European Workshop on Trust & Identity

In cooperation with GÉANT

EIW 2013 Tue Session 5A

Scalable & comprehensive attribute design (authN & authZ)

Would like a standard for defining the URN namespace.

Could send an encrypted signed packet in an encrypted tunnel.

Andalucía is using URNs for students. The hub filters on the URN and students get added to the learning system at the receiving institution. A URN with defined fields.

The Austrian government is using parameter lists for roles; similar to scoped attributes, but providing a list of key-value pairs instead of a single value.

Role-based approach, e.g. user, administrator, power user... with or without permission sets. Historically used a huge permission set. Want to move to a role-based approach but wary this isn't granular enough.

Permissions bring us into the realm of XACML.

An STS is like PGP and issues a permission set for a customer that gets forwarded by the IdP.
The IdP defines the authZ policy.

Context gets more complicated within federations (and between them).

The SAML2 request includes authZ, so it sends an XACML request that gets forwarded to the PDP.

Context involves the identity and what it is doing.
Much easier to ask whether a user is allowed to access something than to make decisions at the endpoint based on attributes.

The PDP needs attributes to make the decision.

XACML has a PIP to resolve attributes wherever they come from.

In trying to solve single log-out, a central point is helpful for authorization, but scalability is an issue.

Could be distributed with a load balancer...

PDP = policy decision point
PIP = policy information point
RBAC = role-based access control

PDP/PIP could be with the AP or the RP.

The further from its source you store data, the quicker it rots.

AuthZ in the context of applications will be role based. Avoid context in federated infrastructure, stick to RBAC, use a central repository to manage the access tokens (long-term tokens).

Provide RBAC but won't discard permission sets, to reduce dependency.
Will use a PDP to be more flexible.
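The PDP/PIP flow noted above (the endpoint asks the PDP whether a user may do something, and the PDP fetches attributes it lacks from a PIP) together with the RBAC-over-permission-sets idea, as an added toy model that is not from the workshop or any XACML implementation; subjects, roles, resources and policy entries are all constructed for illustration:

```python
# Toy XACML-style flow: a PDP evaluates a role-based policy, pulling attributes
# it lacks from a PIP. All subjects, roles and policy entries are constructed.

# Constructed attribute source standing in for the IdP / attribute provider.
ATTRIBUTE_SOURCE = {
    "alice@example.edu": {"roles": {"student"}},
    "bob@example.edu": {"roles": {"administrator"}},
}

# Role-based policy: role -> permission set of (action, resource) pairs, so
# RBAC sits in front of the permission sets rather than discarding them.
POLICY = {
    "student": {("read", "course-material")},
    "power-user": {("read", "course-material"), ("write", "course-material")},
    "administrator": {("read", "course-material"), ("write", "course-material"),
                      ("delete", "course-material")},
}

class PIP:
    """Policy Information Point: resolves attributes the request did not carry."""
    def __init__(self, source):
        self.source = source

    def resolve(self, subject, name):
        return self.source.get(subject, {}).get(name)

class PDP:
    """Policy Decision Point: answers 'may this subject do action on resource?'."""
    def __init__(self, policy, pip):
        self.policy, self.pip = policy, pip

    def decide(self, request):
        roles = request.get("roles")
        if roles is None:  # attribute not in the request: ask the PIP
            roles = self.pip.resolve(request["subject"], "roles")
        if not roles:
            return "Indeterminate"  # no attributes, so no decision can be made
        wanted = (request["action"], request["resource"])
        if any(wanted in self.policy.get(role, set()) for role in roles):
            return "Permit"
        return "Deny"

PDP_INSTANCE = PDP(POLICY, PIP(ATTRIBUTE_SOURCE))

def authorize(subject, action, resource, roles=None):
    """PEP side: build the request and ask the PDP instead of deciding locally."""
    req = {"subject": subject, "action": action, "resource": resource}
    if roles is not None:
        req["roles"] = set(roles)  # roles carried in the request, e.g. asserted by the IdP
    return PDP_INSTANCE.decide(req)
```

An unknown subject with no attributes yields "Indeterminate" rather than "Deny", which is the case a central PDP must surface so the endpoint does not silently treat a missing attribute as a refusal.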

Talking about SAML2 bearer tokens.