institute for defense analyses
play

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, - PowerPoint PPT Presentation

Jan 09, 2023 •38 likes •148 views

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Federated Trust Policy Enforcement by Delegated SAML Assertion Pruning C. Chandersekaran William R Simpson Institute for Defense Analyses (IDA) The

  1. Institute for Defense Analyses 4850 Mark Center Drive  Alexandria, Virginia 22311-1882 Federated Trust Policy Enforcement by Delegated SAML Assertion Pruning C. Chandersekaran William R Simpson Institute for Defense Analyses (IDA) The publication of this paper does not indicate endorsement by the US Department of Defense or IDA, nor should the contents be construed as reflecting the official position of these organizations. Prepared for: Security for Access to Device APIs from the Web - W3C Workshop 10-11 December 2008, London 10 December 2008

  2. Agenda Need for Federated policy enforcement. • Communication across forest boundaries. • Security Token Servers. • Proposed enforcement framework. • 10 December 2008 Slide 2

  3. Need for Federated Policy Enforcement General federation agreements between activities are being • developed in the push to information sharing. These are often negotiated at top level where the individuals • negotiating do not have a feel for the IT implications of such agreements if they are not specific enough to restrict as well as permit access. Amending such agreements may be a delicate and tedious • process when it is discovered that the general agreement to share does not apply to – IP addresses, certain identities, some attribute assertions, compromised systems etc. Firewall blocking at enterprise boundaries may have political • implications and is generally a gross level approach as opposed to fine tuning. To allow for a more precise refinement of policy, the process of • trust establishment may be delegated to the Security Token Service (STS) designated as the federation server. 10 December 2008 Slide 3

  4. The Token Server in Federation Web Services Request redirected (on behalf of Active Application Forest Users) Service: Get Published Content. Direct Directory Liaison Authorized Mobile Device Plug In Security File Forest Gateway Server Web Security Ticket Service 1 Server Identity/Authorization Mgt Identity/Authorization Mgt LDAP LDAP Security Token Service 2 Active Directory Internet Site Access Mail Server Service Provider Hello, exchange of certificates (Identity management by various means – Service Types: Discover, Read , Httpget(uri), XML Request, including Smart Cards), SQL Query Bi-lateral authentication and setup for SSL Each Forest will have a security Token Server (STS) that is used to provide an environment for bi-lateral authentication, and the production of SAML packages for authorization. 10 December 2008 Slide 4

  5. SAML 2.0 Format Item Field Usage Recommendation Notes SAML Response Version ID Version 2.0 Required ID (uniquely assigned) Required Issue Instant Timestamp Required Issuer Yes Required STS Name Signature Yes Required STS Signature Subject Yes For User A Required Must contain the X.509 Distinguished name or equivalent Attribute Assertion Subject Yes For User A edipi For Attribution Attributes, Group and Role Yes For User A Required Memberships Conditions NotBefore Yes Required TimeStamp - minutes NotAfter Yes Required TimeStamp + minutes OneTimeUse Yes Required Mandatory 10 December 2008 Slide 5

  6. SAML Resolution Across Forest Boundaries • Once the authentication is completed an SSL is established between the user device and the server, within which a WS Security package will be sent to the service. • The WS Security package contains a SAML Token generated by the Security Token Server in the requestor’s forest. The signature on this package may not be recognized in the application. • The signature may be from a federated partner or within the enterprise. Service cannot be granted under these circumstances, and in fact the SAML package will not be examined for assertions. • As a first step in granting access, the SAML package is forwarded to the local STS for resolution. 10 December 2008 Slide 6

  7. SAML Resolution Across Forest Boundaries – Con’t Application Forest Mobile Device Gate Keeper Plug-In Forest File Internet Site Security Ticket Service 1 STS 1 Server Access Web Server SSL Session Initial SAML Package Initial SAML Package STS 2 signature SAML unrecognized Redirect Mail Server Mail Server Service Provider An Unresolved SAML Package is forwarded to the local STS for resolution 10 December 2008 Slide 7

  8. SAML Resolution Across Forest Boundaries – Con’t Security Application Forest Gateway File Server Web STS 2 Server Signed by STS2 Recognized If Signature STS Re-Issue SAML Re-Map Authorizations Redirect 3 4 Mail 1 Server 2 Federation Service Store Security Provider Remap Server of Athz. Certificate Cache The local STS must evaluate both the legitimacy of the request and the mappings required by federation. 10 December 2008 Slide 8

  9. Federation Data Requirements • In order to resolve the federation issues, the STS must have access to, or maintain a data base that contains the following:  Public keys of federated servers for resolving signatures in SAML tokens.  The following data is required for each such token server. • A set of identity mapping tuples with the form identity1, intentity2. • A set of mapping tuples of the form attribute-a, attribute-b. 10 December 2008 Slide 9

  10. Delegation of Security Policy • In order to apply some fine tuning to the policy of sharing, the tuples for identity mapping can be mapped to null causing a failed authentication in the exchange for the specific identities. • Further, attribute classes can be mapped to null causing a failure in the authorization. • IP addresses should still be blocked at the enterprise boundary. • This delegation of the security policy enforcement can be accomplished without renegotiating the federation agreement. 10 December 2008 Slide 10

  11. Additional Considerations • Failed authentication and authorization may generate help desk and Enterprise Security analysis issues. • Several additional features of the STS are needed which the OASIS standards have not addressed.  When the communication is across domains, then and STS in each domain is needed and a mutual recognition of signature authority is needed.  If they are across enterprises we may need to do a remapping of the SAML assertions.  We need a good process for least privilege, delegation and attribution in each of these circumstances.  While WS-Federation standards assist; they do not specifically address attribute pruning, remapping, or multiple STS registered recognition. 10 December 2008 Slide 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 The Case

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 The Case

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 The Case for Bi-Lateral End-To-End Strong Authentication C. Chandersekaran William R Simpson Institute for Defense Analyses (IDA) The publication of this

326 views • 13 slides
Meta ta-An Analyses es a and P Pred edict cting Behavio ior: I : In D Defense of f

Meta ta-An Analyses es a and P Pred edict cting Behavio ior: I : In D Defense of f

Meta ta-An Analyses es a and P Pred edict cting Behavio ior: I : In D Defense of f Impli licit it Attitude ude M Measur ures Michael Brownstein Bertram Gawronski Alex Madva Society for Philosophy and Psychology June 30, 2017

287 views • 16 slides
A Perspective on the Future of eLoran Presentation to the Royal Institute of Navigation NAV 08

A Perspective on the Future of eLoran Presentation to the Royal Institute of Navigation NAV 08

1 A Perspective on the Future of eLoran Presentation to the Royal Institute of Navigation NAV 08 & International Loran Association ILA 37 James T. Doherty Institute for Defense Analyses 29 October 2008 2 What This Is Not & What It

486 views • 22 slides
Introduction Demands on and expectations for simulated representations of the natural

Introduction Demands on and expectations for simulated representations of the natural

Geospatial Data Quality for Analytical Command and Control Applications: Preventing the Tanker Tw o-Step Robert Richbourg and George Lukes Institute for Defense Analyses 4850 Mark Center Drive Alexandria, VA rrichbou@ida.org,

513 views • 10 slides
Combinatorial Testing Rick Kuhn Raghu Kacker National Institute of Standards and

Combinatorial Testing Rick Kuhn Raghu Kacker National Institute of Standards and

Combinatorial Testing Rick Kuhn Raghu Kacker National Institute of Standards and Technology Gaithersburg, MD Institute for Defense Analyses 6 April 2011 Outline 1. Why we are doing this? 2. Number of variables involved in actual

1.19k views • 116 slides
Magistration and Indigent Defense V.G. Young Institute of County Government College Station,

Magistration and Indigent Defense V.G. Young Institute of County Government College Station,

Magistration and Indigent Defense V.G. Young Institute of County Government College Station, TX February 20, 2019 Scott Ehlers, Special Counsel T exas Indigent Defense Commission ROADMAP Fair Defense Act & Waivers of Counsel

522 views • 50 slides
TEXAS SMART DEFENSE DATA PORTAL smart defense Public Policy Research Institute Evid

TEXAS SMART DEFENSE DATA PORTAL smart defense Public Policy Research Institute Evid

TEXAS SMART DEFENSE DATA PORTAL smart defense Public Policy Research Institute Evid vidence-Based Ju Justic ice What We Do Who We Are Thirteen-member governing board administratively attached to the Office of Court Our Mission

674 views • 30 slides
2007 Data Linear Regression Analysis Nathan Platt Dennis DeRiggi June 4, 2010 7/6/2010-1

2007 Data Linear Regression Analysis Nathan Platt Dennis DeRiggi June 4, 2010 7/6/2010-1

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311 -1882 13 th International Conference on Harmonisation within Atmospheric Modelling for Regulatory Purposes Paris, France 1-4 June 2010 Comparative

586 views • 23 slides
Human Terrain: A Tactical Issue or a Strategic C4I Problem? Dr. S. K. Numrich Institute for

Human Terrain: A Tactical Issue or a Strategic C4I Problem? Dr. S. K. Numrich Institute for

5/14/2008 Joint Advanced Warfighting Division Human Terrain: A Tactical Issue or a Strategic C4I Problem? Dr. S. K. Numrich Institute for Defense Analyses snumrich@ida.org 5/14/2008 Outline Why Human Terrain Backlash Caused by Lack

348 views • 7 slides
20160322 DEFENSE LANGUAGE INSTITUTE FOREIGN LANGUAGE CENTER Agenda Mission, Vision, and

20160322 DEFENSE LANGUAGE INSTITUTE FOREIGN LANGUAGE CENTER Agenda Mission, Vision, and

DEFENSE LANGUAGE INSTITUTE FOREIGN LANGUAGE CENTER 20160322 DEFENSE LANGUAGE INSTITUTE FOREIGN LANGUAGE CENTER Agenda Mission, Vision, and Values DLIFLC Overview and Profile Current Focus and Way Ahead Worldwide Presence 2

746 views • 29 slides
State of Indigent Defense in Texas TAPS 3 rd Annual Conference and Training Institute

State of Indigent Defense in Texas TAPS 3 rd Annual Conference and Training Institute

State of Indigent Defense in Texas TAPS 3 rd Annual Conference and Training Institute Pretrial Matters Sam Houston State University The Woodlands Center The Woodlands, TX April 7, 2016 Texas Indigent Defense Commission Don Hase,

809 views • 35 slides
Challenges of Implementing Fair Defense Act Requirements & Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements & Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements & Indigent Defense Grant Opportunities Effective Post-Arrest and Indigent Defense Practices Longview, TX August 10, 2018 Scott Ehlers, Special Counsel T exas Indigent Defense

676 views • 30 slides
Bro: The Network Defense Framework Comprehensive Visibility & Defense for Every Corner of

Bro: The Network Defense Framework Comprehensive Visibility & Defense for Every Corner of

Bro: The Network Defense Framework Comprehensive Visibility & Defense for Every Corner of Your Network Robin Sommer International Computer Science Institute, & Broala, Inc. robin@icsi.berkeley.edu robin@broala.com

422 views • 40 slides
The Importance of M&S in Operational Testing and the Need for Rigorous Validation Kelly

The Importance of M&S in Operational Testing and the Need for Rigorous Validation Kelly

The Importance of M&S in Operational Testing and the Need for Rigorous Validation Kelly McGinnity Institute for Defense Analyses April 13, 2016 DISTRIBUTION STATEMENT D: Distribution authorized to DoD and DoD contractors only; 4/25/2016-1

587 views • 43 slides
Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler

Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: 1.5 Years Later Dr. David A. Wheeler 2017-09-12 dwheeler @ ida.org Personal: dwheeler @

819 views • 50 slides
Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler

Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 Core Infrastructure Initiative (CII) Best Practices Badge: One Year Later Dr. David A. Wheeler 2017-02-08 dwheeler @ ida.org Personal: dwheeler @

982 views • 42 slides
Toward Ubiquitous Web Hirotaka UEDA, Tahar CHERIF Sharp Corporation March 9, 2006 Whats

Toward Ubiquitous Web Hirotaka UEDA, Tahar CHERIF Sharp Corporation March 9, 2006 Whats

Toward Ubiquitous Web Hirotaka UEDA, Tahar CHERIF Sharp Corporation March 9, 2006 Whats Ubiquitous Web? Our Definition Web environment that is available anytime, anywhere, from any devices. Although standards such as CC/PP

555 views • 16 slides
st Prss st Prss rt

st Prss st Prss rt

st Prss st Prss rt rt r trst st rs t tr

647 views • 38 slides
Nonlinear Dimension Reduction to Improve Predictive Accuracy in Genomic and Neuroimaging Studies

Nonlinear Dimension Reduction to Improve Predictive Accuracy in Genomic and Neuroimaging Studies

Nonlinear Dimension Reduction to Improve Predictive Accuracy in Genomic and Neuroimaging Studies Maxime Turgeon June 5, 2018 McGill University Department of Epidemiology, Biostatistics, and Occupational Health 1/21 Acknowledgements This

514 views • 25 slides
Choosing a microscope John Rubinstein Molecular Structure and Function Program The Hospital for

Choosing a microscope John Rubinstein Molecular Structure and Function Program The Hospital for

Choosing a microscope John Rubinstein Molecular Structure and Function Program The Hospital for Sick Children Research Institute Departments of Biochemistry and Medical Biophysics The University of Toronto The questions: What do you need?

532 views • 25 slides
STS for NLG Christian Chiarcos chiarcos@uni-potsdam.de Natural Language Generation Natural

STS for NLG Christian Chiarcos chiarcos@uni-potsdam.de Natural Language Generation Natural

STS for NLG Christian Chiarcos chiarcos@uni-potsdam.de Natural Language Generation Natural Language Generation (NLG) (...) is a subfield of artificial intelligence and computational linguistics that is concerned with building computer

557 views • 10 slides
Learning and Interpreting STS with Structural Kernels Alessandro Moschitti Department of

Learning and Interpreting STS with Structural Kernels Alessandro Moschitti Department of

Learning and Interpreting STS with Structural Kernels Alessandro Moschitti Department of Information Engineering and Computer Science University of Trento Email: moschitti@disi.unitn.it STS 13, 2012 CCLS, NY Motivations ! " Learning STS

598 views • 42 slides
Automatic Performance Tuning and Analysis of Sparse Triangular Solve Richard Vuduc, Shoaib Kamil,

Automatic Performance Tuning and Analysis of Sparse Triangular Solve Richard Vuduc, Shoaib Kamil,

Automatic Performance Tuning and Analysis of Sparse Triangular Solve Richard Vuduc, Shoaib Kamil, Jen Hsu, Rajesh Nishtala James W. Demmel, Katherine A. Yelick June 22, 2002 Berkeley Benchmarking and OPtimization (BeBOP) Project

868 views • 33 slides
Retrofitting Contextualized Word Embeddings with Paraphrases Weijia Shi 1* , Muhao Chen 1 * , Pei

Retrofitting Contextualized Word Embeddings with Paraphrases Weijia Shi 1* , Muhao Chen 1 * , Pei

Retrofitting Contextualized Word Embeddings with Paraphrases Weijia Shi 1* , Muhao Chen 1 * , Pei Zhou 2 , Kai-Wei Chang 1 1 University of California, Los Angeles 2 University of Southern California Contextualized Word Embeddings Representations

770 views • 14 slides

More recommend