Ticket #1090 (closed task: fixed)

Opened 10 years ago

Last modified 9 years ago

[S] ESG SAML Authorisation Service Interface

Reported by: pjkersha
Owned by: pjkersha
Priority: required
Milestone: CMIP5 Security
Component: security
Version:
Keywords: security, ESG, SAML
Cc:

Description

For ESG, a SAML interface is planned to enable a Data Node to call out to the Authorisation Service on a Gateway to get an access control decision for a given secured resource. This replaces the existing ticket-based system. ANL are prototyping a Java implementation.

The NDG Security architecture currently uses WSGI filters configured to call a local PDP within the middleware stack. This means policy is governed in a policy file, one per application.

  • Extend the NDG Security SAML package to include Authz Decision statements and serialisation for the SOAP interface.
  • Write Authorisation Service (Standalone PDP)
  • Extend policy file syntax to handle the identity of the application that has made the request as well as the URI requested.
  • Make a new PEP filter interface to call out to the Authorisation Service over the SAML SOAP interface.
  • Test against ANL implementation to check for interoperability.

Writing this interface will enable NDG Security secured code to be deployed on a data node controlled by an ESG s/w stack based Authorisation Service on a Gateway. Likewise, an ESG Data Node could be deployed secured against an NDG Security based Authorisation Service.

It will also enable access policy for CEDA services to be centralised in one place.

Change History

comment:1 Changed 9 years ago by pjkersha

  • Status changed from new to closed
  • Resolution set to fixed

Completed for NDG Security 2.0.0
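
The PEP callout to the Authorisation Service from the ticket's task list, shown as an added example (not NDG Security or ESG code): it builds a SAML 2.0 AuthzDecisionQuery inside a SOAP 1.1 envelope and reads the decision back, denying access unless a matching Permit is returned. The function names and any URIs passed in are assumptions, and the response is assumed to have been authenticated already (TLS and XML signature checks are outside this block).

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example; hypothetical helper names. Namespaces are the SAML 2.0 / SOAP 1.1 ones.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GHPP = "urn:oasis:names:tc:SAML:1.0:action:ghpp"  # GET/HEAD/PUT/POST actions
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for prefix, uri in (("soap", SOAP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

def build_query(issuer, subject, resource, action="GET"):
    """PEP side: return (query_id, SOAP-wrapped AuthzDecisionQuery bytes)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    qid = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    q = ET.SubElement(body, f"{{{SAMLP}}}AuthzDecisionQuery",
                      ID=qid, Version="2.0", IssueInstant=now, Resource=resource)
    # Issuer identifies the requesting application, Subject the end user.
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    ET.SubElement(q, f"{{{SAML}}}Action", Namespace=GHPP).text = action
    return qid, ET.tostring(env)

def is_permitted(soap_response, query_id, resource, action="GET"):
    """Fail closed: True only for a successful Permit matching this query."""
    try:
        root = ET.fromstring(soap_response)
    except ET.ParseError:
        return False
    resp = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response")
    # Reject responses that are not bound to the query we sent.
    if resp is None or resp.get("InResponseTo") != query_id:
        return False
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False
    path = f"{{{SAML}}}Assertion/{{{SAML}}}AuthzDecisionStatement"
    for stmt in resp.findall(path):
        actions = [a.text for a in stmt.findall(f"{{{SAML}}}Action")]
        if stmt.get("Resource") == resource and action in actions:
            # Deny and Indeterminate both map to "no access".
            return stmt.get("Decision") == "Permit"
    return False
```
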
