Identity Management and Access Control
DESCRIPTION
Identity Management and Access Control. Mehregan Mahdavi, Assistant Professor, Department of Computer Engineering, University of Guilan, [email protected]. Table of contents: Introduction to Authentication; Centralized identity management; Single Sign On; Federated Identity Management; SAML; Shibboleth; Conclusion.
IDENTITY MANAGEMENT AND ACCESS CONTROL
Mehregan Mahdavi
Assistant Professor, Department of Computer Engineering, University of Guilan, [email protected]
TABLE OF CONTENTS
• Introduction to Authentication
• Centralized identity management
• Single Sign On
• Federated Identity Management
• SAML
• Shibboleth
• Conclusion
INTRODUCTION
• Authentication means verifying the correctness of an attribute of an entity.
• It may be the verification of the identity of a person or of a program.
• Token-based: based on the fundamental question "What you have?"
  • Key card
  • Bank card
  • Smart Card
• Biometric: based on the fundamental question "Who you are?"
• Knowledge-based: based on the fundamental question "What you know?"
  • Textual
  • Graphical
IDENTITY MANAGEMENT
• There are different systems at institutions, e.g. Email, Finance, Student portal, etc.
• Currently, Identity Management is often fragmented (several directories or databases)
[Diagram: fragmented identity management at an institution. Each system keeps its own user store: SunOne, Oracle People Data System, eDir, Student Portal, Web AuthN, Mail, Calendar, Password Management, Forgot password / Helpdesk, Printer service, Finance System. The stores are kept consistent only by Sync and Sync Password links between them.]
SOLUTION
• Same Sign On (using one Userid and Password on all systems)
• Key Ring
• Single Sign On
SINGLE SIGN-ON IMPLEMENTATION
• Use of a central directory for Authentication
• Verifying users against this central directory
• Determining users' permissions based on their respective Credentials
SINGLE SIGN-ON IMPLEMENTATION
Question: how will Single Sign On work between several organizations?
Using SAML (Security Assertion Markup Language)
Federation
SAML
• Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
• SAML is a product of the OASIS Security Services Technical Committee.
• SAML assumes the principal (often a user) has enrolled with at least one identity provider.
• This identity provider is expected to provide local authentication services to the principal.
SAML ASSERTIONS
<saml:Assertion ...> ... </saml:Assertion>
• SAML assertions are usually transferred from identity providers to service providers.
• Assertions contain statements that service providers use to make access-control decisions.
• Three types of statements are provided by SAML:
  • Authentication statements
  • Attribute statements
  • Authorization decision statements
SAML ASSERTIONS
• Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.
• An attribute statement asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.
• An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited. More-advanced use cases are encouraged to use XACML instead.
XACML (eXtensible Access Control Markup Language)
• An Attribute Based Access Control (ABAC) system
• Attributes associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way.
• Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.
Shibboleth
• Shibboleth is an Internet2 Middleware Initiative project
• An architecture and open-source implementation for Identity management and federated identity-based authentication and authorization (or Access control) infrastructure based on SAML
• Federated identity allows for information about users in one security domain to be provided to other organizations in a federation
• This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords.
• Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.
XML
<bibliography>
  <paper ID="object-fusion">
    <authors>
      <author>Y. Papakonstantinou</author>
      <author>S. Abiteboul</author>
      <author>H. Garcia-Molina</author>
    </authors>
    <fullPaper source="fusion"/>
    <title>Object Fusion in Mediator Systems</title>
    <booktitle>VLDB 96</booktitle>
  </paper>
</bibliography>
Advantages of XML
• Human-readable
• Machine-readable
• Standard format for data interchange
• Possible to validate
• Extensible
  • can represent any data
  • can add new tags for new data formats
Well-Formed vs. Valid
• Well-Formed: Structure follows XML syntax rules
• Valid: Structure conforms to a DTD
Adding Structure and Semantics
• XML Document Type Definitions (DTDs)
• XML Schema
  • defines structure and data types
  • allows developers to build their own libraries of interchanged data types
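As an added example (not code from the slides), the distinction between well-formed and valid is made concrete on the bibliography document above: the parser alone decides well-formedness, while validity is checked against a DTD-like content model. The content model and required attributes are constructed here to match the example document, since xml.etree does not validate against a DTD.

```python
# Added example (not from the slides): well-formed vs valid, checked on the bibliography above.
# xml.etree only checks well-formedness; the DTD-like content model below is constructed here.
import re
import xml.etree.ElementTree as ET

BIBLIOGRAPHY = """<bibliography>
  <paper ID="object-fusion">
    <authors>
      <author>Y. Papakonstantinou</author><author>S. Abiteboul</author><author>H. Garcia-Molina</author>
    </authors>
    <fullPaper source="fusion"/>
    <title>Object Fusion in Mediator Systems</title>
    <booktitle>VLDB 96</booktitle>
  </paper>
</bibliography>"""

# Content model in the spirit of a DTD, written as regexes over the sequence of child tag names:
#   <!ELEMENT bibliography (paper+)>   <!ELEMENT paper (authors, fullPaper, title, booktitle)>
#   <!ELEMENT authors (author+)>       text-only elements and the EMPTY fullPaper have no children
CONTENT_MODEL = {
    "bibliography": r"(paper )+",
    "paper": r"authors fullPaper title booktitle ",
    "authors": r"(author )+",
    "author": r"", "title": r"", "booktitle": r"", "fullPaper": r"",
}
REQUIRED_ATTRS = {"paper": {"ID"}, "fullPaper": {"source"}}

def is_well_formed(xml_text):
    """Well-formed: the parser accepts the syntax (tags nest and close properly)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def validation_errors(xml_text):
    """Valid: every element's children and required attributes match the content model."""
    errors = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in CONTENT_MODEL:
            errors.append(f"unknown element <{el.tag}>")
            continue
        children = "".join(c.tag + " " for c in el)
        if not re.fullmatch(CONTENT_MODEL[el.tag], children):
            errors.append(f"<{el.tag}> has children [{children.strip()}]")
        missing = REQUIRED_ATTRS.get(el.tag, set()) - set(el.attrib)
        if missing:
            errors.append(f"<{el.tag}> is missing attribute(s) {sorted(missing)}")
    return errors
```

Validity is only meaningful once well-formedness holds, so validation_errors expects input that is_well_formed has already accepted.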
CONCLUSION
• Centralized identity management can reduce many of the problems of maintaining multiple Usernames and Passwords.
• A mechanism for identity management is needed in applications such as sharing digital data and the like.
• SAML: a mechanism for identity management
• Shibboleth: an implementation of SAML