Introduction to WS Authorization - PowerPoint PPT Presentation

Provided by: Bri8328

Transcript and Presenter's Notes

1
Introduction to WS Authorization
  • Brian P. Barrett

2
Authorization
  • WS-Authorization Complete?
  • Steps of Authorization
  • Security Token Acquisition
  • SAML
  • Authorization in Firewall
  • Map of Authorization
  • Authorization in Code
  • References

3
Where does Authorization fit in?
  • Authorization is an aspect of security that falls
    in with other categories
  • Secure Conversation
  • Federation
  • Policy
  • Trust
  • Privacy

Is this Authorized?
4
Security
  • Authentication: Determine identity of a
    person/object
  • Authorization: Determine what the person is
    allowed to do
  • Integrity: Ensure the data was not altered on
    its way to you
  • Signature: Validate the source of the data
  • Confidentiality: Limit the people allowed to
    view the data
  • Privacy: Make sure no one abuses your data
  • Digital Rights Management: Limit users from
    doing whatever they want

5
How does Authorization work with other services?
  • If Authorization were a layer working with
    other services, it would work in conjunction
    with the Federation layer.

WS-Federation
WS-Secure Conversation
WS-Authorization
6
Authorization with other WS
7
(No Transcript)
8
PMI or Privilege Management Infrastructure
  • Privilege Management Infrastructure
  • Source of Authority (SOA): The topmost root of
    trust, sometimes also referred to as trust anchor
  • Attribute Authority (AA) (also Privilege
    Allocator, Authoritative Entity): The issuer of
    an attribute certificate
  • Certificate Holder / Privilege Holder: The User
    or Subject of an Attribute Certificate

9
Security Token Authorized
10
SAML: Security Assertion Markup Language
  • SAML's purpose was to be a security language that
    could be used as an industry standard for
    security. It uses XML digital signatures with
    XML encryption.
  • The language uses assertions made in the code
    that can convey information about authentication
    functions and authorization decisions.

11
SAML Authorization Map
12
PEP - Policy Enforcement Point
  • Definition
  • Dependence upon the resource
  • PDP - Policy Decision Point

13
Authorization in Firewall Processing
Insurance Co.
Claims officer/ Customer
Web-Service
14
Authorization Process Map
Client: Give server trust, Invocate policy, Consult policy
  • Server
  • Access Policy
  • Give client resource
  • Policy authority

Authorization Process
Role based Authorization
Instance based Authorization
Capability listings
15
How does the Authorization code fit?
16
Authorization in code
Show SAML code and explain.
SAML doc: Authorization decision by subject S, for
access type A, to resource R, given evidence E.
17
Code Example
    <Rule RuleId="//medico.corules/rule3" Effect="Permit">
      <Target>
        <Subjects>
          <saml:Attribute AttributeName="RFC822Name"
              AttributeNamespace="//medico.com">
            <saml:AttributeValue></saml:AttributeValue>
          </saml:Attribute>
        </Subjects>
        <Resources>
          <saml:Attribute AttributeName="documentURI"
              AttributeNamespace="//medico.com">
            <saml:AttributeValue>//medico.com/records.</saml:AttributeValue>
          </saml:Attribute>
        </Resources>
        <Actions>
          <saml:Action>read</saml:Action>
        </Actions>
      </Target>
      <Condition>
        <Equal>
          <AttributeDesignator
              AttributeName="urn:oasis:names:tc:xacml:identifiers:AccessSubject" />
          <AttributeDesignator AttributeName="patientName" />
        </Equal>
      </Condition>
    </Rule>
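The decision from slide 16 (subject S, access type A, resource R, evidence E) applied to the rule on slide 17, as an added example that is not part of the original presentation. The dictionary form of the rule, the function names, the sample addresses and the matching semantics (an empty subject value matches any subject, the resource value is a prefix) are assumptions.

```python
from dataclasses import dataclass

# Slide 17's rule transcribed as data (assumed representation, not SAML/XACML API).
RULE = {
    "id": "//medico.corules/rule3",
    "effect": "Permit",
    "subject": ("RFC822Name", ""),                      # empty value: any subject (assumption)
    "resource": ("documentURI", "//medico.com/records."),  # treated as a prefix (assumption)
    "action": "read",
    "equal": ("AccessSubject", "patientName"),          # the <Condition><Equal> pair
}

@dataclass(frozen=True)
class Request:
    subject: str    # S: RFC822Name of the requester
    action: str     # A: access type
    resource: str   # R: documentURI being requested
    evidence: dict  # E: attributes of the resource, e.g. patientName

def pdp_decide(rule, req):
    """Policy Decision Point: evaluate Target first, then Condition."""
    _, subj_value = rule["subject"]
    _, res_prefix = rule["resource"]
    in_target = (
        (subj_value == "" or req.subject == subj_value)
        and req.resource.startswith(res_prefix)
        and req.action == rule["action"]
    )
    if not in_target:
        return "NotApplicable"
    patient = req.evidence.get(rule["equal"][1])
    if patient is None:
        return "Indeterminate"  # evidence missing, condition cannot be evaluated
    # Condition: the access subject must be the patient named in the record.
    return rule["effect"] if req.subject == patient else "NotApplicable"

def pep_enforce(req, rule=RULE):
    """Policy Enforcement Point: release the resource only on an explicit Permit."""
    return pdp_decide(rule, req) == "Permit"

if __name__ == "__main__":
    # Constructed sample requests.
    rec = "//medico.com/records.alice"
    ev = {"patientName": "alice@medico.com"}
    for s, a, e in [("alice@medico.com", "read", ev), ("bob@medico.com", "read", ev),
                    ("alice@medico.com", "write", ev), ("alice@medico.com", "read", {})]:
        r = Request(s, a, rec, e)
        print(s, a, pdp_decide(RULE, r), "granted" if pep_enforce(r) else "denied")
```

The PEP treats NotApplicable and Indeterminate the same as a denial, so a missing attribute or an unmatched rule never results in access.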

18
References
  • Primary
  • www.Globus.org
  • Globus is a resource to see the latest changes
    with WS-Authorization and other new standards.
  • http://www.cs.huji.ac.il/course/2002/sdbi/
  • If you go here and choose XML Security under
    Lecture slides you will find some detail about
    coding with SAML and its interaction for
    Authorization processes.
  • Secondary
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
  • Here you will find some significant images that
    detail security over the web.
  • http://www.lightshipinc.com/lightship/resourcecenter/Etips.aspx
  • At this site you can learn new technology dealing
    with XML, SAML and XACML.