Difference between revisions of "CLARIN/Security for web services"
From PDP/Grid Wiki
{{CLARIN}}
'''This page has been superseded by a [[Media:Clarin-security_for_web_services-research-report010.pdf|report]].''' <br />
A conclusion was to look into [[CLARIN/OAuth2|OAuth2]], which is being looked at [[CLARIN/OAuth2|here]].

----

Notes after the report was finished:
* [https://forge.switch.ch/redmine/projects/sts/wiki/Wiki EMI STS] is a new contender, but it uses SAML ECP, which not many IdPs support

== Links ==
=== Standards ===
* [http://kantarainitiative.org/confluence/display/uma/UMA+Explained User Managed Access] (UMA) has some overlap with this work; it [http://www.ietf.org/mail-archive/web/oauth/current/msg08556.html seems to be] useful for person-to-person sharing
* [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss OASIS Web Services Security]: [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf WS-Security], [http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf username], [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-x509TokenProfile.pdf X.509], [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SAMLTokenProfile.pdf SAML]
* [https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml/ A SASL and GSS-API Mechanism for SAML], which carries a base64-encoded SAML request in the URL
* [http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security4.html Ways to use SAML] (and [http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/XWS-SecuritySamples7.html#wp580431 SAML interop scenarios])
* [http://tools.ietf.org/html/draft-ietf-oauth-v2-10 OAuth 2.0], and [http://iiw.idcommons.net/SAML_Profiles_for_OAuth with SAML assertions]
=== Libraries ===
* [http://www.rediris.es/oauth2/ OAuth 2 assertion profile library]
* Shibboleth [https://wiki.shibboleth.net/confluence/display/SHIB2/ECP ECP], [https://spaces.internet2.edu/display/ShibuPortal/IdPDelegationExtension IdP delegation], [https://forge.switch.ch/redmine/projects/idwsfecp/wiki web-service client], and [https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal configuring it].
=== Federations ===
* [http://www.geant.net/Services/EndUserApplicationServices/Pages/eduGAIN.aspx eduGAIN]
* [http://code.google.com/apis/opensocial/ OpenSocial]
* [http://www.surfnet.nl/nl/Thema/SURFfederatie/diensten/ SURFfederatie services]
=== Other ===
* [http://saml.xml.org/forum/n-tier-usage-of-saml-in-the-backend N-tier usage of SAML in the backend]
* [http://www.omg.org/news/meetings/workshops/Web_Services_USA_Manual/02-3_K_Smith.pdf Similar project] in the US Department of Defense
* [http://portabilitypolicy.org/ Data portability], and [http://dataportability.org/ blog]
* OAuth 2 uses bearer tokens and lacks signatures, which [http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/ may become a problem].
* Nice [http://davidlyness.com/post/twitter-oauth OAuth 1] and [http://www.independentid.com/2011/03/oauth-flows-extended.html OAuth 2] diagrams
* [http://profsandhu.com/zhang/pub/sacmat11-xdauth.pdf xDAuth]
* [http://contentdm.lib.byu.edu/ETD/image/etd2515.pdf SimpleAuth]: an adaptation of OpenID to support delegation (though this might be something entirely different)
* [http://ndg-security.ceda.ac.uk/wiki/MashMyData MashMyData security model]
Latest revision as of 11:28, 26 February 2013