SAML Security Assertion Markup Language
7.4.5 Policies
Policies contain sets of rules to express access restrictions for particular resources. At the conceptual stage no assumption about the policy language, namely „how‟ a policy is encoded, are made. The resource side basis of every access control decision is in the SensorSA policies.7.4.6 Assertion and Policy Encoding
In SensorSA the access control mechanisms rely on the usage of OASIS Security Standards. - SAML Security Assertion Markup Language is used to encode identities and related information in a SAML Assertion. - XACML eXtensible Access Control Markup Language is used to define access rules, for the above mentioned identities.7.4.6.1 SAML Security Assertion Markup Language
SAML is a language to encode security related information. In SensorSA SAML is used to encode Identity related information. SAMLS is summarised by OASIS 2006b as follows: ―SAML consists of building-block componen ts … The components primarily permit transfer of identity, authentication, attribute, and authorization information between autonomous organizations that have an established trust relationship. The core SAML specification defines the structure and content of both assertions and protocol messages used to transfer this information. SAML assertions carry statements about a principal that an asserting party claims to be true. The valid structure and contents of an assertion are defined by the SAML assertion XML schema. Assertions are usually created by an asserting party based on a request of some sort from a relying party, although under certain circumstances, the assertions can be delivered to a relying party in an unsolicited manner. SAML protocol messages are used to make the SAML- defined requests and return appropriate responses. The structure and contents of these messages are defined by the SAML-defined protocol XML schema. The means by which lower-level communication or messaging protocols such as HTTP or SOAP are used to transport SAML protocol messages between participants is defined by the SAML bindings. Next, SAML profiles are defined to satisfy a particular business use case, for example the Web Browser SSO profile. Profiles typically define constraints on the contents of SAML assertions, protocols, and bindings in order to solve the business use case in an interoperable fashion.‖ SANY D2.3.4 Specification of the Sensor Service Architecture V3 Doc.V3.1 Copyright © 2007-2009 SANY Consortium Page 110 of 233 Figure 7-5: Basic SAML concepts OASIS 2006b In SensorSA SAML core assertions and protocol is used exclusively or in other words no bindings or profiles have been defined. The use of SAML in the context of the access control services is further described in section 10.5.4.7.4.6.2 XACML eXtensible Access Control Markup Language
Parts
» Specification of the Sensor Service Architecture (SensorSA)
» Executive Summary Specification of the Sensor Service Architecture (SensorSA)
» Intended Audience Abbreviations and acronyms
» General Remark Terms and Definitions
» Architectural Framework Specification of the Sensor Service Architecture (SensorSA)
» Relationship to the ORCHESTRA Architecture
» Requirements of GMES Enterprise Viewpoint
» Requirements of GEOSS Enterprise Viewpoint
» Requirements of Sensor Networks
» Overview Sensor Network User Requirements
» Data and Information User Requirements
» Data Quality Security User Requirements
» Processing and Fusion User Requirements
» Decision Support User Management
» Complex form of a Sensor Sensor System
» Overview Enterprise Viewpoint of a Sensor
» Engineering Viewpoint of a Sensor
» Service Viewpoint of a Sensor
» Information Viewpoint of a Sensor
» Overview Functional Domains Major Concepts of the Sensor Service Architecture
» Overview RequestReply Interaction Model
» Event-based Interaction Model Models of Interaction
» Event Definition Event-based Architectural Style
» Event Properties Event Model
» Event Verbosity Levels Event Model
» Form of Events Roles in Event Relationships
» Overview Event Processing Role Model
» Event Role Interfaces Event-Driven Processing System
» Resources Resources and their Identification
» URN Namespace for SANY Resources
» Naming principles Resources and their Identification
» Resource and Catalogue Types
» Sensor Planning Information Service Planning Functions
» Introduction Data and Service Integration Interpretation
» Discovery Monitoring Authentication and Authorisation
» The measurement process Uncertainty
» Access Control Service Architecture
» t Conceptual Building blocks for “Plug-and-Measure”
» Overview Information Model for Observations Measurements OM
» Information Model of the Sensor Observation Service
» Model for Subject Related Information Profiles and Identities
» SAML Security Assertion Markup Language
» XACML eXtensible Access Control Markup Language
» Event Information Model Information Viewpoint
» Resource representation Resource name
» Resource link Uniform Interface
» Introduction Relationship between Resources, Services and Features
» Overview Meta-information Schema for Discovery
» Meta-information Sections Related to Observation Discovery
» Overview Services of the OGC Sensor Web Enablement
» Sensor Observation Service Services of the OGC Sensor Web Enablement
» Web Notification Service Services of the OGC Sensor Web Enablement
» Overview Profile Management Service
» Policy Enforcement Service Access Control Services
» Overview Services of the Mediation, Processing and Application Domain
» Interfaces of WS-Base Notification Specification
» Properties of a Service Platform
» Specification of the SensorSA W3C Web Services Platform
» Specification of the SensorSA OGC Web Services Platform
» Specification of the SensorSA RESTful Web Services Platform
» Introduction Query Models Resource Discovery Policy
» Discovery of Observations Typical resource discovery policies
» Discovery of Procedures Typical resource discovery policies
» Event-based Harvesting Resource Discovery Policy
» Overview Policies for Sensor and Service Monitoring
» Policies for Sensor Planning
» “Non intrusive” at service level
» Delegate Anonymous Service Chain
» Patterns for Access Control in a Multi-Protocol Environment Usage of SAML
» Attachment of quality information
» Data flow optimization Providing alternative views to data
» Data pre-processing Multi-level sensor data storage
» Processing Chain Service Processing Chains .1 Introduction
» Approach Combining Earth Observation and In-situ data .1 Introduction
» Integration of Mobile Sensors
» Definition and Subscription of Events
» Sensor Plug In Plug-and-measure Support
» Sensor recognition and connection establishment Sensor Adapters
Show more