[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: PassThruAuthNMayHarmInterop
>>>>> "SF" == Stephen Farrell <stephen.farrell@baltimore.ie> writes:
SF> To give an example, think about a "typical" scenario: using
SF> the password associated with an LDAP entry to authenticate a
SF> user and storing some authorization information related to
SF> that user (there may well be additional authorization
SF> information elsewhere) in the same LDAP entry. The decision
SF> made at the F2F means that both the PEP and PDP
SF> *independently* have to access the same LDAP entry.
I think you're ignoring the role played by the attribute authority in
the domain model. It seems to me -- and I may be way off here -- that
per our domain model, one sample scenario would go something like
this:
1. The user passes a user name and password to an entity
acting as an Authentication Authority -and- as an Attribute
Authority.
2. The Authentication Authority checks the LDAP directory to
assure the correct username/password, and returns an AuthC
assertion expressing the identity of the user as well as an
Attribute assertion giving authorization attributes for the
user (such as group membership, role, etc.), retrieved from
the LDAP entry.
3. When trying to access a resource protected by a PEP, the
user presents the AuthC and Attribute assertions.
4. The PEP sends a request message to the PDP asking for a
decision on the user's authority to access the resource. In
the message, it includes the AuthC and Attribute
assertions.
5. The PDP returns an AuthZ decision assertion giving a yes or
no on the user's authorization to access the resource.
6. Based on the AuthZ decision assertion, the PEP allows or
denies access to the resource.
This seems fairly straightforward and doesn't seem to require passing
the username/password along with the assertions. One problem, of
course, is that the Attribute Authority needs to know -which-
attributes to put in the attribute assertion early on in the
flow. If we presume that the attribute assertion is directed towards a
particular PEP, this is probably OK. However, it's also possible to
have it work without prior knowledge of which attributes the PDP will
need:
1. User passes user name and password to an AuthC authority.
2. AuthC authority checks username and password against an
LDAP entry, returns an AuthC assertion identifying the
user.
3. When trying to access a resource protected by a PEP, the
user presents the AuthC assertions.
4. The PEP sends a request message to the PDP asking for a
decision on the user's authority to access the resource. In
the message, it includes the AuthC assertion.
5. The PDP sends a request message to the attribute authority
for the user, requesting particular authorization
attributes. It includes the AuthC assertion to identify the
user.
6. The attribute authority checks the LDAP directory and
returns an attribute assertion with the requested
attributes.
7. The PDP returns an AuthZ decision assertion giving a yes or
no on the user's authorization to access the resource.
8. Based on the AuthZ decision assertion, the PEP allows or
denies access to the resource.
Note that in step 6, the attr authority does not have the username and
password of the user, so it can't retrieve entries from the LDAP
directory under the user's authority, but instead uses its own
authority to check the attributes. This may be a good or bad thing,
depending on your point of view.
~ESP
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC