8 research outputs found

    Federated identity architecture of the European eID system

    Federated identity management is a method that facilitates the management of identity processes and policies among collaborating entities without centralized control. Nowadays there are many federated identity solutions; however, most of them cover different aspects of the identification problem, in some cases solving only specific problems. Thus, none of these initiatives has consolidated as a unique solution, and this will surely remain so in the near future. To assist users in choosing a possible solution, we analyze different federated identity approaches, showing their main features and making a comparative study among them. The problem is even worse when multiple organizations or countries already have legacy eID systems, as is the case in Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the midterm to company eIDs as well. The system is now being deployed at the EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constraints in mind. The results show good performance of the solution in local, organizational, and remote environments.

    Integrating an AAA-based federation mechanism for OpenStack - The CLASSe view

    Identity federations enable users, service providers, and identity providers from different organizations to exchange authentication and authorization information in a secure way. In this paper, we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an authentication, authorization, and accounting infrastructure. Specifically, we analyse how this type of authentication, authorization, and accounting-based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the Internet Engineering Task Force (IETF) Application Bridging for Federated Access Beyond web specification for authentication and authorization. We provide details of the implementation undertaken in GÉANT's CLASSe project and show its validation in a real testbed.

    An approach for integrating kerberized non web-based services with web-based identity federations

    Many identity federations are designed to be used with web browsers. This paper proposes an approach for integrating non web-based applications with web-based identity federations using the Kerberos protocol. We evaluate this approach by making an NFS server available to users of the SAML-based identity federation of the German state of Baden-Württemberg. We make use of the LDAP-Facade software for federating non web-based services. We have modified the web-interface component of LDAP-Facade to enable registration with kerberized services. Our approach can be used without modifications on the client side. Copyright © 2015 SCITEPRESS - Science and Technology Publications. All rights reserved.

    Person-to-person identity verification in modern communication and collaboration environments

    This thesis describes a method for person-to-person identification on Google Wave networks. The method can also be used for strong authentication on the Wave network. The solution is based on using a trusted third party. The users must first authenticate themselves to a trusted third party and then prove to it that they control a given Wave user account. After these steps, the trusted third party is able to identify the users participating in a Wave discussion and report the identification results to the other participants. The users can request the trusted third party to re-authenticate a user if needed. The thesis also describes a federated model for person-to-person identification on the Wave network using multiple trusted third parties. The method described can be generalized to any communication network where the origin of messages can be reliably traced at the domain name level. A proof-of-concept of the identification model was developed and used to evaluate the applicability of the model in the real world.

    The thesis describes a method for person-to-person identity verification on the Google Wave network. The described method can also be used for strong authentication of persons on the Wave network. The solution is based on the use of a trusted third party. Users must first authenticate themselves to the trusted third party and then prove to that party that they hold a particular Wave user account. After this, the trusted third party can identify the users on the Wave network by means of a so-called Wave robot and report the identification results to the other participants. If necessary, users can use the robot to ask the trusted party to re-identify the users. The thesis also presents a model for person-to-person identification using several trusted parties. The method can be generalized for use in discussion networks in which it can be reliably determined from which server of the network the communication originated. A technical trial of the developed authentication method was implemented in the thesis, and the method's applicability in practice was evaluated.

    Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy

    This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don't scale, can't take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy-sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity.

    Hypermedia-based Web Services as System Integrators

    As we move closer to the practical concept of the Internet of Things, and our reliance on public and private APIs increases, web services and their related topics have become utterly crucial to the informatics community. However, the question of which style of web services would best solve a particular problem can raise significant and multifarious debates. Two implementation styles stand out: the RPC-oriented style, represented by the SOAP protocol's implementations, and the hypermedia style, represented by the REST architectural style's implementations. When we search for examples of already established web services, we can find a handful of robust and reliable public and private SOAP APIs; nevertheless, it seems that RESTful services are gaining popularity in the enterprise community. For the current generation of developers that work on informatics solutions, REST seems to represent a fundamental and straightforward alternative and even a more deep-rooted approach than SOAP. But are they comparable? Does each approach have its own best-suited scenarios? Such a study is briefly carried out in the present document's chapters, starting with the respective background study, followed by an analysis of the hypermedia approach and an instantiation of its architecture in a particular case study applied in a BPM context.

    Because we are ever closer to the practical concept of the Internet of Things, and because our dependence on public and private APIs is increasing, the topic of web services and other related topics have become quite crucial for the community dedicated to the field of informatics. Two main implementation styles stand out: the RPC-oriented style, whose concept is represented by implementations of the SOAP protocol, and the hypermedia style, represented by implementations of the REST architectural style. When we look for examples of web services established in the market, we can come across several public and private SOAP APIs classified as robust and reliable. However, services whose implementations follow the REST architectural style appear to be gaining popularity in the enterprise community. For the current generation of developers working on informatics solutions, REST appears to be a more essential, direct and even more solid alternative than SOAP. But are they comparable? Does each approach have its own best-fit scenario? The study presented in this document attempts to answer these kinds of questions, beginning with a study of the corresponding background, followed by an analysis of the hypermedia approach and an instantiation of its architecture in a case study applied in a BPM context.