8 research outputs found
Federated identity architecture of the european eID system
Federated identity management is a method that facilitates the management of identity processes and policies among collaborating entities without centralized control. Nowadays there are many federated identity solutions; however, most of them cover different aspects of the identification problem, in some cases solving only specific problems. Thus, none of these initiatives has been consolidated as a single solution, and this will surely remain the case in the near future. To assist users in choosing a possible solution, we analyze different federated identity approaches, showing their main features and making a comparative study among them. The former problem is even worse when multiple organizations or countries already have legacy eID systems, as is the case in Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the mid-term also to company eIDs. The system is now being deployed at the EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constraints in mind. The results show good performance of the solution in local, organizational, and remote environments.
EVALUATION OF SAML AND OAUTH 2.0 SINGLE SIGN-ON IMPLEMENTATIONS: A STUDY OF UNIVERSITIES IN YOGYAKARTA
In deciding on an effective Single Sign-On (SSO) strategy, universities need to understand the benefits of SSO, identify the organization's specific needs, and choose a protocol that will meet those needs. The contribution of this research is an analysis of the effectiveness of SSO implementations using the SAML and OAuth 2.0 protocols at universities in Yogyakarta. The research steps consist of data collection, followed by an analysis of the SAML and OAuth 2.0 protocol implementations against relevant references. Data were collected through a literature review, observation of the universities' official website domains, a survey, and interviews with 22 respondents from 17 university IT centres. The survey and interviews revealed protocol mismatches at 7 universities that integrate native (desktop-based/mobile-based) applications and IoT using SAML, and protocol mismatches involving OAuth 2.0 at 2 universities. The analysis shows that several universities have not yet implemented SSO effectively. Although 60% of the universities claim to have conducted research when choosing the SSO protocol they use, in practice SSO implementations were still found that actually add to the complexity of the previous problems.
Keywords: evaluation, oauth 2.0, universities, saml, single sign-on
 
The Review of Non-Technical Assumptions in Digital Identity Architectures
The literature on digital identity management systems (IdM) is abundant, and solutions vary by technology components and non-technical requirements. In the long run, however, there is a need for exchanging identities across domains or even borders, which requires interoperable solutions and flexible architectures. This article aims to give an overview of current research on digital identity management. We conduct a systematic literature review of digital identity solution architectures and extract their inherent non-technical assumptions. The findings show that solution designs can be based on organizational, business and trust assumptions as well as human-user assumptions: namely, that trust relationships and collaborations among participating organizations can be established, that human users are capable of maintaining private cryptographic material, or that win-win business models can easily be identified. By reviewing the key findings of the proposed solutions and looking at the differences and commonalities of their technical, organizational and social requirements, we discuss their potential real-life inhibitors and identify opportunities for future research in IdM.
Electronic identification for universities: Building cross-border services based on the eIDAS infrastructure
The European Union (EU) Regulation 910/2014 on electronic IDentification, Authentication, and trust Services (eIDAS) for electronic transactions in the internal market went into effect on 29 September 2018, meaning that EU Member States are required to recognize the electronic identities issued in the countries that have notified their eID schemes. Technically speaking, a unified interoperability platform, named the eIDAS infrastructure, has been set up to connect the EU countries' national eID schemes to allow a person to authenticate in their home EU country when getting access to services provided by an eIDAS-enabled Service Provider (SP) in another EU country. The eIDAS infrastructure allows the transfer of authentication requests and responses back and forth between its nodes, transporting basic attributes about a person, e.g., name, surname, date of birth, and a so-called eIDAS identifier. However, to build new eIDAS-enabled services in specific domains, additional attributes are needed. We describe our approach to retrieve and transport new attributes through the eIDAS infrastructure, and we detail their exploitation in a selected set of academic services. First, we describe the definition and the support for the additional attributes in the eIDAS nodes. We then present a solution for their retrieval from our university. Finally, we detail the design, implementation, and installation of two eIDAS-enabled academic services at our university: the eRegistration in the Erasmus student exchange program and the Login facility with national eIDs on the university portal.
Providing Login and Wi-Fi Access Services With the eIDAS Network: A Practical Approach
The digital identity (or electronic identity) of a person is about being able to prove upon authentication who one is on the Internet, with a certain level of assurance, such as by means of some attributes obtained from a trustworthy Identity Provider. In Europe, the eIDAS Network allows citizens to authenticate securely with their national credentials and to provide such personal attributes when getting access to Service Providers in a different European country. Although the eIDAS Network is more and more known, its integration with real operational services is still at an initial phase. This paper presents two eIDAS-enabled services, Login with eIDAS and Wi-Fi access with eIDAS, that we have designed, implemented, deployed, and validated at the Politecnico di Torino in Italy. The validation study involved several undergraduate students, who have run the above services with their authentication credentials and platforms and with minimal indications on their usage. The results indicate that the services were beneficial. Several advantages exist both for the users and for the Service Providers, such as resistance to some security attacks and the possibility to adopt the service without prior user registration (e.g. for short meetings, or in public places). However, some students expressed doubts about exploiting their national eID for Wi-Fi access, mainly in connection with usability and privacy issues. We also discuss these concerns, along with the advantages and disadvantages of the proposed services.
Electronic identity services as sociotechnical and political-economic constructs
Electronic identification services (eIDs) have become strategic services in the global governance of online societies. In this article, we argue that eIDs are sociotechnical constructs that also have political-economic dimensions. In the European context, governmental and corporate efforts to develop eIDs are shaped by legal EU frameworks, which are almost exclusively focussed on technical and legal interoperability, such as the European Interoperability Framework (EIF) and the European Interoperability Reference Architecture (EIRA). Public concerns such as privacy, security, user empowerment and control over one's personal information prompt developers to propose a decentralized, attribute-based system governed on a nonprofit, nonstate basis (DAN-eID). To illustrate our argument, we explore a single emerging eID system (IRMA; acronym for I Reveal My Attributes) that is developing in a national context (The Netherlands). We argue that developing eIDs requires more than engineering ingenuity and legal compliance; as sociotechnical and political-economic constructs, they involve negotiation of conflicting social and political values.
Improving key exchange protocols based on sender and receiver electronic identification documents
The subject of this doctoral dissertation is a review of current problems related to the concepts of cryptographic key exchange and user authentication in systems for secret communication. The work deals with an analysis of existing solutions in the research area and with the development of an original system for secret communication.
The scientific goal of the dissertation is the improvement of key exchange protocols based on personal identification documents. An analysis of existing approaches in the research area was carried out with the aim of raising the level of protection during secret communication and of obtaining a basis for the development of an original system. By combining cryptographic methods that ensure confidentiality, authenticity and integrity with the application of steganographic methods for exchanging information in a hidden manner, users of the proposed system are given the ability to exchange secret messages efficiently and securely.
Analysis of the research results led to the conclusion that there is justification for the use of personal identification documents for the exchange of the cryptographic keys used in secret communication.