • His security experiences include work in
    information infrastructure security, role based
    access control systems, distributed services
    framework and the CISSP security certification.
    He has been speaking in conferences on XML
    Security as well as contributing to security (and
    XML) standards.
  • He is an elected member of OASIS Technical
    Advisory Board, elected member of Java Executive
    Committee, Editor of Grid Authorization working
    group, Editor of the Digital Signature Services
    technical committee
  • He is also involved in European Union Network and
    Information Security Infrastructure initiatives.
  • His technology interests include Adaptive
    Networking, Grid computing, XML & web services
    standards, distributed security, Linux kernel
    security, web service/web process networks
    e-commerce - dynamic configurable multi-partner
    trading networks. Krishna lives in Silicon Valley
    with his wife Usha and son Kaushik.

27
Questions ?