Interoperability between Heterogeneous Federation Architectures: Illustration with SAML and WS-Federation

International audienceDigital identity management intra and inter information systems, and, service oriented architectures, are the roots of identity federation. This kind of security architectures aims at enabling information system interoperability. Existing architectures, however, do not consider interoperability of heterogeneous federation architectures, which rely on different federation protocols.In this paper, we try to initiate an in-depth reflection on this issue, through the comparison of two main federation architecture specifications: SAML and WS-Federation. We firstly propose an overall outline of identity federation. We furthermore address the issue of interoperability for federation architectures using a different federation protocol. Afterwards, we compare SAML and WS-Federation. Eventually, we define the ways of convergence, and therefore, of interoperability

Towards a user centric model for identity and access management within the online environment

Today, one is expected to remember multiple user names and passwords for different domains when one wants to access on the Internet. Identity management seeks to solve this problem through creating a digital identity that is exchangeable across organisational boundaries. Through the setup of collaboration agreements between multiple domains, users can easily switch across domains without being required to sign in again. However, use of this technology comes with risks of user identity and personal information being compromised. Criminals make use of spoofed websites and social engineering techniques to gain illegal access to user information. Due to this, the need for users to be protected from online threats has increased. Two processes are required to protect the user login information at the time of sign-on. Firstly, user’s information must be protected at the time of sign-on, and secondly, a simple method for the identification of the website is required by the user. This treatise looks at the process for identifying and verifying user information, and how the user can verify the system at sign-in. Three models for identity management are analysed, namely the Microsoft .NET Passport, Liberty Alliance Federated Identity for Single Sign-on and the Mozilla TrustBar for system authentication

A taxonomy of single sign-on systems

Abstract. At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction. Several architectures for SSO have been developed, each with different properties and underlying infrastructures. This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context. This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches.

Organisational and cross-organisational identity management

We are all familiar with the overwhelming number of usernames and passwords needed in our daily life in the networked world. Services need to identify their end users and keep record on them. Traditionally, this has been done by providing the end user with an extra username and password for each new service. Managing all these isolated user identities is painful for the end user and work-intensive for the service owner. Having out-of-date user accounts and privileges is also a security threat for an organisation. Identity management refers to the process of representing and recognising entities as digital identities in computer networks. In an organisation, an end user s identity has a lifecycle. An identity is created when the user enters the organisation; for example, a new employee is hired, a student is admitted in a school or a company gets a new customer. Changes in the end user s affiliation to the organisation are reflected to his identity, and when the end user departs, his identity needs to be revoked. Organisational identity management develops and maintains an architecture that supports maintenance of user identities during their life cycle. In crossorganisational identity management, these identities are used also when accessing services that are outside the organisation. This thesis studies identity management in organisational and cross-organisational services. An organisation s motivations for improving identity management are presented. Attention is paid to how the person registries in an organisation should be interconnected to introduce an aggregated view on an end user s identity. Connection between identity management and introduction of more reliable authentication methods is shown. The author suggests what needs to be taken into account in a usable deployment of single sign-on and PKI for authentication. Federated identity management is a new way to implement end user identity management in services that cross organisational boundaries. This thesis studies how to establish a federation, an association of organisations that wants to exchange information about their users and services to enable cross-organisational collaborations and transactions. The author presents guidelines for organising a federation and preserving an end user s privacy in it. Finally, common use scenarios for federated identity management are presented

Authentication and privacy in mobile web services

This thesis looks at the issue of authentication and privacy in mobile Web services. The work in this thesis builds on GSM and UMTS security framework to develop security protocols for mobile Web services environment. The thesis initially highlights some core principles of designing security protocols in such environment. The next two chapters look at the core technologies and building blocks in Web services systems and the core security features in mobile networks mainly GSM and UMTS. Registration and authentication were identified as security issues in federated systems. Proposed solutions were developed utilizing XML security mechanisms with SIM card security in GSM environment to address these issues. Also a novel system was proposed in which it is possible for a mobile user to securely authenticate and have full anonymity as far as the service providers are concerned; however it is possible for a trusted authority to reveal the identity of the user if he or she is suspected of illegal activities. The next section analyze in detail the Generic Authentication Architecture from 3GPP. Combining SAML with the Generic Authentication Architecture, we propose a novel "generic mobile Web service platform" for M-Commerce. Various solutions have been proposed to address privacy concern in distributed networks; the Platform for Privacy Preferences is one of the popular proposal, though it has many desirable features, it is not easy to enforce it. We argue that this limitation can be managed in federated system such as the Liberty Alliance framework. In the final chapter we make the case for using timestamp based authentication protocol in mobile Web service on the ground of efficiency gain

Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems

The federated identity and access management systems facilitate the home domain organization users to access multiple resources (services) in the foreign domain organization by web single sign-on facility. In federated environment the user’s authentication is performed in the beginning of an authentication session and allowed to access multiple resources (services) until the current session is active. In current federated identity and access management systems the main security concerns are: (1) In home domain organization machine platforms bidirectional integrity measurement is not exist, (2) Integrated authentication (i.e., username/password and home domain machine platforms mutual attestation) is not present and (3) The resource (service) authorization in the foreign domain organization is not via the home domain machine platforms bidirectional attestation

Managing Identity Management Systems

Although many identity management systems have been proposed, in- tended to improve the security and usability of user authentication, major adoption problems remain. In this thesis we propose a range of novel schemes to address issues acting as barriers to adoption, namely the lack of interoper- ation between systems, simple adoption strategies, and user security within such systems. To enable interoperation, a client-based model is proposed supporting in- terworking between identity management systems. Information Card systems (e.g. CardSpace) are enhanced to enable a user to obtain a security token from an identity provider not supporting Information Cards; such a token, after en- capsulation at the client, can be processed by an Information Card-enabled relying party. The approach involves supporting interoperation at the client, while maximising transparency to identity providers, relying parties and iden- tity selectors. Four specific schemes conforming to the model are described, each of which has been prototyped. These schemes enable interoperation be- tween an Information Card-enabled relying party and an identity provider supporting one of Liberty, Shibboleth, OpenID, or OAuth. To facilitate adoption, novel schemes are proposed that enable Informa- tion Card systems to support password management and single sign on. The schemes do not require any changes to websites, and provide a simple, intu- itive user experience through use of the identity selector interface. They fa- miliarise users with Information Card systems, thereby potentially facilitating their future adoption. To improve user security, an enhancement to Information Card system user authentication is proposed. During user authentication, a one-time pass- word is sent to the user's mobile device which is then entered into the com- puter by the user. Finally, a universal identity management tool is proposed, designed to support a wide range of systems using a single user interface. It provides a consistent user experience, addresses a range of security issues (e.g. phishing), and provides greater user control during authentication.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Context-aware multi-factor authentication

Trabalho apresentado no âmbito do Mestrado em Engenharia Informática, como requisito parcial para obtenção do grau de Mestre em Engenharia InformáticaAuthentication systems, as available today, are inappropriate for the requirements of ubiquitous, heterogeneous and large scale distributed systems. Some important limitations are: (i) the use of weak or rigid authentication factors as principal’s identity proofs, (ii) non flexibility to combine different authentication modes for dynamic and context-aware interaction criteria, (iii) not being extensible models to integrate new or emergent pervasive authentication factors and (iv) difficulty to manage the coexistence of multi-factor authentication proofs in a unified single sign-on solution. The objective of this dissertation is the design, implementation and experimental evaluation of a platform supporting multi-factor authentication services, as a contribution to overcome the above limitations. The devised platform will provide a uniform and flexible authentication base for multi-factor authentication requirements and context-aware authentication modes for ubiquitous applications and services. The main contribution is focused on the design and implementation of an extensible authentication framework model, integrating classic as well as new pervasive authentication factors that can be composed for different context-aware dynamic requirements. Flexibility criteria are addressed by the establishment of a unified authentication back-end, supporting authentication modes as defined processes and rules expressed in a SAML based declarative markup language. The authentication base supports an extended single sign-on system that can be dynamically tailored for multi-factor authentication policies, considering large scale distributed applications and according with ubiquitous interaction needs

Architektur- und Werkzeugkonzepte für föderiertes Identitäts-Management

Als essentielle Komponente des IT-Security Managements umfasst das Identity & Access Management (I&AM) saemtliche organisatorischen und technischen Prozesse der Verwaltung von Dienstnutzern einer Einrichtung und deren Berechtigungen; dabei werden die Datenbestaende verschiedenster autoritativer Datenquellen wie Personal- und Kundenverwaltungssysteme aggregiert, korreliert und in aufbereiteter Form den IT-Services zur Verfuegung gestellt. Das Federated Identity Management (FIM) hat zum Ziel, die so geschaffenen integrierten Datenbestaende auch organisationsuebergreifend nutzbar zu machen; diese Funktionalitaet wird beispielsweise im Rahmen von Business-to-Business-Kooperationen, Outsourcing-Szenarien und im Grid-Computing zunehmend dringender benoetigt. Die Vermeidung von Redundanz und Inkonsistenzen, aber auch die garantierte Verfuegbarkeit der Daten und die Einhaltung von Datenschutzbestimmungen stellen hierbei besonders kritische Erfolgsfaktoren dar. Mit der Security Assertion Markup Language (SAML), den Spezifikationen der Liberty Alliance und WS-Federation als integralem Bestandteil des Web Services WS-*-Protokollstacks haben sich industrielle und partiell standardisierte technische Ansaetze fuer FIM herauskristallisiert, deren praktische Umsetzung jedoch noch haeufig an der nur unzureichend geklaerten, komplexen organisatorischen Einbettung und den technischen Unzulaenglichkeiten hinsichtlich der Integration in bestehende IT-Infrastrukturen scheitert. In dieser Arbeit wird zunaechst eine tiefgehende und in diesem Umfang neue Anforderungsanalyse durchgefuehrt, die neben I&AM und FIM auch die als User-Centric Identity Management (UCIM) bezeichnete Benutzerperspektive beruecksichtigt; die Schwerpunkte der mehr als 60 strukturierten und gewichteten Anforderungen liegen dabei auf der Integration von I&AM- und FIM-Systemen sowohl auf der Seite der organisation, der die Benutzer angehoeren (Identity Provider), als auch beim jeweiligen Dienstleister (Service Provider), und auf dem Einbezug von organisatorischen Randbedingungen sowie ausgewaehlten Sicherheits- und Datenschutzaspekten. Im Rahmen eines umfassenden, gesamtheitlichen Architekturkonzepts wird anschliessend eine Methodik zur systematischen Integration von FIM-Komponenten in bestehende I&AM-Systeme erarbeitet. Neben der praezisen Spezifikation der technischen Systemschnittstellen, die den bestehenden Ansaetzen fehlt, fokussiert diese Arbeit auf die organisatorische Eingliederung aus Sicht des IT Service Managements, wobei insbesondere das Security Management und das Change Management nach ITIL vertieft werden. Zur Kompensation weiterer grundlegender Defizite bisheriger FIM-Ansaetze werden im Rahmen eines Werkzeugkonzepts fuenf neue FIM-Komponenten spezifiziert, die auf eine verbesserte Interoperabilitaet der FIM-Systeme der an einer so genannten Identity Federation beteiligten organisationen abzielen. Darueber hinaus wird auf Basis der eXtensible Access Control Markup Language (XACML) eine policy-basierte Privacy Management Architektur spezifiziert und integriert, die eine dezentrale Steuerung und Kontrolle von Datenfreigaben durch Administratoren und Benutzer ermoeglicht und somit essentiell zur Einhaltung von Datenschutzauflagen beitraegt. Eine Beschreibung der prototypischen Implementierung der Werkzeugkonzepte mit einer Diskussion ihrer Performanz und die methodische Anwendung des Architekturkonzepts auf ein komplexes, realistisches Szenario runden die Arbeit ab

Fiducia e tecnologia nelle relazioni elettroniche inter-organizzative

Il caso delle organizzazioni virtuali. Il caso LD-CAST. Il caso delle tecnologie per l'autenticazione federata: benefici attesi tangibili vs intangibili.Il caso delle organizzazioni virtuali. Il caso LD-CAST. Il caso delle tecnologie per l'autenticazione federata: benefici attesi tangibili vs intangibili.LUISS PhD Thesi