Cloud Unit 4
INTER-CLOUD RESOURCE MANAGEMENT
Cloud of Clouds (Intercloud)
Intercloud, or "cloud of clouds", refers to a theoretical model for cloud computing services in which many different individual clouds are combined into one seamless mass with respect to on-demand operations.
The intercloud would simply make sure that a cloud could use resources beyond its own reach, taking advantage of pre-existing contracts with other cloud providers.
No single cloud has infinite physical resources or a ubiquitous geographic footprint.
A cloud whose computational and storage resources are saturated can still satisfy further service-allocation requests from its clients only by drawing on the resources of another cloud.
A single cloud therefore cannot always fulfil the requests or provide the required services on its own.
When two or more clouds have to communicate with each other, an intermediary comes into play and federates the resources of the two or more clouds.
In the intercloud this intermediary is known as a "cloud broker", or simply a "broker".
The broker is the entity that introduces the cloud service customer (CSC) to the cloud service provider (CSP).
Inter-Cloud Resource Management consists of
Extended Cloud Computing Services
Resource Provisioning and Platform Management
Virtual Machine Creation and Management
Global Exchange of Cloud Resources
Extended Cloud Computing Services
Fig: Six layers of cloud services and their providers
Six layers of cloud services
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Hardware/Virtualization Cloud Services (HaaS)
Network Cloud Services (NaaS)
Collocation Cloud Services (LaaS)
The top layer offers SaaS, which provides cloud applications.
PaaS sits on top of the IaaS infrastructure.
The bottom three layers are more related to physical requirements.
The bottommost layer provides Hardware as a Service (HaaS).
NaaS is used for interconnecting all the hardware components.
Location as a Service (LaaS) is the collocation service that houses and physically secures all the hardware and network resources. Because of this protective role, some authors also call this layer Security as a Service.
The cloud infrastructure layer can be further subdivided as
Data as a Service (DaaS)
Communication as a Service (CaaS)
Infrastructure as a Service (IaaS)
Cloud players are divided into three classes:
Cloud service providers and IT administrators
Software developers or vendors
End users or business users
Table: Cloud Differences in Perspective of Providers, Vendors, and Users
Cloud Service Tasks and Trends
SaaS is mostly used for business applications.
E.g. CRM (Customer Relationship Management), used for business promotion, direct sales and marketing services.
PaaS is provided by Google, Salesforce.com, Facebook, etc.
IaaS is provided by Amazon, Windows Azure, Rackspace, etc.
Collocation services provide security to the lower layers.
Network cloud services provide communications.
Software Stack for Cloud Computing
The software stack of cloud computing can be viewed as layers.
Each layer has its own purpose and provides the interface for the upper layers.
The lower layers are not completely transparent to the upper layers.
Runtime Support Services
Runtime support refers to the software needed by applications at run time.
SaaS provides software applications as a service rather than requiring users to purchase the software.
On the customer side there is no upfront investment in servers.
Provisioning Methods
Three cases of static cloud resource provisioning policies are considered.
Static cloud resource provisioning cases
Case (a): over-provisioning for the peak load causes heavy resource waste (the shaded area between the fixed capacity and the actual demand).
Case (b): under-provisioning of resources results in losses for both user and provider. Users have paid for demand (the shaded area above the capacity line) that is never served.
Case (c): constant provisioning against a declining user demand results in even worse resource waste. The user may give up the service by cancelling the demand, resulting in reduced revenue for the provider.
Both the user and the provider may be losers in resource provisioning without elasticity.
Resource-provisioning methods are
Demand-driven method: provides static resources; it has been used in grid computing for many years.
Event-driven method: based on the workload predicted for a given time.
Popularity-driven method: based on monitored Internet traffic.
Demand-Driven Methods
This method adds or removes nodes (VMs) based on the current utilization level of the allocated resources.
When a resource has exceeded a threshold (upper limit) for a certain amount of time, the scheme increases that resource (adds nodes) to meet the demand.
When a resource stays below a threshold for a certain amount of time, resources can be decreased accordingly.
This method is easy to implement.
The scheme does not work out properly if the workload changes abruptly, because the threshold must stay exceeded for the whole sustain period before any node is added, and during that lag the excess demand goes unserved.
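The following is an added example, not part of the original notes: a small simulation of the demand-driven scheme just described next to the static cases above. A fixed-capacity deployment is compared with a threshold scaler that adds nodes only after utilization has stayed above the upper threshold for a sustained number of ticks. The demand series, node size, thresholds and sustain window are constructed assumptions chosen to make the abrupt-change weakness visible.

```python
"""Demand-driven (threshold) provisioning versus static provisioning, simulated.

Added example: demand values, node capacity and thresholds are constructed
assumptions, not figures from the lecture notes.
"""

# Constructed workload: three quiet ticks, then an abrupt jump to six times the load.
DEMAND_SPIKE = [10, 10, 10, 60, 60, 60, 60, 60]


def simulate_static(demand, capacity):
    """Static provisioning: return (waste, unmet) in capacity-units x ticks.

    waste = idle capacity the provider pays for (shaded area of cases (a)/(c))
    unmet = demand above capacity that is never served (shaded area of case (b))
    """
    waste = sum(max(capacity - d, 0) for d in demand)
    unmet = sum(max(d - capacity, 0) for d in demand)
    return waste, unmet


def simulate_demand_driven(demand, node_capacity, initial_nodes,
                           high=0.8, low=0.3, sustain=2, step=1, min_nodes=1):
    """Threshold scaler: add `step` nodes after utilization > `high` for
    `sustain` consecutive ticks; remove `step` nodes after utilization < `low`
    for `sustain` consecutive ticks. Returns (waste, unmet, nodes_per_tick).

    The scaling decision for tick t is taken after tick t has been served, so
    new nodes are only available from tick t+1 on: that lag is what hurts when
    the workload changes abruptly.
    """
    nodes, above, below = initial_nodes, 0, 0
    waste = unmet = 0
    trace = []
    for d in demand:
        capacity = nodes * node_capacity
        trace.append(nodes)
        waste += max(capacity - d, 0)
        unmet += max(d - capacity, 0)
        utilization = d / capacity
        if utilization > high:
            above, below = above + 1, 0
        elif utilization < low:
            above, below = 0, below + 1
        else:
            above = below = 0
        if above >= sustain:
            nodes, above = nodes + step, 0
        elif below >= sustain and nodes > min_nodes:
            nodes, below = max(min_nodes, nodes - step), 0
    return waste, unmet, trace


if __name__ == "__main__":
    print("static, sized for peak :", simulate_static(DEMAND_SPIKE, 60))
    print("static, sized for base :", simulate_static(DEMAND_SPIKE, 20))
    waste, unmet, trace = simulate_demand_driven(DEMAND_SPIKE, node_capacity=10,
                                                 initial_nodes=2, step=2)
    print("demand-driven          :", (waste, unmet), "nodes per tick:", trace)
```

With these inputs the static deployment sized for the peak wastes 150 capacity-ticks and serves everything, the one sized for the base load wastes 30 but leaves 200 unserved, and the threshold scaler wastes only 30 yet still leaves 120 unserved because two full sustain windows pass before it has caught up with the spike.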
Event-Driven Resource Provisioning
This scheme adds or removes machine instances based on a specific time event.
The scheme works better for seasonal or predicted events such as Christmastime in the West and the Lunar New Year in the East.
During these events the number of users grows before the event period and then decreases during the event period. This scheme anticipates peak traffic before it happens.
The method results in a minimal loss of QoS if the event is predicted correctly.
Popularity-Driven Resource Provisioning
In this method the Internet is searched for the popularity of certain applications, and resources are allocated according to the popularity demand.
This scheme has a minimal loss of QoS if the predicted popularity is correct.
Resources may be wasted if traffic does not occur as expected.
Dynamic Resource Deployment
The cloud uses VMs as building blocks to create an execution environment across multiple resource sites.
Dynamic resource deployment can be implemented to achieve scalability in performance.
Peering arrangements established between gateways enable the allocation of resources from multiple grids to establish the execution environment.
InterGrid is used for interconnecting distributed computing infrastructures.
InterGrid provides an execution environment on top of the interconnected infrastructures.
An InterGrid Gateway (IGG) allocates resources from
an organization's local cluster, or
a cloud provider.
Under peak demand, an IGG interacts with another IGG that can allocate resources from a cloud computing provider.
A component called the DVE manager performs resource allocation and management.
An IGG allocates resources from a local cluster in three steps:
(1) requesting the VMs (resources),
(2) enacting (validating) the leases,
(3) deploying (installing) the VMs as requested.
Fig: Cloud resource deployment using an IGG (InterGrid gateway) to allocate the VMs from a local cluster and to interact with the IGG of a public cloud provider.
A grid has predefined peering arrangements with other grids, which the IGG manages. Through multiple IGGs, the system coordinates the use of InterGrid resources.
An IGG is aware of the peering terms with other grids, selects suitable grids that can provide the required resources, and replies to requests from other IGGs.
Request redirection policies determine which peering grid InterGrid selects to process a request and the price for which that grid will perform the task.
An IGG can also allocate resources from a cloud provider.
The InterGrid allocates and provides a distributed virtual environment (DVE).
This is a virtual cluster of VMs that runs isolated from other virtual clusters.
The DVE manager performs resource allocation and management on behalf of specific user applications.
The core component of the IGG is a scheduler for implementing provisioning policies and peering with other gateways.
The communication component provides an asynchronous message-passing mechanism.
Provisioning of Storage Resources
The storage layer is built on top of the physical or virtual servers.
Data is stored in the clusters of the cloud provider.
The service can be accessed anywhere in the world.
E.g.:
An e-mail system might have millions of users, and each user can have thousands of e-mails and consume multiple gigabytes of disk space.
A web search application.
Such huge amounts of information are stored mainly on hard disk drives; in storage technology, hard disk drives may be augmented with solid-state drives in the future.
Virtual Machine Creation and Management
Independent Service Management:
Independent services request facilities to execute many unrelated tasks.
Commonly, the APIs provided are web services that the developer can use conveniently.
Running Third-Party Applications
Cloud platforms have to provide support for building applications that are constructed by third-party application providers or programmers.
The APIs are often in the form of services.
Web service application engines are often used by programmers for building applications.
Web browsers are the user interface for end users.
Virtual Machine Manager
The manager manages the VMs deployed on a set of physical resources.
VIEs (Virtual Infrastructure Engines) can create and stop VMs on a physical cluster.
Users submit VMs to physical machines running different kinds of hypervisors.
To deploy a VM, the manager needs to use its template (see Virtual Machine Templates below).
OAR/Kadeploy is a deployment tool.
API (Application Programming Interface): an API is a software intermediary that makes it possible for application programs to interact with each other and share data.
Virtual Machine Templates
A VM template is analogous to a computer's configuration and contains a description for a VM with the following static information:
The number of cores or processors to be assigned to the VM
The amount of memory the VM requires
The kernel used to boot the VM's operating system
The disk image containing the VM's file system
The price per hour of using a VM
Distributed VM Management
A distributed VM manager makes requests for VMs and queries their status.
This manager requests VMs from the gateway on behalf of the user application.
The manager obtains the list of requested VMs from the gateway.
This list contains a tuple of public IP/private IP addresses for each VM, together with Secure Shell (SSH) tunnels.
Global Exchange of Cloud Resources
Cloud infrastructure providers (i.e., IaaS providers) have established data centers in multiple geographical locations to provide redundancy and ensure reliability in case of site failures.
At the time the source text was written, however, Amazon did not provide seamless/automatic mechanisms for scaling its hosted services across multiple geographically distributed data centers.
This approach has many shortcomings:
First, it is difficult for cloud customers to determine in advance the best location for hosting their services, as they may not know where the consumers of their services will come from.
Second, SaaS providers may not be able to meet the QoS expectations of service consumers originating from multiple geographical locations.
The figure shows the high-level components of the Melbourne group's proposed InterCloud architecture.
Fig: Inter-cloud exchange of cloud resources through brokering
Figure 5.7 Enterprise IAM functional architecture
Entitlement management: Entitlements are also referred to as authorization policies. The processes in this domain address the provisioning and deprovisioning of the privileges a user needs to access resources, including systems, applications and databases. Proper entitlement management ensures that users are assigned only the privileges they require (least privilege).
Compliance management: This process ensures that access rights and privileges are monitored and tracked to protect the enterprise's resources. It also helps auditors verify compliance with the various internal access control policies and standards, which include practices such as segregation of duties, access monitoring, periodic auditing and reporting. An example is a user certification process that lets application owners certify that only authorized users have the privileges necessary to access business-sensitive information.
Identity federation management: Federation is the process of managing the trust relationships established beyond the internal network boundaries or administrative domain boundaries among distinct organizations. A federation is an association of organizations that come together to exchange information about their users and resources to enable collaboration and transactions.
Centralization of authentication (authN) and authorization (authZ): A central authentication and authorization infrastructure removes the need for application developers to build custom authentication and authorization features into their applications. Furthermore, it promotes a loosely coupled architecture in which applications become agnostic to the authentication methods and policies. This approach is also called "externalization of authN and authZ from applications".
Figure 5.8 Identity Lifecycle
IAM Standards and Specifications for Organisations
The following IAM standards and specifications help organizations implement effective and efficient user access management practices and processes in the cloud. The sections are ordered by four major challenges in user and access management faced by cloud users:
1. How can I avoid duplication of identity, attributes and credentials and provide a single sign-on user experience for my users? SAML.
2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning? SPML.
IAM Practices in the Cloud
Compared with the traditional model of deploying applications within the enterprise, IAM practices in the cloud are still evolving. In the current state of IAM technology, standards support by CSPs (SaaS, PaaS and IaaS) is not consistent across providers. Although large providers such as Google, Microsoft and Salesforce.com demonstrate basic IAM capabilities, our assessment is that they still fall short of enterprise IAM requirements for managing regulatory, privacy and data protection requirements. The maturity model takes into account the dynamic nature of IAM users, systems and applications in the cloud and addresses the four key components of the IAM automation process:
• User Management, New Users
• User Management, User Modifications
• Authentication Management
• Authorization Management
IAM practices and processes are applicable to cloud services, but they need to be adjusted to the cloud environment. Broadly speaking, user management functions in the cloud can be categorized as follows:
• Cloud identity administration, federation or SSO
• Authorization management
• Compliance management
Cloud Identity Administration: Cloud identity administrative functions should focus on life cycle management of user identities in the cloud: provisioning, deprovisioning, identity federation, SSO, password or credential management, profile management and administrative management. Organizations that are not capable of supporting federation should explore cloud-based identity management services. This new breed of service usually synchronizes an organization's internal directories with its own (usually multitenant) directory and acts as a proxy IdP for the organization.
Federated Identity (SSO): Organizations planning to implement identity federation that enables SSO for users can take one of the following two paths (architectures):
• Implement an enterprise IdP within the organization's perimeter.
• Integrate with a trusted cloud-based identity management service provider.
Both architectures have pros and cons.
Enterprise identity provider: In this architecture, cloud services delegate authentication to the organization's IdP. In this delegated authentication architecture, the organization federates identities within a trusted circle of CSP domains. A circle of trust can be created with all the domains that are authorized to delegate authentication to the IdP. In this deployment architecture, where the organization provides and supports the IdP, greater control can be exercised over user identities, attributes, credentials, and the policies for authenticating and authorizing users to a cloud service.
Fig: IdP deployment architecture
Security Standards
Security standards define the processes, procedures and practices necessary for implementing a security program. These standards also apply to cloud-related IT activities and include specific steps that should be taken to ensure that a secure environment is maintained which provides privacy and security for confidential information in a cloud environment. Security standards are based on a set of key principles intended to protect this type of trusted environment. Messaging standards, especially for security in the cloud, must also include nearly all the same considerations as any other IT security endeavor.
Security (SAML, OAuth, OpenID, SSL/TLS)
A basic philosophy of security is to have layers of defense, a concept known as defense in depth. This means having overlapping systems designed to provide security even if one system fails. An example is a firewall working in conjunction with an intrusion-detection system (IDS). Defense in depth provides security because there is no single point of failure and no single entry vector at which an attack can succeed. No single security system is a solution by itself, so it is far better to secure all systems. This type of layered security is precisely what we are seeing develop in cloud computing. Traditionally, security was implemented at the endpoints, where the user controlled access. An organization had no choice except to put firewalls, IDSs and antivirus software inside its own network. Today, with the advent of managed security services offered by cloud providers, additional security can be provided inside the cloud.
Security Assertion Markup Language (SAML)
SAML is an XML-based standard for communicating authentication, authorization and attribute information among online partners. It allows businesses to securely send assertions between partner organizations regarding the identity and entitlements of a principal. The Organization for the Advancement of Structured Information Standards (OASIS) Security Services Technical Committee is in charge of defining, enhancing and maintaining the SAML specifications.
SAML is built on a number of existing standards, namely SOAP, HTTP and XML. SAML relies on HTTP as its communications protocol and specifies the use of SOAP (currently version 1.1). Most SAML transactions are expressed in a standardized form of XML; SAML assertions and protocols are specified using XML Schema. Both SAML 1.1 and SAML 2.0 use digital signatures (based on the XML Signature standard) for authentication and message integrity. XML Encryption is supported in SAML 2.0, whereas SAML 1.1 has no encryption capabilities. SAML defines XML-based assertions and protocols, bindings and profiles.
The term SAML Core refers to the general syntax and semantics of SAML assertions as well as the protocol used to request and transmit those assertions from one system entity to another. The SAML protocol refers to what is transmitted, not how it is transmitted. A SAML binding determines how SAML requests and responses map onto standard messaging protocols. An important (synchronous) binding is the SAML SOAP binding.
SAML standardizes queries for, and responses that contain, user authentication, entitlement and attribute information in an XML format. This format can then be used to request security information about a principal from a SAML authority. A SAML authority, sometimes called the asserting party, is a platform or application that can relay security information. The relying party (or assertion consumer or requesting party) is a partner site that receives the security information.
The exchanged information deals with a subject's authentication status, access authorization and attribute information. A subject is an entity in a particular domain. A person identified by an e-mail address is a subject, as might be a printer.
SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access control decisions. Three types of statement are provided by SAML: authentication statements, attribute statements and authorization decision statements. Using the SAML 2.0 element names, an assertion packages the security information in this form:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="A" Version="2.0" IssueInstant="T">
  <saml:Issuer>I</saml:Issuer>
  <saml:Subject>
    <saml:NameID>S</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    C
  </saml:Conditions>
  <saml:AuthnStatement>
    ...
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    ...
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement>
    ...
  </saml:AuthzDecisionStatement>
</saml:Assertion>

The assertion shown above is interpreted as follows: assertion A, issued at time T by issuer I, regarding subject S, is valid provided conditions C hold. In SAML 2.0 the conditions are expressed as the NotBefore and NotOnOrAfter attributes and the AudienceRestriction children of saml:Conditions.
Authentication statements assert to a service provider that the principal did indeed authenticate with an identity provider at a particular time using a particular method of authentication. Other information about the authenticated principal (called the authentication context) may be disclosed in an authentication statement. An attribute statement asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access control decisions. An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E. The expressiveness of authorization decision statements in SAML is intentionally limited.
A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements. It provides processing rules that SAML entities must adhere to when using these elements. Generally, a SAML protocol is a simple request-response protocol. The most important type of SAML protocol request is a query. A service provider makes a query directly to an identity provider over a secure back channel. For this reason, query messages are typically bound to SOAP. Corresponding to the three types of statements, there are three types of SAML queries: the authentication query, the attribute query and the authorization decision query. Of these, the attribute query is perhaps the most important. The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement.
Open Authorization (OAuth)
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a simple, standardized way for various types of web applications. Cook and Messina had concluded that there were no open standards for API access delegation. The OAuth discussion group was created in April 2007 for the small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton of Google learned of the OAuth project and expressed interest in supporting the effort. In July 2007 the team drafted an initial specification, and it was released in October of the same year. OAuth is a method for publishing and interacting with protected data. For developers, OAuth provides users with access to their data while protecting their account credentials. OAuth allows users to grant a consumer application access to their information held by a service provider without sharing their credentials or all of their identity. The Core designation is used to stress that this is the baseline, and other extensions and protocols can build on it. By design, OAuth Core 1.0 does not provide many desired features (e.g., automated discovery of endpoints, language support, support for XML-RPC and SOAP, a standard definition of resource access, OpenID integration, signing algorithms beyond the three the Core defines, namely HMAC-SHA1, RSA-SHA1 and PLAINTEXT, etc.). This intentional lack of feature support is viewed by the authors as a significant benefit. The Core deals with the fundamental aspects of the protocol, namely establishing a mechanism by which the user's authorization at the service provider is exchanged for a token with defined rights, so that the consumer never handles the user's username and password, and providing tools (request signing) to protect that token. OAuth by itself provides no confidentiality at all and depends on other protocols such as SSL/TLS to accomplish that.
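The "tools to protect the token" in OAuth Core 1.0 are the request signature. The following added example (not from the original text or from the OAuth specification's own code) implements the HMAC-SHA1 method following the base-string and key construction of RFC 5849 §3.4 (the same rules as OAuth Core 1.0 §9): consumer side signing and service-provider side verification. The consumer key, token, secrets, nonce and URL are constructed values.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and server-side verification (added example).

Consumer key, token, secrets, nonce, timestamp and URL are constructed values.
Follows RFC 5849 §3.4 (identical to OAuth Core 1.0 §9); the secrets never
travel on the wire, only the signature proves possession of them.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def percent_encode(value):
    """RFC 5849 §3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay unencoded; hex digits are uppercase."""
    return quote(str(value), safe="-._~")


def normalize_base_url(url):
    """§3.4.1.2: lower-case scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    """§3.4.1: METHOD & enc(base URL) & enc(normalized parameters).

    `params` holds every query, body and oauth_* parameter except oauth_signature
    as (name, value) pairs; encoded pairs are sorted by name, then by value.
    """
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(normalize_base_url(url)), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """§3.4.2: key = enc(consumer secret) & enc(token secret); output is base64 of the HMAC-SHA1."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, query, consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    """Consumer side: build the oauth_* protocol parameters, including the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(query.items()) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def verify_request(method, url, query, oauth, consumer_secret, token_secret):
    """Service-provider side: recompute over the received parameters, compare in constant time.

    A real server additionally rejects any (consumer key, timestamp, nonce)
    triple it has already seen, which is what defeats replay of a captured request.
    """
    received = oauth.get("oauth_signature", "")
    params = list(query.items()) + [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


# Constructed credentials and request used for the demonstration.
CONSUMER_KEY, CONSUMER_SECRET = "ck-demo-consumer", "cs-demo-consumer-secret"
TOKEN, TOKEN_SECRET = "tok-demo-access", "ts-demo-token-secret"
PHOTO_URL = "https://photos.example.net/photos"
PHOTO_QUERY = {"file": "vacation.jpg", "size": "original"}

if __name__ == "__main__":
    signed = sign_request("GET", PHOTO_URL, PHOTO_QUERY, CONSUMER_KEY, CONSUMER_SECRET,
                          TOKEN, TOKEN_SECRET, nonce="n-demo-1", timestamp=137131202)
    print("oauth_signature:", signed["oauth_signature"])
    print("verifies:", verify_request("GET", PHOTO_URL, PHOTO_QUERY, signed, CONSUMER_SECRET, TOKEN_SECRET))
```

Because the signature covers the method, the normalized URL and every parameter, changing any of them (here, asking for a different file) invalidates it, and since the token secret is part of the HMAC key, a captured token is useless without the secret that was issued alongside it.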
OpenID
OpenID is an open, decentralized standard for user authentication that allows users to log on to many services using the same digital identity. It is a single sign-on (SSO) method. As such, it replaces the common log-in process (i.e. a log-in name and a password) by allowing users to log in once and gain access to resources across participating systems. The original OpenID authentication protocol was developed in May 2005 by Brad Fitzpatrick, creator of the popular community web site LiveJournal. In late June 2005, discussions began between OpenID developers and other developers from an enterprise software company named NetMesh. These discussions led to further collaboration on interoperability between OpenID and NetMesh's similar Light-Weight Identity (LID) protocol. The direct result of the collaboration was the Yadis discovery protocol, which was announced on October 24, 2005.
The Yadis specification provides a general-purpose identifier for a person or any other entity, which can be used with a variety of services. It provides a syntax for a resource description document identifying the services available using that identifier, and an interpretation of the elements of that document. The Yadis discovery protocol is used for obtaining the resource description document, given that identifier. Together these enable coexistence and interoperability of a rich variety of services using a single identifier. The identifier uses a standard syntax and a well-established namespace and requires no additional namespace administration infrastructure.
An OpenID takes the form of a unique URL and is authenticated by the entity hosting the OpenID URL. The OpenID protocol does not rely on a central authority to authenticate a user's identity. Neither the OpenID protocol nor any web site requiring identification can mandate that a specific type of authentication be used; nonstandard forms of authentication such as smart cards, biometrics, or ordinary passwords are allowed. A typical scenario for using OpenID might be something like this: a user visits a web site that displays an OpenID log-in form somewhere on the page. Unlike a typical log-in form, which has fields for user name and password, the OpenID log-in form has only one field, for the OpenID identifier (which is an OpenID URL). This form is connected to an implementation of an OpenID client library.
A user will have previously registered an OpenID identifier with an OpenID identity provider. The user types this OpenID identifier into the OpenID log-in form. The relying party then requests the web page located at that URL and reads an HTML link tag to discover the identity provider service URL. With OpenID 2.0, the client discovers the identity provider service URL by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml, which may be available at the target URL but is always available for a target XRI.
There are two modes by which the relying party can communicate with the identity provider: checkid_immediate and checkid_setup. In checkid_immediate, the relying party requests that the provider not interact with the user; all communication is relayed through the user's browser without explicitly notifying the user. In checkid_setup, the user communicates with the provider server directly, using the same web browser as is used to access the relying party site. The second option is more popular on the web.
To start a session, the relying party and the identity provider establish a shared secret, referenced by an association handle, which the relying party then stores. Using checkid_setup, the relying party redirects the user's web browser to the identity provider so that the user can authenticate with the provider. The method of authentication varies, but typically an OpenID identity provider prompts the user for a password, then asks whether the user trusts the relying party web site to receive his or her identity details. If the user declines the identity provider's request to trust the relying party web site, the browser is redirected to the relying party with a message indicating that authentication was rejected.
The site in turn refuses to authenticate the user. If the user accepts the identity provider's request to trust the relying party web site, the browser is redirected to the designated return page on the relying party web site along with a signed positive assertion carrying the user's identity details (the password itself is never passed to the relying party). The relying party must then confirm that the assertion really came from the identity provider. If they had previously established a shared secret, the relying party can verify the assertion's signature with the stored secret referenced by the association handle. In this case the relying party is considered to be stateful, because it stores the shared secret between sessions (a process sometimes referred to as persistence). In comparison, a stateless relying party must make a background request to the identity provider using the check_authentication method to be sure that the data came from the identity provider.
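The exchange described above, as an added example that is not part of the original notes or of any OpenID library: the identity provider (OP) signs its positive assertion with the association secret, the relying party checks the return URL, endpoint, required signed fields and nonce, and then verifies the signature either locally (stateful, using the stored shared secret) or by asking the OP through check_authentication (stateless). The signature follows OpenID Authentication 2.0 §6.1 (HMAC over the Key-Value form of the signed fields). Endpoint URLs and identifiers are constructed, and the association secret is generated in-process rather than through the real association phase.

```python
"""OpenID 2.0 positive assertion: OP-side signing, stateful and stateless RP checks.

Added example; not code from the OpenID specification or the original notes.
Endpoint URLs and identifiers are constructed; the association secret is
generated in-process (the real association phase obtains it over TLS or via
a Diffie-Hellman exchange).
"""
import base64
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields the RP insists are covered by the signature (the §10.1 list, with claimed_id/identity present).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


def kv_form(fields, keys):
    """Key-Value form (§4.1.1): 'key:value\\n' per field, in the order listed in openid.signed."""
    return "".join(f"{k}:{fields[k]}\n" for k in keys)


def sign_fields(fields, signed_keys, secret):
    """§6.1: base64(HMAC-SHA256(association secret, KV form of the signed fields without 'openid.'))."""
    mac = hmac.new(secret, kv_form(fields, signed_keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class OpenIDProvider:
    """Identity provider (OP) reduced to association, id_res and check_authentication."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.associations = {}      # assoc_handle -> shared secret (HMAC-SHA256 association)

    def associate(self):
        handle = secrets.token_urlsafe(16)
        self.associations[handle] = secrets.token_bytes(32)
        return handle, self.associations[handle]

    def positive_assertion(self, handle, claimed_id, return_to):
        """After a successful checkid_setup: the signed id_res fields relayed via the browser."""
        fields = {
            "ns": OPENID_NS, "mode": "id_res", "op_endpoint": self.endpoint,
            "claimed_id": claimed_id, "identity": claimed_id, "return_to": return_to,
            # UTC timestamp plus a unique suffix; an RP rejects any nonce it has seen before
            "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "assoc_handle": handle,
        }
        fields["signed"] = ",".join(REQUIRED_SIGNED)
        fields["sig"] = sign_fields(fields, REQUIRED_SIGNED, self.associations[handle])
        return {"openid." + k: v for k, v in fields.items()}

    def check_authentication(self, fields):
        """Stateless RP path (§11.4.2): the OP re-verifies the signature with the handle's secret."""
        secret = self.associations.get(fields.get("assoc_handle"))
        keys = fields.get("signed", "").split(",")
        ok = (secret is not None and all(k in fields for k in keys)
              and hmac.compare_digest(sign_fields(fields, keys, secret), fields.get("sig", "")))
        return f"ns:{OPENID_NS}\nis_valid:{'true' if ok else 'false'}\n"


class RelyingParty:
    def __init__(self, return_to, op_endpoint, op=None):
        self.return_to, self.op_endpoint, self.op = return_to, op_endpoint, op
        self.associations = {}      # stateful RP: handle -> secret kept between sessions
        self.seen_nonces = set()

    def verify(self, response):
        fields = {k[len("openid."):]: v for k, v in response.items() if k.startswith("openid.")}
        signed = fields.get("signed", "").split(",")
        # §11.1-11.3: right mode and endpoints, every required field signed and present, fresh nonce
        if fields.get("mode") != "id_res" or fields.get("return_to") != self.return_to:
            return False
        if fields.get("op_endpoint") != self.op_endpoint:
            return False
        if not all(k in signed for k in REQUIRED_SIGNED) or not all(k in fields for k in signed):
            return False
        nonce = (fields["op_endpoint"], fields["response_nonce"])
        if nonce in self.seen_nonces:
            return False
        secret = self.associations.get(fields["assoc_handle"])
        if secret is not None:      # stateful: check the MAC locally with the stored shared secret
            ok = hmac.compare_digest(sign_fields(fields, signed, secret), fields.get("sig", ""))
        else:                       # stateless: direct background request to the OP, not via the browser
            ok = self.op is not None and "is_valid:true\n" in self.op.check_authentication(fields)
        if ok:
            self.seen_nonces.add(nonce)   # recorded only for accepted assertions
        return ok


def demo(stateful=True):
    """True if a forged copy is rejected, the genuine assertion accepted, and its replay rejected."""
    op = OpenIDProvider("https://op.example.org/openid")
    rp = RelyingParty("https://rp.example.com/return", op.endpoint, op)
    handle, secret = op.associate()
    if stateful:
        rp.associations[handle] = secret
    response = op.positive_assertion(handle, "https://alice.example.org/", rp.return_to)
    tampered = dict(response, **{"openid.identity": "https://mallory.example.org/"})
    forged_rejected = not rp.verify(tampered)          # KV form changed, MAC no longer matches
    genuine_accepted = rp.verify(response)
    replay_rejected = not rp.verify(dict(response))    # same response_nonce seen again
    return forged_rejected and genuine_accepted and replay_rejected
```

The relying party records a nonce only after a response has verified, so a forged message cannot be used to burn the nonce of a genuine in-flight response; the stateless path relies on the OP's own check, which is why that request must go directly from the RP to the OP and never through the user's browser.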
SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide confidentiality and data integrity for communications over TCP/IP. TLS and SSL encrypt the application data of a network connection, sitting between the application and the transport layer (TCP). Several versions of the protocols are in general use in web browsers, e-mail, instant messaging and voice-over-IP. TLS is an IETF standard protocol: TLS 1.2 is specified in RFC 5246 and the current version, TLS 1.3, in RFC 8446. All SSL versions and TLS 1.0/1.1 are deprecated and should not be enabled.
The TLS protocol allows client/server applications to communicate across a network in a way specifically designed to prevent eavesdropping, tampering and message forgery. TLS provides endpoint authentication and data confidentiality by using cryptography. In the usual web deployment TLS authentication is one-way: only the server is authenticated, and the client remains unauthenticated at the TLS layer (the client is identified later, if at all, by application-level means such as a password). At the browser level, this means that the browser has validated the server's certificate; more specifically, it has checked the digital signatures of the server certificate's issuing chain of Certification Authorities (CAs).
Chain validation alone does not identify the server to the end user. For true identification the client must also verify that the name it intended to connect to (the host name in the URL) is among the names contained in the server's certificate, whose whole issuing CA chain has already been checked. This is the only way the identity of the server can be securely established. Malicious web sites cannot use another web site's valid certificate because they do not possess the private key that belongs to the certificate's public key, and without it they cannot complete the TLS handshake (they can neither sign the handshake nor decrypt the client's key exchange).
Since only a trusted CA can bind a host name to a public key by issuing a certificate, checking the host name the client is connecting to against the names in the certificate (today the Subject Alternative Name entries) is an acceptable way of identifying the site. TLS also supports a more secure bilateral connection mode whereby both ends of the connection can be assured that they are communicating with whom they believe they are connected. This is known as mutual (assured) authentication. Mutual authentication requires the TLS client to also hold a certificate and its private key.
TLS involves three basic phases:
1. Peer negotiation for algorithm support
2. Key exchange and authentication
3. Symmetric cipher encryption and message authentication
During the first phase the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, and the message authentication codes. The key exchange and authentication algorithms are typically public key algorithms. The message authentication codes are built from cryptographic hash functions. Once these decisions are made and the key exchange of the second phase has produced the session keys, encrypted data transfer may begin.
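As an added example (not part of the original notes), the following Python shows the two client-side decisions this section turns on: the weak TLS client configuration that skips chain validation and the name check, next to the hardened one, and the server-name check itself. The context functions use Python's standard ssl module; the name matcher is a from-scratch implementation of the RFC 6125 §6.4.3 wildcard rules applied to the certificate's dNSName entries, fed with a constructed certificate dictionary in the shape that SSLSocket.getpeercert() returns.

```python
"""TLS client configuration and server-name matching (added example).

Python's ssl module supplies the contexts; the name matcher below is an
own implementation of the RFC 6125 wildcard rules over dNSName entries,
tested here against a constructed getpeercert()-style dictionary.
"""
import ssl


def insecure_context():
    """The weak setting: no chain validation, no name check. Any certificate is accepted,
    so an active attacker can terminate the connection with a key of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """The corrected setting: CA chain validation against the system trust store,
    server-name check, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def dns_name_matches(pattern, hostname):
    """Match one dNSName entry against the requested host name (case-insensitive).

    Wildcard policy (RFC 6125 §6.4.3 as tightened by browsers): '*' must be the
    entire left-most label, at least two further labels must follow (so '*.com'
    never matches), and it stands for exactly one label, so '*.example.com'
    covers 'www.example.com' but neither 'a.b.example.com' nor 'example.com'.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    labels, host_labels = pattern.split("."), hostname.split(".")
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[1:]:
        return False
    return len(labels) == len(host_labels) and labels[1:] == host_labels[1:]


def certificate_matches_host(cert, hostname):
    """`cert` is a getpeercert()-style dict; only subjectAltName dNSName entries count.

    The Common Name is deliberately ignored: RFC 6125 deprecates it as an
    identifier and current browsers and Python's ssl no longer fall back to it.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in names)


# Constructed certificate metadata for the demonstration (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy-cn.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    print("default context hardened:", context_is_hardened(hardened_context()))
    print("insecure context hardened:", context_is_hardened(insecure_context()))
    for host in ("www.example.com", "v1.api.example.com", "a.b.api.example.com", "legacy-cn.example.com"):
        print(f"{host:24s} matches SAMPLE_CERT:", certificate_matches_host(SAMPLE_CERT, host))
```

With the hardened context, ssl.SSLSocket performs both the chain validation and this kind of name check itself when server_hostname is passed to wrap_socket; the explicit matcher is shown so that the rule the browser applies in the "true identification" step above is visible, and because custom clients that pin or inspect certificates still need it.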