Authorization and credential management



Transcription:

XACML: Authorization and credential management
Romain Laborde, laborde@irit.fr

XACML
- OASIS standard (Organization for the Advancement of Structured Information Standards)
- eXtensible Access Control Markup Language, based on XML
- An access control policy language: attribute based access control
- An access control management architecture: policy-based management, with a request/decision protocol

XACML architecture (data-flow figure; the numbers are the message flows)
- Actors: access requester, PEP, PDP, PAP, PIP, obligations service, subject, environment
- 1. PAP: the XACML policies are made available to the PDP
- 2. Access requester: access request to the PEP
- 3. Request; 4. Request notification; 5. Attribute queries
- 6. Attribute query to the PIP; 7a. Subject attributes; 7b. Environment attributes; 7c. Attributes; 8. Attribute; 9. Attributes
- 10. Response context; 11. Decision to the PEP; 12. Obligations to the obligations service

Attribute Based Access Control
- Attribute: a security-relevant characteristic associated with a subject, an action, a resource or the environment
- Examples: the subject's role, the action's name, the resource's type, ...
- Attributes are grouped into categories; the four classic categories are Subject, Resource, Action and Environment

XACML by example (figure)
- User attributes: name, age, size, country, organization, gps location, ...
- Action attributes: name, parameters, ...
- Further attributes: name, role, sensitivity, location, status, ...
- Request = { <attr-id, attr-dt, value> }
- Enforcement produces a Decision = Permit / Deny / NotApplicable
- Administration produces the POLICY

XACML by example (continued)
- Request = { <name, string, "romain"> }
- Policy: STRING-EQUAL(name, "romain") AND ...

A new attribute? A new data type?
- The request is still { <name, string, "romain"> }, but the policy now tests a userid that lives in MySQL: STRING-EQUAL(userid, "ABCD1234") AND ...
- A MySQL PIP supplies that attribute; it is configured with the address of the MySQL server, a login/password and the SQL request to run
- Next the request carries a new data type: { <name, string, "romain">, <gps-location, gml, gml-coordinates> }
- A new function, IS-INSIDE (new code in the decision engine), evaluates it: STRING-EQUAL(userid, "ABCD1234") AND IS-INSIDE(gps-location, <gml:coordinates>), etc.

Example XACML policy
Any user whose identifier, of RFC 822 type, belongs to users.example.com (e.g. laborde@users.example.com) may perform the commit action on the CVS server server.example.com if they are a member of the developers group. Only the administrator admin@users.example.com may define who belongs to the developers group.

Three objects:
- Subject (S): name, group
- Action (A): name
- Resource (R): name
Formalised: name(S) belongs to users.example.com and group(S) [asserted by admin@users.example.com] = developers and name(A) = commit and name(R) = http://server.example.com

XACML policies
- Target: a boolean expression
- Condition: a more complex boolean expression
- Obligation: must be executed by the PEP (mandatory)
- Advice: may be executed by the PEP (not mandatory)
- Policy: a conflict-resolution (combining) algorithm; a policy target of the form (a and b and c) or (d and e and f) or ...; the rules; policy obligations; policy advice
- Rule: effect = PERMIT or DENY; a rule target of the same form (a and b and c) or (d and e and f) or ...; the rule condition; rule obligations; rule advice

XACML request context
- A request is made of categories 1 to N; each category is an XML element holding {attribute = value, attribute = value, ...}

XACML decision context
- The response carries: the decision (one of the possible decisions), a status, obligations and advice

Policy evaluation (combining algorithm: first-match)
- Policy target: name(S) belongs to users.example.com
- Rule => Permit: group(S) = developers, issuer = admin@users.example.com, name(A) = commit, name(R) = http://server.example.com
- Rule => Deny
- Response? Consider name(A) versus commit, group(S) versus developers, and the issuer of group(S) versus admin@users.example.com.

Exercise
A collaboration is formalized by a contract that states: Company A provides analyzers, Company B provides designers, and company C provides validators. The contract doesn't report anything about who should perform the job. Each company is responsible for managing its people. The contract also specifies the four access control policies that control accesses to the shared documents at each step of the design process: design-policy states that only designers can read and write on the shared design; analysis-policy states that only analyzers can read and write on the shared design; validation-policy states that only validators can read and write on the shared design; and end-policy states that any member of the collaboration, i.e. the designers, the analyzers or the validators, can read the final results. The technical document has to be created by a designer, then analyzed and finally validated. This sequence of tasks is structured in a workflow and managed by a conductor. A WorkFlow Engine (WFE) acts as a conductor. During the design step, it enables design-policy and disables the other policies. When this task is completed, it disables design-policy and enables analysis-policy. Etc. Finally, when the process terminates, the workflow engine informs the participants and grants read access to the shared documents to them by enabling end-policy.
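The CVS policy and its first-match evaluation above, as an added example (not the course's code): a minimal attribute-based evaluator in Python. The attribute identifiers (subject-id, group, group-issuer, action-id, resource-id) and the catch-all Deny rule are assumptions chosen for readability; the decisions are the XACML ones.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Request context as on the slides: category -> {attribute-id: value}.
Request = Dict[str, Dict[str, str]]
Target = Callable[[Request], bool]   # a boolean expression over attributes


@dataclass
class Rule:
    effect: str      # "Permit" or "Deny"
    target: Target


@dataclass
class Policy:
    target: Target   # policy target, checked before any rule
    rules: List[Rule]


def rfc822_domain(identifier: str) -> str:
    """Domain part of an RFC 822 identifier such as laborde@users.example.com."""
    return identifier.rpartition("@")[2].lower()


def evaluate(policy: Policy, req: Request) -> str:
    """first-match combining: the first applicable rule decides;
    NotApplicable when the policy target or every rule target fails."""
    if not policy.target(req):
        return "NotApplicable"
    for rule in policy.rules:
        if rule.target(req):
            return rule.effect
    return "NotApplicable"


# The slide's policy. "group-issuer" (assumed name) records who asserted the
# group membership, so only admin@users.example.com can make a developer.
CVS_POLICY = Policy(
    target=lambda r: rfc822_domain(r["subject"]["subject-id"]) == "users.example.com",
    rules=[
        Rule("Permit", lambda r:
             r["subject"].get("group") == "developers"
             and r["subject"].get("group-issuer") == "admin@users.example.com"
             and r["action"].get("action-id") == "commit"
             and r["resource"].get("resource-id") == "http://server.example.com"),
        Rule("Deny", lambda r: True),   # catch-all for every other request
    ],
)


def request(subject_id: str, group: str, group_issuer: str,
            action: str, resource: str) -> Request:
    """Build a request context with the three categories of the example."""
    return {
        "subject": {"subject-id": subject_id, "group": group,
                    "group-issuer": group_issuer},
        "action": {"action-id": action},
        "resource": {"resource-id": resource},
    }


def decide(subject_id: str, group: str, group_issuer: str,
           action: str, resource: str) -> str:
    return evaluate(CVS_POLICY, request(subject_id, group, group_issuer,
                                        action, resource))


if __name__ == "__main__":
    print(decide("laborde@users.example.com", "developers",
                 "admin@users.example.com", "commit", "http://server.example.com"))
```

Changing the action, the group or the group's issuer hits the Deny rule, while a subject outside users.example.com fails the policy target and gets NotApplicable.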
X.509 certificates and PKI
- How to bind a name to a public key? X.509 certificates.
- How to manage these bindings? PKI = Public Key Infrastructure.
- In short, a certificate is an electronic identity card made of the holder's public key and information about the holder. It is issued by an authority called a certification authority, whose signature guarantees the authenticity of the information contained in the certificate.

X.509 certificates (binding a name to a public key)
- Certificate format version
- Certificate serial number
- Signature algorithm identifier for the CA
- Name of the CA that generated the certificate (issuer X.500 name)
- Validity period
- Name of the user the certificate belongs to (subject X.500 name)
- Subject public key
- Algorithm to use with the public key (subject public key information)
- Optional identification of the CA (issuer public key information)
- Optional identification of the user
- Extensions (optional)
- CA signature

PKI: two very important documents!!!
- The Certificate Policy states what assurance can be placed in a certificate issued by the CA.
- The Certification Practices Statement (CPS) states how the CA establishes that assurance.

PKI interconnection: flat architecture
- (figure: one root CA; Alice, Bob, Samer)

PKI interconnection: hierarchical architecture
- A trusted root CA issues a certificate to subordinate CAs. Those CAs may, depending on the relevant policy, certify other CAs.
- Each CA is trusted because the higher CA that certifies it is trusted. Only the root CA must be trusted on its own.
- (figure: root CA; child CAs 1 to 4; agents 1 to 4)

PKI interconnection: cross-certification
- CAs issue cross-certificates to each other
- Not easy for a single pair of CAs to co-ordinate their policies and technical systems
- Not an ideal approach to establishing a broad, multinational PKI
- Most suited where two or three related CAs are required to interoperate with each other
- (figure: AC1, AC2, AC3, AC4)

PKI interconnection: bridge CA
- A central (bridging) CA cross-certifies with each CA. It functions as a communication channel between each of the CAs
- Centralises the management of interoperability problems in the one authority that can develop and promote the best solutions
- (figure: Bridge CA cross-certified with AC1 to AC5)

PKI interconnection: cross-recognition
- An individual CA or an entire PKI domain agrees to recognise another CA or domain, rather than building from a lower level technical solution
- A foreign CA may be regarded as trustworthy if it has been licensed/accredited by a formal licensing/accreditation body or has been audited by a trusted independent party

PKI interconnection: trusted authority list

X.509 attribute certificates
- Signed by an attribute authority, which is not necessarily a certification authority
- Does not identify a user or a process
- Specifies a user's attributes: Role (object (permission)*)*
- Associated with an authentication certificate
- Unification of DNs
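The hierarchical, cross-certified and bridge topologies above, as an added example (not the course's code): certificates are reduced to issuer/subject pairs and a relying party with a trusted authority list searches for a certification path from one of its anchors to the end entity. The CA and end-entity names are constructed from the figures; signature checking, validity periods and policy constraints are left out of the model.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# A certificate is modelled only by who signed whom: (issuer, subject).
Cert = Tuple[str, str]


def build_graph(certs: List[Cert]) -> Dict[str, List[str]]:
    """issuer -> list of subjects it has certified."""
    graph: Dict[str, List[str]] = {}
    for issuer, subject in certs:
        graph.setdefault(issuer, []).append(subject)
    return graph


def find_path(certs: List[Cert], trust_anchors: Set[str],
              target: str) -> Optional[List[str]]:
    """Shortest certification path anchor -> ... -> target, or None.
    The relying party trusts only its anchors (the trusted authority list);
    every other name is reached through a certificate in the graph."""
    graph = build_graph(certs)
    queue = deque([anchor] for anchor in sorted(trust_anchors))
    seen = set(trust_anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:          # cross-certificates form cycles
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


# Hierarchical: one root, child CAs ("AC fille"), end-entity agents.
HIERARCHY: List[Cert] = [("AC racine", "AC fille1"), ("AC racine", "AC fille2"),
                         ("AC fille1", "agent1"), ("AC fille2", "agent2")]

# Cross-certification: AC1 and AC2 issue certificates to each other.
CROSS: List[Cert] = [("AC1", "AC2"), ("AC2", "AC1"),
                     ("AC1", "alice"), ("AC2", "bob")]

# Bridge CA: every CA cross-certifies with the bridge, never with each other.
BRIDGE: List[Cert] = ([(ca, "Bridge CA") for ca in ("AC1", "AC2", "AC3")]
                      + [("Bridge CA", ca) for ca in ("AC1", "AC2", "AC3")]
                      + [("AC1", "alice"), ("AC3", "samer")])


if __name__ == "__main__":
    print(find_path(HIERARCHY, {"AC racine"}, "agent2"))
    print(find_path(CROSS, {"AC1"}, "bob"))
    print(find_path(BRIDGE, {"AC1"}, "samer"))
```

Trusting only a subordinate CA yields no path to its siblings' subjects, which is the point of the slide: in a hierarchy only the root must be trusted on its own.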

PMI architecture: PKI and PMI
- Principle: a PMI tree
- One trusted Source of Authority (SOA)
- Several Attribute Authorities (AA)
- Attribute certificates signed by the AAs
- An attribute certificate is validated by validating the path leading to the SOA
- (figure: SOA; AA1, AA2; attribute certificates A1 to A4)

Identity federation
- Identification: when they know your identity. Its mapping to you in the real world can vary. Sometimes a strong mapping is undesirable or illegal. People, groups of people, and non-people can have identity.
- Authentication: verifying your credentials. The method can be weak or strong. An RP could be satisfied knowing you've been authenticated without requiring a strong identification mapping.
- Authorization: a decision an RP makes about which info resources to let you use and actions to let you take. Its judgment can be based on anything at all.
- TO READ!!! Eve Maler's presentation, XML Summer School 2007

SAML
- Security Assertion Markup Language (SAML): an XML-based framework for marshaling security and identity information and exchanging it across domain boundaries
- SAML is defined by the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/
- SAML defines:
  - Assertions: authentication, attribute and authorization information
  - Protocol: request and response elements for packaging assertions
  - Bindings: how SAML protocols map onto standard messaging or communication protocols
  - Profiles: how SAML protocols, bindings and assertions combine to support a defined use case

SAML assertions
- An assertion contains a packet of security information: <saml:Assertion> ... </saml:Assertion>
- How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C

Assertion example
A typical SAML 2.0 assertion:

    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Version="2.0"
        IssueInstant="2005-01-31T12:00:00Z">
      <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        http://idp.example.org
      </saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
          j.doe@example.com
        </saml:NameID>
      </saml:Subject>
      <saml:Conditions NotBefore="2005-01-31T12:00:00Z"
                       NotOnOrAfter="2005-01-31T12:10:00Z">
      </saml:Conditions>
      ...
    </saml:Assertion>

The value of Issuer is the unique identifier of the SAML authority.

SAML statements
- SAML assertions contain statements
- Three types of SAML statements: 1. Authentication statements; 2. Attribute statements; 3. Authorization decision statements (XACML is better suited for these)
- Although statements are the meat of assertions, the assertion remains the atomic unit of SAML

Authentication statement
- A typical authentication statement asserts: Subject S authenticated at time t using authentication method m
- A NameID refers to subject S
- The NameID has properties: transparent or opaque; persistent or transient

SAML subject statement example (figure)
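Reading the assertion above the way the slide describes it (issuer R, time t, conditions C), as an added example that is not part of the course: a relying-party check in Python's standard library that extracts the fields and tests the Conditions window against a given clock. The sample assertion is constructed from the slide; verifying the XML signature is out of scope here and would be needed before any of these fields can be trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample reproducing the slide's assertion (no Signature element).
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" IssueInstant="2005-01-31T12:00:00Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    http://idp.example.org
  </saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      j.doe@example.com
    </saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-01-31T12:00:00Z"
                   NotOnOrAfter="2005-01-31T12:10:00Z"/>
</saml:Assertion>"""


def parse_utc(stamp: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; return a timezone-aware value."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def summarize(xml_text: str) -> Dict[str, str]:
    """Issuer R, subject, issue time t and the conditions C of the assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS).strip(),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS).strip(),
        "issue_instant": root.get("IssueInstant"),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
    }


def conditions_hold(xml_text: str, now: datetime, trusted_issuer: str) -> bool:
    """True when the issuer is the expected authority and 'now' lies in
    [NotBefore, NotOnOrAfter); the upper bound is exclusive, as its name says."""
    a = summarize(xml_text)
    if a["issuer"] != trusted_issuer:
        return False
    return parse_utc(a["not_before"]) <= now < parse_utc(a["not_on_or_after"])


if __name__ == "__main__":
    print(summarize(ASSERTION_XML))
    print(conditions_hold(ASSERTION_XML, parse_utc("2005-01-31T12:05:00Z"),
                          "http://idp.example.org"))
```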

Attribute statement
- Similarly, an attribute statement asserts: Subject S is associated with attributes A, B, C having values a, b, c
- Relying parties use attributes to make access control decisions
- Standard attribute names with well understood values are of course highly desirable

Web browser SSO profile
- It picks specific protocols, usage and interpretation of assertion statements, and bindings, but still offers flexibility
- This profile includes basic federation (account linking) but not ongoing name identifier management

Single Logout

OpenID
- An open, decentralized, free framework for user-centric digital identity
- Deeply rooted in World Wide Web philosophy: you identify yourself with a URL (or XRI), a single universal namespace. Example: http://www.openidfrance.fr/labordetestopenid
- Authentication consists of proving you own the corresponding web resource
- Deeply committed to Internet-scale adoption: lots of scripty open source
- Driven by Web 2.0 scenarios: blog commenting, contributing to wikis, social networking

Windows CardSpace
- A Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem
- Uses software cards to let users manage identities
- The card selector mediates a "trust no one" IdP/RP relationship
- Serves up claims: authentication and attribute data associated with a card
- Driven by web authentication security concerns: hardened against tampering and phishing attempts; prepared to tie closely into the OS and hardware platform
- Functions as an identity agent

Other important standards