1 July 2005 © 2005 University of Kent 1
Seamless Integration of PERMIS and Shibboleth
– Development of a Flexible PERMIS Authorisation Module
for Shibboleth and Apache Server
Wensheng Xu, David Chadwick, Sassa Otenko
Computing Laboratory, University of Kent, Canterbury, UK
Outline
What Shibboleth is proud of
Why Shibboleth needs to be further improved
How we integrate Shibboleth and PERMIS
What we have achieved
Shibboleth
An architecture to link resource web sites and authentication systems (http://shibboleth.internet2.edu)
Based on PKI; multiple parties form a federation in Shibboleth
Attributes can be securely transferred between home sites and resource sites (SAML 1.1)
Shibboleth
Authentication is the responsibility of the user's home site
Requests to authenticate the user will be routed back to the home site and take place there
Authorisation is the responsibility of the resource target site
Based on attributes supplied by the home site
Shibboleth (architecture diagram; not reproduced in the transcript)
Shibboleth is proud of:
Web resources and Web services can be shared
Single sign-on is achieved
User privacy is well protected
Weaknesses in Shibboleth: simple trust model
The target site relies on the origin site to return the correct attributes
Plain (unsigned) attributes are relatively easy to tamper with
Only one attribute authority is supported
Weaknesses in Shibboleth: only basic access control capability
Access control rules are defined in the Apache configuration file
Complex access control rules (RBAC, dynamic separation of duty, delegation of authority, combination of rules, etc.) are not supported
The Apache administrator has to manage the access control rules; the resource owner cannot specify the rules directly
PERMIS
A PMI (privilege management infrastructure) software system comprising:
A privilege allocation (PA) component
A policy management GUI
A privilege verification (PV) component
A policy decision point (PDP)
PERMIS
Policy-based RBAC is supported
Policy expressed in XML (compliance with the OASIS XACML standard planned)
Role Allocation Policy (RAP)
Target Access Policy (TAP)
Subject sub-policy
Role hierarchy sub-policy
Source of Authority sub-policy
Target sub-policy
Action sub-policy
Complex access control policies supported
PERMIS
Decisions are based on roles or attributes
Attributes are stored in X.509 attribute certificates
Supports multiple sources of authority
Shibboleth and PERMIS SAAM (architecture diagram; component labels recovered from the transcript)
User Home Site: Authentication System, Handle Service, Attribute Authority, Origin LDAP holding attributes and ACs
WAYF (between the user and the home site)
Resource Target Site: SHIRE, SHAR, ShibAuthz, mod_permis, JNI connector, PERMIS PV/PDP sub system (PERMIS PV, PERMIS PDP), Policy LDAP
Policy management sub system: SoA, Policy management GUI, PERMIS RBAC policy
PERMIS PA sub system: SoA, Privilege Allocator / Attribute certificate manager, AC LDAP
AC Storage Site: ACs are retrieved by the PV component (pull mode) or delivered together with the user's attributes (push mode)
Shibboleth and Apache authentication and authorisation (diagram of the Apache request phases; labels recovered from the transcript)
An HTTP request passes through these phases in order: URI to filename translation; authentication (identity check); authorisation (access check); module-specific access check; response
Each Apache module (modules 1 to 3 in the diagram) registers handling functions (A to G) for the phases it takes part in, and the HTTP response is produced in the last phase
PERMIS SAAM in push mode with X.509 ACs
The origin site stores digitally signed attribute certificates in its LDAP repository
The target site is willing to trust different attribute authorities at the origin site
So the origin site can distribute attribute assignment to different managers
(diagram: the Shibboleth origin domain transfers ACs to the Shibboleth target domain, which evaluates its RAP/TAP)
PERMIS SAAM in push mode with plain attributes
The target site trusts the origin's attribute repository and the origin as a single AA
The origin can store plain attributes in its repository (standard Shibboleth)
(diagram: the Shibboleth origin domain transfers plain attributes to the Shibboleth target domain, which evaluates its TAP)
PERMIS SAAM in pull mode
The target trusts different attribute authorities elsewhere
PERMIS SAAM should then work in pull mode and fetch the ACs itself
An example: an engineer is issued a "certified MS engineer" AC by a Microsoft-accredited agency
The distributed LDAP repositories holding such ACs may sit in various places and must be accessible to the PERMIS PV component
PERMIS SAAM in pull mode (diagram: the Shibboleth origin domain transfers only the user's DN to the Shibboleth target domain, which pulls the ACs itself and evaluates its RAP/TAP)
PERMIS SAAM with Apache and without Shibboleth (diagram of the resource web site; labels recovered from the transcript)
User -> HTTP request -> mod_auth_ldap (authenticates against the Authentication LDAP and yields the user DN) -> mod_permis -> JNI connector -> PERMIS PV/PDP subsystem (PERMIS PV: GetCreds; PERMIS PDP: Decision) -> returned response
PERMIS PV retrieves ACs from the AC LDAP (pull mode) and the PERMIS RBAC policy (RAP/TAP) from the Policy LDAP
SOA side: PERMIS PA and policy management subsystem (Policy management GUI, Attribute certificate manager) populate the AC LDAP and the Policy LDAP
User privacy issues in PERMIS SAAM
When plain attributes are adopted: standard Shibboleth + PERMIS PDP
When ACs are adopted: a DN must be provided to the target site to match the X.509 ACs, but the DN can be a pseudonym or a group name
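As an added illustration (example code written for this transcript, not PERMIS or Shibboleth code), the following Python sketch models what the PERMIS policy slides and the push/pull-mode slides describe: a policy split into subject, role hierarchy, source of authority, target and action sub-policies plus a RAP and a TAP; privilege verification that accepts an AC only from a trusted SoA that the RAP allows to assign that role to that subject; a PDP that evaluates the TAP through the role hierarchy; and push mode (ACs arriving with the request) beside pull mode (ACs fetched from several repositories by holder DN, with plain dictionaries standing in for AC LDAP servers). Every DN, role, URL and SoA name is made up, and the AC signature check is replaced by a flag rather than real X.509 verification.

```python
# Added example (not PERMIS or Shibboleth code): a small model of the RAP/TAP
# policy evaluation and of the push/pull credential retrieval the slides
# describe. All DNs, roles, URLs and policy values here are made up.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AttributeCert:
    """Simplified X.509 attribute certificate; signature_ok stands in for
    the issuer signature check a real AC verifier performs (assumption)."""
    holder: str        # DN of the subject the role is assigned to
    issuer: str        # DN of the Source of Authority (SoA) that issued it
    role: str          # role attribute carried by the AC
    not_after: date    # end of the validity period
    signature_ok: bool = True


KENT_SOA = "cn=SOA,o=University of Kent,c=gb"
MS_SOA = "cn=Accreditation,o=MS Partner Agency,c=us"

POLICY = {  # constructed policy in the shape the slides describe (not PERMIS XML)
    "subject_domains": {"kent": "o=University of Kent,c=gb", "anyone": ""},  # LDAP subtrees
    "role_hierarchy": {"professor": {"staff"}},     # superior role -> roles it inherits
    "soas": {KENT_SOA, MS_SOA},                     # issuers the target is willing to trust
    "rap": [  # role allocation policy: which SoA may assign which roles to which subjects
        {"soa": KENT_SOA, "domain": "kent", "roles": {"staff", "professor"}},
        {"soa": MS_SOA, "domain": "anyone", "roles": {"certified_ms_engineer"}},
    ],
    "targets": {"grades": "/protected/grades/", "labs": "/protected/labs/"},  # URL prefixes
    "tap": [  # target access policy: which roles may perform which actions on which targets
        {"role": "staff", "targets": {"labs"}, "actions": {"GET"}},
        {"role": "professor", "targets": {"grades"}, "actions": {"GET", "POST"}},
        {"role": "certified_ms_engineer", "targets": {"labs"}, "actions": {"GET", "POST"}},
    ],
}


def in_domain(dn, suffix):
    """True if dn lies in the LDAP subtree rooted at suffix (matched on an RDN boundary)."""
    return suffix == "" or dn == suffix or dn.endswith("," + suffix)


def get_creds(dn, acs, policy, today):
    """Privilege verification (PV): roles from ACs that name dn as holder, are signed by
    a trusted SoA, are unexpired, and whose role that SoA may assign to dn under the RAP."""
    roles = set()
    for ac in acs:
        if ac.holder != dn or not ac.signature_ok or ac.not_after < today:
            continue
        if ac.issuer not in policy["soas"]:
            continue
        for rule in policy["rap"]:
            if (rule["soa"] == ac.issuer and ac.role in rule["roles"]
                    and in_domain(dn, policy["subject_domains"][rule["domain"]])):
                roles.add(ac.role)
                break
    return roles


def expand_roles(roles, hierarchy):
    """Add every role reachable downwards through the role hierarchy."""
    result, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in result:
            result.add(role)
            todo.extend(hierarchy.get(role, ()))
    return result


def decide(roles, uri, action, policy):
    """Policy decision point (PDP): permit only if a TAP entry grants the action."""
    roles = expand_roles(roles, policy["role_hierarchy"])
    targets = {n for n, p in policy["targets"].items() if uri.startswith(p)}
    return any(r["role"] in roles and r["targets"] & targets and action in r["actions"]
               for r in policy["tap"])


def authorise(dn, uri, action, policy, today, pushed_acs=(), repositories=()):
    """mod_permis-style flow for an authenticated DN. Push mode: ACs arrive with the
    request (e.g. as Shibboleth attributes). Pull mode: the PV fetches ACs for dn from
    each configured repository; the dicts here stand in for AC LDAP servers."""
    acs = list(pushed_acs)
    for repo in repositories:
        acs.extend(repo.get(dn, []))
    return decide(get_creds(dn, acs, policy, today), uri, action, policy)


TODAY = date(2005, 7, 1)   # constructed sample data follows: two AC repositories, one forged AC
ALICE = "cn=alice,ou=cs,o=University of Kent,c=gb"
BOB = "cn=pseudonym-4711,o=Contractors,c=gb"   # a pseudonymous DN, as the privacy slide allows
KENT_AC_LDAP = {ALICE: [AttributeCert(ALICE, KENT_SOA, "professor", date(2006, 1, 1))]}
MS_AC_LDAP = {BOB: [AttributeCert(BOB, MS_SOA, "certified_ms_engineer", date(2007, 1, 1)),
                    AttributeCert(BOB, MS_SOA, "professor", date(2007, 1, 1))]}  # not in the RAP
FORGED = AttributeCert(BOB, "cn=SOA,o=Evil,c=xx", "professor", date(2007, 1, 1))

if __name__ == "__main__":
    repos = [KENT_AC_LDAP, MS_AC_LDAP]
    for dn, uri, act in [(ALICE, "/protected/grades/2005.csv", "POST"), (ALICE, "/protected/labs/", "POST"),
                         (BOB, "/protected/labs/", "POST"), (BOB, "/protected/grades/", "GET")]:
        ok = authorise(dn, uri, act, POLICY, TODAY, repositories=repos)
        print("pull", dn.split(",")[0], act, uri, "->", "permit" if ok else "deny")
    ok = authorise(BOB, "/protected/grades/", "GET", POLICY, TODAY, pushed_acs=[FORGED])
    print("push with forged AC ->", "permit" if ok else "deny")
```

The RAP check in `get_creds` is what lets the target trust several attribute authorities at once without letting any one of them assign arbitrary roles: the accredited agency in the sample may issue "certified MS engineer" to anyone, but its "professor" AC is dropped, as is the AC from an issuer that is not in the SoA sub-policy at all. The pseudonymous DN is sufficient because the PV matches the AC holder field against whatever DN the authentication layer released, not against a real name.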
The PERMIS SAAM Apache directives
Directives in the Apache configuration file:
PermisPolicyIdentifier
PermisPolicyIssuer
PermisPolicyLocation
PermisAuthorisation
PermisPullMode (optional)
PermisACLocation (optional)
Conclusions:
PERMIS SAAM works with Shibboleth + Apache
No Shibboleth source code needs to be modified
More fine-grained access control can be achieved
More flexibility for resource managers
PERMIS SAAM also works with the Apache server on its own
Potentially PERMIS can work with any authentication system (provided the user DN is released so that ACs can be matched)
Thank you!
Questions?