
IDENTITY MANAGEMENT and Access Control

IDENTITY MANAGEMENT and Access Control. Mehregan Mahdavi, Assistant Professor, Department of Computer Engineering, University of Guilan, mahdavi@guilan.ac.ir. Table of contents: Introduction to Authentication; Centralized Identity Management; Single Sign On; Federated Identity Management; SAML; Shibboleth; Conclusion. Introduction.


Presentation Transcript


  1. IDENTITY MANAGEMENT and Access Control. Mehregan Mahdavi, Assistant Professor, Department of Computer Engineering, University of Guilan, mahdavi@guilan.ac.ir

  2. Table of contents • Introduction to Authentication • Centralized Identity Management • Single Sign On • Federated Identity Management • SAML • Shibboleth • Conclusion

  3. Introduction. Authentication means verifying the correctness of an attribute of an entity; it may be verification of the identity of a person or of a program. • Token-based: based on the fundamental question "What you have?" (Key card, Bank card, Smart Card) • Biometric: based on the fundamental question "Who you are?" • Knowledge-based: based on the fundamental question "What you know?" (Textual, Graphical)

  4. Identity Management. There are different systems at institutions, e.g. Email, Finance, Student portal, etc. Currently, Identity Management is often fragmented (several directories or databases).

  5. [Diagram: fragmented identity stores at an institution: eDir, Finance System, Student Portal, Web AuthN, Mail, Calendar, SunOne eDir, Password Management (Forgot password, Helpdesk), Printer service, Oracle People Data System]

  6. [Diagram: the same systems (eDir, Finance System, Student Portal, Web AuthN, Mail, Calendar, SunOne eDir, Password Management, Helpdesk, Printer service, Oracle People Data System) linked by password synchronization ("Sync" arrows) between the directories]

  7. Solutions • Same Sign On (using a single Userid and Password across all systems) • Key Ring • Single Sign On

  8. Single Sign-On implementation • Use a central directory for Authentication • Authenticate users against this central directory • Determine each user's permissions based on that user's Credentials

  9. Single Sign-On implementation. Question: how does Single Sign On work between several organizations? By using SAML (Security Assertion Markup Language).

  10. Federation

  11. Federation

  12. SAML. Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee. SAML assumes the principal (often a user) has enrolled with at least one identity provider. This identity provider is expected to provide local authentication services to the principal.

  13. SAML Assertions. <saml:Assertion ...> ... </saml:Assertion> SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions. Three types of statements are provided by SAML: • Authentication statements • Attribute statements • Authorization decision statements

  14. SAML Assertions. Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. An attribute statement asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions. An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited. More advanced use cases are encouraged to use XACML instead.

  15. XACML (eXtensible Access Control Markup Language) • An attribute-based access control (ABAC) system • Attributes associated with a user, an action or a resource are inputs into the decision of whether a given user may access a given resource in a particular way. • Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

  16. Shibboleth • Shibboleth is an Internet2 Middleware Initiative project • An architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on SAML • Federated identity allows information about users in one security domain to be provided to other organizations in a federation • This allows cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. • Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.

  17. XML
     <bibliography>
       <paper ID="object-fusion">
         <authors>
           <author>Y. Papakonstantinou</author>
           <author>S. Abiteboul</author>
           <author>H. Garcia-Molina</author>
         </authors>
         <fullPaper source="fusion"/>
         <title>Object Fusion in Mediator Systems</title>
         <booktitle>VLDB 96</booktitle>
       </paper>
     </bibliography>

  18. Advantages of XML • Human-readable • Machine-readable • Standard format for data interchange • Possible to validate • Extensible • can represent any data • can add new tags for new data formats

  19. Well-Formed vs. Valid • Well-Formed: Structure follows XML syntax rules • Valid: Structure conforms to a DTD

  20. Adding Structure and Semantics • XML Document Type Definitions (DTDs) • XML Schema • defines structure and data types • allows developers to build their own libraries of interchanged data types

  21. Conclusion • Centralized identity management can reduce many of the problems of maintaining multiple Usernames and Passwords • A mechanism for identity management is needed in applications such as sharing digital data and the like • SAML is a mechanism for identity management • Shibboleth is an implementation of SAML

  22. Thank you! ???
