Authorization Scenarios with Signet - PowerPoint PPT Presentation
1
  • Authorization Scenarios with Signet
  • RL Bob Morgan
  • University of Washington
  • Internet2 Member Meeting, September 2004

2
The Authorization Space
  • As everyone knows by now
    • "Authentication says who you are, authorization
      says what you can do." OK as a tag line, but not
      for architecture ...
  • A higher-level definition
    • configuration and operation of systems so actions
      in support of organizational goals are permitted
      and other actions are prohibited ... or
    • representation and enforcement of organizational
      policy in software systems
    • covers all scales from macro-level policy
      (comply with HIPAA) to micro-level (user X can
      access file Y)

3
The Infrastructure Portfolio
  • Today's common core infrastructure components
    • Base identity management (for persons/subjects)
    • Authentication service
    • Directory/attribute service
  • The coming generation
    • Organization and group management
    • Privilege/authority management
    • Authorization service
    • Provisioning service
    • Event service (aka message-oriented middleware)
    • Workflow ...

4
Core Middleware
5
The Basic Access-control Scenario
  • client-server access, session-based
    • server controls access to resource
    • client (or peer) connects to server,
      authenticates as some subject
  • result of authentication is security context
    • and a session associated with that context
    • further operations in session take place in that
      context
  • security attributes of subject are obtained,
    added to context
    • for example, group memberships
    • userid (or subject name) is one among many
      possible attributes
  • client requests operation on a resource
  • server must answer the access-control question
    • is this operation on this resource by this
      subject permitted?

6
The Access-control Decision
  • Inputs are
    • the session security context
    • the policy applicable to the resource
    • any other relevant security attributes of the
      subject
    • environment (time of day, load, etc)
  • Output is yes or no
    • there are more complicated policy scenarios too
    • e.g., output is "how much", or "yes, and also do
      X"
  • Where do all these policies and attributes come
    from?
    • this is authorization (or policy) management
    • many components support server's ability to make
      its decision

7
Outsourced App Example (Signet + Shibboleth)
  • Classic outsourcing hard on both ASP and campus
    • ASP must provide admin interface, campus must
      enter data
  • Shibboleth provides campus-based SSO to ASP
    • use of campus-managed attributes negotiable
  • With Shib + Signet
    • campus, ASP decide on attributes sent via SAML
      • atomic attribute-value pairs, or full XML
        documents
    • campus manages these with Signet
      infrastructure-rich services
      • delegation, proxy, auditing, common UI, org
        structure, conditions
    • ASP gets user attributes at sign-on
      • no batch delays, but app must be dynamic

8
Signet + Grouper
  • Group and privilege management: why separate?
    • groups not just about authorization
    • privilege management useful without groups
    • campus may have existing group or privilege
      service
    • defining interaction via API is good discipline
  • Why together?
    • seamless user experience
    • potentially complicated interactions between them
  • Signet manages permissions on Grouper directories
  • show what this user can do in Signet, including
    group-based perms
  • generate per-user permissions for provisioning,
    including group-based

9
Signet Provisioning
  • Provisioning
    • refers to setup of user accounts, etc, in
      application systems
    • if all apps were fully dynamic and
      infra-service-reliant, provisioning might not be
      necessary ...
  • Signet-managed privileges typically are
    provisioned
    • e.g., conditions evaluated, rules checked,
      translations done before the priv info is pushed
      into the app
    • how much to cook in Signet is a per-application
      issue
  • Signet may also feed directory, accessed
    dynamically by app

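Slides 8 and 9 describe what a privilege-management system does before it pushes anything to an application: expand group-based assignments into per-user permissions, evaluate conditions such as effective and expiry dates, and translate the result into the app's native format. The following is an added example, not code from the presentation or from Signet or Grouper; the assignment record, the group map, the names, the dates and the output format are all constructed for illustration.

```python
# Added example (not from the presentation): expand privilege assignments,
# including group-based ones, into per-user permissions with conditions
# already evaluated, then translate them into a constructed application
# format for provisioning. Data model, group map and output shape are
# assumptions made for illustration, not Signet's or Grouper's real schema.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """One privilege assignment: a subject (person or group) holds a
    permission in a scope, optionally limited in time and by conditions."""
    subject: str                   # "person:alice" or "group:payroll-clerks"
    permission: str                # e.g. "payroll:approve"
    scope: str                     # e.g. "dept:finance"
    start: Optional[date] = None   # effective date; None = already effective
    end: Optional[date] = None     # expiry date; None = no expiry
    limit: tuple = ()              # extra conditions, e.g. (("max_amount", 5000),)

    def active_on(self, day: date) -> bool:
        """Evaluate the time condition; this is the work done 'in Signet'
        before anything reaches the application."""
        started = self.start is None or self.start <= day
        not_ended = self.end is None or day <= self.end
        return started and not_ended


# Constructed group memberships, of the kind a group service supplies.
GROUPS = {
    "group:payroll-clerks": frozenset({"person:alice", "person:bob"}),
    "group:finance-managers": frozenset({"person:carol"}),
}

# Constructed assignments, including an expired and a not-yet-effective one.
ASSIGNMENTS = [
    Assignment("group:payroll-clerks", "payroll:approve", "dept:finance",
               limit=(("max_amount", 5000),)),
    Assignment("person:carol", "budget:edit", "dept:finance",
               start=date(2004, 7, 1), end=date(2005, 6, 30)),
    Assignment("person:bob", "budget:edit", "dept:finance",
               end=date(2004, 6, 30)),            # expired: must not be pushed
    Assignment("person:alice", "hr:view", "dept:finance",
               start=date(2005, 1, 1)),           # not yet effective
]


def members(subject: str) -> frozenset:
    """Resolve a group subject to its members; a person resolves to itself."""
    if subject.startswith("group:"):
        return GROUPS.get(subject, frozenset())
    return frozenset({subject})


def effective_permissions(assignments, day: date) -> dict:
    """Per-user permissions valid on `day`, with group membership expanded and
    time conditions evaluated. Returns {user: {(permission, scope, limit)}}."""
    result = {}
    for a in assignments:
        if not a.active_on(day):
            continue
        for user in members(a.subject):
            result.setdefault(user, set()).add((a.permission, a.scope, a.limit))
    return result


def effective_on(iso_day: str) -> dict:
    """Convenience wrapper over the constructed data for an ISO date string."""
    return effective_permissions(ASSIGNMENTS, date.fromisoformat(iso_day))


def provisioning_records(perms: dict) -> list:
    """Translate into the target app's native format (constructed here as one
    record per user with a sorted list of grants), ready to be pushed."""
    records = []
    for user in sorted(perms):
        grants = [
            {"permission": p, "scope": s, "limits": dict(l)}
            for p, s, l in sorted(perms[user])
        ]
        records.append({"user": user.split(":", 1)[1], "grants": grants})
    return records


if __name__ == "__main__":
    for rec in provisioning_records(effective_on("2004-09-15")):
        print(rec)
```

The point of evaluating `active_on` before translation is the slide's "how much to cook in Signet": an application that only understands flat grants never sees the expiry date, so the provisioning run has to be repeated (or a deprovisioning record sent) when a grant lapses; an application that can consume the condition itself could instead receive the raw assignment.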
10
Signet Authorization Service
  • authorization decision service or policy
    decision point
    • app sends request-for-decision, including
      context, etc
    • decision engine accesses policy, attributes,
      etc, produces and returns yes/no decision
    • examples: Spocp, XACML
  • no one can or should write authz expressions
    manually
  • Signet can export permission document
    • transformable into native expression format
    • supplemented by other decision-time info
    • Signet->Spocp translator available

11
PEP-PDP Model
  (Diagram: the Policy Enforcement Point sits in front of
  the Resource; it sends a Decision Request, with the
  Context, to the Policy Decision Point, which consults
  the Policy Store(s) and Attribute Store(s) and returns
  a Decision Response.)

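Slides 5, 6 and 10 and the diagram above describe the same runtime exchange: the enforcement point builds a decision request from the session security context, the resource and the environment; the decision point consults its policy and attribute stores and answers yes or no, possibly with an obligation ("yes, and also do X"). The following is an added example of that exchange, not code from the presentation or from Signet, Spocp or XACML; the request and response shapes, the rule format, the policy and attribute stores and the business-hours condition are all constructed for illustration.

```python
# Added example (not from the presentation): a minimal policy enforcement
# point (PEP) and policy decision point (PDP) exchange. Request/response
# shapes, rules, stores and the environment attribute are constructed for
# illustration; they are not Spocp, XACML or Signet formats.
from dataclasses import dataclass, field


@dataclass
class DecisionRequest:
    """What the PEP sends: who wants to do what to which resource, plus the
    session security context and environment data."""
    subject: str
    action: str
    resource: str
    context: dict       # the server's authentication result for this session
    environment: dict   # e.g. {"hour": 14}, the time-of-day input of slide 6


@dataclass
class DecisionResponse:
    permit: bool
    reason: str
    obligations: list = field(default_factory=list)   # "yes, and also do X"


@dataclass
class Rule:
    resource_prefix: str
    action: str
    required_group: str
    business_hours_only: bool = False
    obligations: list = field(default_factory=list)


# Policy store (constructed): rules only grant; deny is the default.
POLICY_STORE = [
    Rule("payroll/", "approve", "payroll-clerks",
         business_hours_only=True, obligations=["audit-log"]),
    Rule("payroll/", "read", "payroll-clerks"),
]

# Attribute store (constructed): subject attributes the PDP resolves itself,
# so a client cannot assert its own group memberships.
ATTRIBUTE_STORE = {
    "alice": {"groups": {"payroll-clerks"}},
    "bob": {"groups": set()},
}


class PolicyDecisionPoint:
    def __init__(self, policies, attributes):
        self.policies = policies
        self.attributes = attributes

    def decide(self, req: DecisionRequest) -> DecisionResponse:
        groups = set(self.attributes.get(req.subject, {}).get("groups", set()))
        hour = req.environment.get("hour")
        reason = "no applicable rule"
        for rule in self.policies:
            if rule.action != req.action or not req.resource.startswith(rule.resource_prefix):
                continue
            if rule.required_group not in groups:
                reason = f"subject not in {rule.required_group}"
                continue
            if rule.business_hours_only and not (hour is not None and 8 <= hour < 18):
                reason = "outside business hours"
                continue
            return DecisionResponse(True, "matched rule", list(rule.obligations))
        return DecisionResponse(False, reason)


class PolicyEnforcementPoint:
    """Sits in front of the resource: builds the request from the session,
    applies the answer and discharges any obligations."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit = []   # where the "audit-log" obligation is discharged

    def enforce(self, session: dict, action: str, resource: str, environment: dict) -> int:
        req = DecisionRequest(session["subject"], action, resource, session, environment)
        resp = self.pdp.decide(req)
        if not resp.permit:
            return 403
        for ob in resp.obligations:
            if ob == "audit-log":
                self.audit.append((session["subject"], action, resource))
        return 200


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICY_STORE, ATTRIBUTE_STORE))
    alice = {"subject": "alice"}
    print(pep.enforce(alice, "approve", "payroll/run-42", {"hour": 14}))  # 200
    print(pep.enforce(alice, "approve", "payroll/run-42", {"hour": 22}))  # 403
```

Two design points worth noting for a PDP of this shape: the default answer is deny, so a resource with no applicable rule is not reachable, and a rule that matches but fails one of its conditions records why and keeps looking rather than short-circuiting, so the reason returned is the last obstacle rather than an arbitrary one.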
12
Signet Workflow
  • Popular current admin-space requirement
    • define business processes
    • route work items through processes
    • assign people to roles in processes
    • integrate processes into app systems
  • If workflow is mostly about privilege management
    ...
    • good privilege management system may fill the
      need instead
  • Privilege-management can provision workflow
    • role in business process assigned in PM system
  • Event/MOM services may be part of solution also

13
Conclusion
  • Many powerful tools available
  • More than one right way to do it
  • Architecture more important than ever
  • Best-practices sharing of experience is crucial
  • Common infra components promote sharing at higher
    levels