DESCRIPTION

Slides comparing conventional access control, where the application itself requires a [name,password] cred when submitOrder() is called, with claims-based access control, where submitOrder() instead requires a {role} claim issued by the security token service sts_authentication (an authentication service) and, in the delegated variant, a {submit order} claim issued by sts_authorization. PowerPoint PPT Presentation.


Page 1: conventional access control


Page 2: conventional access control

  Participants: client, application.

  Application policy: submitOrder() requires [name,password] cred

  1. Client reads the policy for submitOrder().
  2. Client calls submitOrder() including [planky, ****].

Page 3: conventional access control

  claims-based access control: authentication service

  Participants: client, application, security token service sts_authentication.

  Policy:
    submitOrder() requires {role} from sts_authentication
    {role} requires [name,password] cred

  1. Client reads the policy for submitOrder().
  2. Client reads the policy for "request security token" at sts_authentication.
  3. Client requests a security token, passing [planky, ****].

Page 4: conventional access control

  claims-based access control: authentication service (continued)

  sts_authentication mapping: (planky, ****) -> {role = purchaser}

  4. Request security token response: {role=purchaser} signed by sts_authentication.
  5. Client calls "submit order" with the security token {role=purchaser} signed by sts_authentication.

  Application policy: "submit order" requires {role} from sts_authentication

Page 5: conventional access control

  claims-based access control: delegated authentication and authorization

  Participants: client, application,
    security token service sts_authorization ("authorization claims provider"),
    security token service sts_authentication ("identity claims provider").

  Policy:
    submitOrder() requires {submit order} from sts_authorization
    {submit order} requires {role} claim from sts_authentication
    {role} requires [kerb ticket] or [name/pwd] cred

  1. Client reads the policy for submitOrder().
  2. Client reads the policy for "request security token" at sts_authorization.
  3. Client reads the policy for "request security token" at sts_authentication.
  4. Client requests a security token, passing [planky's kerb ticket].

Page 6: conventional access control

  claims-based access control: delegated authentication and authorization (continued)

  sts_authentication mapping: planky -> {role = purchaser}
    issues: {role=purchaser} signed by sts_authentication

  sts_authorization mapping: {role = purchaser} -> {submit order = true}
    issues: {submit order = true} signed by sts_authorization

  Client presents {role=purchaser} signed by sts_authentication to sts_authorization,
  receives {submit order = true} signed by sts_authorization,
  and calls submitOrder() with that security token.

  Application policy:
    submitOrder() requires {submit order} claim from sts_authorization
    submitOrder() requires {role} claim from sts_authentication
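Slides 3 to 6 show the exchanges only as a diagram. The following Python script is an added example, not part of the deck and not the presenter's code, that simulates the same parties end to end: sts_authentication maps a credential ([name/pwd] or a kerb ticket) to a signed {role} claim, sts_authorization exchanges a valid {role=purchaser} claim from sts_authentication for a signed {submit order = true} claim, and the application's submitOrder() accepts only a token that carries that claim and is signed by sts_authorization. The signing keys, the credential store, the ticket string and every function name are constructed for the example; HMAC-SHA256 stands in for whatever signature format a real security token service would use.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing keys: each STS holds its own key. With HMAC the verifier
# needs the same key, so in practice each STS would sign with a private key and
# relying parties would hold only the matching public key.
STS_AUTHN_KEY = b"sts_authentication-constructed-key"
STS_AUTHZ_KEY = b"sts_authorization-constructed-key"

# Constructed credential store and mappings for the example.
USERS = {"planky": "****"}                                 # [name/pwd] cred
KERB_TICKETS = {"TKT-planky-constructed": "planky"}        # [kerb ticket] cred
USER_ROLES = {"planky": "purchaser"}                       # mapping: planky -> {role = purchaser}
ROLE_PERMISSIONS = {"purchaser": {"submit order": True}}   # mapping: {role = purchaser} -> {submit order = true}


def _canonical(issuer: str, claims: dict) -> bytes:
    """Canonical byte form of a token body, so signer and verifier hash the same thing."""
    return json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True).encode()


def issue_token(claims: dict, issuer: str, key: bytes) -> dict:
    """Issue a security token: the claims plus an HMAC-SHA256 signature by the issuer."""
    sig = hmac.new(key, _canonical(issuer, claims), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": claims, "sig": sig}


def verify_token(token: dict, expected_issuer: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is signed by expected_issuer and unaltered, else None."""
    if token.get("issuer") != expected_issuer:
        return None
    expected = hmac.new(key, _canonical(expected_issuer, token.get("claims")), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(token.get("sig", ""))):
        return None
    return token["claims"]


def sts_authentication(credential: dict) -> Optional[dict]:
    """Identity claims provider: {role} requires [kerb ticket] or [name/pwd] cred."""
    if "kerb_ticket" in credential:
        name = KERB_TICKETS.get(credential["kerb_ticket"])
    elif USERS.get(credential.get("name")) == credential.get("password"):
        name = credential.get("name")
    else:
        name = None
    if name is None or name not in USER_ROLES:
        return None
    return issue_token({"role": USER_ROLES[name]}, "sts_authentication", STS_AUTHN_KEY)


def sts_authorization(identity_token: dict) -> Optional[dict]:
    """Authorization claims provider: {submit order} requires a {role} claim from sts_authentication."""
    claims = verify_token(identity_token, "sts_authentication", STS_AUTHN_KEY)
    if claims is None:
        return None
    permissions = ROLE_PERMISSIONS.get(claims.get("role"), {})
    if not permissions.get("submit order"):
        return None
    return issue_token({"submit order": True}, "sts_authorization", STS_AUTHZ_KEY)


def submit_order(authz_token: dict) -> bool:
    """Application: submitOrder() requires a {submit order} claim from sts_authorization."""
    claims = verify_token(authz_token, "sts_authorization", STS_AUTHZ_KEY)
    return claims is not None and claims.get("submit order") is True


def delegated_flow(credential: dict) -> bool:
    """Client side of slides 5 and 6: identity token, then authorization token, then submitOrder()."""
    identity_token = sts_authentication(credential)
    if identity_token is None:
        return False
    authz_token = sts_authorization(identity_token)
    if authz_token is None:
        return False
    return submit_order(authz_token)


if __name__ == "__main__":
    print("kerb ticket:", delegated_flow({"kerb_ticket": "TKT-planky-constructed"}))
    print("name/pwd:   ", delegated_flow({"name": "planky", "password": "****"}))
    print("bad pwd:    ", delegated_flow({"name": "planky", "password": "wrong"}))
```

Running it shows the two properties that make the delegation safe: the application never sees a password or kerb ticket and never consults the role mapping itself, and it rejects an identity token from sts_authentication presented directly, a token whose claims were altered after signing, and a token signed with a key it does not trust.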