Ocean Observatories Initiative
Cyberinfrastructure Component
CI Design Workshop
17-19 October 2007
OOI-CI–Ragouzis–2007.10.15
Core Interaction Patterns of an
Identity Federation Framework
OASIS
SAMLv2.0
Liberty Alliance
ID-WSF2.0
Core Interaction Patterns of an Identity
Federation Framework
• Explore general interaction aspects
• Using Interactions to integrate an architecture
– By example
OASIS SAML v2.0
COI-Core
Connectivities
– Data Network
• Messages from & about interactions
– Control Network
• Realizes interactions for Observations
– Process Network
• Plays and constrains interactions to plan
Interaction: Messages of Authn
• The Message “Object”
• Evolution of semantic richness
Interaction: Exchanges of Authn
• The art of the coddle:
– Bootstrapping
– Referrals
– Proxy
– Hiding
Identity Federation Framework
• Identity-enabled …
• Privacy-respecting …
• Regulatory/Governance-tractable …
• Composable …
• Domain-cognizant …
• Dynamically-configurable …
• Resource-aware …
• Deployment-time extensible …
• Process-instantiating …
• Network services …
… Framework
Key Characteristics
• Identity as organizing principle
• Subject identification +[transient | persistent, opaque]
• Sharing identifiers across trust domains
• Confirming rights to authenticate
• Authentication context
• Discovery
• Interaction
• Attributes as first class objects
• Privacy preferences, and policies
• General application-level services framework
• Extensible metadata for description & verification
Liberty ID-WSF v2.0
http://projectliberty.org/liberty/specifications__1
OASIS SAML v2.0
Stylized from: http://projectliberty.org/liberty/specifications__1
SAML v2.0
context: assertion
The Subject
Subject
• Subject’s Identifier | implied
• SubjectConfirmation
– Who are you to talk to me about this subject? … now?
– You know what I want to hear
– Encryption options
• Extensible
SAML v2.0
The Principal
Name Identifiers
• Abstract and Concrete types
– Extend your own
• Pair-wise semantics
– Peering-mechanics
• Extensible Typing (Format)
• Privacy-preserving
– EncryptedID
– Pseudonyms
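The "pair-wise semantics" and "privacy-preserving" points on this slide come down to one design decision at the IdP: the identifier handed to a service provider must be opaque, stable for that one SP, and uncorrelatable across SPs. The block below is an added example in Python (not code from the slides, the OOI project, or any SAML library) of how an IdP can derive persistent and transient NameIDs. The IdP entityID, the SP entityIDs and the key are assumptions; a real deployment keeps the key in an HSM or KMS because rotating it changes every user's pseudonym at every SP.

```python
import base64
import hashlib
import hmac
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
IDP_ENTITY_ID = "https://idp.example.org/saml"  # assumed IdP entityID

# Assumed long-lived IdP secret (constructed for this example). A real IdP keeps
# it in an HSM/KMS; rotating it re-pseudonymises every user at every SP.
PAIRWISE_KEY = b"example-key-do-not-use-in-production"


def persistent_nameid(internal_uid, sp_entity_id, key=PAIRWISE_KEY):
    """Pair-wise, opaque, stable pseudonym for the (user, SP) pair.

    A keyed HMAC rather than a bare hash: with SHA-256(uid || sp) an SP that can
    guess the uid space (e-mail addresses, employee numbers) could brute-force
    the mapping back to the real identity, which defeats the pseudonym.
    """
    msg = internal_uid.encode() + b"\x00" + sp_entity_id.encode()  # NUL = domain separator
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def transient_nameid():
    """One-session identifier: unlinkable even across two logins to the same SP."""
    return "_" + secrets.token_hex(16)


def nameid_element(value, fmt, sp_entity_id):
    """Render saml:NameID with both qualifiers so the pairing is explicit on the wire."""
    return (f'<saml:NameID Format="{fmt}" NameQualifier="{IDP_ENTITY_ID}" '
            f'SPNameQualifier="{sp_entity_id}">{value}</saml:NameID>')


def issue_nameid(internal_uid, sp_entity_id, fmt=PERSISTENT):
    """What an IdP puts in the Subject for the given SP and requested format."""
    if fmt == PERSISTENT:
        value = persistent_nameid(internal_uid, sp_entity_id)
    elif fmt == TRANSIENT:
        value = transient_nameid()
    else:
        raise ValueError(f"unsupported NameID format: {fmt}")
    return value, nameid_element(value, fmt, sp_entity_id)
```

The check worth running against any IdP you operate: the same user logging in to two SPs must produce two NameIDs that share nothing, and the same user returning to one SP must get the identical persistent value. EncryptedID, the other privacy option on the slide, sits on top of this: the NameID above is what gets encrypted to the SP's key.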
SAML v2.0
SAML v2.0 Assertions
• Statements
• From SAML authority
• About the Subject (or application-implied Subject(s))
• And other coordination (conditions, advice, encrypt)
• Extensible
• Kinds of Statements from SAMLAuthority about Subject:
– Authentication Statement
– Attribute Statement
– Authorization Decision Statement
– Statement (Extension point)
SAML v2.0
Authentication Context
• Context Class or Specific Context Declarations
• Data Model:
– Identification
– Technical Protection
– Operational Protection
– Authentication Method
– Governing Agreements
• Authentication Contexts, before your extensions:
– IP, IP password, Kerberos, time sync token, XML Signature, X.509
– mobile [one|two]-factor [contract|unregistered]
– [authenticated] telephony, nomadic telephony, personal telephony
– password-protected transport, SSL certificate, [secure remote] password
– previous session, PGP, software PKI, SPKI, smartcard [PKI]
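The last three slides (the Subject and its SubjectConfirmation, the assertion with its conditions and statements, and the authentication context) describe what a relying party has to check before it believes an assertion. The block below is an added example in Python (not code from the slides, the OOI project, or any SAML toolkit) of that consumer-side validation over a constructed sample assertion. The entityIDs, URLs, request ID, timestamps and the NameID value are assumptions, and the sample omits the ds:Signature: the caller is assumed to have verified the XML Signature against the IdP's metadata first, since nothing checked here means anything otherwise.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SP_ENTITY_ID = "https://sp.example.net/saml"   # assumed SP entityID
ACS_URL = "https://sp.example.net/saml/acs"    # assumed AssertionConsumerService URL

# Constructed sample (not from the slides); the ds:Signature is omitted and must
# have been verified by the caller before validate_assertion() is trusted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
    IssueInstant="2007-10-17T09:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.org/saml"
        SPNameQualifier="{SP_ENTITY_ID}">opaque-pairwise-id-for-this-sp</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
          NotOnOrAfter="2007-10-17T09:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-10-17T08:59:00Z" NotOnOrAfter="2007-10-17T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-10-17T08:59:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(s):
    """SAML timestamps are xs:dateTime in UTC; this accepts the plain 'Z' form."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, *, now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                       outstanding_request_ids, acceptable_authn_classes,
                       skew=dt.timedelta(seconds=60)):
    """Return ok/problems plus the identity data the SP may act on if ok."""
    root = ET.fromstring(xml_text)
    problems = []

    # Conditions: validity window and audience (who this assertion is *for*).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_ts(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_ts(noa):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("not in audience")

    # SubjectConfirmation: "who are you to talk to me about this subject, now?"
    # With the bearer method whoever presents the assertion is taken to be the
    # subject, so Recipient, NotOnOrAfter and InResponseTo are all the SP has.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        noa = data.get("NotOnOrAfter")
        if (data.get("Recipient") == acs_url
                and noa is not None and now - skew < parse_ts(noa)
                and data.get("InResponseTo") in outstanding_request_ids):
            confirmed = True
    if not confirmed:
        problems.append("no acceptable bearer SubjectConfirmation")

    # Authentication context: the SP, not the IdP, decides what is strong enough.
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=NS)
    if ctx not in acceptable_authn_classes:
        problems.append(f"authn context {ctx} not acceptable")

    nameid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "ok": not problems,
        "problems": problems,
        "nameid": None if nameid is None else {"value": nameid.text, "format": nameid.get("Format"),
                                               "sp_qualifier": nameid.get("SPNameQualifier")},
        "authn_context": ctx,
        "attributes": attrs,
    }
```

Two operational notes. The SP must delete the request ID from its outstanding set as soon as an assertion is accepted, otherwise the same bearer assertion replays within its window. And the standard-library parser is used here for brevity; on untrusted input a hardened parser such as defusedxml is the safer choice.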
SAML v2.0
SAML v2.0 Protocols*
* and Bindings, and Profiles
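Of the request/response protocols SAML 2.0 Core defines (Authentication Request, Assertion Query/Request, Artifact Resolution, Name Identifier Management, Name Identifier Mapping, Single Logout), the Authentication Request protocol is the one the preceding slides lead to, and the slide's footnote is the reminder that a protocol message still needs a binding to travel. The block below is an added example in Python (not code from the slides, the OOI project, or any SAML toolkit) that builds an AuthnRequest asking for a persistent NameID and a minimum authentication context, and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode). The SP and IdP entityIDs and URLs are assumptions; the redirect-binding SigAlg/Signature parameters are left out, so this is the unsigned form.

```python
import base64
import secrets
import urllib.parse
import zlib

SP_ENTITY_ID = "https://sp.example.net/saml"       # assumed
ACS_URL = "https://sp.example.net/saml/acs"        # assumed
IDP_SSO_URL = "https://idp.example.org/saml/sso"   # assumed IdP SingleSignOnService
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def new_request_id():
    """SAML IDs are xs:ID (NCName): must not start with a digit, hence the underscore."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant, min_authn_class=PPT):
    """AuthnRequest asking for a persistent pair-wise NameID and at least min_authn_class.

    The SP must store request_id: the Response's InResponseTo is matched against it.
    """
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
        '<samlp:RequestedAuthnContext Comparison="minimum">'
        f'<saml:AuthnContextClassRef>{min_authn_class}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext>'
        '</samlp:AuthnRequest>'
    )


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate stream
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def redirect_decode(param):
    """Inverse of redirect_encode; what the IdP does with the SAMLRequest parameter."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def redirect_url(xml_text, relay_state=None):
    """The Location the SP sends the browser to."""
    query = "SAMLRequest=" + redirect_encode(xml_text)
    if relay_state:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return f"{IDP_SSO_URL}?{query}"


def parse_redirect_url(url):
    """Split the query by hand: parse_qs would turn '+' in the base64 into spaces."""
    params = dict(p.split("=", 1) for p in urllib.parse.urlsplit(url).query.split("&"))
    return redirect_decode(params["SAMLRequest"]), urllib.parse.unquote(params.get("RelayState", ""))
```

The round trip through parse_redirect_url is the check to keep: a binding bug (zlib header left on, '+' mangled by a query parser) shows up as a request the IdP cannot inflate, which is usually reported back as an opaque "invalid request" rather than a useful error.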
Modern Authentication Architectures
• General interaction architectures
• Decorated for identity
• Attractive for specialization
• At level of message exchange, and
• At level of message object
Core Interaction Patterns of an Identity
Federation Framework
• Explore general interaction aspects
• Using Interactions to integrate an architecture
– By example