
Security Token Service (STS)
Transforming the Existing User Credentials For the Grid
Henri Mikkonen, Helsinki Institute of Physics
EGI Technical Forum 2012 (AAI Workshop)
19.9.2012, Prague, Czech Republic
EMI is partially funded by the European Commission under Grant Agreement RI-261611
Terminology
• Security Token?
– WS-Security: A collection of statements (claims) about a user or resource
– Any digital identity that can be attached to a SOAP message: X.509 certificate, SAML assertion, Kerberos ticket, …
• Security Token Service?
– WS-Trust: A Web service used to issue, renew, validate and cancel security tokens
– Establishes a trust relationship between different application / security domains
19/09/2012
Henri Mikkonen @ EGI Technical Forum 2012
EMI INFSO-RI-261611
SAML token -> X.509 token
(Slides 3 to 5 build up one diagram: the Client Tool, the user's Home Institute in the SAML Trust Domain, and the STS with its CA in the X.509 Trust Domain. The exchange it shows:)
1. The user gives username, password and home institute to the Client Tool.
2. The Client Tool authenticates to the Home Institute with the username and password and receives a SAML assertion.
3. The Client Tool presents the SAML assertion token to the STS and requests a certificate (public key + proof).
4. The STS requests a certificate from the STS CA, which issues it.
5. The STS returns an X.509 certificate token; the Client Tool writes the X.509 certificate and private key to the filesystem.
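The exchange in the diagram above, as an added example in Go; this is not code from the presentation or from the EMI STS. It models one Home Institute, one STS with its own CA, and one Client Tool, and it is deliberately reduced: the SAML assertion is replaced by a small signed struct (real SAML is signed XML), the WS-Trust SOAP envelope is left out, and the VOMS attribute certificate and proxy certificate of the later slides are not modelled. The name `STS CA`, the `alice` account and its password are constructed for the example. What it does show are the checks the STS has to make before issuing: that the assertion is signed by a trusted home institute and not expired, that the CSR's self-signature proves possession of the private key, and that the certificate subject is taken from the assertion rather than from the CSR; and on the client side, that the returned certificate chains to the STS CA and matches the generated key before it would be stored.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assertion stands in for a SAML assertion (signed XML in reality; this struct is an assumption of the example).
type Assertion struct {
	Subject  string
	NotAfter time.Time
	Sig      []byte // home institute's signature over msg()
}

func (a *Assertion) msg() []byte { return []byte(a.Subject + "|" + a.NotAfter.UTC().Format(time.RFC3339)) }

// HomeInstitute is the user's IdP: it checks username/password and signs an assertion.
type HomeInstitute struct {
	key   ed25519.PrivateKey
	users map[string]string // constructed sample credentials, not real accounts
}

func (h *HomeInstitute) Authenticate(user, pass string) (*Assertion, error) {
	if p, ok := h.users[user]; !ok || p != pass {
		return nil, fmt.Errorf("home institute: authentication failed for %q", user)
	}
	a := &Assertion{Subject: user, NotAfter: time.Now().Add(5 * time.Minute)}
	a.Sig = ed25519.Sign(h.key, a.msg())
	return a, nil
}

// STS bridges the two domains: it trusts the home institute's key (SAML side) and runs the STS CA (X.509 side).
type STS struct {
	idpKey ed25519.PublicKey
	CACert *x509.Certificate
	caKey  ed25519.PrivateKey
}

// Issue exchanges an assertion plus a CSR (public key + proof of possession) for a short-lived certificate.
func (s *STS) Issue(a *Assertion, csrDER []byte) (*x509.Certificate, error) {
	if time.Now().After(a.NotAfter) || !ed25519.Verify(s.idpKey, a.msg(), a.Sig) {
		return nil, fmt.Errorf("sts: assertion expired or not signed by the trusted home institute")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // the CSR's self-signature is the proof of possession
		return nil, fmt.Errorf("sts: CSR malformed or proof of possession failed")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // subject below: never from the CSR
		Subject: pkix.Name{CommonName: a.Subject}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(12 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, s.CACert, csr.PublicKey, s.caKey)
	return x509.ParseCertificate(der)
}

func Setup() (*HomeInstitute, *STS) {
	idpPub, idpKey, _ := ed25519.GenerateKey(rand.Reader)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "STS CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	hi := &HomeInstitute{key: idpKey, users: map[string]string{"alice": "correct horse"}}
	return hi, &STS{idpKey: idpPub, CACert: caCert, caKey: caKey}
}

// NewRequest generates the client's key pair and a CSR carrying the public key and the proof of possession.
func NewRequest() (ed25519.PrivateKey, []byte) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	return key, csrDER
}

// ClientFlow is the client tool's side: authenticate, make a key and CSR, call the STS, check the answer.
func ClientFlow(hi *HomeInstitute, sts *STS, user, pass string) (*x509.Certificate, ed25519.PrivateKey, error) {
	a, err := hi.Authenticate(user, pass)
	if err != nil {
		return nil, nil, err
	}
	key, csrDER := NewRequest()
	cert, err := sts.Issue(a, csrDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(sts.CACert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if pub, _ := cert.PublicKey.(ed25519.PublicKey); err != nil || !pub.Equal(key.Public()) {
		return nil, nil, fmt.Errorf("client: certificate rejected (chain: %v)", err)
	}
	return cert, key, nil // the real tool writes these to the filesystem
}

func main() {
	hi, sts := Setup()
	cert, _, err := ClientFlow(hi, sts, "alice", "correct horse")
	fmt.Printf("certificate issued: %v, error: %v\n", cert != nil, err)
}
```

`ClientFlow` plays the arrows between Client Tool, Home Institute and STS and returns what the real tool would write to the filesystem. The STS-side order matters: the assertion is checked before the CSR is even parsed, and a CSR whose subject names someone else is simply ignored, because the identity comes from the home institute, not from the requester.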
SAML token into a VOMS token
(Slides 6 and 7 build up one diagram, with VOMS added on the X.509 side. The exchange it shows:)
1. The user gives username, password and home institute to the Client Tool.
2. The Client Tool authenticates to the Home Institute with the username and password and receives a SAML assertion.
3. The Client Tool presents the SAML assertion token to the STS and requests a certificate (public key + proof + VO-info).
4. The STS requests attributes from VOMS, which issues an attribute certificate.
5. The STS requests a certificate from the CA, which issues it.
6. The STS returns an X.509 proxy certificate token; the Client Tool writes the X.509 proxy certificate chain and private key to the filesystem.
SAML token into a VOMS token
(Slides 8 and 9 show the same exchange driven from a Grid Portal instead of the Client Tool:)
1. The user logs in to the Home Institute with username and password through web browser access; the resulting SAML assertion is delivered to the Grid Portal.
2. The Grid Portal presents the SAML assertion token to the STS and requests a certificate (public key + proof + VO-info).
3. The STS requests attributes from VOMS, which issues an attribute certificate.
4. The STS requests a certificate from the CA, which issues it.
5. The STS returns an X.509 proxy certificate token; the Grid Portal accesses Grid Services using the user's proxy.
More details tomorrow
• Thursday 20.9.2012, 14:00 – 15:30, EMI Security for Grids and Clouds
– Henri Mikkonen: “STS Status Update”
– Carolina Lindqvist: “Exploring the SAML 2.0 ECP Profile”
Thank you! Questions?
Henri Mikkonen
<[email protected]>
EMI is partially funded by the European Commission under Grant Agreement RI-261611