CS 551 Introduction to WS Authorization (Brian P. Barrett)
CS 551 1
Introduction to WS Authorization
Brian P. Barrett
Page 2
Authorization
WS-Authorization – Complete?
Steps of Authorization
Security Token Acquisition
SAML
Authorization in Firewall
Map of Authorization
Authorization in Code
References
Page 3
Where does Authorization fit in?
Authorization is an aspect of security that falls in with other categories: Secure Conversation, Federation, Policy, Trust, Privacy.
Is this Authorized?
Page 4
Security
Authentication: Determine the identity of a person/object
Authorization: Determine what the person is allowed to do
Integrity: Ensure the data was not altered on its way to you
Signature: Validate the source of the data
Confidentiality: Limit the people allowed to view the data
Privacy: Make sure no one abuses your data
Digital Rights Management: Limit users from doing whatever they want
Page 5
How does Authorization work with other services?
If Authorization were a layer working with other services, it would work in conjunction with the Federation layer.
WS-Federation
WS-Secure Conversation
WS-Authorization
Page 6
Authorization with other WS
Page 8
PMI or Privilege Management Infrastructure
Source of Authority (SOA): the topmost root of trust, sometimes also referred to as the trust anchor
Attribute Authority (AA) (also Privilege Allocator, Authoritative Entity): the issuer of an attribute certificate
Certificate Holder / Privilege Holder: the user or subject of an attribute certificate
Page 9
Security Token Authorized
Requestor issues a request.
The Web Service obtains a security token.
Auth and Trust are validated. The service must find the data and policies that are authorized for the user.
The data and policies will be validated for that particular client.
Web Service trust established. The request was processed and the response returned.
Page 10
SAML – Security Assertion Markup Language
SAML's purpose was to be a security language that could be used as an industry standard for security. It uses XML digital signatures together with XML encryption.
The language uses assertions, made in the code, that convey information about authentication events and authorization decisions.
Page 11
SAML Authorization Map
Page 12
PEP - Policy Enforcement Point
Definition: Dependence upon the resource
PDP - Policy Decision Point
Page 13
Authorization in Firewall Processing
Claims officer / Customer
Insurance Co.
Web-Service
Page 14
Authorization Process Map
Client: Give server trust; Invocate policy; Consult policy
Authorization Process: Role based Authorization; Instance based Authorization; Capability listings
Server: Access Policy; Give client resource; Policy authority
Page 15
How does the Authorization code fit?
Page 16
Authorization in code
Show SAML code and explain.
SAML doc
Authorization decision: by subject S, for access type A, to resource R, given evidence E.
Page 17
Code Example
<!-- Rule 3 (Permit): any subject with an RFC822Name in the //medico.com namespace may
     read a document under //medico.com/records, but only when that subject is the
     record's patient (see the Condition below). -->
<Rule RuleId="//medico.com/rules/rule3" Effect="Permit">
  <Target>
    <Subjects>
      <!-- "*" matches any RFC822Name value -->
      <saml:Attribute AttributeName="RFC822Name" AttributeNamespace="//medico.com">
        <saml:AttributeValue>*</saml:AttributeValue>
      </saml:Attribute>
    </Subjects>
    <Resources>
      <!-- pattern over the resource's documentURI attribute -->
      <saml:Attribute AttributeName="documentURI" AttributeNamespace="//medico.com">
        <saml:AttributeValue>//medico.com/records.*</saml:AttributeValue>
      </saml:Attribute>
    </Resources>
    <Actions>
      <saml:Action>read</saml:Action>
    </Actions>
  </Target>
  <!-- Condition: the requesting subject (AccessSubject) must equal the record's patientName -->
  <Condition>
    <Equal>
      <AttributeDesignator AttributeName="urn:oasis:names:tc:xacml:identifiers:AccessSubject" />
      <AttributeDesignator AttributeName="patientName" />
    </Equal>
  </Condition>
</Rule>
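As an added example (not from the slides, and not the code of any SAML or XACML implementation), here is a small Policy Decision Point and Policy Enforcement Point in Python that evaluates the rule above against the decision tuple of the previous slide: subject S, access type A, resource R, evidence E. The `Request` and `Rule` structures, the regular-expression matching of attribute patterns, the deny-overrides combining of rule results, and the resolution of `AccessSubject` to the subject's `RFC822Name` are all assumptions made for this example; the three sample requests are constructed. It also shows the practitioner's caveat the slides' PEP/PDP split implies: the PEP grants access only on an explicit Permit, so a request that no rule covers (a write, or a read of another patient's record) is refused rather than silently allowed.

```python
import re
from dataclasses import dataclass, field

# Designator used by the slide's rule for "the subject making the request".
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:identifiers:AccessSubject"


@dataclass(frozen=True)
class Request:
    """Decision tuple from the slides: subject S asks for access type A to resource R,
    given evidence E (extra attributes the PEP gathered, e.g. who the record's patient is)."""
    subject: dict
    action: str
    resource: dict
    evidence: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                 # "Permit" or "Deny"
    subjects: dict              # attribute name -> pattern ("*" = any value)
    resources: dict             # attribute name -> regular-expression pattern
    actions: frozenset
    condition: tuple = ()       # pairs of attribute designators that must be equal


def _matches(patterns, attrs):
    """Target matching: every listed attribute must be present and match its pattern."""
    for name, pattern in patterns.items():
        value = attrs.get(name)
        if value is None:
            return False
        if pattern != "*" and re.fullmatch(pattern, value) is None:
            return False
    return True


def _designator(name, request):
    """Resolve an AttributeDesignator. Assumption for this example: AccessSubject is the
    requester's RFC822Name; other names are looked up in the resource, then the evidence."""
    if name == ACCESS_SUBJECT:
        return request.subject.get("RFC822Name")
    if name in request.resource:
        return request.resource[name]
    return request.evidence.get(name)


def evaluate_rule(rule, request):
    """One rule yields its Effect when target and condition hold, else NotApplicable."""
    if not (_matches(rule.subjects, request.subject)
            and _matches(rule.resources, request.resource)
            and request.action in rule.actions):
        return "NotApplicable"
    for left, right in rule.condition:
        lv, rv = _designator(left, request), _designator(right, request)
        if lv is None or lv != rv:        # missing evidence fails the condition
            return "NotApplicable"
    return rule.effect


def pdp_decide(rules, request):
    """Policy Decision Point: deny-overrides combining; nothing applicable -> NotApplicable."""
    decision = "NotApplicable"
    for rule in rules:
        result = evaluate_rule(rule, request)
        if result == "Deny":
            return "Deny"
        if result == "Permit":
            decision = "Permit"
    return decision


def pep_enforce(rules, request):
    """Policy Enforcement Point: only an explicit Permit grants access; Deny and
    NotApplicable both refuse, so the service fails closed."""
    return pdp_decide(rules, request) == "Permit"


# The slide's rule 3, transcribed from XML into the structures above.
RULE3 = Rule(
    rule_id="rule3",
    effect="Permit",
    subjects={"RFC822Name": "*"},
    resources={"documentURI": "//medico.com/records.*"},
    actions=frozenset({"read"}),
    condition=((ACCESS_SUBJECT, "patientName"),),
)
POLICY = (RULE3,)

# Constructed sample requests (not from the slides).
OWN_RECORD = Request(subject={"RFC822Name": "alice@medico.com"}, action="read",
                     resource={"documentURI": "//medico.com/records/alice"},
                     evidence={"patientName": "alice@medico.com"})
OTHER_RECORD = Request(subject={"RFC822Name": "alice@medico.com"}, action="read",
                       resource={"documentURI": "//medico.com/records/bob"},
                       evidence={"patientName": "bob@medico.com"})
WRITE_OWN = Request(subject={"RFC822Name": "alice@medico.com"}, action="write",
                    resource={"documentURI": "//medico.com/records/alice"},
                    evidence={"patientName": "alice@medico.com"})

if __name__ == "__main__":
    for label, req in (("own record, read", OWN_RECORD),
                       ("other record, read", OTHER_RECORD),
                       ("own record, write", WRITE_OWN)):
        verdict = "allowed" if pep_enforce(POLICY, req) else "refused"
        print(f"{label}: {pdp_decide(POLICY, req)} -> {verdict}")
```

Running the block prints a Permit for the read of the subject's own record and NotApplicable for the other two requests, both of which the PEP refuses. The separation mirrors the slide: `pdp_decide` only answers the question, while `pep_enforce` is the single place that turns that answer into access or refusal.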
Page 18
References
Primary
www.Globus.org – Globus is a resource for seeing the latest changes to WS-Authorization and other new standards.
http://www.cs.huji.ac.il/course/2002/sdbi/ – If you go here and choose XML Security under Lecture slides, you will find some detail about coding with SAML and its interaction with authorization processes.
Secondary
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp – Here you will find some significant images that detail security over the web.
http://www.lightshipinc.com/lightship/resourcecenter/Etips.aspx – At this site you can learn about new technology dealing with XML, SAML and XACML.