8 research outputs found

    An identity framework for providing access to FIWARE OAuth 2.0-based services according to the eIDAS European Regulation

    Secure electronic identification (eID) is one of the key enablers of data protection, privacy, and the prevention of online fraud. However, until now, the lack of a common legal basis prevented European Member States from recognizing and accepting eIDs issued in the other Member States. The electronic identification and trust services (eIDAS) regulation provides a solution to these issues by ensuring the cross-border mutual recognition of eIDs. FIWARE is a European initiative that provides a rather simple yet powerful set of application programming interfaces (APIs) that ease the development of smart applications in multiple vertical sectors and oriented to the future internet. In this paper, we propose a model that enables the connection of FIWARE OAuth 2.0-based services with the eID authentication provided by the eIDAS reference. Thanks to this model, services already connected with an OAuth 2.0 identity provider can be automatically connected with eIDAS nodes to provide eID authentication to European citizens. To validate the proposed model, we have deployed an instance of the FIWARE identity manager connected to the Spanish eIDAS node. We have then registered two services, a private videoconferencing system and a public smart city deployment, and extended their functionalities to enrich the user experience by leveraging eID authentication. We have evaluated the integration of both services in the eIDAS network with real users from seven different countries. We conclude that the proposed model facilitates the integration of generic and FIWARE-based OAuth 2.0 services into the eIDAS infrastructure, making the connection transparent for developers.

    Contribution to the Design and Integration of Identity Management and Access Control Mechanisms for Smart Environments

    Identity Management and Access Control mechanisms are present in practically every digital application. Companies, public administrations and universities have deployed these mechanisms to ensure that the appropriate users access the services they are entitled to. The main objective of this integration is to protect private personal and professional information from malicious actors. Digital services have grown exponentially, forcing Identity Management models to move from a centralised to a federated approach to improve the user experience and close some security loopholes. Nowadays, federated identity management systems are still in use, giving users a little more control over their data. Their design and implementation pose a number of challenges that depend on the characteristics of each environment and the level of privacy required. However, people still have little control over their identity and how their information is shared between organizations. In recent years, a new paradigm in identity management has been emerging to give people autonomy over their digital identities: Self Sovereign Identity. It is at an early stage and opens up a number of opportunities and challenges. Nowadays, an increasing number of businesses are exploiting data obtained from a variety of sources. In this sense, due to the Industry 4.0 paradigm, new spaces are emerging for data sharing between companies to improve production chains, and with them, new ways of controlling access to data. Traditional access control mechanisms do not fulfil the trust, governance and usage requirements that these cases need, giving rise to new challenges to be addressed. This thesis proposes a set of architectures, models and mechanisms to address the challenges identified in the scope of identity and access management and contribute to improving the security and privacy of that field. 
The starting point of the thesis is the design and evaluation of delegated authentication systems for non-interface and resource-constrained devices. These systems aim to improve the security of devices in these contexts and even improve their efficiency. The next step is to implement an Industry 4.0 standard for data sharing between organizations that guarantees trust, data governance and secure data exchange. In this context, a model for enabling data usage control is presented. This model allows the management and definition of both access and usage control policies. Subsequently, a number of contributions are proposed in relation to European electronic IDentification and the eIDAS regulation. They enrich and simplify the authentication process for service providers and citizens. The first one extends the number of attributes of the eIDAS profile. The second extends the eIDAS basic architecture to obtain these attributes. Finally, another architecture is proposed for facilitating the integration of service providers into the eIDAS infrastructure. Lastly, the new Self Sovereign Identity paradigm is approached. A study of opportunities and challenges is carried out and a model is proposed to integrate access control mechanisms with Self Sovereign Identity. ----------SUMMARY---------- Identity management and access control mechanisms are present in practically all digital applications. Companies, public administrations and universities have deployed these mechanisms to ensure that users access the services that correspond to them, and to protect private information, both personal and professional, from people or entities with malicious intentions. Digital services have grown exponentially, causing identity management models to migrate from a centralised approach to a federated one, with the aim of improving the user experience and avoiding security breaches. 
Federated systems are still in use today, with some improvement regarding users' control over their information. The design and implementation of these systems brings a series of challenges that depend on the characteristics of each environment and the level of privacy required. However, people still do not have sufficient control over their information and how it is shared between organisations. In recent years a new paradigm has emerged that aims to give people back full autonomy over their digital identity: Self-Sovereign Identity. It is currently at an initial research stage, so the range of opportunities and challenges is wide. Nowadays, more and more businesses exploit data obtained from different sources. For example, due to the fourth industrial revolution, new spaces are emerging for sharing data between companies with the aim of improving production chains. As a result, new ways of controlling access to data have emerged. Traditional access control mechanisms do not meet the trust, governance and usage control requirements that these scenarios demand, giving rise to new challenges to address. This thesis proposes a series of architectures, models and mechanisms to address the challenges identified in the field of identity management and access control, contributing to improving the security and privacy of this field. The first proposal is the design and evaluation of delegated authentication systems for devices that lack interfaces and have scarce hardware resources. These systems improve the security of the devices and even improve their efficiency. In the next part, a standard was implemented to guarantee trust, governance and secure data exchange between organisations in the field of Industry 4.0. 
In this field, a model is also presented to control how data are being used. This model makes it possible to define and manage both data access policies and usage control policies for those data. Next, a series of contributions relating to European electronic identification and the eIDAS regulation are proposed. These contributions improve and simplify the authentication process for services and citizens. The first two contributions concern how to extend the eIDAS citizen profile with new attributes and how to obtain and integrate those attributes into the eIDAS architecture. Finally, an architecture is proposed that facilitates the integration of services with the eIDAS infrastructure. Lastly, the Self-Sovereign Identity paradigm is addressed. A study of the existing opportunities and challenges is carried out. A model is also proposed that integrates traditional access control mechanisms with this new paradigm.

    User-Adapted Web Services by Extending the eIDAS Specification with Functional Attributes

    To provide web services adapted to the users’ functional capabilities, diversity must be considered from the conceptualization and design phases of the services’ development. In previous work, we proposed a model that allows the provisioning of adapted interfaces based on users’ identity and their functional attributes, to facilitate this task for software designers and developers. However, because these identities and attributes are self-declared by the users, reliability and usability may be affected. In this work, we propose an extension of our model to resolve these deficiencies by delegating the provision of identity and attributes to external certified entities. The European electronic Identification, Authentication and Trust Services (eIDAS) regulation established a solution to ensure the cross-border mutual recognition of Electronic Identification (eID) mechanisms among the European Member States. This research aims to provide an extension of the eIDAS regulation to support functional attributes and to connect our previously proposed model to this extended eIDAS network. Thanks to this proposal, web services can guarantee adapted and personalized interfaces while improving the functionalities offered, without any previous configuration by users and in a reliable way, since the functional attributes belong to the users’ official eID. As the attribute set provided by eIDAS nodes only contains citizens’ personal and legal attributes, we also propose a mechanism to connect the eIDAS network to external attribute providers that could extend the eIDAS profile of users with their functional attributes. We have deployed a pilot to validate the proposed model, consisting of an identity provider, an eIDAS node supporting the extended reference code and an attribute provider supporting functional attributes. We have also designed and implemented a simple service that supports eID authentication and serves adapted interfaces based on the retrieved extended eIDAS profile. 
Finally, we have developed an experience for getting feedback from a set of real users with different functional capabilities. According to the results, we conclude that the generalized adoption of the proposed solution in European digital web services will significantly improve their accessibility in terms of ease of use and adaptability to users’ capacities.

    Extending the EIDAS European Specification for Supporting Academic Attributes

    Secure Electronic Identification (eID) is one of the key enablers of data protection, privacy and prevention of online fraud. However, to date, the lack of a common legal basis prevented European Member States from recognising and accepting eIDs issued by the other Member States. The electronic IDentification, Authentication and trust Service (eIDAS) regulation solves these issues by allowing citizens of any European country to use their national eIDs to securely access public and private e-services provided in other European countries. However, the minimum dataset typically provided by the Member States only contains citizens’ personal attributes. Therefore, academic services that aim to facilitate the mobility of students within the European Union cannot exploit the advantages of integrating students’ eIDs to the same extent as if they included attributes related to their academic profile as well. In this article, we propose an extension of the eIDAS specification in order to support academic attributes. Thanks to this extension, services can request students’ information from the eIDAS nodes: not only their personal profiles but also additional attributes related to their academic profile. In this work, we also propose an architecture that allows the connection of the national eIDAS nodes to academic attribute providers in order to enrich the student minimum dataset with their academic attributes. We conclude that, thanks to the extension of the eID profile of students with academic attributes, e-services in higher education sectors will be able to fully benefit from the integration of the eIDAS initiative, breaking barriers and favouring students’ mobility within the European Union.

    Bridging the gap between academia and industry through students' contributions to the FIWARE European Open-Source Initiative: A pilot study

    Although many courses in computer science and software engineering require students to work on practical assignments, these are usually toy projects that do not come close to real professional developments. As such, recent graduates often fail to meet industry expectations when they first enter the workforce. In view of the gap between graduates’ skills and industry expectations, several institutions have resorted to integrating open-source software development as part of their programs. In this pilot study, we report on the results of the contributions of eleven students to the FIWARE open-source project as part of their final year project. Our findings suggest that both teachers and students have a positive perception towards contributing to the FIWARE open-source initiative and that students increased their knowledge of technologies valued by the industry. We also found that this kind of project requires an additional initial effort from the students, as well as from the instructor to monitor their progress. Consequently, it is important that the instructors have previous experience in FIWARE, as many of the students need help during the process.

    An architecture for providing data usage, access control in data sharing ecosystems

    We are experiencing a new digital revolution in which data are becoming a key pillar for business and industry. Promoting data sharing, without compromising data sovereignty and traceability, is fundamental since it provides a heterogeneous ecosystem with the potential to enrich the variety of applications and services that take part in this digital revolution. In this scope, the use of secure and trusted platforms for sharing and processing personal and industrial data is crucial for the creation of a data market and a data economy. Protecting data goes beyond restricting who can access what resource (covered by identity and access control respectively): it becomes necessary to control how data are treated, which is known as data usage control. Data usage control provides a common and trustful security framework to guarantee the sovereignty and the responsible use of organizations’ data by third-party entities, easing and ensuring data sharing in ecosystems such as industry or smart cities. In this article, we present an architecture proposal for achieving access and usage control in shared data ecosystems among multiple organizations. The proposed architecture is based on the UCON (Usage Control) model and an extended XACML (eXtensible Access Control Markup Language) Reference Architecture, relying on key aspects of the IDS (International Data Spaces) Reference Architecture Model. Its modular design and technology-agnostic nature provide an integral solution while maintaining flexibility of implementation.

    Enhancing university services by extending the eIDAS european specification with academic attributes

    The European electronic IDentification, Authentication and trust Services (eIDAS) regulation makes available a solution to ensure the cross-border mutual recognition of electronic IDentification (eID) mechanisms among Member States. However, the basic set of attributes currently provided by each country only contains citizens’ personal and legal attributes, preventing e-services from taking full advantage of citizens’ domain-specific information, such as academic or medical data. In this article, we propose an extension of the eIDAS specification to support academic attributes as part of citizens’ profiles. In addition, we present an architecture to enable the connection of eIDAS nodes to national attribute providers to enrich citizens’ profiles with additional academic attributes. We have deployed the eIDAS extension in the specific case of the Spanish eIDAS infrastructure, and we have connected it to an attribute provider of the Technical University of Madrid (UPM). We have also improved a set of institutional services of that university by enabling the connection to eIDAS and enhancing the features offered to students based on their academic profiles retrieved from the eIDAS extended infrastructure. Finally, we have evaluated the resulting services with real students from two different countries, concluding that the widespread adoption of the proposed solution in the academic services of European universities will greatly improve their quality and usability.

    ESICM LIVES 2016: part two : Milan, Italy. 1-5 October 2016.

    Meeting abstract.