COVER FEATURE

A SWIFT Take on Identity Management

Gabriel López, Óscar Cánovas, and Antonio F. Gómez-Skarmeta, University of Murcia, Spain
Joao Girao, NEC Laboratories Europe, Germany

Computer, May 2009. Published by the IEEE Computer Society. © 2009 IEEE.

A proposed identity management framework provides privacy protection, by means of virtual identities, and cross-layer single sign-on for users who subscribe to multiple service and identity providers.

Identity management (IdM) is a growing Web trend with the goal of simplifying account management from a user's perspective. In addition, IdM seeks to seamlessly maintain the user's privacy while accessing different Web services. The Web is IdM's greatest strength, promoting rapid proliferation of the technology, but also its greatest weakness, in that IdM mechanisms are not widely used in telecommunication networks or for more traditional services such as IP telephony or television. A single framework is crucial to the successful integrated deployment of IdM on a global scale. Recent research activities, such as those of the EU's Secure Widespread Identities for Telecommunications (SWIFT) and PrimeLife projects, and efforts by the International Telecommunication Union (ITU) and the World Wide Web Consortium (W3C), aim at a more consistent view of IdM across the various layers and domains. These approaches consider Web development but focus on network integration aspects. Ultimately, users should be able to profit from pervasive use of this technology when accessing the network or an application service.

We propose an IdM framework that offers cross-layer single sign-on (SSO) mechanisms for users who have some type of subscription with several service and identity providers. It also protects privacy by preventing unauthorized parties from linking steps or actions with the same user identifiers, enforcing privacy rules at different providers, and supporting the user's autonomy in disclosing attributes.

The framework provides the functionality to merge existing user subscriptions and generate a more general virtual identity: the union of one or more attributes from one or more identity providers. Users can create several virtual identities using a subset of attributes for each identity to which they subscribe. The concept of virtual identity is the key to creating federations of resources and an SSO mechanism across different IdM systems. Users can access multiple services by referencing their virtual identity via a virtual identifier (VID). The main challenge for developers is how this additional level of indirection affects IdM system elements and the requirements on newly needed components.

Virtual identities and identifiers

Nowadays many users have numerous accounts with different service providers (SPs) on the Internet that play the role of authentication providers or attribute providers. Each account typically contains authentication credentials, such as a login/password or certificate, as well as a set of user attributes, such as entitlement, age, sex, and grade; which attributes are held depends on the kind of provider, that is, whether it provides network access, content, and so on. Authentication credentials are private between the authentication provider and the user and must never be revealed to third parties, but attribute providers can share user attributes with several SPs.

Our proposed framework lets users define profiles, known as virtual identities, that aggregate authentication credentials and attributes from different identity providers [1,2]. Users reference each profile by means of a VID when accessing a target service. As Figure 1 shows, a virtual identity references one authentication ID (AuthN ID), the identifier by which an authentication provider recognizes a particular authentication subscription, and one or more attribute IDs (Attr IDs) held by different attribute providers. For example, Alice might define a virtual identity that references her home network's AuthN ID (alice@home.com). At the same time, it can hold the attribute connection_type=premium held by that provider and the attribute role=vipclient held by a different attribute provider with which Alice has another account.

Figure 1. Virtual identity content. A virtual identity references one authentication ID and one or more attributes held by different attribute providers.

Several VIDs can reference one virtual identity. Each VID includes information about the identity aggregator (the domain where the VID was defined) and data to select the right virtual identity within that domain. For example, alice@aggregator.org may represent a VID from aggregator.org that points to the virtual identity defined by Alice. For privacy reasons, when a user requests access to some service, the system replaces the virtual identity pointer with an encrypted identifier, or artifact, and discloses only the aggregator ID to SPs.

Framework elements

Figure 2 shows the relationships among the framework's five basic elements: authentication providers, attribute providers, identity aggregators, SPs, and users. These elements can be seen as roles that one or more parties play, depending on the business model.

Figure 2. Relationships among framework elements (user, authentication provider, attribute provider, identity aggregator, and SP, with the pseudonyms AuthNP-IA, AttrP-IA, and SP-IA established between the providers or SP and the identity aggregator).

Identity providers

As identity providers can support different functions depending on the services they provide, we distinguish authentication providers, attribute providers, and identity aggregators.

Authentication providers. These prove the identity of users. Therefore, users must have a previous subscription with a provider and share some kind of authentication credentials, including an AuthN ID, to enable authentication. The framework does not impose any requirements on the authentication method used.

Attribute providers. Users may also have a subscription with one or more attribute providers to maintain attribute data. The information these providers manage can be general-purpose or relate to specific services, and may be filtered by user-specified privacy policies.

Identity aggregators. Users can generate or modify some properties of their profiles using one or several identity aggregators, which are responsible for managing user
profiles, VIDs, and SSO mechanisms and assertions. They also deliver the information contained in the profiles and enforce the privacy rules that users specify for a given operation. Identity aggregators can maintain different federation agreements with authentication and attribute providers to determine which information is available to build virtual identities and the necessary requirements to obtain the data. Aggregators can either be trusted third parties, able to generate security assertions that any other entity in the system must recognize, or they may serve as proxies for security assertions generated by the participating providers. In this article, we focus on the first trust model.

Figure 3. Framework assertions (SWIFT initiation assertion, SWIFT SSO assertion, SWIFT SSO token, and SP session status). The assertions are associated with user operations and result from the different interactions among the elements.

Service providers

SPs protect the resources being shared across a federation. They use authentication providers, attribute providers, or identity aggregators to verify the identifiers (including VIDs) that users present and to retrieve the attributes needed to make an authorization decision.

Users

A user is an entity who has at least one subscription with an authentication or attribute provider. In relation to that, the user has an identifier and a set of attributes associated with that identifier. For authentication purposes, the user must know some authentication credentials.

VIDs provide users with three main advantages: privacy, SSO, and life-cycle management.

Privacy. To prevent different providers from correlating VIDs, AuthN IDs, and Attr IDs, the framework uses pseudonyms [3] established between the various actors. A pseudonym is a privacy-preserving identifier assigned by a framework element to identify a user to a given relying party for an extended period of time. Depending on its use, the pseudonym can be transient or permanent. Figure 2 depicts three pseudonyms. The authentication provider and the identity aggregator initially establish AuthNP-IA when the user creates the virtual identity; it references the AuthN ID. The attribute provider and the identity aggregator use AttrP-IA to exchange user attributes. The SP and the identity aggregator use SP-IA when they need to exchange information, including authentication data, about the user. To protect privacy, the framework also conceals VIDs from SPs, ensuring that only users and identity aggregators have knowledge of a specific VID. Further, users can specify which attributes to disclose to specific providers.

SSO. Once an authentication provider has authenticated a user, the user can access any protected resource if he or she has the appropriate attributes and the authentication context provides some level of assurance [4]. Toward that end, the authentication provider must generate an authentication assertion based on the VID and deliver it to the user. This assertion certifies that the user behind the VID was successfully authenticated. Users rely on this assertion to generate different SWIFT SSO tokens to access SPs.

Life-cycle management. Users can manage several details of their VIDs, including related profiles, activation, and revocation.

Framework assertions

Our framework includes several assertions, shown in Figure 3, associated with user operations and resulting from the different interactions among the elements. Users send a SWIFT initiation assertion to access a protected service when they are not yet authenticated. This assertion specifies only the VID, but uses an artifact that is only meaningful to the identity aggregator instead of the virtual identity pointer. It also includes the aggregator ID. SPs contact the identity aggregator, which protects user privacy and provides SSO to the VID being used to access the service.

After a VID has been initiated, the user obtains a SWIFT SSO assertion, which verifies that the user controls a specific VID. This is the framework's core method for providing SSO: as long as this assertion is valid, users need not authenticate again. Once the user receives an SSO assertion, it must never be revealed to any other entity.
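How the pairwise pseudonyms of Figure 2 and the protected pointer in the initiation assertion keep VIDs, AuthN IDs, and Attr IDs uncorrelated, as an added example; this is not code from the article or from the SWIFT project. The pseudonyms are derived with HMAC-SHA256 under a key held only by the aggregator, which is the usual way persistent identifiers are produced in SAML deployments; the artifact is implemented as a random single-use handle kept by the aggregator, rather than the encrypted pointer the article describes, so the example runs with the Python standard library alone. The class and method names, the domain names, the VID alice@aggregator.example, and the attribute account are assumptions made for the example.

```python
# Added example, not SWIFT project code: an identity aggregator that keeps
# virtual identities behind VIDs, hands out single-use initiation artifacts in
# place of the virtual identity pointer, and derives the pairwise pseudonyms
# AuthNP-IA, AttrP-IA and SP-IA. Names and sample identifiers are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class VirtualIdentity:
    """Figure 1: one AuthN ID plus Attr IDs held by different attribute providers."""
    authn_provider: str
    authn_id: str                                   # e.g. alice@home.com; never leaves the aggregator
    attr_ids: dict = field(default_factory=dict)    # attribute provider -> Attr ID at that provider


class IdentityAggregator:
    def __init__(self, domain):
        self.domain = domain
        self._key = secrets.token_bytes(32)   # pseudonym derivation key, known only to the aggregator
        self._vids = {}                       # VID -> VirtualIdentity
        self._artifacts = {}                  # outstanding initiation artifact -> VID

    def register_vid(self, local_part, virtual_identity):
        """A VID names the aggregator domain plus a selector for one virtual identity."""
        vid = f"{local_part}@{self.domain}"
        self._vids[vid] = virtual_identity
        return vid

    def pseudonym(self, vid, relying_party, transient=False):
        """Pairwise pseudonym for (VID, relying party): AuthNP-IA, AttrP-IA or SP-IA.

        Persistent: one party always sees the same value and can keep a profile,
        but two parties get unrelated values and cannot join their records.
        Transient: a random component is mixed in, so even one party cannot
        link two visits."""
        if vid not in self._vids:
            raise KeyError("unknown VID")
        material = f"{vid}|{relying_party}".encode()
        if transient:
            material += b"|" + secrets.token_bytes(16)
        return hmac.new(self._key, material, hashlib.sha256).hexdigest()[:32]

    def new_initiation_artifact(self, vid):
        """Protected pointer the user places in a SWIFT initiation assertion.

        The article encrypts the pointer; here it is a random single-use handle
        that only this aggregator can resolve, as in the SAML artifact binding."""
        if vid not in self._vids:
            raise KeyError("unknown VID")
        artifact = secrets.token_urlsafe(24)
        self._artifacts[artifact] = vid
        return artifact

    def resolve_initiation_artifact(self, artifact):
        """Returns the VID once; presenting the same artifact again yields None."""
        return self._artifacts.pop(artifact, None)


def unlinkable(aggregator, vid, parties):
    """True when no two parties are given the same pseudonym for this VID."""
    seen = [aggregator.pseudonym(vid, p) for p in parties]
    return len(set(seen)) == len(seen)


if __name__ == "__main__":
    agg = IdentityAggregator("aggregator.example")          # constructed sample data
    alice = VirtualIdentity("home.com", "alice@home.com", {"attr.example": "acct-7731"})
    vid = agg.register_vid("alice", alice)
    parties = ["home.com", "attr.example", "sp1.example", "sp2.example"]
    for party in parties:
        print(party, agg.pseudonym(vid, party))
    print("unlinkable:", unlinkable(agg, vid, parties))     # True
```

The check worth keeping from this is the one in unlinkable: every relying party gets a value it can use as a stable subject for its own records, yet the values for two parties share nothing but the aggregator's secret key, so colluding providers cannot join their data sets on the identifier. The artifact is popped on first resolution, so an SP that replays an initiation assertion gets nothing back.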
Figure 4. SP-initiated authentication for Web services (exchanges among user, SP, identity aggregator, and authentication provider, all carried over HTTPS).

Once they have been authenticated, users create SWIFT SSO tokens to request access to specific services. Similar to the initiation assertion, an SSO token includes an artifact and the associated aggregator domain. However, in this case the artifact not only references the virtual identity but also the fact that the user has been previously authenticated. The artifact also includes some information about the SP to identify the intended relying party, as well as a reference to the SWIFT SSO assertion, such as a hash value. Finally, once an SP authorizes the user to access the specified resource, it provides an SP session status to the user to prevent further verifications during the specified validity period. This depends on the SP and is not part of the framework. In Web environments, it is usually implemented by means of cookies [5].

Use Cases

Three SWIFT use cases demonstrate the framework's functionality. The first two involve an authentication step to gain access to a service (Web and network) offered by a SWIFT-enabled SP. The third includes the SSO process and authorization steps based on user attributes.

SP-initiated authentication for Web services

Alice is browsing the Internet and wants to access a protected Web service but wishes to keep her privacy. As Figure 4 shows, when she tries to access the service, she must first select one of her VIDs. In doing so, she creates a SWIFT initiation assertion that includes an artifact (a protected pointer to her virtual identity) and the aggregator ID. The SP receives the access request and uses a name resolution service to locate the identity aggregator. For example, it may use the Domain Name System (DNS) if the aggregator ID is a fully qualified domain name (FQDN). The system then redirects Alice to the aggregator to determine the authentication provider, to which she is redirected in turn, based on the virtual identity managed by the aggregator, to complete the authentication process. Only Alice and the aggregator observe the VID, and the aggregator does not see her authentication credentials.

Once authenticated, the system redirects Alice to the aggregator with an authentication assertion for the aggregator proving that she has been successfully authenticated. This assertion also contains the pseudonym AuthNP-IA, which allows the aggregator to verify the association between the VID and the AuthN ID without actually knowing the latter. The aggregator then redirects Alice to the SP. The redirect message transports the SSO assertion, which she stores to generate future SSO tokens. It also includes the authentication assertion for the SP, which the SP uses to verify that she was successfully authenticated. The subject of this assertion contains the pseudonym SP-IA. Once the SP grants access to Alice, it also provides her with an SP session status, for example an HTTP cookie, for session maintenance. The SP knows that a trusted provider has authenticated Alice, but it does not know which one or her credentials. Moreover, the SP can use the pseudonym SP-IA to request more user attributes from the identity aggregator without knowing their exact origin.

Figure 5. SP-initiated authentication for network roaming (exchanges among user, SP, authentication provider, and identity aggregator, carried over EAP, PEAP, RADIUS/EAP, HTTPS, and SAML).

SP-initiated authentication for roaming users

Suppose that Alice must be authenticated before obtaining a network connection. Because she does not have network connectivity, the only communication channel available is the one to the authentication provider, for example an Extensible Authentication Protocol (EAP) channel through IEEE 802.1X. When Alice tries to access the network, as Figure 5 shows, she creates a SWIFT initiation assertion based on a particular VID, as described above. The aggregator discovers the authentication provider that should be used to perform the authentication process and sends back a response to the SP that includes the authentication domain. The SP then sends an authentication request message to the authentication provider that includes anonymous@domain as Alice's identity and the aggregator ID. The authentication provider performs the previously described authentication process. After a successful authentication, the authentication provider sends a query containing an authentication assertion for the aggregator to verify that Alice has been authenticated. The response message from the identity aggregator includes the SWIFT SSO assertion, which the system forwards to her using the EAP channel, and the authentication assertion for the SP, which it forwards to the SP. Encryption mechanisms prevent disclosure of the information contained in both assertions to the authentication provider. In this scenario, the SP sends an anonymous access request to the authentication provider, and Alice's private credentials, shared with the authentication provider, are hidden from both the aggregator and the SP. Moreover, at the end of the process, she obtains a new SWIFT SSO assertion that can be used later to gain access, without reauthentication, to other Web services, Voice over Internet Protocol (VoIP), and so on.

Figure 6. Service access and single sign-on (SSO): access with an SP session status, access with a SWIFT SSO token verified by the identity aggregator, and attribute retrieval from the attribute provider via the pseudonym AttrP-IA.

Service access and SSO

Now suppose that, once Alice has been authenticated, she holds the required information to access a new service without the need of a new authentication process. As Figure 6 shows, she can exploit the framework's SSO mechanisms in two ways.

Alice can share an active session with the SP by presenting the SP session status together with a service request message. The SP would then look up the user session in its internal database and determine that she has a valid session and thus there is no need to reauthenticate her.

Alternatively, if Alice does not have a valid SP session status but does have a valid SWIFT SSO assertion, she can generate a SWIFT SSO token specific to that SP. When the SP receives the token, it communicates with the identity aggregator to verify that Alice was properly authenticated and to obtain the pseudonym SP-IA. To ensure that the aggregator can verify Alice as the token's creator, the artifact references the SWIFT SSO assertion. Once the SP has determined that it does not have to authenticate Alice again, it may initiate an authorization process and request the identity aggregator to provide attributes held by other attribute providers, such as her age, entitlement, and so on, to make the access control decision. When the aggregator queries the attribute provider for these attributes, the latter uses an attribute release policy, specified by Alice, to decide whether to reveal them. The SP accordingly sends her an access response message, perhaps with an updated SP session status for further access to the service. Obtaining anonymous access to the SP by means of a previously generated SWIFT SSO token makes it difficult for third parties to correlate data, because the artifact included in the token differs for each access request.

Our framework provides cross-layer SSO, ranging from the network to high-level applications. The ITU Telecommunication Standardization Sector's Focus Group on Identity Management (FG IdM) identified a main gap in cross-layer SSO that is now bridged by the SWIFT SSO assertion obtained during the network access process and then used to derive the SSO tokens enabling access to higher-level services.

The use cases assume that the identity aggregator is the central trusted entity.
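The SSO assertion and per-SP SSO token exchange of the third use case, as an added example that is not the article's or the SWIFT project's code. The article fixes only the properties of the token: its artifact references the SSO assertion, names the intended SP, and differs for every request, and the aggregator must be able to tell that the holder of the SSO assertion created it. Everything else here is an assumption: the session key carried inside the SSO assertion, the references derived from it as HMAC(key, counter) and indexed ahead of time by the aggregator (in place of encrypting the artifact for the aggregator), the HMAC tag over reference, SP, and expiry, the pool size of 8, the validity windows, and the names IdentityAggregator, UserAgent, and _mac.

```python
# Added example, not SWIFT project code: an identity aggregator issues a SWIFT
# SSO assertion to the user; the user mints one SSO token per SP from it; the
# SP hands the token to the aggregator, which checks audience, freshness and
# single use before returning the SP-IA pseudonym. Layout is an assumption.
import hashlib
import hmac
import secrets


def _mac(key, *parts):
    """HMAC-SHA256 over the parts, each length-prefixed so they cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()


class IdentityAggregator:
    POOL = 8   # single-use token references indexed ahead of time per SSO session

    def __init__(self, domain):
        self.domain = domain
        self._key = secrets.token_bytes(32)   # SP-IA derivation key
        self._sessions = {}                   # session id -> {vid, key, exp, issued}
        self._pending = {}                    # unused token reference -> session id

    def issue_sso_assertion(self, vid, now, ttl=3600):
        """Handed to the user after authentication and never shown to anyone else.

        It carries a session key; the user derives token references
        ref_i = HMAC(key, i) from it, and the aggregator indexes the same values,
        so a token maps to its session without exposing a stable identifier."""
        key = secrets.token_bytes(32)
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"vid": vid, "key": key, "exp": now + ttl, "issued": self.POOL}
        for i in range(self.POOL):
            self._pending[_mac(key, "ref", i)] = sid
        return {"aggregator": self.domain, "key": key.hex(), "exp": now + ttl}

    def verify_sso_token(self, token, presenting_sp, now):
        """Called by the SP. Returns (SP-IA pseudonym, 'ok') or (None, reason)."""
        sid = self._pending.pop(token.get("ref"), None)   # burns the reference: a replay fails here
        if sid is None:
            return None, "unknown or already used reference"
        s = self._sessions[sid]
        self._pending[_mac(s["key"], "ref", s["issued"])] = sid   # slide the window forward
        s["issued"] += 1
        if now > s["exp"]:
            return None, "SSO assertion expired"
        if now > token["exp"]:
            return None, "token expired"
        if token["sp"] != presenting_sp:
            return None, "token was issued for a different SP"
        expected = _mac(s["key"], "token", token["ref"], token["sp"], token["exp"])
        if not hmac.compare_digest(expected, token["tag"]):
            return None, "bad tag: not created by the holder of the SSO assertion"
        sp_ia = hmac.new(self._key, f"{s['vid']}|{presenting_sp}".encode(), hashlib.sha256).hexdigest()[:32]
        return sp_ia, "ok"


class UserAgent:
    """Holds the SSO assertion and mints one token per service request."""

    def __init__(self, sso_assertion):
        self._assertion = sso_assertion
        self._next = 0

    def sso_token(self, sp, now, ttl=60):
        key = bytes.fromhex(self._assertion["key"])
        ref = _mac(key, "ref", self._next)     # fresh per request, so SPs cannot correlate tokens
        self._next += 1
        exp = now + ttl
        return {"aggregator": self._assertion["aggregator"], "ref": ref, "sp": sp,
                "exp": exp, "tag": _mac(key, "token", ref, sp, exp)}


if __name__ == "__main__":
    agg = IdentityAggregator("aggregator.example")          # constructed sample data
    now = 1_700_000_000
    alice = UserAgent(agg.issue_sso_assertion("alice@aggregator.example", now))
    token = alice.sso_token("sp1.example", now)
    print(agg.verify_sso_token(token, "sp1.example", now + 1))   # (<SP-IA>, 'ok')
    print(agg.verify_sso_token(token, "sp1.example", now + 2))   # (None, 'unknown or already used reference')
```

Three checks do the work. The audience check rejects a token minted for sp1 when sp2 presents it, so a compromised SP cannot reuse what it received elsewhere. The reference is removed from the index before anything else is examined, so a replayed or tampered token burns its reference and fails, and later tokens are unaffected. The tag binds reference, SP, and expiry under the session key that only the user and the aggregator know, which is what lets the aggregator conclude that the holder of the SSO assertion, not the SP, created the token. Because each reference is a keyed hash over a counter and SP-IA is pairwise, two SPs see nothing in common across Alice's visits.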
On the one hand, a central aggregator avoids the need for all involved service, authentication, and attribute providers to establish trust relationships with each other, thus avoiding the contractual arrangements usually associated with Security Assertion Markup Language (SAML) federations [3]. On the other hand, the aggregator could be seen as a central point of failure. However, we envision scenarios based on a distributed trust model, where SPs could obtain authentication and attribute assertions directly from the identity providers. In this case, the aggregator would act as a discovery and proxy service. Nevertheless, both models can be deployed using the proposed framework. We continue to develop these models, and future work calls for a detailed security and privacy analysis.

Although our framework is generic, several existing technologies could be used to instantiate part of the proposed use cases: SAML 2.0 profiles and the Extensible Access Control Markup Language (XACML) [6] could be the basis for representing the SWIFT authentication and attribute assertions and standard access control policies; proposals like XRI Data Interchange (XDI) [7] could be used to provide standard resource identifiers and data exchange formats for name resolution protocols; and projects such as Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture (DAMe) [8] are defining SSO for cross-layer authentication and authorization. Instantiation details such as transport protocols or security algorithms will depend on the specific scenario: network, Web, VoIP, and so on.

SAML 2.0 also defines IdP proxy mechanisms. We have extended this idea not only to include authentication and attribute requests but also to consider the impact of VID management, privacy, security, and trust. Because our framework assumes different trust associations, we cannot determine a priori the recipient of authentication or attribute assertions. A client-side implementation of the framework is theoretically possible. For example, Windows CardSpace provides a client-side IdM discovery mechanism. However, CardSpace would assume that the client takes the identity aggregator role and thus lacks flexibility, because the role is bound to the device and cannot offer network personalization. Further, it does not fit well with our trust model, because SPs can only choose to trust the authentication/attribute provider or the user.

Acknowledgments

This work was partially funded by SWIFT (FP7). The authors also thank the Funding Program for Research Groups of Excellence (04552/GERM/06) established by Fundación Séneca.

References

1. 3GPP TS, 3GPP Generic User Profile (GUP) Requirements; Architecture (Stage 2), release 8, 16 Dec. 2008, 3GPP.
2. A. Sarma et al., "Virtual Identity Framework for Telecom Infrastructures," Wireless Personal Comm., June 2008.
3. OASIS Security Services Technical Committee, "Security Assertion Markup Language (SAML) V2.0 Technical Overview," draft 2, 25 Mar. 2008; security/saml/post2.0/sstc-saml-tech-overview-2.0-cd-02.html.
4. W.E. Burr et al., Electronic Authentication Guideline, NIST special publication, 8 Dec. 2008; csrc.nist.gov/publications/drafts/rev1/sp Rev1_Dec2008.pdf.
5. D. Kristol and L. Montulli, "HTTP State Management Mechanism," IETF RFC 2965, Oct. 2000; rfc2965.txt.
6. eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS, 1 Feb. 2005; xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf.
7. D. Reed and G. Strongin, "The Dataweb: An Introduction to XDI," v2, white paper, OASIS, 12 Apr. 2004; www.oasis-open.org/committees/download.php/6434/wd-xdi-intro-white-paper pdf.
8. Ó. Cánovas et al., "Deploying Authorization Mechanisms for Federated Services in EDUROAM Architecture (DAMe)," Internet Research, vol. 17, no. 5, 2007.

Gabriel López is an assistant professor in the Department of Information and Communications Engineering at the University of Murcia, Spain. His research interests include network security, public-key infrastructure (PKI), and identity management. López received a PhD in computer science from the University of Murcia. Contact him at gabilm@um.es.

Óscar Cánovas is an associate professor in the Department of Computer Engineering at the University of Murcia. His research interests include PKI, authorization management systems, and network access services. Cánovas received a PhD in computer science from the University of Murcia. Contact him at ocanovas@um.es.

Antonio F. Gómez-Skarmeta is an associate professor in the Department of Information and Communications Engineering at the University of Murcia. His research interests include distributed artificial intelligence and computer network security. Gómez-Skarmeta received a PhD in computer science from the University of Murcia. He is a member of IEEE. Contact him at skarmeta@um.es.

Joao Girao is a senior researcher in the Ubiquitous Secure Computing group at NEC Laboratories Europe, Heidelberg, Germany, where he is responsible for technical coordination in the identity management area. His research interests include security for networks and services and identity management. Girao received a diploma in computer and telematics engineering from the University of Aveiro, Portugal. He is a member of the IEEE and the ACM. Contact him at joao.girao@nw.neclab.eu.
More informationCA SiteMinder Federation
CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationTest Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0
1 2 3 4 5 6 7 8 9 10 11 Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 Version 3.1 Editor: Kyle Meadors, Drummond Group Inc. Abstract: This document describes the test steps to achieve
More informationTechnical Overview. Version March 2018 Author: Vittorio Bertola
Technical Overview Version 1.2.3 26 March 2018 Author: Vittorio Bertola vittorio.bertola@open-xchange.com This document is copyrighted by its authors and is released under a CC-BY-ND-3.0 license, which
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationEGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/
More informationAccess Manager Applications Configuration Guide. October 2016
Access Manager Applications Configuration Guide October 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,
More informationSecurity and Privacy in the Internet of Things : Antonio F. Skarmeta
Security and Privacy in the Internet of Things : Antonio F. Skarmeta University of Murcia (UMU) SPAIN Motivation Security and privacy concerns were always there but we need to move from
More informationShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS
ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS Joseph Olufemi Dada & Andrew McNab School of Physics and Astronomy,
More informationFPKIPA CPWG Antecedent, In-Person Task Group
FBCA Supplementary Antecedent, In-Person Definition This supplement provides clarification on the trust relationship between the Trusted Agent and the applicant, which is based on an in-person antecedent
More informationING Corporate PKI G3 Internal Certificate Policy
ING Corporate PKI G3 Internal Certificate Policy Version 1.0 March 2018 ING Corporate PKI Service Centre Final Version 1.0 Document information Commissioned by Additional copies of this document ING Corporate
More informationFrom UseCases to Specifications
From UseCases to Specifications Fulup Ar Foll Liberty Technical Expert Group Master Architect, Global Software Practice Sun Microsystems Why Identity Related Services? Identity-enabling: Exposes identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationOpen Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014
The enabler of solutions Alexander Summerer, Giesecke & Devrient 30th Oct. 2014 SIMalliance Allows usage of Secure Elements in Mobile Devices Designed for Open Handset OS platforms Common API for Apps
More informationCA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5
CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationOracle Utilities Opower Solution Extension Partner SSO
Oracle Utilities Opower Solution Extension Partner SSO Integration Guide E84763-01 Last Updated: Friday, January 05, 2018 Oracle Utilities Opower Solution Extension Partner SSO Integration Guide Copyright
More informationCA Adapter. Installation and Configuration Guide for Windows. r2.2.9
CA Adapter Installation and Configuration Guide for Windows r2.2.9 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation
More informationPRIVACY IN CONTENT DISTRIBUTION NETWORKS
PRIVACY IN CONTENT DISTRIBUTION NETWORKS Aframework description R.I. Hulsebosch Telelllnlica Institllllt, PO Box 589, 7500 AN, Ellschede, The Netherlal/ds e-mail: Boh.Hulschosch@tclm.nl; phone: +31 (0)534850498;
More informationSecurity and Certificates
Encryption, page 1 Voice and Video Encryption, page 6 Federal Information Processing Standards, page 6 Certificate Validation, page 6 Required Certificates for On-Premises Servers, page 7 Certificate Requirements
More informationLiberty Alliance Project
Liberty Alliance Project Federated Identity solutions to real world issues 4 October 2006 Timo Skyttä, Nokia Corporation Director, Internet and Consumer Standardization What is the Liberty Alliance? The
More informationarxiv: v1 [cs.cr] 30 May 2014
ROMEO: ReputatiOn Model Enhancing OpenID Simulator Ginés Dólera Tormo 1, Félix Gómez Mármol 1, and Gregorio Martínez Pérez 2 arxiv:1405.7831v1 [cs.cr] 30 May 2014 1 NEC Europe Ltd., Kurfürsten-Anlage 36,
More informationStandardization Trends in Identity Management Technologies
Standardization Trends in Identity Management Technologies Hiroki Itoh and Teruko Miyata Abstract We introduce the latest standardization trends in identity management (IdM) technologies and schemes for
More informationCA CloudMinder. SSO Partnership Federation Guide 1.53
CA CloudMinder SSO Partnership Federation Guide 1.53 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ), is
More informationBECOMING A DATA-DRIVEN BROADCASTER AND DELIVERING A UNIFIED AND PERSONALISED BROADCAST USER EXPERIENCE
BECOMING A DATA-DRIVEN BROADCASTER AND DELIVERING A UNIFIED AND PERSONALISED BROADCAST USER EXPERIENCE M. Barroco EBU Technology & Innovation, Switzerland ABSTRACT Meeting audience expectations is becoming
More informationVersion 7.x. Quick-Start Guide
Version 7.x Quick-Start Guide 2005-2013 Ping Identity Corporation. All rights reserved. PingFederate Quick-Start Guide Version 7.x September, 2013 Ping Identity Corporation 1001 17th Street, Suite 100
More informationIntroduction to Identity Management Systems
Introduction to Identity Management Systems Ajay Daryanani Middleware Engineer, RedIRIS / Red.es Kopaonik, 13th March 2007 1 1 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and
More informationIntroducing Shibboleth. Sebastian Rieger
Introducing Shibboleth Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford eresearch Center
More informationTest Plan for Kantara Initiative Test Event Test Criteria SAML 2.0
1 2 3 4 5 6 7 8 9 10 11 Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0 Version: 3.3 Date: 2010-07-21 12 13 14 Editor: Kyle Meadors, Drummond Group Inc. Scott Cantor, Internet2 John
More informationFederated Authentication for E-Infrastructures
Federated Authentication for E-Infrastructures A growing challenge for on-line e-infrastructures is to manage an increasing number of user accounts, ensuring that accounts are only used by their intended
More informationIdentity, Authentication and Authorization. John Slankas
Identity, Authentication and Authorization John Slankas jbslanka@ncsu.edu Identity Who or what a person or thing is; a distinct impression of a single person or thing presented to or perceived by others;
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationA Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards
A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards Sylvia Encheva Stord/Haugesund University College Bjørnsonsg. 45 5528 Haugesund, Norway sbe@hsh.no Sharil
More informationOlli Jussila Adaptive R&D TeliaSonera
Olli Jussila Adaptive R&D TeliaSonera Agenda TeliaSonera at a glance Project presentation Technical results Business model and actor benefits End user experience Dissemination activities Conclusion 23/02/07
More informationO365 Solutions. Three Phase Approach. Page 1 34
O365 Solutions Three Phase Approach msfttechteam@f5.com Page 1 34 Contents Use Cases... 2 Use Case One Advanced Traffic Management for WAP and ADFS farms... 2 Use Case Two BIG-IP with ADFS-PIP... 3 Phase
More informationExisting Healthcare Standards
Existing Healthcare Standards Category Context (Information Model) Information Interchange Standard & Specific Elements ASN.1 Abstract Syntax Notation.1 ASTM E2369-05 Standard Specification for Continuity
More informationTrust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)
Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014) This document has been developed by representatives of Apple, Google, Microsoft, and Mozilla. Document History
More informationSSL Certificates Certificate Policy (CP)
SSL Certificates Last Revision Date: February 26, 2015 Version 1.0 Revisions Version Date Description of changes Author s Name Draft 17 Jan 2011 Initial Release (Draft) Ivo Vitorino 1.0 26 Feb 2015 Full
More informationUnsolicited Communication / SPIT / multimedia-spam
Unsolicited Communication / SPIT / multimedia-spam overview of this topic in different SDOs Thilo Ewald NGN Group, NEC Laboratories Europe NEC Europe Ltd., Heidelberg, Germany ewald@nw.neclab.eu Page
More informationIdentity Federation Requirements
Identity Federation Requirements By: Technical Editing Author: Stephen Skordinski Version: 1.001 Published: September 26, 2012 Document Change History for Technical Documents Template Version Number Version
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Concordia University of Edmonton Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that
More informationOman Research & Education Network (OMREN)
Oman Research & Education Network (OMREN) Presented By: Said Al-Mandhari The Research Council Sultanate of Oman said.mandhari@trc.gov.om http://www.trc.gov.om 1 Table of Content OMREN Definition OMREN
More informationOracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On
Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On Configuration Guide E84772-01 Last Update: Monday, October 09, 2017 Oracle Utilities Opower Energy Efficiency Web Portal -
More informationCA Adapter. CA Adapter Installation Guide for Windows 8.0
CA Adapter CA Adapter Installation Guide for Windows 8.0 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation
More informationInternet Engineering Task Force (IETF) Request for Comments: 7831 Category: Informational. H. Tschofenig ARM Ltd. J. Schaad August Cellars May 2016
Internet Engineering Task Force (IETF) Request for Comments: 7831 Category: Informational ISSN: 2070-1721 J. Howlett Jisc S. Hartman Painless Security H. Tschofenig ARM Ltd. J. Schaad August Cellars May
More informationINTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD
INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD Jeffy Mwakalinga, Prof Louise Yngström Department of Computer and System Sciences Royal Institute of Technology / Stockholm University
More informationTechTarget, Inc. Privacy Policy
This Privacy Policy (the Policy ) is designed to inform users of TechTarget, Inc., and its affiliates (collectively TechTarget ) network of websites about how TechTarget gathers and uses information provided
More informationUser Empowerment Architectural
H2020-EUJ-02-2016 H2020 Grant Agreement Number 723076 NICT Management Number18302 Deliverable D5.2 User Empowerment Architectural Version V1.0 September 30 th, 2017 ABSTRACT This deliverable integrates
More informationIdentity Management: Setting Context
Identity Management: Setting Context Joseph Pato Trusted Systems Lab Hewlett-Packard Laboratories One Cambridge Center Cambridge, MA 02412, USA joe.pato@hp.com Identity Management is the set of processes,
More informationIT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)
Page 1 of 6 IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT) I. Understanding the need for privacy in the IT environment A. Evolving
More informationA solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga
A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel Matranga Access Delegation in distributed environments SAML 2.0 Condition to Delegate Implementation Future plans
More informationPseudonym Based Security Architecture for Wireless Mesh Network
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 16, Issue 4, Ver. VII (Jul Aug. 2014), PP 01-05 Pseudonym Based Security Architecture for Wireless Mesh Network
More informationPROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL
Q&A PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL This document answers questions about Protected Extensible Authentication Protocol. OVERVIEW Q. What is Protected Extensible Authentication Protocol? A.
More informationSELF SERVICE INTERFACE CODE OF CONNECTION
SELF SERVICE INTERFACE CODE OF CONNECTION Definitions SSI Administration User Identity Management System Identity Provider Service Policy Enforcement Point (or PEP) SAML Security Patch Smart Card Token
More informationDissecting NIST Digital Identity Guidelines
Dissecting NIST 800-63 Digital Identity Guidelines KEY CONSIDERATIONS FOR SELECTING THE RIGHT MULTIFACTOR AUTHENTICATION Embracing Compliance More and more business is being conducted digitally whether
More informationITU-T SG 17 Q10/17. Trust Elevation Frameworks
ITU-T SG 17 Q10/17 Trust Elevation Frameworks Abbie Barbir, Ph.D. ITU-T SG 17 Q10 Rapporteur Martin Euchner SG 17 Advisor ITU Workshop on "Future Trust and Knowledge Infrastructure July 1 2016 Contents
More informationWarm Up to Identity Protocol Soup
Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital
More informationTRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model
TRUST. assured reliance on the character, ability, strength, or truth of someone or something - Merriam-Webster TRUST AND IDENTITY July 2017 Trusted Relationships for Access Management: The InCommon Model
More informationStrong Authentication for Web Services using Smartcards
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2009 Strong Authentication for Web Services using Smartcards D S. Stienne
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationSystem Architecture Model Version 1.1 WV Tracking Number: WV-020
System Architecture Model Version 1.1 WV Tracking Number: WV-020 Notice Copyright 2001-2002 Ericsson, Motorola and Nokia. All Rights Reserved. Implementation of all or part of any Specification may require
More informationFederated Access Management Futures
Federated Access Management Futures Ian A. Young SDSS, Edina, University of Edinburgh ian@iay.org.uk Prediction is very difficult, especially about the future. Niels Bohr What to expect Prepared material
More informationCA SiteMinder. Federation Manager Guide: Partnership Federation. r12.5
CA SiteMinder Federation Manager Guide: Partnership Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationNovell Access Manager 3.1
Technical White Paper IDENTITY AND SECURITY www.novell.com Novell Access Manager 3.1 Access Control, Policy Management and Compliance Assurance Novell Access Manager 3.1 Table of Contents: 2..... Complete
More information