Difference between revisions of "CLARIN/Security for web services"
From PDP/Grid Wiki
Jump to navigationJump to search (include images) |
|||
| Line 5: | Line 5: | ||
== Approaches == | == Approaches == | ||
| + | <div style="clear:right"></div>[[Image:Approaches_open.png|150px|right|Open diagram]] | ||
=== Open === | === Open === | ||
All services trust each other. No technical security measures (other than, possibly, blocking complete strangers); managable upto ~15 services [TODO ref needed] | All services trust each other. No technical security measures (other than, possibly, blocking complete strangers); managable upto ~15 services [TODO ref needed] | ||
| + | <div style="clear:right"></div> | ||
=== Shibboleth + delegation === | === Shibboleth + delegation === | ||
[http://shibboleth.internet2.edu/ Shibboleth] is already used for federated authentication. It has [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-Directvs.DelegatedAuthentication ECP] support with [https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal delegation], though only through a plugin. The next major IdP release [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-CodeAvailability may] include it though. | [http://shibboleth.internet2.edu/ Shibboleth] is already used for federated authentication. It has [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-Directvs.DelegatedAuthentication ECP] support with [https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal delegation], though only through a plugin. The next major IdP release [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-CodeAvailability may] include it though. | ||
| Line 16: | Line 18: | ||
(see Shibboleth) [TODO would there be other SAML ECP options than Shibboleth?] | (see Shibboleth) [TODO would there be other SAML ECP options than Shibboleth?] | ||
| + | <div style="clear:right"></div>[[Image:Approaches_oauth1.png|150px|right|OAuth 1.0 diagram]] | ||
=== OAuth 1.0 === | === OAuth 1.0 === | ||
| + | <div style="clear:right"></div>[[Image:Approaches_oauth2.png|150px|right|OAuth 2.0 diagram]] | ||
=== OAuth 2.0 === | === OAuth 2.0 === | ||
| + | <div style="clear:right"></div> | ||
== Links == | == Links == | ||
Revision as of 15:55, 23 March 2011
Approaches
Open
All services trust each other. No technical security measures (other than, possibly, blocking complete strangers); managable upto ~15 services [TODO ref needed]
Shibboleth + delegation
Shibboleth is already used for federated authentication. It has ECP support with delegation, though only through a plugin. The next major IdP release may include it though.
One cannot expect each IdP to install this plugin, or to have the latest version installed [TODO check if this is the case with Shibboleth version policies]. Therefore this option is not viable.
SAML ECP
(see Shibboleth) [TODO would there be other SAML ECP options than Shibboleth?]
OAuth 1.0
OAuth 2.0
Links
Standards
- User Managed Access (UMA) has some overlap with this work
- OASIS Web Services Security: WS-Security, username, X.509, SAML
- A SASL and GSS-API Mechanism for SAML, uses base64 encoded SAML request in URL
- OAuth 2.0, and with SAML assertions
Libraries
- OAuth 2 assertion profile library
- Shibboleth ECP delegation, web-service client, and configuring it.
