Identity Management and Access Control

Post on 10-Jan-2016


DESCRIPTION

IDENTITY MANAGEMENT and Access Control. Mehregan Mahdavi, Assistant Professor, Department of Computer Engineering, University of Guilan, mahdavi@guilan.ac.ir. Table of contents: Introduction to Authentication; Centralized Identity Management; Single Sign On; Federated Identity Management; SAML; Shibboleth; Conclusion. Introduction. - PowerPoint PPT Presentation

TRANSCRIPT

IDENTITY MANAGEMENT AND ACCESS CONTROL

Mehregan Mahdavi

Assistant Professor, Department of Computer Engineering, University of Guilan, mahdavi@guilan.ac.ir

TABLE OF CONTENTS

• Introduction to Authentication
• Centralized Identity Management
• Single Sign On
• Federated Identity Management
• SAML
• Shibboleth
• Conclusion

INTRODUCTION

• Authentication means confirming the correctness of an attribute of an entity.

• It may be the authentication of a person or of a program.

• Token-based: based on the fundamental question "What you have?"
  • Key card
  • Bank card
  • Smart card

• Biometric: based on the fundamental question "Who you are?"

• Knowledge-based: based on the fundamental question "What you know?"
  • Textual
  • Graphical

IDENTITY MANAGEMENT

• There are different systems at institutions, e.g. Email, Finance, Student portal, etc.

• Currently, Identity Management is often fragmented (several directories or databases).

[Diagram: identity data fragmented across separate directories (SunOne, Oracle People Data System, eDir) serving the Student Portal, Web AuthN, Mail, Calendar, Password Management, Forgot password / Helpdesk, Printer service and Finance System; a second diagram shows the same systems held together by ad-hoc "Sync" and "Sync Password" links between the directories]

SOLUTION

• Same Sign On (using one Userid and Password in all systems)

• Key Ring

• Single Sign On

SINGLE SIGN-ON IMPLEMENTATION

• Use of a central directory for authentication

• Authenticating users against this central directory

• Determining users' authorizations based on the corresponding user credentials

SINGLE SIGN-ON IMPLEMENTATION

Question: how will Single Sign On work across several organizations?

Answer: use SAML (Security Assertion Markup Language)

Federation

SAML

• Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).

• SAML is a product of the OASIS Security Services Technical Committee.

• SAML assumes the principal (often a user) has enrolled with at least one identity provider.

• This identity provider is expected to provide local authentication services to the principal.

SAML ASSERTIONS

<saml:Assertion ...> ... </saml:Assertion>

• SAML assertions are usually transferred from identity providers to service providers.

• Assertions contain statements that service providers use to make access-control decisions.

• Three types of statements are provided by SAML:
  • Authentication statements
  • Attribute statements
  • Authorization decision statements

SAML ASSERTIONS

• Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.

• An attribute statement asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.

• An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited. More-advanced use cases are encouraged to use XACML instead.

XACML (eXtensible Access Control Markup Language)

• An Attribute Based Access Control (ABAC) system

• Attributes associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way.

• Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.
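The two slides above describe what a service provider does with a SAML assertion: check it, read the authentication and attribute statements, and feed the attributes into an ABAC decision. The following is an added example (not code from the slides or from any SAML product) that does exactly that over a constructed, unsigned sample assertion; the SP entity ID, attribute names and access rule are assumptions, and a real SP must verify the XML signature and the issuer before trusting anything in the assertion.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"  # assumed audience of this SP
# Constructed, unsigned sample assertion (not from the slides). A real SP must
# verify the XML signature and the issuer before trusting any statement in it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_assumed-id-1" Version="2.0" IssueInstant="2016-01-10T09:00:00Z">
 <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
 <saml:Subject><saml:NameID>student42</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2016-01-10T09:00:00Z" NotOnOrAfter="2016-01-10T09:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.edu/shibboleth</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2016-01-10T08:59:30Z"><saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement>
  <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department"><saml:AttributeValue>computer-engineering</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, now_iso, audience=SP_ENTITY_ID):
    """Enforce Conditions (validity window, audience) and return the subject,
    the authentication method (AuthnContextClassRef) and attributes as {name: [values]}."""
    root = ET.fromstring(xml_text)
    now, cond = _ts(now_iso), root.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}:
        raise ValueError("assertion not intended for this service provider")
    authn = root.find("saml:AuthnStatement", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return (root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS), attrs)

def abac_decide(user_attrs, action, resource_attrs):
    """ABAC rule (assumed): the affiliation must be allowed for the action and the
    resource's department must be one of the subject's; a role is just another attribute."""
    allowed = {"read": {"student", "faculty"}, "write": {"faculty"}}
    if not set(user_attrs.get("eduPersonAffiliation", [])) & allowed.get(action, set()):
        return "Deny"
    if resource_attrs["department"] not in user_attrs.get("department", []):
        return "Deny"
    return "Permit"
```

The same attribute dictionary is what an XACML policy decision point would receive as subject attributes; replacing the hard-coded rule with a policy is the step XACML adds.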

Shibboleth

• Shibboleth is an Internet2 Middleware Initiative project

• An architecture and open-source implementation of an identity management and federated, identity-based authentication and authorization (access control) infrastructure based on SAML

• Federated identity allows for information about users in one security domain to be provided to other organizations in a federation

• This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords.

• Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.

XML

<bibliography>
  <paper ID="object-fusion">
    <authors>
      <author>Y. Papakonstantinou</author>
      <author>S. Abiteboul</author>
      <author>H. Garcia-Molina</author>
    </authors>
    <fullPaper source="fusion"/>
    <title>Object Fusion in Mediator Systems</title>
    <booktitle>VLDB 96</booktitle>
  </paper>
</bibliography>

Advantages of XML

• Human-readable
• Machine-readable
• Standard format for data interchange
• Possible to validate
• Extensible
  • can represent any data
  • can add new tags for new data formats

Well-Formed vs. Valid

• Well-Formed: Structure follows XML syntax rules

• Valid: Structure conforms to a DTD

Adding Structure and Semantics

• XML Document Type Definitions (DTDs)

• XML Schema
  • defines structure and data types
  • allows developers to build their own libraries of interchanged data types

CONCLUSION

• Centralized identity management can reduce many of the problems of maintaining multiple usernames and passwords.

• A mechanism for identity management is needed in applications such as sharing digital data and the like.

• SAML is a mechanism for identity management.

• Shibboleth is an implementation of SAML.
