Enabling SAML for dynamic identity federation management
Proceedings of: The Second IFIP WG 6.8 Joint Conference, WMNC 2009, Gdansk, Poland, September 9-11, 2009
Federation in identity management has emerged as a key concept for reducing complexity in companies and offering an improved user experience when accessing services. In this sense, the process of trust establishment is fundamental to allowing rapid and seamless interaction between different trust domains. However, the problem of establishing identity federations in the dynamic and open environments that form part of Next Generation Networks (NGNs), where it is desirable to speed up the processes of service provisioning and deprovisioning, has not been fully addressed. This paper analyzes the underlying trust mechanisms of the existing frameworks for federated identity management and their suitability for application in such environments. The analysis focuses mainly on the Single Sign On (SSO) profile. We propose a generic extension to the SAML standard in order to facilitate the dynamic creation of federation relationships between previously unknown parties. Finally, we give some details of implementation and compatibility issues.
SPADE: SPKI/SDSI for Attribute Release Policies in a Distributed Environment
Shibboleth is a federated, administratively distributed system that supports inter-institutional authentication and authorization for the sharing of resources. SPKI/SDSI is a public key infrastructure whose creation was motivated by the perception that X.509 is too complex and flawed. This thesis addresses the problem of how users that are part of a Public Key Infrastructure in a distributed computing system can effectively specify, create, and disseminate their Attribute Release Policies for Shibboleth using SPKI/SDSI. This thesis explores existing privacy mechanisms, as well as distributed trust management and policy-based systems. My work describes the prototype for a Trust Management Framework called SPADE (SPKI/SDSI for Attribute Release Policies in a Distributed Environment) that I have designed, developed and implemented. The principal result of this research has been the demonstration that SPKI/SDSI is a viable approach for trust management and privacy policy specification, especially for minimalistic policies in a distributed environment.
Shibboleth and the challenge of authentication across multiple servers in an e-learning environment
The objective of this work is the study, implementation and testing of a shared authentication system for multiple servers. Although it was known from the outset that the work would be done with Shibboleth, other possible solutions have also been taken into account. Shibboleth is a project developed by members of the universities that form the Internet2 consortium, with the aim of developing new middleware to perform shared authentication functions across multiple servers, designed specifically to facilitate collaboration between institutions and access to digital content.
Shibboleth is a complete solution, since it covers everything from authentication, authorization and accounting to the login system and the attributes to be used. This makes it a very secure working environment, with the added advantage of providing privacy to users.
The first objective was to identify the peculiarities and requirements of distributed e-learning environments; to this end, specific security concepts were studied, as well as how to adapt them to the required environment. A comparison was then made of the existing solutions on the market with functionality similar to Shibboleth, in order to present the advantages and disadvantages of Shibboleth with respect to them.
Subsequently, the work consisted of understanding the structure and operating principles of Shibboleth, what kind of requirements it had, the operation and objectives of each part, studying the requirements of the specific environment for which it was designed (e-learning) and giving a general idea of how the implementation should be carried out. All the technologies and requirements needed to deploy Shibboleth were also studied.
Once Shibboleth and the specific environment into which it would be integrated had been studied, a scenario was set up for its deployment and testing, testing each part specifically and understanding its operation through real tests. With the scenario running, the idea was to integrate Shibboleth with Sakai and Blackboard, the CMS (Course Management Systems) used in on-campus, the virtual campus of the Fachhochschule Lübeck.
Finally, by way of conclusions, a brief explanation of the results obtained is given, together with an assessment of how Shibboleth would meet the needs raised and some proposals for improvement.
Assured information sharing for ad-hoc collaboration
Collaborative information sharing tends to be highly dynamic and often ad hoc among organizations. The dynamic natures and sharing patterns in ad-hoc collaboration impose a need for a comprehensive and flexible approach to reflecting and coping with the unique access control requirements associated with the environment.
This dissertation outlines a Role-based Access Management for Ad-hoc Resource Sharing framework (RAMARS) to enable secure and selective information sharing in heterogeneous ad-hoc collaborative environments. Our framework incorporates a role-based approach to addressing originator control, delegation and dissemination control. A special trust-aware feature is incorporated to deal with dynamic user and trust management, and a novel resource modeling scheme is proposed to support fine-grained selective sharing of composite data. As a policy-driven approach, we formally specify the necessary policy components in our framework and develop access control policies using the standardized eXtensible Access Control Markup Language (XACML). The feasibility of our approach is evaluated in two emerging collaborative information sharing infrastructures: peer-to-peer networking (P2P) and Grid computing. As a potential application domain, the RAMARS framework is further extended and adopted in secure healthcare services, with a unified patient-centric access control scheme being proposed to enable selective and authorized sharing of Electronic Health Records (EHRs), accommodating various privacy protection requirements at different levels of granularity.
Interoperability between Heterogeneous Federation Architectures: Illustration with SAML and WS-Federation
Digital identity management within and across information systems, together with service-oriented architectures, is the root of identity federation. This kind of security architecture aims at enabling information system interoperability. Existing architectures, however, do not consider interoperability between heterogeneous federation architectures that rely on different federation protocols. In this paper, we try to initiate an in-depth reflection on this issue through the comparison of two main federation architecture specifications: SAML and WS-Federation. We first propose an overall outline of identity federation. We then address the issue of interoperability for federation architectures that use different federation protocols. Afterwards, we compare SAML and WS-Federation. Finally, we define the ways of convergence, and therefore of interoperability.
An identity-aware WiMAX personalization for pervasive computing services
Mobile Internet access is becoming more and more pervasive in the new 4G scenarios, where WiMAX is to play a crucial role. WiMAX has advantages in both energy consumption and bandwidth when compared with HSDPA and LTE. However, we have found some limitations in IEEE 802.16 security support, which may limit authentication and authorization mechanisms for ubiquitous service development. In this article we analyze weaknesses and vulnerabilities we have found in WiMAX security. WiMAX, with adequate identity management support, could be invaluable for developing new pervasive computing services. We propose the introduction of identity management in WiMAX as a previous step to the definition of identity-aware WiMAX personalization of pervasive computing services.
Project CCG10-UC3M/TIC-4992 of the Comunidad Autónoma de Madrid and the Universidad Carlos III de Madrid.