Identity Manager in Cloud with Openflow Switches

Uploaded by mohammad-faraji, posted 15-Jan-2015

Page 1

Identity Manager in Software Defined Net
Mohammad Faraji
Email: [email protected]

Page 2

SAVI Identity Manager Design Requirements

SAVI is a federation of autonomous systems: testbeds, cloud datacenters, and information providers (e.g. identity providers).

Researchers need fine-grained access control to have flexibility: policy negotiation and attribute assertion.

Page 3

SAVI Federation Architecture

[Figure: SAVI federation architecture. Components shown: SAVI Federation Oversight with the Trust Anchor (Keystone); SAVI core node; SAVI edge node; testbed; remote datacenters; domain admin; users 1-3; identity providers; service accounting (Beacon); repository. Authentication: OAuth, OpenID, SAML. Authorization: XACML.]

Page 4

Authentication Interoperability Standard: Security Assertion Markup Language (SAML)

[Figure: SAML domain model. Assertions: authentication assertion, attribute assertion, authorization decision assertion. Authorities: authentication authority, attribute authority, policy decision point, policy enforcement point, each governed by its own policy. Also shown: credentials collector, system entity, application request.]

Source: OASIS SAML Standard
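The relying-party side of the model above, as an added example in Python (not code from the presentation or the SAVI project): it parses a constructed, unsigned SAML 2.0 assertion, checks the Issuer, the validity window and the audience restriction from the Conditions element, and returns the subject together with the attribute assertion that an authorization decision point would consume. The issuer and audience URLs, the subject and the attribute names are placeholders; verifying the XML Signature, which a real service must do before anything below is trusted, is outside this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# SAML 2.0 assertion namespace, as defined by the OASIS standard.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: placeholder issuer, audience and subject, and
# deliberately unsigned. Production code should parse with defusedxml and
# verify the signature before trusting any of these fields.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-assertion-id" Version="2.0"
                IssueInstant="2015-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>researcher1</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-01-15T10:00:00Z"
                   NotOnOrAfter="2015-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://edge.savi.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-01-15T09:59:58Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>researcher</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="affiliation">
      <saml:AttributeValue>SAVI</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _saml_time(value: str) -> datetime:
    """Parse the xs:dateTime form SAML timestamps use here (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_hold(root: ET.Element, audience: str, now: datetime) -> bool:
    """Check the Conditions element: validity window and audience restriction.
    An assertion without Conditions is rejected rather than trusted."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is not None and now < _saml_time(not_before):
        return False
    if not_on_or_after is not None and now >= _saml_time(not_on_or_after):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return audience in audiences


def attribute_assertion(root: ET.Element) -> Dict[str, List[str]]:
    """Collect the AttributeStatement as {name: [values]}; these are the subject
    attributes handed to the policy decision point."""
    attrs: Dict[str, List[str]] = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
        attrs[attribute.get("Name", "")] = values
    return attrs


def consume_assertion(xml_text: str, expected_issuer: str, audience: str,
                      now: datetime) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Accept the assertion only if the Issuer is the expected authentication
    authority, the validity window contains `now`, and this service is a named
    audience. Returns (subject NameID, attributes) on success, else None."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None
    if not conditions_hold(root, audience, now):
        return None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return None
    return subject, attribute_assertion(root)


if __name__ == "__main__":
    now = datetime(2015, 1, 15, 10, 2, tzinfo=timezone.utc)
    print(consume_assertion(SAMPLE_ASSERTION, "https://idp.example.test",
                            "https://edge.savi.example.test", now))
```

The audience check is what stops an assertion issued for one SAVI service from being replayed at another, and the NotOnOrAfter comparison uses the relying party's own clock, never a time carried in the request.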

Page 5

Authorization Interoperability Standards: eXtensible Access Control Markup Language (XACML)

Policy server distributes policy changes to all network elements using XACML

[Figure: the policy server in SAVI distributes XACML policies (as XML) to the federation layer, the virtualization layer, the Openflow switch and the firewall.]

Page 6

SAVI Access Control Technologies

Responsibility: owner, custodian, user.

Security policy determines access control.

Digital certificates and access control: certificates can store subjects' roles and permissions.

Accountability vs. enforcement: log analysis vs. strict control.

Role-Based Access Control (RBAC): access based on users' roles. Role assignment, role authentication, action authorization.

Attribute-Based Access Control (ABAC): based on user attributes and object metadata.

Access-control lists (ACL): lists of specific users and groups and their permissions.

Under Development

Empty Role: contains just roles without any associated role.

Explicit Capability Mapping: roles have capabilities not in the context of any given resource.

Restricted Roles: the role, capability, resource collection will be complete.

Page 7

Attribute Based Access Control (ABAC)

Subject attributes: related to a subject (e.g. user, application, process) and define the identity and characteristics of the subject. E.g. identifier, name, job title, role.

Resource attributes: associated with a resource (web service, system function, or data). E.g. Dublin Core metadata elements.

Environment attributes: describe the operational, technical, or situational environment or context in which the information access occurs. E.g. current date and time, current threat level, network security classification.

Page 8

ABAC Policy Formulation

1. S, R, and E are subjects, resources, and environments, respectively;

2. $SA_k\ (1 \le k \le K)$, $RA_m\ (1 \le m \le M)$, and $EA_n\ (1 \le n \le N)$ are the pre-defined attributes for subjects, resources, and environments, respectively;

3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations for subject s, resource r, and environment e, respectively:

$$\mathrm{ATTR}(s) \subseteq SA_1 \times SA_2 \times \cdots \times SA_K$$

$$\mathrm{ATTR}(r) \subseteq RA_1 \times RA_2 \times \cdots \times RA_M$$

$$\mathrm{ATTR}(e) \subseteq EA_1 \times EA_2 \times \cdots \times EA_N$$
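The attribute categories of page 7 and the ATTR(s), ATTR(r), ATTR(e) relations of page 8 carried through in Python, as an added example that is not code from the presentation or from SAVI. The attribute names, the two rules and the request values are constructed for illustration. Each entity is projected onto its pre-defined attribute set (the SA, RA and EA of the formulation), a deny-by-default rule list is evaluated over the three relations, and the name of the granting rule is returned so that the decision can be logged, which is the accountability side of page 6.

```python
from datetime import datetime, timezone
from typing import Any, Callable, Dict, FrozenSet, List, Optional, Tuple

Attrs = Dict[str, Any]
Rule = Callable[[Attrs, Attrs, Attrs], bool]

# Pre-defined attribute names SA_1..SA_K, RA_1..RA_M and EA_1..EA_N. These
# particular names are constructed for the example; the slides name only the
# three categories (subject, resource, environment) and a few sample attributes.
SUBJECT_ATTRS: FrozenSet[str] = frozenset({"identifier", "name", "job_title", "role"})
RESOURCE_ATTRS: FrozenSet[str] = frozenset({"type", "owner", "classification"})
ENV_ATTRS: FrozenSet[str] = frozenset({"time", "threat_level", "network_classification"})


def attr(entity: Attrs, predefined: FrozenSet[str]) -> Attrs:
    """ATTR(x): the attribute assignment relation, projected onto the pre-defined
    attribute set. Names outside SA_1..SA_K (or RA/EA) are dropped, so a request
    cannot satisfy a rule with an attribute the policy never defined."""
    return {name: value for name, value in entity.items() if name in predefined}


def owner_manages_own_resource(s: Attrs, r: Attrs, e: Attrs) -> bool:
    """The resource owner may manage it, unless the environment reports a high
    threat level: an environment attribute overriding a subject/resource match."""
    return (s.get("identifier") is not None
            and s.get("identifier") == r.get("owner")
            and e.get("threat_level") != "high")


def researcher_reads_testbed_in_hours(s: Attrs, r: Attrs, e: Attrs) -> bool:
    """Researchers may read non-restricted testbed resources between 08:00 and
    20:00 UTC from a network classified internal or restricted."""
    when: Optional[datetime] = e.get("time")
    return (s.get("role") == "researcher"
            and r.get("type") == "testbed"
            and r.get("classification") != "restricted"
            and when is not None and 8 <= when.hour < 20
            and e.get("network_classification") in ("internal", "restricted"))


# The policy is an ordered list of named rules; the name is what gets logged.
POLICY: List[Tuple[str, Rule]] = [
    ("owner_manages_own_resource", owner_manages_own_resource),
    ("researcher_reads_testbed_in_hours", researcher_reads_testbed_in_hours),
]


def decide(subject: Attrs, resource: Attrs, environment: Attrs,
           policy: List[Tuple[str, Rule]] = POLICY) -> Tuple[bool, Optional[str]]:
    """can_access(s, r, e) is decided from ATTR(s), ATTR(r) and ATTR(e).
    Deny by default: access is granted only when some rule evaluates to True.
    Returns the decision and the granting rule's name for the audit log.
    Environment attributes must come from the decision point's own sources
    (its clock, its threat feed), never from the requester."""
    s = attr(subject, SUBJECT_ATTRS)
    r = attr(resource, RESOURCE_ATTRS)
    e = attr(environment, ENV_ATTRS)
    for name, rule in policy:
        if rule(s, r, e):
            return True, name
    return False, None


if __name__ == "__main__":
    env = {"time": datetime.now(timezone.utc), "threat_level": "normal",
           "network_classification": "internal"}
    print(decide({"identifier": "alice", "role": "researcher"},
                 {"type": "testbed", "owner": "bob", "classification": "internal"}, env))
```

Because `attr` discards anything outside the pre-defined sets, a subject that presents a `threat_level` of its own is reduced to its legitimate attributes before any rule runs; the environment relation is populated only by the policy unit.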

Page 9

ABAC in SAVI Edge Node

[Figure: ABAC in the SAVI edge node. Components: Attribute & Policy Services; Resource APIs; Control Web Service; Policy Unit; Access Control; Service Catalog (Beacon); Trust Anchor; Policy Admin. Service; Identity Provider; Researcher. The researcher's SOAP message and the subject (SA), resource (RA) and environment (EA) attribute flows between these components are labelled 1-3.]