SANY D2.3.4 Specification of the Sensor Service Architecture V3 Doc.V3.1
Copyright © 2007-2009 SANY Consortium Page 144 of 233
8.3. Access Control Services

8.3.1 Overview

Service and Interface Type Name / Overview Description / Reference

Profile Management Service
    Creates and maintains user profiles and their associations to identities.
    Reference: section 8.3.2

Identity Management and Authentication Service
    Creates and maintains identities. Supports the management of groups of identities as a special kind of identity. Proves the genuineness of identities using a set of given credentials and issues session information (IdP).
    Reference: section 8.3.3

Policy Management and Authorisation Service
    Acts as an external policy decision point (PDP) and policy administration point (PAP). The service provides a decision on whether some identity (e.g. a user or a service) is authorised to access a certain resource. Allows the management (create, update, delete) of XACML policies.
    Reference: section 8.3.4

Policy Enforcement Service
    A dedicated policy enforcement point (PEP) that handles authentication and sends authorisation requests to the PDP for non-security-enabled web services.
    Reference: section 8.3.5

Table 8-6: Access Control Services
Note: The abstract access control pattern specified in section 6.8.2 introduces the concept of a Policy Enforcement Point as the entity that enforces an access control policy. The SensorSA introduces a "Policy Enforcement Service" to handle policy enforcement, mainly as a coordination of the authentication and authorisation request tasks. A Service Proxy (Service Side Façade) in conjunction with a Policy Enforcement Service should be used if the policy enforcement task is to be performed in a non-intrusive manner. This implementation pattern is described in section 10.5.1.1.
8.3.2 Profile Management Service

Name: Profile Management Service

Standard Specifications:
The following RFCs have been used as a template to define profile attributes in the SANY implementation of the Profile Management Service:
  - IETF RFC 2251 - RFC 2256: Lightweight Directory Access Protocol (LDAP) v3
  - IETF RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3

Description:
The Profile Management Service is used to create and maintain profiles. In general, profiles of users, services, etc. represent entities that need to be authenticated. They are not authenticated themselves but rather represent a point of contact and management feature for authentication and authorisation purposes. A profile is decoupled from authentication. This decoupling is done by separating identities from profiles. An identity of a profile is defined in an Identity Management Interface instance. Management of profiles includes the association to identities as well as storage of profile attributes. Profile attributes can be arbitrary key/value-list pairs and are currently defined by an LDAP schema.

The Profile Management Service provides its functionality through the following interfaces:
  - ServiceCapabilities
  - ProfileManagement

Interface ServiceCapabilities
  getCapabilities: Informs the client about both common and specific capabilities of a Profile Management Service instance, e.g. the supported LDAP schemas.

Interface ProfileManagement
  createProfile: Creates a profile.
  deleteProfile: Deletes a profile, including the deletion of all associations to identities and profile attributes.
  updateProfile: Updates a profile. Can be used to change profile-related information, e.g. profile attributes.
  addIdentityToProfile: Associates an existing identity to an existing profile.
  removeIdentityFromProfile: Removes a previously assigned identity from a profile.
  getProfiles: Enumerates all profiles of the current service instance. Accepts a query parameter to narrow the list of returned profiles.

Example usage:
The Profile Management Service provides the functionality to register and update user profiles. The result of a successful registration is a profile entry in the Profile Management information base. Moreover, the Profile Management Service's information base contains information about the profile's identities, whereas authentication of associated identities and the provision of session information is provided by an Authentication Interface instance.

Comments:
The Profile Management Service replaces the former User Management Service described in the RM-OA 2007.

Table 8-7: Description of the Profile Management Service

8.3.3 Identity Management and Authentication Service
Name: Identity Management and Authentication Service

Standard Specifications:
The Authentication Interface uses the following standard for the encoding of session information:
  - OASIS Security Assertion Markup Language (SAML) v2

Description:
Identities and their attributes are managed (created, deleted, etc.) using an Identity Management Interface instance. The Identity Management Interface acts as an identity provider (IdP). The manner in which identity information is managed is up to the particular identity provider, as different authentication mechanisms (e.g. asymmetric public key/secret infrastructure or login/password) require different identity-related information. In this way Identity Management can be independent of authentication methods. Please note that the association between profiles and identities is performed using an instance of the Profile Management Service. In this way authentication remains independent of Profile Management tasks related to identities.

The Authentication Interface verifies the genuineness of identities using a given set of credentials. The authentication mechanism, i.e. the way authentication is performed, is up to the service implementation. The kind of credentials an Authentication Interface needs, as well as the way they are passed, is specific to the authentication mechanism used. The present specification of the Identity Management and Authentication Service supports a username/password authentication mechanism.

A SAML ticket (session information) returned after a successful authentication can be used to invoke services demanding authenticated identities.

The Identity Management and Authentication Service provides its functionality through the following interfaces:
  - ServiceCapabilities
  - Authentication
  - IdentityManagement

Interface ServiceCapabilities
  getCapabilities: Informs the client about both common and specific capabilities of an Identity Management and Authentication Service instance.

Interface Authentication
  login: Performs a login using the credentials and identity (e.g. username/password) supported by this Authentication Interface instance. Returns a SAML ticket that contains the authenticated identity and related attributes and possibly a set of authenticated group identities that is associated to the authenticated identity. Note: a SAML ticket serves as an asserted and temporarily valid record of a subject's identity, including identity properties (e.g. age) that can serve as a basis for an authorisation decision.
  verifySessionInformation: Verifies the SAML ticket (session information) previously issued by the same Authentication Interface instance. Returns a status value indicating the validity of the SAML assertion stated in the SAML ticket.

Interface IdentityManagement
  addIdentity: Creates an identity. The identity's representation is specific to the supported authentication mechanism. The present specification of the Identity Management and Authentication Service supports UserNamePassword Identities apart from the obligatory GroupIdentities.
  deleteIdentity: Deletes an existing identity. Deletion of identities implies the need to update the corresponding Profile Management Service instance as well as any policy referring to it.
  updateIdentity: Updates an existing identity. The identity to be updated as well as the information to be changed, e.g. a new username, additional or modified attributes, shall be provided as input.
  addCredentials: Adds credentials to a certain identity. Credentials are specific to the authentication mechanism used. For a username/password authentication the credential is a password.
  updateCredentials: Updates credentials (e.g. password) for a certain identity (e.g. username).
  deactivateIdentity: Deactivates an identity without removing it. The identity (e.g. username) to be deactivated and additional information, e.g. a time period for deactivation, shall be provided as input.
  activateIdentity: Activates an existing, formerly deactivated identity. The identity (e.g. username) to be activated and additional information, e.g. a point of time for activation, shall be provided as input.
  getIdentities: Executes a query and returns identities that match the query conditions. The query language depends on the particular implementation of the service instance.
  addIdentityToGroup: Associates an existing group with an existing identity. The identity must reside in the same Identity Management Interface instance.
  removeIdentityFromGroup: Removes the association between a given identity and a given group. The removed identity is not deleted.

Example usage:
Multiple instances of Identity Management and Authentication Services may coexist in a network, and each organisation may maintain its own instance of the Identity Management and Authentication Service. This favours cross-organisational sign-on or single sign-on (SSO), since identities represent only the identity of a user profile and one profile may refer to multiple identities, each registered at different instances.

Comments:
The Identity Management and Authentication Service replaces the former Authentication Service described in the RM-OA 2007.

Table 8-8: Description of the Identity Management and Authentication Service

8.3.4 Policy Management and Authorisation Service
Name: Policy Management and Authorisation Service

Standard Specifications:
The following standards are used for the definition of policies and authorisation requests and responses:
  - OASIS Security Assertion Markup Language (SAML) v2.0
  - OASIS eXtensible Access Control Markup Language (XACML) TC v2.0
  - OASIS SAML 2.0 profile of XACML v2.0

Description:
The Authorisation Interface evaluates an authorisation request of a policy enforcement point (PEP) and returns the authorisation decision. The authorisation decision is based on an XACML authorisation request passed from the PEP or a security-enabled service. The authorisation request comprises the authenticated identities of the service requestor, including all identity attributes relevant for an authorisation decision, as well as specific environment attributes, for example individual state variables of the service.

The Policy Management Interface is responsible for the management of access policies and thus plays the role of a policy information point (PIP) and policy administration point (PAP). Access policies can be expressed in the XACML access control policy language.

The Policy Management and Authorisation Service provides its functionality through the following interfaces:
  - ServiceCapabilities
  - Authorisation
  - PolicyManagement

Interface ServiceCapabilities
  getCapabilities: Informs the client about common and specific capabilities of a Policy Management and Authorisation Service instance.

Interface Authorisation
  authorise: This operation uses the SAML 2.0 profile of XACML 2.0 to request an authorisation decision. The authorisation decision is currently provided as a compliance value indicating how to treat the request, e.g. permit or deny.

Interface PolicyManagement
  createPolicy: Creates a new policy.
  deletePolicy: Deletes an existing policy.
  getPolicy: Retrieves a policy identified by a unique ID.
  getPolicies: Retrieves a sequence of policies maintained by the Policy Management Interface instance.
  updatePolicy: Updates an existing policy.

Example usage:
Access policies can be expressed in the XACML access control policy language. XACML allows the definition of very flexible policies that can be evaluated against any kind of environment attributes. Such environment attributes may be derived from boundary conditions of a service request as well as from the underlying data source. By defining an appropriate policy for e.g. a WMS and a SOS, the Policy Management and Authorisation Service may restrict access to a certain layer or offering.

Comments:
The Policy Management and Authorisation Service replaces the former Authorisation Service described in the RM-OA 2007.

Table 8-9: Description of the Policy Management and Authorisation Service
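The following is an added illustration, not part of the SANY specification: a toy Python model of the PEP/PDP flow described in the note of section 8.3.1 and in the Authorisation Interface above. The PEP first verifies the session ticket (the verifySessionInformation step), assembles an attribute-based request context from the ticket and the invoked operation, and the PDP evaluates a deny-overrides policy that restricts one WMS layer to a group identity. The Ticket and Rule structures, attribute ids, layer ids, issuer and group names are constructed stand-ins, not the SensorSA's SAML or XACML encodings.

```python
# Added example: toy PEP -> PDP exchange modelled on the SensorSA access-control pattern.
# The Ticket stands in for the SAML ticket, the request dict for the XACML request context.
from collections import namedtuple
import time

# Stand-in for a SAML ticket: subject, group identities, issuer and expiry (epoch seconds).
Ticket = namedtuple("Ticket", "subject groups issuer not_on_or_after")
# One policy rule: effect is "Permit" or "Deny"; target maps attribute id -> set of values.
Rule = namedtuple("Rule", "effect target")

def verify_session(ticket, trusted_issuer, now=None):
    """verifySessionInformation analogue: issued by our own IdP and not yet expired."""
    now = time.time() if now is None else now
    return ticket.issuer == trusted_issuer and now < ticket.not_on_or_after

def matches(target, request):
    """A target matches when every listed attribute shares a value with the request."""
    return all(request.get(attr, set()) & values for attr, values in target.items())

def decide(policy, request):
    """PDP with deny-overrides combining: any matching Deny rule wins."""
    effects = {rule.effect for rule in policy if matches(rule.target, request)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def build_request(ticket, resource, action, environment):
    """PEP step: request context from the ticket, the invoked operation and environment state."""
    request = {"subject-id": {ticket.subject}, "group": set(ticket.groups),
               "resource-id": {resource}, "action-id": {action}}
    request.update({attr: {value} for attr, value in environment.items()})
    return request

def enforce(ticket, resource, action, environment, policy, trusted_issuer, now=None):
    """PEP: an unverifiable session never reaches the PDP; only Permit lets the call through."""
    if not verify_session(ticket, trusted_issuer, now):
        return "Deny"
    decision = decide(policy, build_request(ticket, resource, action, environment))
    return "Permit" if decision == "Permit" else "Deny"  # deny-biased PEP

# Constructed policy: the public layer is open to any authenticated subject, the gauge
# layer only to the "hydrologists" group, and all requests are denied during maintenance.
POLICY = (
    Rule("Permit", {"resource-id": {"wms:layer:public"}, "action-id": {"GetMap"}}),
    Rule("Permit", {"resource-id": {"wms:layer:gauges"}, "action-id": {"GetMap"},
                    "group": {"hydrologists"}}),
    Rule("Deny", {"service-state": {"maintenance"}}),
)
```

The PDP's NotApplicable result is deliberately mapped to Deny by the PEP, so a request that no rule covers is refused rather than let through.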
8.3.5 Policy Enforcement Service