Flexible Access Middleware Extensions to PERMIS

Robust authentication and authorisation services are key to the deployment of a secure virtual organisation (VO) environment, in which students, researchers and staff with different roles and responsibilities, from different institutions, are expected to share resources distributed across the Internet, with components administered locally and independently.

Executive Summary

Entity authentication is the first line of defence in this VO environment, which is required to assure a service provider (SP) that a resource access is only granted to users whose identities have been verified. The level of assurance (LoA) in identifying a user, also referred to as the quality of an entity authentication process, reflects the degree of confidence in identifying the entity to which the credential was issued, and the degree of confidence that the entity using the credential is indeed the entity that the credential was issued to.

Different authentication services and tokens provide different LoA. NIST (the US National Institute of Standards and Technology) [NIST06] has defined four levels of authentication assurance, each corresponding to a class of authentication services and tokens. Resources with varying sensitivity and/or risk levels are better served by different authentication methods. With this risk-based authentication/authorisation approach, an SP may specify a minimum LoA depending upon the resource sensitivity and/or risk level, and require that access is granted only if the LoA derived from an authentication instance satisfies that minimum LoA.

This project is aimed at designing and developing middleware extensions to realise this vision of risk-based authentication and LoA-linked fine-grained access control. The extensions are in three parts, FAME [FAME], PERMIS [PERMIS] and GridSite [GridSite], linked by SHIBBOLETH, an open source solution to support inter-institutional sharing of Web resources subject to access control [Shib04]. FAME integrates a wide range of standard authentication services that support the use of various authentication credentials, including IP addresses, username/password pairs, and certificate-based soft tokens as well as hard tokens such as smart/Java cards. FAME can easily be integrated with any authentication service that has a Web front-end, e.g. Kerberos, NIS (Network Information Service), and authentication systems that use LDAP (Lightweight Directory Access Protocol) or MySQL. Upon successful authentication, FAME derives an LoA value based upon the authentication method/token used in the process, and passes it to an authorisation decision engine as a user attribute value, via the SHIBBOLETH SAML message. PERMIS is a risk-based authorisation decision engine that uses the LoA in the authorisation decision-making process. PERMIS supports hierarchical role-based access control (RBAC). By converting the LoA into a user attribute, and defining the LoA as a hierarchical role in the PERMIS authorisation policy, PERMIS makes risk-based authorisation decisions that depend upon the LoA value of the user. The PERMIS Policy Editor has been enhanced to allow managers to easily create policies that include the LoA as a hierarchical role. In other words, PERMIS now makes authorisation decisions based on the tuple: {Subject, LoA, Target, Action}.
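The following is an added illustration of the decision model just described; it is not FAME or PERMIS code. It assumes a numeric mapping from authentication method to NIST-style LoA (levels 1 to 4), a small role hierarchy in which LoA values are ordinary hierarchical roles, and a constructed policy; all of these are the example's own assumptions. It shows how a resource's minimum LoA becomes one more role requirement in the {Subject, LoA, Target, Action} decision, and how a high LoA cannot substitute for a missing subject role (or the reverse).

```python
"""Toy model of LoA-linked hierarchical RBAC decisions.

The method-to-LoA mapping, role hierarchy and policy below are constructed
for illustration and are not taken from the FAME-PERMIS project.
"""
from dataclasses import dataclass

# Assumed mapping from the authentication method used to an LoA value (1..4).
LOA_BY_METHOD = {
    "ip_address": 1,
    "password": 2,
    "soft_certificate": 3,
    "hard_token": 4,
}

# Role hierarchy: each role maps to the roles directly junior to it.
# LoA levels form a chain, so holding LoA3 also satisfies LoA2 and LoA1.
ROLE_HIERARCHY = {
    "LoA4": {"LoA3"}, "LoA3": {"LoA2"}, "LoA2": {"LoA1"}, "LoA1": set(),
    "staff": {"researcher"}, "researcher": {"student"}, "student": set(),
}


def derive_loa(method: str) -> int:
    """Step the authentication front-end performs: turn the method used into an LoA."""
    if method not in LOA_BY_METHOD:
        raise ValueError(f"unknown authentication method: {method}")
    return LOA_BY_METHOD[method]


def effective_roles(roles) -> set:
    """Transitive closure of the held roles over the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_HIERARCHY.get(role, ()))
    return seen


@dataclass(frozen=True)
class Rule:
    target: str
    action: str
    required_roles: frozenset  # every listed role must be held, directly or by inheritance


# Constructed policy: the minimum LoA for a resource is just another required role.
POLICY = [
    Rule("public-docs", "read", frozenset({"student", "LoA1"})),
    Rule("grid-cluster", "submit-job", frozenset({"researcher", "LoA2"})),
    Rule("patient-records", "read", frozenset({"researcher", "LoA3"})),
    Rule("patient-records", "write", frozenset({"staff", "LoA4"})),
]


def decide(subject_roles, auth_method: str, target: str, action: str) -> bool:
    """Authorisation over {Subject, LoA, Target, Action}; default deny."""
    loa_role = f"LoA{derive_loa(auth_method)}"
    held = effective_roles(set(subject_roles) | {loa_role})
    return any(
        rule.target == target and rule.action == action and rule.required_roles <= held
        for rule in POLICY
    )


if __name__ == "__main__":
    # A researcher who logged in with a password may use the cluster but not read patient records.
    print(decide({"researcher"}, "password", "grid-cluster", "submit-job"))      # True
    print(decide({"researcher"}, "password", "patient-records", "read"))        # False
    print(decide({"researcher"}, "soft_certificate", "patient-records", "read"))  # True
    # A strong token does not compensate for a missing subject role.
    print(decide({"student"}, "hard_token", "grid-cluster", "submit-job"))      # False
```

Because the LoA is modelled as a hierarchical role rather than a separate check, the same policy editor and decision path that handle organisational roles handle the minimum-LoA requirement, which is the point of treating the LoA as a user attribute.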

The third component, GridSite, builds extensions to allow the integration of FAME-PERMIS into the GridSite infrastructure, so that the GridSite community can also benefit from LoA-linked fine-grained access control to Grid resources. Thus GridSite can not only use the X.509 DN to identify a user but also, with the support for SHIBBOLETH, tie a username/password to that DN, using the certificate to create the account. The use of FAME in this context allows the quality of the authentication to be represented, and expressing requirements about it in GACL/XACML policies is also supported. Both the software design and implementation adhere to relevant international standards [NIST06, Shib04]. Case studies are performed to ensure that the developed middleware satisfies both functional and non-functional requirements, including security, interoperability, portability, reliability, and usability. A live demo showing the integrated operation of FAME, PERMIS, GridSite, and SHIBBOLETH is available on the project website.

The project has achieved all the aims and objectives initially set, i.e. those outlined above. In addition, the project addressed a further important issue identified during the design stage, namely the single sign-on (SSO) property. Furthermore, we identified an additional use case scenario during the case studies, in which a user may opt to use a standalone application (rather than a web browser) to access remote resources. Again, we have designed and built an extended solution making use of a software-configurable firewall. This extended solution, called FAME-CLEF, allows FAME-PERMIS to protect resources accessed via standalone clients. Last but not least, in addition to the software development, the project team has also published 5 academic papers, 3 in international refereed conferences and 2 in academic journals.

Author: Dr Ning Zhang, Dr Aleksandra Nenadic, Professor David Chadwick, and Dr Andrew McNab
Publication Date: 20 March 2007
Publication Type: Projects
Topic: Strategic Themes