Superando os riscos da segurança baseada em perímetro - Uma abordagem com identificação federada através de certificados digitais A3/ICP-Brasil e SAML

The traditional perimeter-based approach for computer network security (the castle and the moat model) hinders the progress of enterprise systems and promotes, both in administrators and users, the delusion that systems are protected. To deal with the new range of threats, a new data-safety oriented paradigm, called de-perimeterisation , began to be studied in the last decade. One of the requirements for the implementation of the de-perimeterised model of security is the definition of a safe and effective mechanism for federated identity. This work seeks to fill this gap by presenting the specification, modelling and implementation of a mechanism for federated identity, based on the combination of SAML and X.509 digital certificates stored in smart-cards, following the A3 standard of ICP-Brasil (Brazilian official certificate authority and PKI)

Commitment issues in delegation process

Delegation is a powerful mechanism to provide flexible and dynamic access control decisions. Delegation is particularly useful in federated environments where multiple systems, with their own security autonomy, are connected under one common federation. Although many delegation schemes have been studied, current models do not seriously take into account the issue of delegation commitment of the involved parties. In order to address this issue, this paper introduces a new mechanism to help parties involved in the delegation process to express commitment constraints, perform the commitments and track the committed actions. This mechanism looks at two different aspects: pre-delegation commitment and post-delegation commitment. In pre-delegation commitment, this mechanism enables the involved parties to express the delegation constraints and address those constraints. The post-delegation commitment phase enables those parties to inform the delegator and service providers how the commitments are conducted. This mechanism utilises a modified SAML assertion structure to support the proposed delegation and constraint approach.

Behavioral biometrics for persistent single sign-on

Driven by the rapid development of ubiquitous and pervasive computing, personalized services and applications are deployed to support our lives. Accordingly, the number of interfaces and devices (smartphone, tablet computer, etc.) provided to access and consume these services is growing continuously. To simplify the complexity of managing many accounts with different credentials, Single Sign-On (SSO) solutions have been introduced. However, a single password for many accounts represents a single-point-of-failure. Furthermore, once initiated SSO session is a high potential risk when the working station is left unlocked and unattended. In this paper, we present a conception of a Persistent Single Sign-On (PSSO) for ubiquitous home environments by involving the capabilities of Behavioral Biometrics to check the identity of the user continuously in an unobtrusive manner.

基于SAML2的单点登录服务器FAAS的设计与实现

单点登录是实现集中身份认证和数据统一管理的一种访问控制方法,它能够解决分布式系统的多重认证问题。在对单点登录以及安全断言标记语言(SAML)分析的基础上,设计和实现了基于SAML2的单点登录服务器FAAS(联邦认证授权服务器),并成功用于某上市企业ERP开发集成项目中。该设计的重点是SAML2的协议实现和FAAS的架构。

Identification and validation of the dopamine agonist bromocriptine as a novel therapy for high-risk myelodysplastic syndromes and secondary acute myeloid leukemia

Myelodysplastic syndromes (MDS) represent a broad spectrum of diseases characterized by their clinical manifestation as one or more cytopenias, or a reduction in circulating blood cells. MDS is predominantly a disease of the elderly, with a median age in the UK of around 75. Approximately one third of MDS patients will develop secondary acute myeloid leukemia (sAML) that has a very poor prognosis. Unfortunately, most standard cytotoxic agents are often too toxic for older patients. This means there is a pressing unmet need for novel therapies that have fewer side effects to assist this vulnerable group. This challenge was tackled using bioinformatic analysis of available transcriptomic data to establish a gene-based signature of the development and progression of MDS. This signature was then used to identify novel therapeutic compounds via statistically-significant connectivity mapping. This approach suggested re-purposing an existing and widely-prescribed drug, bromocriptine as a novel potential therapy in these disease settings. This drug has shown selectivity for leukemic cells as well as synergy with current therapies.

Modelado basado en agentes : simulación de sistemas complejos en las Ciencias Sociales.

El proyecto se ha realizado en el Departamento de Organización y Gestión de Empresas, con sede en la Escuela Técnica Superior de Ingenieros Industriales de la Universidad de Valladolid. Los cinco profesores implicados en el trabajo forman el denominado grupo de Ingeniería de los Sistemas Sociales (INSISOC). El objetivo principal es crear un documento docente que recoja los fundamentos de las aplicaciones de Inteligencia Artificial Distribuida (Sistema Multiagente), a la Economía y las Ciencias Sociales en general. Se ha elaborado un tutorial básico del lenguaje de programación SDML y se han incluido dos ejemplos de su utilización. Como consecuencia del trabajo, el grupo INSISOC ha consolidado una biblioteca de fundamentos y aplicaciones de los sistemas multiagente. Este trabajo ha sido presentado en otras Universidades, en congresos y workshops. El grupo INSISOC consolida un papel de 'transfer' de la investigación más avanzada a la docencia universitaria, tanto en estudio de segundo ciclo o grado superior como en estudios de tercer ciclo. La evaluación obtenida de otros colegas universitarioos es muy positiva, pues no existen materiales publicados con los contenidos desarrollados. El volumen es susceptible de publicación y comercialización viable económicamente. La elaboración del proyecto ha supuesto el uso de las instalaciones del laboratorio de Organización Industrial y Producción del Escuela Técnica Superior de Ingenieros Industriales de Valladolid. Se ha utilizado el lenguaje de programación SAML, además de software edición.

Identity Provider Shibboleth per il servizio di federazione e Single Sign-On di Ateneo

L’università di Bologna, da sempre attenta alle nuove tecnologie e all’innovazione, si è dotata nel 2010 di un Identity Provider (IDP), ovvero un servizio per la verifica dell’identità degli utenti dell’organizzazione tramite username e password in grado di sollevare le applicazioni web (anche esterne all’organizzazione) dall’onere di verificare direttamente le credenziali dell’utente delegando totalmente la responsabilità sul controllo dell’identità digitale all’IDP. La soluzione adottata (Microsoft ADFS) si è dimostrata generalmente semplice da configurare e da gestire, ma ha presentato problemi di integrazione con le principali federazioni di identità regionali e italiane (FedERa e IDEM) a causa di una incompatibilità con il protocollo SAML 1.1, ancora utilizzato da alcuni dei servizi federati. Per risolvere tale incompatibilità il "CeSIA – Area Sistemi Informativi e Applicazioni" dell’Università di Bologna ha deciso di dotarsi di un Identity Provider Shibboleth, alternativa open source ad ADFS che presenta funzionalità equivalenti ed è in grado di gestire tutte le versioni del protocollo SAML (attualmente rilasciato fino alla versione 2.0). Il mio compito è stato quello di analizzare, installare, configurare e integrare con le federazioni IDEM e FedERa un’infrastruttura basata sull’IDP Shibboleth prima in test poi in produzione, con la collaborazione dei colleghi che in precedenza si erano occupati della gestione della soluzione Microsoft ADFS. Il lavoro che ho svolto è stato suddiviso in quattro fasi: - Analisi della situazione esistente - Progettazione della soluzione - Installazione e configurazione di un Identity Provider in ambiente di test - Deploy dell’Identity Provider in ambiente di produzione