NIST SPECIAL PUBLICATION 1800-3
Attribute Based Access Control
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Bill Fisher
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
Norm Brickman
Prescott Burden
Santos Jha
Brian Johnson
Andrew Keller
Ted Kolovos
Sudhi Umarji
Sarah Weeks
The MITRE Corporation
McLean, VA
SECOND DRAFT
September 2017
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Kent Rochford, Acting Undersecretary of Commerce for Standards and Technology and Director
- Volume B
- 1. Summary
- 2. How to Use This Guide
- 3. Introduction
- 4. Approach
- 5. Architecture
- 5.1. Overview
- 5.1.1. User Authentication and the Creation of an Authentication Context
- 5.1.2. Federation of a User Identity and Attributes
- 5.1.3. Fine-Grained Access Control through a PEP Closely Coupled with the Application
- 5.1.4. The Creation of Attribute-Based Policy Definitions
- 5.1.5. Secondary Attribute Requests
- 5.1.6. Allow RP Access Decisions on External Identities without the Need for Pre‑Provisioning
- 5.2. ABAC Architecture Considerations
- 5.3. Technology and Architecture of the NCCoE Build
- 5.4. Security Characteristics
- 5.5. Features and Benefits
- Volume C
- 1. Introduction
- 2. Setting Up the Identity Provider
- 2.1. Components
- 2.2. Configuring the PC for 802.1x Auth
- 2.3. Install Nginx Web Server
- 2.4. Install Microsoft AD
- 2.5. Configure the Cisco Switch
- 2.6. Install and Configure Cisco Identity Services Engine
- 2.7. Install RSA AA
- 2.8. Configure RSA AA Rules
- 2.8.1. Create Rule for Non-Persistent User Enrollment
- 2.8.2. Create Rule for Persistent User Enrollment
- 2.8.3. Create Rule for User Updates
- 2.8.4. Create Rule for Challenge SMS
- 2.8.5. Increase SMS Token Length
- 2.8.6. Create Policy for Session Sign-In
- 2.8.7. Create Lists for Session Sign-In
- 2.8.8. Create Rules for Session Sign-In
- 2.8.9. Create Rule to Allow Forced Sign-In for Payment
- 2.8.10. Create Custom Fact
- 2.9. Install and Configure PingFederate-RP
- 2.10. Install PingFederate-IdP
- 2.11. Install the SCE Plug-in for the PingFederate-IdP
- 2.12. Install the Situational Context Connector for the PingFederate-IdP
- 2.13. Configure PingFederate-IdP
- 2.13.1. Configure SAML Protocol
- 2.13.2. Create Data Store for Microsoft AD
- 2.13.3. Create Credential Validator for Microsoft AD
- 2.13.4. Create IdP Adapter for Authentication with Microsoft AD via Web Browser Form
- 2.13.5. Create IdP Adapter for Two-Factor Authentication with RSA AA
- 2.13.6. Create Composite IdP Adapter Integrating Microsoft AD and RSA AA
- 2.13.7. Create IdP Adapter for the Situational Context Connector and ISE Authentication
- 2.13.8. Configure the Federation Connection to the Relying Party
- 2.13.9. Configure ISE Composite Adapter
- 2.13.10. Applying the Composite Adapter
- 2.14. Certificates
- 2.15. Functional Test of All Configurations for Section 2
- 3. Setting up Federated Authentication Between the Relying Party and the Identity Provider
- 4. Installing and Configuring Microsoft SharePoint Server and Related Components
- 5. Set Up Federated Authentication at the Relying Party’s SharePoint
- 6. Attribute Exchange between the Identity Provider and Relying Party
- 6.1. Introduction
- 6.2. Create Custom User Attributes in Microsoft AD
- 6.3. Configure PingFederate Servers to Pull User Attributes
- 6.4. Configure PingFederate-RP and SharePoint to Pass and Read Attributes
- 6.5. Configure the Claims Viewer Web Part at the SharePoint Site
- 6.6. Functional Test of All Configurations for Section 6
- 7. Setting Up NextLabs to Protect SharePoint
- 7.1. Introduction
- 7.2. Components
- 7.3. Installation and Configuration of NextLabs Control Center (on the SQL Server)
- 7.4. Installation and Configuration of NextLabs Policy Studio: Enterprise Edition (PAP)
- 7.5. Installation and Configuration of Policy Controller (PDP)
- 7.6. Installation and Configuration of NextLabs Entitlement Manager for SharePoint Server
- 7.7. Functional Tests
- 8. Defining Policies and Enforcing Access Decisions with NextLabs
- 8.1. Introduction
- 8.2. Policy Strategy
- 8.3. Translation of Business Logic into Policy
- 8.4. Using the NextLabs Policy Studio GUI for Policy Definition and Deployment
- 8.4.1. Login and Initial Screen in Policy Studio
- 8.4.2. Policy Studio Menu Commands
- 8.4.3. Defining and Deploying Components
- 8.4.4. Defining Policy
- 8.4.5. Deploying Policy
- 8.4.6. Modifying and Re-Deploying Policies and Components
- 8.4.7. Deactivating Policies and Components
- 8.4.8. Deleting Policies and Components
- 8.5. Configuring Attributes in NextLabs
- 8.6. Functional Test
- 9. Leveraging NextLabs Control Center Reporter for Reporting and Auditing Purposes
- 10. Configuring a Secondary Attribute Provider
- 10.1. Introduction
- 10.2. Component Software and Hardware Requirements
- 10.3. Ping Custom Data Store
- 10.4. NextLabs PIP Plugin
- 10.5. Protocol Broker
- 10.6. Apache Directory Service (ApacheDS)
- 10.7. PingFederate - Apache Integration
- 10.8. Configuration of PingFederate to Query the JIT Cache when Responding to Secondary Attribute Requests
- 10.9. ApacheDS Schema Extension
- 10.10. Functional Tests