Ocean Observatories Initiative


Ocean Observatories Initiative Cyberinfrastructure Component
CI Design Workshop, 17-19 October 2007
OOI-CI–Ragouzis–2007.10.15

Core Interaction Patterns of an Identity Federation Framework
• OASIS SAML v2.0
• Liberty Alliance ID-WSF 2.0

Core Interaction Patterns of an Identity Federation Framework
• Explore general interaction aspects
• Using Interactions to integrate an architecture
  – By example

OASIS SAML v2.0


OASIS SAML v2.0


COI-Core Connectivities
– Data Network
  • Messages from & about interactions
– Control Network
  • Realizes interactions for Observations
– Process Network
  • Plays and constrains interactions to plan

Interaction: Messages of Authn
• The Message “Object”
• Evolution of semantic richness

Interaction: Exchanges of Authn
• The art of the coddle:
  – Bootstrapping
  – Referrals
  – Proxy
  – Hiding

Identity Federation Framework
• Identity-enabled …
• Privacy-respecting …
• Regulatory/Governance-tractable …
• Composable …
• Domain-cognizant …
• Dynamically-configurable …
• Resource-aware …
• Deployment-time extensible …
• Process-instantiating …
• Network services …
• Framework

Key Characteristics
• Identity as organizing principle
• Subject identification +[transient | persistent, opaque]
• Sharing identifiers across trust domains
• Confirming rights to authenticate
• Authentication context
• Discovery
• Interaction
• Attributes as first class objects
• Privacy preferences, and policies
• General application-level services framework
• Extensible metadata for description & verification

Liberty ID-WSF v2.0

http://projectliberty.org/liberty/specifications__1

OASIS SAML v2.0

Stylized from: http://projectliberty.org/liberty/specifications__1

SAML v2.0

The Subject
Subject context: assertion
• Subject’s Identifier | implied
• SubjectConfirmation
  – Who are you to talk to me about this subject? … now?
  – You know what I want to hear
  – Encryption options
• Extensible

SAML v2.0

The Principal: Name Identifiers
• Abstract and Concrete types
  – Extend your own
• Pair-wise semantics
  – Peering-mechanics
• Extensible Typing (Format)
• Privacy-preserving
  – EncryptedID
  – Pseudonyms

SAML v2.0

SAML v2.0 Assertions
• Statements
• From SAML authority
• About the Subject (or application-implied Subject(s))
• And other coordination (conditions, advice, encrypt)
• Extensible
• Kinds of Statements from SAML Authority about Subject:
  – Authentication Statement
  – Attribute Statement
  – Authorization Decision Statement
  – Statement (Extension point)

SAML v2.0

Authentication Context
• Context Class or Specific Context Declarations
• Data Model:
  – Identification
  – Technical Protection
  – Operational Protection
  – Authentication Method
  – Governing Agreements
• Authentication Contexts, before your extensions:
  – IP, IP password, Kerberos, time sync token, XML Signature, X.509
  – mobile [one|two]-factor [contract|unregistered]
  – [authenticated] telephony, nomadic telephony, personal telephony
  – password-protected transport, SSL certificate, [secure remote] password
  – previous session, PGP, software PKI, SPKI, smartcard [PKI]
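Added example, not part of the original slides: the checks a relying party runs over the Subject, NameID, SubjectConfirmation, Conditions, AuthnStatement and AttributeStatement that the Subject, Name Identifiers, Assertions and Authentication Context slides describe. The assertion, issuer, audience and subject values are constructed placeholders, and XML Signature verification is a separate step not shown here.

```python
# Added example (not from the slides): relying-party evaluation of a SAML v2.0
# assertion's subject, subject confirmation, conditions and statements.
# Sample assertion and all URLs/identifiers are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAMPLE_ASSERTION = """<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_a1" Version="2.0" IssueInstant="2007-10-17T09:00:00Z">
 <s:Issuer>https://idp.example.org</s:Issuer>
 <s:Subject>
  <s:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">p-42</s:NameID>
  <s:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <s:SubjectConfirmationData NotOnOrAfter="2007-10-17T09:05:00Z" Recipient="https://sp.example.org/acs"/>
  </s:SubjectConfirmation>
 </s:Subject>
 <s:Conditions NotBefore="2007-10-17T08:59:00Z" NotOnOrAfter="2007-10-17T09:05:00Z">
  <s:AudienceRestriction><s:Audience>https://sp.example.org</s:Audience></s:AudienceRestriction>
 </s:Conditions>
 <s:AuthnStatement AuthnInstant="2007-10-17T09:00:00Z"><s:AuthnContext><s:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</s:AuthnContextClassRef></s:AuthnContext></s:AuthnStatement>
 <s:AttributeStatement><s:Attribute Name="role"><s:AttributeValue>observer</s:AttributeValue></s:Attribute></s:AttributeStatement>
</s:Assertion>"""

def _ts(value):
    # The sample's dateTime values are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, audience, recipient, now_utc, accepted_classes):
    """Evaluate the assertion at time now_utc (string, UTC); 'ok' is True only when every check passes."""
    a, now, f = ET.fromstring(xml_text), _ts(now_utc), {}
    nid = a.find("s:Subject/s:NameID", NS)
    f["name_id"] = (nid.get("Format"), nid.text)
    # SubjectConfirmation: who may present this assertion, to whom, and until when
    sc = a.find("s:Subject/s:SubjectConfirmation", NS)
    scd = sc.find("s:SubjectConfirmationData", NS)
    f["bearer"] = sc.get("Method") == BEARER
    f["recipient_ok"] = scd.get("Recipient") == recipient and now < _ts(scd.get("NotOnOrAfter"))
    # Conditions: validity window and the audience the assertion was issued for
    c = a.find("s:Conditions", NS)
    f["window_ok"] = _ts(c.get("NotBefore")) <= now < _ts(c.get("NotOnOrAfter"))
    f["audience_ok"] = audience in [e.text for e in c.findall("s:AudienceRestriction/s:Audience", NS)]
    # Authentication context class declared in the AuthnStatement
    f["authn_class"] = a.findtext("s:AuthnStatement/s:AuthnContext/s:AuthnContextClassRef", namespaces=NS)
    f["authn_ok"] = f["authn_class"] in accepted_classes
    f["attributes"] = {at.get("Name"): at.findtext("s:AttributeValue", namespaces=NS)
                       for at in a.findall("s:AttributeStatement/s:Attribute", NS)}
    f["ok"] = all(f[k] for k in ("bearer", "recipient_ok", "window_ok", "audience_ok", "authn_ok"))
    return f
```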

SAML v2.0

SAML v2.0 Protocols*
• Statements
• From SAML authority
• About the Subject (or application-implied Subject(s))
• And other coordination (conditions, advice, encrypt)
• Extensible
• Kinds of Statements from SAML Authority about Subject:
  – Authentication Statement
  – Attribute Statement
  – Authorization Decision Statement
  – Statement (Extension point)
* and Bindings, and Profiles

OASIS SAML v2.0


OASIS SAML v2.0


Liberty ID-WSF v2.0

http://projectliberty.org/liberty/specifications__1

Modern Authentication Architectures
• General interaction architectures
• Decorated for identity
• Attractive for specialization
• At level of message exchange, and
• At level of message object

Core Interaction Patterns of an Identity Federation Framework
• Explore general interaction aspects
• Using Interactions to integrate an architecture
  – By example