Federated Access Manager TOI, Session 2

This morning was the second session for the Federated Access Manager TOI. Following are the topics covered (with notes).

Session 1

Secure Attribute Exchange
Emily
SAMLv2 profiles
Bina
  • Assertion Query/Request Profile
    • Query existing SAML2 assertions based on specific criteria (authentication context, assertion identifier, etc.)
    • Query initiator is the SAML Requester
      Initiates the profile by sending a query message to the SAML authority
    • Responder is the SAML Authority
      Validates and processes the query, then issues a response
    • Supports:
      • Attribute Query (requests attributes for a specific identity; a successful response is an assertion containing the requested attributes). Basic Attribute and X.509 Subject Attribute queries are supported
      • Authentication Query (requests assertions for a principal based on the authentication context; a successful response is the assertion(s) containing the authentication statements available for that principal)
        Supports the SOAP binding only
      • Assertion Query (requests existing assertion(s) by assertion identifier; the assertion must still be cached by the authority)
      • Authorization Decision Query (asks whether a particular principal may access a certain resource; made to an authorization authority/policy engine)
        The XACML authorization decision query is an extension of this

  • Enhanced Client or Proxy (ECP)
    • Specifies interactions between enhanced clients or proxies (e.g. an HTTP proxy) and SPs and IDPs
    • ECP acts as a SOAP intermediary between the SP and IDP
    • SSO Profile with the PAOS (reverse SOAP) binding
    • FAM 8.0 SAMLv2 IDP and SP are able to process requests received from an ECP
    • Correction to the slide: the arrow for step 6 should be going the other way, and some type of authentication is required between steps 5 and 6
    • ECP Client is included as part of the OpenSSO Extensions, not FAM - can be used for testing
      • Proxy version (HTTP)
      • Java-based version (HTTPS)
  • Name Identifier Management
    Allows a principal's name identifier (shared between IDP and SP) to be changed after federation (possibly for security purposes, or maybe the IDP has a timing rule)
    • IDP can issue a ManageNameIDRequest to the SP to change the name identifier shared between them from a previous SSO
    • SP can issue a ManageNameIDRequest to attach an alias to its principal
    • A ManageNameIDResponse is returned after the request is processed
    • Subsequent communication between SP and IDP uses the new name identifier
  • Name Identifier Mapping
  • POST Binding
    Added support for the HTTP POST binding for a number of profiles:
    • Web SSO Profile
    • Single Logout Profile
    • Name Identifier Management
    • Name Identifier Termination
  • Affiliations is a feature, not a profile - it will be implemented for SAML2 but will be very close to what we already have for ID-FF
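The Attribute Query flow from the Assertion Query/Request Profile notes above, written out end to end as an added example. This is not FAM/OpenSSO code and not from the TOI slides: the requester builds an AttributeQuery, the attribute authority answers with a Response carrying an Assertion/AttributeStatement (or a Responder/UnknownPrincipal status), and the requester checks InResponseTo, status, issuer, subject, validity window and audience before trusting a single attribute. The entity IDs, the attribute store and the subject names are constructed sample values; the SOAP transport and XML signatures that a real deployment adds are omitted.

```python
# Added example (not FAM/OpenSSO code): a SAML 2.0 AttributeQuery and the
# Response that answers it, with the checks the requester should make before
# trusting the returned attributes. Entity IDs and the attribute store are
# constructed sample data; transport (SOAP) and XML signatures are omitted.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

REQUESTER = "https://sp.example.com/sp"       # assumed SAML requester (SP)
AUTHORITY = "https://idp.example.com/idp"     # assumed SAML attribute authority
ATTRIBUTE_STORE = {"alice": {"mail": "alice@example.com", "cn": "Alice"}}  # constructed


def _now():
    return datetime.now(timezone.utc)


def _iso(dt):
    return dt.strftime(TIME_FMT)


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def build_attribute_query(subject, attribute_names, requester=REQUESTER):
    """Requester side: name the principal and the attributes wanted (none = all)."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", ID="_" + uuid.uuid4().hex,
                   Version="2.0", IssueInstant=_iso(_now()))
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = requester
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=NAMEID_UNSPEC).text = subject
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name, NameFormat=BASIC)
    return q


def answer_attribute_query(query, authority=AUTHORITY, store=ATTRIBUTE_STORE,
                           lifetime=timedelta(minutes=5)):
    """Authority side: answer with an Assertion restricted to the requester, or a
    Responder/UnknownPrincipal status and no assertion for an unknown subject."""
    now = _now()
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_iso(now), InResponseTo=query.get("ID"))
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = authority
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    requester = query.findtext(f"{{{SAML}}}Issuer")
    subject = query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if subject not in store:
        code.set("Value", STATUS_RESPONDER)
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=STATUS_UNKNOWN_PRINCIPAL)
        return resp
    code.set("Value", STATUS_SUCCESS)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = authority
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=NAMEID_UNSPEC).text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=_iso(now),
                         NotOnOrAfter=_iso(now + lifetime))
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = requester
    wanted = [x.get("Name") for x in query.findall(f"{{{SAML}}}Attribute")] or list(store[subject])
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name in wanted:
        if name in store[subject]:   # release only what exists; never echo unknown names
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name, NameFormat=BASIC)
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = store[subject][name]
    return resp


def verify_attribute_response(query, resp, requester=REQUESTER, authority=AUTHORITY, now=None):
    """Requester side: accept attributes only from a successful response that answers
    our query, comes from the expected authority, speaks about the subject we asked for,
    is inside its validity window and is addressed to us. Raises ValueError otherwise."""
    now = now or _now()
    if resp.get("InResponseTo") != query.get("ID"):
        raise ValueError("InResponseTo does not match the query we sent")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        sub = code.find(f"{{{SAMLP}}}StatusCode") if code is not None else None
        raise ValueError("query failed: " + (sub.get("Value") if sub is not None else "no status"))
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None or a.findtext(f"{{{SAML}}}Issuer") != authority:
        raise ValueError("assertion missing or not issued by the expected authority")
    if a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") != query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"):
        raise ValueError("assertion is about a different subject")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing conditions or outside its validity window")
    if requester not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not addressed to this requester")
    return {attr.get("Name"): [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
            for attr in a.iter(f"{{{SAML}}}Attribute")}


def check_attribute_response(query, resp, **kw):
    """Non-raising wrapper: (True, attributes) or (False, reason)."""
    try:
        return True, verify_attribute_response(query, resp, **kw)
    except ValueError as e:
        return False, str(e)
```

The InResponseTo and audience checks are the ones that matter most in practice: without them a successful response obtained for one query (or issued to another SP) can be replayed against a different one, and an authority that echoes unknown attribute names back empty leaks which attributes it does and does not hold.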
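The ECP exchange from the notes above (SP to ECP, ECP to IDP, IDP to ECP, ECP to SP), written out as an added example that is not FAM/OpenSSO code and not the OpenSSO Extensions ECP client. The three parties are plain functions operating on in-memory SOAP envelopes, which makes the one check the profile puts on the intermediary visible: before posting the IDP's response to the SP, the ECP compares the AssertionConsumerServiceURL in the ecp:Response header with the responseConsumerURL the SP gave it in the paos:Request header, and sends a SOAP Fault instead if they differ. The entity IDs and URLs are constructed sample values; the ECP's own authentication to the IDP (the step the slide correction above refers to) and all signatures are omitted.

```python
# Added example (not FAM/OpenSSO code): the ECP profile over the PAOS binding,
# played out by three functions (SP, ECP, IDP) on in-memory SOAP envelopes.
# Endpoints are constructed sample values; the ECP's own authentication to the
# IDP and all signatures are omitted.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
PAOS_CT = "application/vnd.paos+xml"
for prefix, uri in (("S", SOAP), ("paos", PAOS), ("ecp", ECP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)      # readable prefixes when serialised

SP = "https://sp.example.com/sp"                     # assumed SP entity ID
SP_ACS = "https://sp.example.com/sp/paosResponse"    # assumed PAOS response consumer URL
IDP = "https://idp.example.com/idp"                  # assumed IDP entity ID


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _envelope():
    env = ET.Element(f"{{{SOAP}}}Envelope")
    return env, ET.SubElement(env, f"{{{SOAP}}}Header"), ET.SubElement(env, f"{{{SOAP}}}Body")


def _header_block(hdr, tag, **attrs):
    blk = ET.SubElement(hdr, tag, **attrs)
    blk.set(f"{{{SOAP}}}mustUnderstand", "1")
    blk.set(f"{{{SOAP}}}actor", ACTOR_NEXT)
    return blk


def ecp_request_headers():
    """Step 1, ECP -> SP: HTTP headers announcing PAOS and the ECP service."""
    return {"Accept": "text/html, " + PAOS_CT, "PAOS": f'ver="{PAOS}";"{ECP}"'}


def sp_wants_ecp(headers):
    """SP side: only a client that asked for PAOS/ECP gets a SOAP envelope back."""
    return PAOS_CT in headers.get("Accept", "") and ECP in headers.get("PAOS", "")


def sp_build_paos_request():
    """Step 2, SP -> ECP: AuthnRequest in the Body; paos:Request says where the answer must be
    posted, ecp:Request names the IDPs the SP trusts."""
    env, hdr, body = _envelope()
    _header_block(hdr, f"{{{PAOS}}}Request", responseConsumerURL=SP_ACS, service=ECP,
                  messageID="_" + uuid.uuid4().hex)
    ecp = _header_block(hdr, f"{{{ECP}}}Request", ProviderName="Example SP", IsPassive="false")
    ET.SubElement(ecp, f"{{{SAML}}}Issuer").text = SP
    ET.SubElement(ET.SubElement(ecp, f"{{{SAMLP}}}IDPList"), f"{{{SAMLP}}}IDPEntry", ProviderID=IDP)
    authn = ET.SubElement(body, f"{{{SAMLP}}}AuthnRequest", ID="_" + uuid.uuid4().hex, Version="2.0",
                          IssueInstant=_now(), AssertionConsumerServiceURL=SP_ACS)
    ET.SubElement(authn, f"{{{SAML}}}Issuer").text = SP
    return env


def ecp_forward_to_idp(sp_env):
    """Steps 3-4, ECP -> IDP: strip the PAOS/ECP header blocks, remember responseConsumerURL and
    messageID, pick an IDP from the IDPList and forward the bare AuthnRequest. This is the leg on
    which the ECP authenticates to the IDP (out of scope here)."""
    hdr = sp_env.find(f"{{{SOAP}}}Header")
    paos_req = hdr.find(f"{{{PAOS}}}Request")
    idp = hdr.find(f"{{{ECP}}}Request/{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry").get("ProviderID")
    state = {"responseConsumerURL": paos_req.get("responseConsumerURL"), "messageID": paos_req.get("messageID")}
    env, _hdr, body = _envelope()
    body.append(sp_env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}AuthnRequest"))
    return idp, env, state


def idp_answer(idp_env, acs_url):
    """Step 5, IDP -> ECP: samlp:Response in the Body; ecp:Response carries the ACS URL the IDP
    believes the SP uses (parameterised so the check in step 6 can be exercised with a wrong value)."""
    authn = idp_env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}AuthnRequest")
    env, hdr, body = _envelope()
    _header_block(hdr, f"{{{ECP}}}Response", AssertionConsumerServiceURL=acs_url)
    resp = ET.SubElement(body, f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                         IssueInstant=_now(), InResponseTo=authn.get("ID"), Destination=acs_url)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    return env


def ecp_deliver_to_sp(idp_env, state):
    """Step 6, ECP -> SP: the profile's mandatory check. If the IDP's AssertionConsumerServiceURL
    differs from the responseConsumerURL the SP gave us, the ECP must NOT post the assertion there;
    it sends a SOAP Fault to the responseConsumerURL instead. Returns the HTTP POST to make."""
    acs = idp_env.find(f"{{{SOAP}}}Header/{{{ECP}}}Response").get("AssertionConsumerServiceURL")
    env, hdr, body = _envelope()
    if acs != state["responseConsumerURL"]:
        fault = ET.SubElement(body, f"{{{SOAP}}}Fault")
        ET.SubElement(fault, "faultcode").text = "S:Server"
        ET.SubElement(fault, "faultstring").text = "AssertionConsumerServiceURL does not match responseConsumerURL"
        return {"url": state["responseConsumerURL"], "content_type": PAOS_CT, "fault": True, "envelope": env}
    _header_block(hdr, f"{{{PAOS}}}Response", refToMessageID=state["messageID"])
    body.append(idp_env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response"))
    return {"url": acs, "content_type": PAOS_CT, "fault": False, "envelope": env}
```

The URL comparison is what stops a compromised or misdirected IDP response from being delivered to an endpoint the SP never asked for; the SP, for its part, should also treat a PAOS response whose refToMessageID does not match an outstanding messageID as unsolicited.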
WS-Federation
Pat
XACML
Dilli
  • Represents access control policies, requests and responses used to obtain policies and authorization decisions
  • XACML v2.0 is the current standard
  • Supports the SAML2 profile of XACML
    • XACMLAuthzDecisionQuery
    • XACMLAuthzDecisionStatement
  • Aravindan says it should be documented under Policy
  • Sample in the path-to-context-root/fam/samples/sdk directory
  • XACML Design Doc
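The two messages named above, XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement, built and consumed as an added example. This is not FAM/OpenSSO code and not the sample under fam/samples/sdk: a PEP wraps an xacml-context:Request in the query, a stand-in PDP evaluates it against a constructed policy table and answers with a SAML Assertion carrying the decision statement, and the PEP enforces the result by granting only on an explicit Permit. The PEP/PDP entity IDs, the policy table and the subject, resource and action values are all assumed sample data; transport and signatures are omitted.

```python
# Added example (not FAM/OpenSSO code): the SAML 2.0 profile of XACML 2.0. A PEP wraps an
# xacml-context:Request in an XACMLAuthzDecisionQuery, a PDP answers with an Assertion that
# carries an XACMLAuthzDecisionStatement, and the PEP enforces the result. The policy table,
# entity IDs and attribute values are constructed sample data; transport and signatures are omitted.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"     # XACMLAuthzDecisionQuery
XACML_SAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"     # XACMLAuthzDecisionStatement
XCTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XACML_STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
XACML_STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"

PEP = "https://sp.example.com/pep"    # assumed policy enforcement point (SAML requester)
PDP = "https://fam.example.com/pdp"   # assumed policy decision point (SAML authority)
# Constructed stand-in for the PDP's policy set: (subject, resource, action) -> decision.
POLICY = {("alice", "http://app.example.com/payroll", "GET"): "Permit",
          ("bob", "http://app.example.com/payroll", "GET"): "Deny"}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _category(req, name, attribute_id, value):
    cat = ET.SubElement(req, f"{{{XCTX}}}{name}")
    if value is not None:           # None models a PEP that failed to supply the attribute
        a = ET.SubElement(cat, f"{{{XCTX}}}Attribute", AttributeId=attribute_id, DataType=XS_STRING)
        ET.SubElement(a, f"{{{XCTX}}}AttributeValue").text = value


def build_authz_decision_query(subject, resource, action, pep=PEP):
    """PEP side: XACMLAuthzDecisionQuery carrying the XACML request context."""
    q = ET.Element(f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery", ID="_" + uuid.uuid4().hex,
                   Version="2.0", IssueInstant=_now(), InputContextOnly="true", ReturnContext="false")
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = pep
    req = ET.SubElement(q, f"{{{XCTX}}}Request")
    _category(req, "Subject", SUBJECT_ID, subject)
    _category(req, "Resource", RESOURCE_ID, resource)
    _category(req, "Action", ACTION_ID, action)
    ET.SubElement(req, f"{{{XCTX}}}Environment")
    return q


def _ctx_value(req, name, attribute_id):
    for a in req.find(f"{{{XCTX}}}{name}").findall(f"{{{XCTX}}}Attribute"):
        if a.get("AttributeId") == attribute_id:
            return a.findtext(f"{{{XCTX}}}AttributeValue")
    return None


def pdp_answer(query, pdp=PDP, policy=POLICY):
    """PDP side: evaluate the request context and return a samlp:Response whose Assertion holds an
    XACMLAuthzDecisionStatement. No matching rule -> NotApplicable; missing attribute -> Indeterminate."""
    req = query.find(f"{{{XCTX}}}Request")
    key = (_ctx_value(req, "Subject", SUBJECT_ID), _ctx_value(req, "Resource", RESOURCE_ID),
           _ctx_value(req, "Action", ACTION_ID))
    if None in key:
        decision, status = "Indeterminate", XACML_STATUS_MISSING
    else:
        decision, status = policy.get(key, "NotApplicable"), XACML_STATUS_OK
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_now(), InResponseTo=query.get("ID"))
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = pdp
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_now())
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = pdp
    stmt = ET.SubElement(a, f"{{{XACML_SAML}}}XACMLAuthzDecisionStatement")
    result = ET.SubElement(ET.SubElement(stmt, f"{{{XCTX}}}Response"), f"{{{XCTX}}}Result")
    if key[1] is not None:
        result.set("ResourceId", key[1])
    ET.SubElement(result, f"{{{XCTX}}}Decision").text = decision
    ET.SubElement(ET.SubElement(result, f"{{{XCTX}}}Status"), f"{{{XCTX}}}StatusCode", Value=status)
    return resp


def decision_of(resp):
    """Pull the XACML Decision string out of the statement (None if absent)."""
    return resp.findtext(f"{{{SAML}}}Assertion/{{{XACML_SAML}}}XACMLAuthzDecisionStatement/"
                         f"{{{XCTX}}}Response/{{{XCTX}}}Result/{{{XCTX}}}Decision")


def pep_allows(query, resp, pdp=PDP):
    """PEP side, fail closed: grant only on an explicit Permit, in an assertion from the expected
    PDP, in a response to our query. Deny, NotApplicable, Indeterminate and anything malformed deny."""
    if resp.get("InResponseTo") != query.get("ID"):
        return False
    if resp.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Issuer") != pdp:
        return False
    return decision_of(resp) == "Permit"
```

XACML has four decision values, and only one of them is a grant; a PEP that tests for "not Deny" instead of "Permit" turns every NotApplicable (no policy matched) and Indeterminate (the PDP could not evaluate) into an allow, which is the classic enforcement-point bug this layout is meant to avoid.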
IDP Proxy
Wei
  • An IDP proxy is one entity that acts as both IDP and SP
  • In the wei -> ping -> jamie example, ping is the IDP proxy
  • Supports:
    • SSO
    • SSO with the IDP discovery service
    • SLO
  • IDP proxy supports chaining (proxies can be placed one in front of another)
  • The useIntroductionforIDPproxy attribute turns on the discovery service
  • Use case #1 in the slides is the default
Multi Protocol Support
Wei

Support for ID-FF, SAML2 and WS-Federation in one circle of trust
  • Enables a circle of trust to contain entities supporting different federation protocols
  • Enables SSO and SLO to work across heterogeneous protocols within the same circle of trust - mainly to enable SSO and SLO for the same session shared among the ID-FF/SAML2/WS-Federation IDPs hosted on the same FAM instance
  • A sample is included in which the user creates a circle of trust containing one multi-protocol Identity Provider instance and three Service Provider instances speaking ID-FF, SAMLv2 and WS-Federation respectively

Identity Services
Aravindan
  • Allows developers to invoke FAM without knowledge of the product
  • Developers using PHP et al. may not need our client API
  • Use an IDE to implement it in your application
  • The WSDL URL is used from the IDE
  • The REST URL is used with scripting languages
  • The name of the feature is to be changed
About

docteger
