Interoperability between Heterogeneous Federation Architectures: Illustration with SAML and WS-Federation

International audienceDigital identity management intra and inter information systems, and, service oriented architectures, are the roots of identity federation. This kind of security architectures aims at enabling information system interoperability. Existing architectures, however, do not consider interoperability of heterogeneous federation architectures, which rely on different federation protocols.In this paper, we try to initiate an in-depth reflection on this issue, through the comparison of two main federation architecture specifications: SAML and WS-Federation. We firstly propose an overall outline of identity federation. We furthermore address the issue of interoperability for federation architectures using a different federation protocol. Afterwards, we compare SAML and WS-Federation. Eventually, we define the ways of convergence, and therefore, of interoperability

Privacy in Enterprise Identity Federation - Policies for Liberty Single Signon

Cross-domain identity management is gaining significant interest in industry. A recent example is the Liberty Alliance's specifications for single signon of users across a federation of enterprises. These specifications stress that the federation process is voluntary for the users and that privacy is preserved, e.g., by using pseudonyms. We evaluate the privacy of these specifications in detail. We point out ambiguities and propose a concrete privacy policy together with a few changes to the Liberty processing rules. Our analysis demonstrates that identity-management policies are non-trivial even in a limited context. We also discuss how such low-tech proposals from industry relate to hightech privacy-enhancing proposals from the research community

Organisational and cross-organisational identity management

We are all familiar with the overwhelming number of usernames and passwords needed in our daily life in the networked world. Services need to identify their end users and keep record on them. Traditionally, this has been done by providing the end user with an extra username and password for each new service. Managing all these isolated user identities is painful for the end user and work-intensive for the service owner. Having out-of-date user accounts and privileges is also a security threat for an organisation. Identity management refers to the process of representing and recognising entities as digital identities in computer networks. In an organisation, an end user s identity has a lifecycle. An identity is created when the user enters the organisation; for example, a new employee is hired, a student is admitted in a school or a company gets a new customer. Changes in the end user s affiliation to the organisation are reflected to his identity, and when the end user departs, his identity needs to be revoked. Organisational identity management develops and maintains an architecture that supports maintenance of user identities during their life cycle. In crossorganisational identity management, these identities are used also when accessing services that are outside the organisation. This thesis studies identity management in organisational and cross-organisational services. An organisation s motivations for improving identity management are presented. Attention is paid to how the person registries in an organisation should be interconnected to introduce an aggregated view on an end user s identity. Connection between identity management and introduction of more reliable authentication methods is shown. The author suggests what needs to be taken into account in a usable deployment of single sign-on and PKI for authentication. Federated identity management is a new way to implement end user identity management in services that cross organisational boundaries. This thesis studies how to establish a federation, an association of organisations that wants to exchange information about their users and services to enable cross-organisational collaborations and transactions. The author presents guidelines for organising a federation and preserving an end user s privacy in it. Finally, common use scenarios for federated identity management are presented