Federation solutions for inter- and intradomain security in next-generation mobile service platforms
Int. J. Electron. Commun. (AEÜ) 60 (2006)

Hans-Jörg Vögel a,*, Benjamin Weyl a, Stephan Eichler b

a BMW Group Research and Technology, Hanauerstr. 46, D München, Germany
b Institute of Communication Networks, Technische Universität München (TUM), Arcisstr. 21, D München, Germany

Dedicated to Professor Jörg Eberspächer on the occasion of his 60th birthday

Abstract

A federation approach for security in future distributed service delivery platforms for mobile users offers some key advantages over an integrated solution relying on a common choice of a standardized authentication technology. By agreeing on an exchange protocol for security assertions rather than on the detailed security mechanisms, Service Aggregators and Access Network Operators will be able to federate their customer offerings flexibly and jointly offer services. The consumer will find formerly separate offerings combined, and Service Operators will enjoy open interfaces towards the network's service delivery platform. Through the use of the Security Assertion Markup Language (SAML), standardized assertion statements can be made not only about the user's identity, but also about the attributes and authorizations associated with it. This allows a seamless personalized service experience offering single sign-on across separate operational domains. An example from automobile telematics is used to illustrate the concepts.

Elsevier GmbH. All rights reserved.

Keywords: Security; Assertion; Single sign-on; SAML; Open service provisioning; Telematics; Automotive

1. Introduction

In future networks, services will be offered across multiple access technologies, and network access will become even more of a commodity than it is today. The service provisioning platform capable of spanning heterogeneous access technologies, and even operators and their respective networks, will become a key component.
Moreover, entities holding individual customer relationships, i.e. aggregators and service providers, will want to bundle their services with network access contracts. They are striving for more integrated offerings with better functionality and greater business flexibility, such as integrated pricing and value-added services. This functionality can hardly be addressed by simple roaming contracts, and only partially by current mobile network- and client-side service platform technologies such as IN-based CAMEL and MExE [1]. As opposed to those rather monolithic approaches, future platforms will clearly discriminate and differentiate between access and transport infrastructure, provisioning infrastructure, and infrastructure related to pure service logic. Multiple administrative domains will emerge for the various parts of this fragmented platform (with roles such as Access Operator, Provisioning Operator, Service Operator and Service Aggregator). Therefore, secure service delivery and distributed authorization will become key challenges to be mastered. This is even more important since highly individual and personalized services will have to be securely delivered and authorized across the operational boundaries of those domains. Hence, not only intra- but most importantly inter-domain security will have to be dealt with. In our work, a flexible security architecture based on a federation approach is proposed.

* Corresponding author. E-mail addresses: hans-joerg.voegel@bmw.de (H.-J. Vögel), benjamin.weyl@bmw.de (B. Weyl), s.eichler@tum.de (S. Eichler).

The remainder of the paper is organized as follows: in Section 2, we discuss next-generation service architectures and analyze their needs for distributed authorization. Section 3 briefly elaborates on the Security Assertion Markup Language (SAML) and other technologies, and then presents a federation approach for future mobile service architectures.

2. Next-generation service architecture

2.1. Services for mobile users

Future service delivery platforms have to accommodate mobile users and their need for a personal set of individual services. These services comprise commodity services, such as voice and IP connectivity, supplementary services, and a growing number of value-added services. While the first two are typical mobile operator offerings already in second-generation networks [1], it is the last category that is increasingly offered by third parties in cooperation with, or even independently of, the mobile operator. Examples of the diverse nature of these value-added services are entertainment services such as music subscription services, or telematic services like navigation, assistance and general driver information services [2]. Frequently, these services are defined and operated as location-based services [3]. Mobility concepts beyond the third generation foresee them being delivered across heterogeneous access infrastructures [4,5]. This is a strong driving force behind new operator concepts, which clearly separate access from service provisioning, and that again from service infrastructure. Services will in future be delivered on open provisioning platforms, facilitating flexible and innovative business models [4].
In particular, the service aggregator will be a role with a strategic position, able to bundle services and offer them to end-users across multiple access network domains, both technological and operational. The aggregator is the end-user's prime contractual partner. Frequently, the aggregator will issue a digital identity, which, depending on the chosen security solution, will comprise credentials and/or certificates of some form.

2.2. Distributed authorization needs

Besides the service aggregator, many additional roles will drive, or be more clearly defined by, provisioning platform developments, such as service operators, content providers, service provisioning platform operators and access network operators. They will define complex business relationships with each other and towards consumers, but in our model it is the aggregator role that holds the central customer relationship and is ultimately liable for the service contract. Nevertheless, increasing separation and clearly defined interfaces between the operators' technical platforms facilitate the formation of administrative and legal domains. In particular, service aggregators and/or service operators may maintain direct contractual relationships with consumers. The need for their services to be delivered across, and independently of, multiple access network infrastructures requires an integrated approach towards certain functionalities and information models, such as the management of user identities, subscriptions, authorization and personalization information. However, instead of a technically integrated solution, a federation approach should be followed. This reduces the tight coupling between network and service and allows services to be bundled more flexibly into an offering. It provides an open technology solution to accommodate shifting patterns of business relationships and customer ownership.
Users need to be able to sign in to the system only once, even when accessing services across infrastructure operated in different administrative domains, e.g. when the service logic is not operated by the same entity as the network across which it is accessed. The end user should not need to authenticate, at least not manually, each time a service, or rather a service infrastructure, is accessed. The end user will, through the contract with the aggregator, be authorized to access services or variants thereof. These services will not be operated in one single location, but will rather be offered by several independent service providers, each operating their own service infrastructure. To securely access services, end users need to be identified, their identity verified, and their authorizations for using the service determined and reliably enforced. Conversely, for a service provider to sell its service through multiple aggregators requires secure access to the respective portion of the customer database, establishing a user's identity, identifying rights and roles, and authorizing service access. The service provider should be able to do this without having to create duplicate security infrastructures and deploy multiple solutions for each aggregator that his service is sold through. Correspondingly, the aggregator should be able to readily create business relationships with service providers and add services flexibly based on the chosen security solution. Further, it should be possible to flexibly bundle these offerings with a contract to use access network resources. This calls for a loose, yet secure, coupling of the business platforms, federating the respective organizational and operational domains. An open way to securely exchange authentication and authorization information and the corresponding attributes has to be defined.
2.3. An exemplary application domain: telematics

Securely delivering services into vehicles, and maintaining information security along the way, is certainly a challenge that has to be faced as more complex telematics services are being defined [6]. In particular, the aggregator role already is, and will be, exercised by multiple stakeholders such as vehicle manufacturers (OEMs), service operators focusing on telematics, and increasingly mobile operators. Some aggregators, in particular those offering services into vehicles of multiple OEMs, might not be free to choose identities and corresponding security mechanisms. As a service will be sold into many vehicles of different brands and models and through many aggregators, the service operator would have to interface with many different security solutions and authentication mechanisms. Clearly, the service provider/operator should not be required to implement all of them. Inside the vehicle we run the risk of cluttering the dashboard even more with a host of devices for presenting authentication credentials, such as a SIM card, a PIN entry pad, a smartcard reader, etc. Moreover, a Single Sign-On (SSO) concept across all services will dramatically facilitate service deployment and reduce the amount of user interaction needed for secure service access.

Fig. 1. Basic concept: inter-domain single sign-on.

3. Federation approach

3.1. Distributed authorization concept

Instead of business stakeholders (cf. the roles described in Section 2.2 above) having to agree on one single authentication technology, or each embarking on separate schemes, it is preferable to exchange information on their respective security decisions in a standardized format. Stakeholders trusting each other accept each other's statements on those decisions. They are said to have entered into a security federation, also known as a circle of trust, exchanging security assertions [6].
The strong value proposition of federations relies on the fact that an assertion consumer does not need to know how this information has been created. Based on his trust relationship with the producer, he can rely on an assertion being correct. And because of the standardized format, a consumer will always be able to read the assertion [7,8]. Fig. 1 illustrates the basic concept of distributed authorization. An end user is securely identified (authenticated) at his portal (the source site) after having presented his credentials. The asserting authority behind the portal issues an assertion with the basic attributes and authorizations of this end user. When the user accesses an application/service, this assertion is presented to a service center (the destination site) together with other session information, such as the user's identity. The service center evaluates the information contained in the assertion, and optionally verifies the assertion's validity with the source site. If the assertion is valid, the user is granted access to the service. Whether or not the source site is consulted, the service center has to establish locally that the assertion originates from a source it trusts and has not been altered, that it is addressed to this destination site, and that its validity period has not lapsed; otherwise an assertion obtained for one service could be replayed against another. This works in the same way regardless of whether the source and destination site are in the same administrative and operational domain or not, i.e. regardless of whether they are operated by the same or by different entities.

3.2. End-user perspective

Typically, for a user there will be only one source site, which is the aggregator's site. When a new user is introduced to the system, it is sufficient to register him with the aggregator serving as source site for the rest of the system, unless the service is to be personalized (see Section 3.4 below). Note that the user does not have to maintain a second set of credentials for the destination site, nor does he have to authenticate a second time when accessing the service, nor does the service center have to maintain its own credential store or a copy of the source site's credential store.
Hence, the user will be able to flexibly request new services to be added to his portfolio, or even subscribe to them in an increasingly easy self-provisioning approach. Security is effectively increased since his credentials are stored in one central place and he only requires one set, regardless of the number of service centers.
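As an added example, not code from the paper or from any of the projects it cites, the following Python sketch plays through the Fig. 1 exchange between a source site and a destination site. The source site issues one assertion carrying the three kinds of statement the SAML domain model distinguishes (an authentication statement, an attribute statement and authorization decision statements); the destination site performs the checks it has to make before relying on the assertion: issuer inside the circle of trust, integrity, validity window, audience, and replay. Assumptions: an HMAC over the serialized assertion under a key shared within the circle of trust stands in for the XML Signature a real SAML assertion carries, and all names, URLs, the user and the service are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Real SAML 2.0 namespaces; element names below follow the SAML 2.0 core schema.
NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"
TS = "%Y-%m-%dT%H:%M:%SZ"

def tag(name):
    return "{%s}%s" % (NS, name)

def parse_iso(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)

class SourceSite:
    """Aggregator portal (asserting party): authentication, attribute and authorization authority in one."""
    def __init__(self, issuer, key):
        self.issuer = issuer
        # Assumption: a key shared inside the circle of trust; an HMAC over the serialized
        # assertion stands in for the XML Signature that a real SAML assertion carries.
        self.key = key

    def issue(self, subject, audience, attributes, permits, now, lifetime=timedelta(minutes=5)):
        a = ET.Element(tag("Assertion"), {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": now.strftime(TS)})
        ET.SubElement(a, tag("Issuer")).text = self.issuer
        ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID")).text = subject
        cond = ET.SubElement(a, tag("Conditions"), {"NotBefore": now.strftime(TS), "NotOnOrAfter": (now + lifetime).strftime(TS)})
        ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = audience
        ET.SubElement(a, tag("AuthnStatement"), {"AuthnInstant": now.strftime(TS)})  # authentication statement
        attrs = ET.SubElement(a, tag("AttributeStatement"))  # attribute statement
        for name, value in attributes.items():
            ET.SubElement(ET.SubElement(attrs, tag("Attribute"), {"Name": name}), tag("AttributeValue")).text = value
        for resource, action in permits:  # one authorization decision statement per permitted resource
            st = ET.SubElement(a, tag("AuthzDecisionStatement"), {"Resource": resource, "Decision": "Permit"})
            ET.SubElement(st, tag("Action"), {"Namespace": ACTION_NS}).text = action
        body = ET.tostring(a, encoding="utf-8")
        return body, base64.b64encode(hmac.new(self.key, body, hashlib.sha256).digest()).decode("ascii")

class RejectedAssertion(Exception):
    """Any failed relying-party check: the service request is not served."""

class DestinationSite:
    """Service center (relying party): stores no credentials, only the issuers it trusts."""
    def __init__(self, entity_id, trusted_issuers, skew=timedelta(seconds=30)):
        self.entity_id = entity_id
        self.trusted = dict(trusted_issuers)  # issuer name -> verification key
        self.skew = skew  # tolerated clock difference between the two domains
        self.seen = set()  # IDs of assertions already consumed (replay protection)

    def consume(self, body, mac_b64, now):
        root = ET.fromstring(body)
        if root.tag != tag("Assertion") or root.get("Version") != "2.0":
            raise RejectedAssertion("not a SAML 2.0 assertion")
        key = self.trusted.get(root.findtext(tag("Issuer")))
        if key is None:
            raise RejectedAssertion("issuer is outside the circle of trust")
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), base64.b64decode(mac_b64)):
            raise RejectedAssertion("signature does not verify")
        cond = root.find(tag("Conditions"))  # only from here on is the content trusted
        if cond is None:
            raise RejectedAssertion("assertion carries no Conditions")
        if not (parse_iso(cond.get("NotBefore")) - self.skew <= now < parse_iso(cond.get("NotOnOrAfter")) + self.skew):
            raise RejectedAssertion("outside validity window")
        if self.entity_id not in [e.text for e in cond.iter(tag("Audience"))]:
            raise RejectedAssertion("issued for another service")
        if root.get("ID") in self.seen:
            raise RejectedAssertion("replayed assertion")
        self.seen.add(root.get("ID"))
        return {"issuer": root.findtext(tag("Issuer")),
                "subject": root.findtext(tag("Subject") + "/" + tag("NameID")),
                "attributes": {x.get("Name"): x.findtext(tag("AttributeValue")) for x in root.iter(tag("Attribute"))},
                "permits": {(s.get("Resource"), s.findtext(tag("Action")))
                            for s in root.iter(tag("AuthzDecisionStatement")) if s.get("Decision") == "Permit"}}

def rejected(fn):
    try:
        fn()
        return False
    except RejectedAssertion:
        return True

def demo():
    """Fig. 1 flow with constructed names, then the assertions the service center must refuse."""
    now = datetime(2006, 1, 1, 12, 0, tzinfo=timezone.utc)
    key, nav = b"constructed-federation-key", "https://navigation.service.example"
    portal = SourceSite("https://portal.aggregator.example", key)
    center = DestinationSite(nav, {portal.issuer: key})
    body, mac = portal.issue("user-4711", nav, {"contract": "premium"}, [("urn:service:navigation", "Execute")], now)
    r = {"valid": center.consume(body, mac, now)}
    r["replay"] = rejected(lambda: center.consume(body, mac, now))
    r["tampered"] = rejected(lambda: center.consume(body.replace(b"premium", b"platinum"), mac, now))
    r["expired"] = rejected(lambda: center.consume(*portal.issue("user-4711", nav, {}, [], now), now + timedelta(minutes=10)))
    r["wrong_audience"] = rejected(lambda: center.consume(*portal.issue("user-4711", "https://music.service.example", {}, [], now), now))
    r["unknown_issuer"] = rejected(lambda: center.consume(*SourceSite("https://rogue.example", key).issue("user-4711", nav, {}, [], now), now))
    return r
```

The order of checks in `consume` is deliberate: the issuer is looked up and the integrity of the raw bytes verified before any other content is acted upon, the audience restriction stops an assertion meant for one service center from being accepted at another, and the consumed-ID set bounds replay to the validity window (in a deployment that set would be shared across the service center's nodes and pruned by NotOnOrAfter). The service center never sees a credential, which is exactly the point made in the text.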
3.3. Technologies enabling federations

Various standards and frameworks have been specified and designed for enabling federated identity management. The solutions establish so-called circles of trust, i.e. the efficient and secure linking and exchange of identity- and profile-related information across heterogeneous domains. Entities taking the role of a relying party are able to access profile information required for authentication and authorization from an asserting party, which usually also takes the role of a so-called identity provider. The most important developments are SAML, Liberty Alliance, Shibboleth and WS-Federation. Basically, the Security Assertion Markup Language (SAML) has been defined for the exchange of authentication, attribute and authorization information across domains. The main use case of SAML 1.0/1.1 [7] is the setup of an SSO environment. Recently, SAML 2.0 [8] has been officially released. It consolidates SAML and the specifications of the Liberty Alliance Project. The Liberty Alliance Project aims at designing a comprehensive federated identity management framework. Use cases for distributed, federated identity and profile management solutions supporting SSO and Single Log-out (SLO) are specified, with the respective specifications leveraging the SAML standard at least partially [9]. Another solution is being developed by the Shibboleth Project. It also bases its framework on SAML and focuses on extensions for enabling privacy by anonymizing the security context and providing only the minimum set of attributes required for authorization. This attribute provisioning is controlled and enforced with predefined privacy policies, which can be managed by the user [10]. WS-Federation, the competitor to Liberty Alliance, specifies how a federated identity environment is established [11]. The specified use cases embody trust establishment across domains, SSO, SLO and attribute management.
Besides these specifications, a web services security framework including several other specifications has been defined [12]. So far, only WS-Security has reached official specification status. A great challenge is the interoperability of all these specifications and solutions. It remains to be seen whether solutions will converge or several competing federated identity approaches will persist. In any case, the reliance of Liberty Alliance on SAML, plus SAML being the baseline technology in the Shibboleth Project, places the technology in a key position. SAML has been created as an open framework to communicate security information. This security information is compiled as assertions about subjects, those subjects frequently being natural persons. These assertions are used, among other things, for federated identity management, distributed authorization in general and web services in particular, and for multi-vendor portals.

Fig. 2. SAML domain model [7].

Assertions are XML documents and contain information about a subject's attributes, the authentication performed on the subject, and its authorizations. Using assertions, security information can be conveyed in a standardized way without requiring common authentication schemes to be agreed upon. Assertions are issued by SAML authorities, i.e. authentication, attribute and authorization authorities. Besides the format of an assertion, SAML defines a protocol for clients to request assertions from an authority [7]. A data/entity relationship model for SAML is provided in Fig. 2, not taking into account any actual data flow when performing SAML request/response transactions [7]. A system entity, i.e. a subject that wants to securely access an application, will first have to provide credentials in order to be authenticated. This is done by an authentication authority, which issues an authentication assertion.
The attribute and authorization authorities will then provide the respective assertions with additional information on the subject and its authorization status with respect to the applications that the system entity wishes to access. When the subject performs its application request, the entity processing this request (or rather, the respective policy enforcement point) can then use the SAML assertion to verify the subject's identity, obtain relevant information that was securely disclosed in the attribute assertion, and securely authorize the application request based on the authorization assertion.

3.4. Federated service architecture

The basic authorization architecture has already been presented in Section 3.1 above (Fig. 1). This section discusses further details of federated service architectures and how SAML is applied. When the service provided by the destination site can be personalized, the service provider will maintain its own store of user information and additional criteria for authorization, such as roles and rights (Fig. 3). This will have to be synchronized (i.e. federated) with the source site's store, such that they have agreed on a federated user identification scheme linking the two stores in an unequivocal way. The Liberty Alliance approach may be used here [9]. Authorization may be distributed such that both the source and the destination site have control over their authorization decisions and how to enforce them. This might be coordinated in such a way that, e.g., the source site performs aggregator functions and provides basic contractual authorizations, whereas the service provider maintains service-specific personalization information on the user and the corresponding, more fine-grained, service-specific authorizations.

Fig. 3. Personalized services.

The aggregator will be free in his choice of authentication mechanism and the credentials issued to his end users. He will maintain one single repository of credentials and the central store of user-related, frequently private, information such as address, account information, etc. Through the standardized format and protocol of SAML, the aggregator will be able to act as source site (asserting party) in a distributed authorization environment. He will be able to federate with any number of service providers and link to their service center infrastructure. This federation will happen in the same standardized and open way, maintaining the integrity of the end-user's private information while providing a secure environment to communicate identity and authorization information, among others (Fig. 4).

Fig. 4. Aggregator perspective.

In return, the service provider will be able to sell his service through any aggregator to the respective end users. The great advantage for the service provider here is that the interface and mechanisms for identifying end users and authorizing their service requests will always be the same, regardless of the aggregator. Moreover, the service provider may remain totally agnostic of the actual authentication technology used and the infrastructure in place to create an assertion.
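An added example, not from the paper or from the Liberty Alliance specifications, of the distributed authorization just described: the source site asserts only a federated identifier and the user's contractual entitlements, while the service provider links that identifier to its own profile and adds its role-based, service-specific decisions. The pseudonym derivation (an HMAC of user and service identifier under a secret the aggregator keeps) is an assumption standing in for the opaque identifiers a Liberty-style federation would exchange; its purpose is that the same user is known to every service provider under a different, stable name, so the aggregator's private data never leaves its store and two providers cannot correlate their records. All names and policies are constructed.

```python
import hashlib
import hmac
from collections import namedtuple

Decision = namedtuple("Decision", "permit reason")

class Aggregator:
    """Source site: the only place where real identities, credentials and contracts live."""
    def __init__(self, name, pairwise_secret):
        self.name = name
        self.secret = pairwise_secret  # assumption: never leaves the aggregator
        self.contracts = {}  # real user id -> set of contracted entitlements

    def federated_id(self, user_id, service_id):
        """Service-specific pseudonym: stable for one (user, service) pair, while two service
        providers cannot tell that their two pseudonyms belong to the same person."""
        msg = ("%s\x00%s" % (user_id, service_id)).encode("utf-8")
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def assert_for(self, user_id, service_id):
        """Content of the assertion sent to service_id: pseudonym plus contractual entitlements,
        nothing from the private profile (transport and signature are as in Section 3.1)."""
        return {"issuer": self.name, "subject": self.federated_id(user_id, service_id),
                "entitlements": frozenset(self.contracts.get(user_id, ()))}

class ServiceProvider:
    """Destination site: holds only service-specific personalization, keyed by the pseudonym."""
    def __init__(self, service_id, federated_issuers, policy):
        self.service_id = service_id
        self.issuers = set(federated_issuers)
        self.policy = policy  # operation -> (entitlement the aggregator must assert, local role or None)
        self.profiles = {}  # (issuer, pseudonym) -> local profile, e.g. {"roles": {...}, "language": ...}

    def link(self, assertion, profile):
        """Account linking on first use: bind the federated identifier to a local profile."""
        if assertion["issuer"] not in self.issuers:
            raise ValueError("refusing to link an identity asserted by a non-federated issuer")
        self.profiles[(assertion["issuer"], assertion["subject"])] = profile

    def authorize(self, assertion, operation):
        if assertion["issuer"] not in self.issuers:
            return Decision(False, "issuer is not federated with this service")
        rule = self.policy.get(operation)
        if rule is None:
            return Decision(False, "no policy for %r (default deny)" % operation)
        entitlement, local_role = rule
        if entitlement not in assertion["entitlements"]:  # the aggregator's contractual decision
            return Decision(False, "contract does not cover %r" % entitlement)
        if local_role is not None:  # the service provider's own fine-grained decision
            profile = self.profiles.get((assertion["issuer"], assertion["subject"]))
            if profile is None:
                return Decision(False, "identity not yet linked to a local profile")
            if local_role not in profile.get("roles", ()):
                return Decision(False, "local role %r required" % local_role)
        return Decision(True, "permitted")

def demo():
    """Constructed scenario: one aggregator, two service providers, one user with a navigation contract."""
    agg = Aggregator("aggregator.example", b"constructed-pairwise-secret")
    agg.contracts["alice@aggregator.example"] = {"navigation"}
    nav = ServiceProvider("navigation.example", ["aggregator.example"],
                          {"route": ("navigation", None), "traffic-premium": ("navigation", "premium"),
                           "fleet-export": ("fleet", None)})
    music = ServiceProvider("music.example", ["aggregator.example"], {"play": ("music", None)})
    to_nav = agg.assert_for("alice@aggregator.example", nav.service_id)
    to_music = agg.assert_for("alice@aggregator.example", music.service_id)
    r = {"unlinkable": to_nav["subject"] != to_music["subject"],
         "stable": to_nav["subject"] == agg.assert_for("alice@aggregator.example", nav.service_id)["subject"],
         "route": nav.authorize(to_nav, "route"),
         "premium_before_link": nav.authorize(to_nav, "traffic-premium"),
         "fleet": nav.authorize(to_nav, "fleet-export"),
         "music": music.authorize(to_music, "play"),
         "forged_issuer": nav.authorize(dict(to_nav, issuer="rogue.example"), "route")}
    nav.link(to_nav, {"roles": {"premium"}, "language": "de"})  # personalization lives at the service provider
    r["premium_after_link"] = nav.authorize(to_nav, "traffic-premium")
    return r
```

Both sites keep control of their own decision: the service provider cannot grant what the contract does not cover, and the aggregator cannot grant a service-specific role it knows nothing about. Unknown operations are denied by default, and a profile is only ever linked to an identifier asserted by an issuer the provider has federated with.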
After establishing a trust relationship with the aggregator, the service provider can base his own policy enforcement decisions on the aggregator's assertion and rely on the authentication decision described therein. Perhaps most important of all, the service provider neither has to maintain his own credential store, much less a copy of each aggregator's credential store, nor does he have to issue his own credentials to end users. This considerably reduces the infrastructure requirements for service providers.

3.5. Provisioning platform requirements

So far, we have directed our view more towards the upper service layers. Now we will look more closely at the underlying networks, the corresponding service provisioning platforms and how they leverage a federation approach. A service operator (content and value-added service operator) can define its own policies and policy enforcement points, separating its operational domain from other operators. If the service operator does not possess its own security functionality, or only parts of it, it can have agreements with one or more service provisioning platform operators (which in turn may be closely linked to the aggregator), building up security federations. Some service operators could maintain their own access network to offer their services. These access networks instantiate additional policy enforcement points that can be supported by the service operator's own policy decision points, or will have to federate with a service provisioning platform operator [4]. Next-generation service provisioning platforms accommodating the above-mentioned mechanisms will be offering a number of new services and will have to support, e.g.:

- Identity services: providing end-user identities in an open format based on the underlying network authentication will allow service infrastructure to be flexibly set up relying on an operational security infrastructure.
- Privacy services: by being able to make authentication and attribute assertion statements, the platform operator will be able to effectively hide the real end-user identity and hand out assertions with virtual, even service-specific, identities.
- Multiple identities belonging to one user.
- Multiple authentication mechanisms.
- Single sign-on for multiple services and administrative domains.
- Multiple sessions of users using multiple devices.
- Distributed authorization, i.e. policies located at different administrative domains.
- Contracts between participating entities and federations.

This will on the one hand redefine the roles in network operation, and on the other hand lead to a higher degree of flexibility when packaging services into an end-user offering [4,13].

4. Conclusion

Future mobile service architectures will clearly separate technical platforms and operational roles. Service providers will define individual services of content and logic, packaged into an overall offering by a service aggregator. In turn they will rely on the services of a provisioning platform to roll out services on a number of access networks, operated by yet another business entity. This will put the necessary technical interfaces in place to allow flexible decisions on the openness of the actual business policy applied.
This goal is particularly well supported by the proposed federation approach. It loosely couples infrastructure security instead of relying on a monolithic, technically integrated, one-size-fits-all solution. This has great advantages in particular for inter-domain situations, when different parts of the platforms involved in serving an actual end-user application request are operated by different entities. SAML is a key enabling technology to implement those federations, standardized and supported by industry for federated identity management systems. Future telecom operators will have new revenue streams from offering identity management and privacy services in this distributed infrastructure. All in all, they can play the role of a central trusted party for both end-users and service providers. Aggregators and service providers already holding a customer relationship will be able to federate these contracts with network access services, to have a more integrated offering, both technically and commercially.

Acknowledgement

This work was partially funded by the European Commission in the projects GST and DAIDALOS of its 6th Framework Programme.

References

[1] Bettstetter C, Eberspächer J, Vögel HJ. GSM switching, services and protocols. Chichester: Wiley.
[2] Vögel HJ. Aspects of personalization and security in an open telematics services market. Proceedings of the 10th World Congress on Intelligent Transportation Systems and Services (ITS), November.
[3] Kühn PJ. Location-based services in mobile communication infrastructure. Int J Electron Commun (AEÜ) 2004;58.
[4] Weyl B, Brandão P, Gómez Skarmeta AF, Marin Lopez R, Mishra P, Hauser C, Ziemek H. Protecting privacy of identities in federated operator environments. Proceedings of the IST Mobile Summit, June.
[5] Kellerer W, Bettstetter C, Schwingenschlögl C, Sties P, Steinberg K-E, Vögel H-J. (Auto)mobile communication in a heterogeneous and converged world. IEEE Personal Commun Mag 2001;8:41-7.
[6] Eichler S, Billion J, Maier R, Vögel HJ, Kroh R, Lonc B. On providing security for an open telematics platform. Proceedings of the ITS Congress, June.
[7] Maler E, Mishra P, Philpott R (Eds). Assertions and protocol for the OASIS Security Assertion Markup Language (SAML). Standard v1.1. OASIS, September.
[8] Cantor S, Kemp J, Philpott R, Maler E (Eds). Assertions and protocols for the OASIS Security Assertion Markup Language (SAML). Standard v2.0. OASIS, March.
[9] Liberty Alliance Project webpage. org,
[10] Internet2 Shibboleth Project webpage. internet2.edu,
[11] Kaler C, Nadalin A (Eds). Web Services Federation Language (WS-Federation). asp?url = /library/en-us/dnglob%spec/html/ws-federation.asp, July.
[12] Della-Libera G, Dixon B, Farrell J, et al. Security in a web-services world: a proposed architecture and roadmap. White Paper Version 1.0. IBM Corporation and Microsoft Corporation, April.
[13] Aguiar R, Bijwaard D, Jähnert J, Christ P, Einsiedler H. Designing networks for the delivery of advanced flexible personal services: the Daidalos approach. Proceedings of the IST Mobile Summit, June 2004.
Hans-Jörg Vögel received his Dipl.-Ing. and his Dr.-Ing. degree in Electrical Engineering and Information Technology from the Technische Universität München (TUM) in 1993 and 2000, respectively. At BMW Group Research, he is responsible for a research programme in the area of advanced telematics concepts, focusing on in-vehicle and backend IT architectures, secure remote management, service delivery platforms and broadcast services. Dr. Vögel is currently representing BMW in the EC FP6 IST projects DAIDALOS and GST, as well as in some initiatives with the European Space Agency (ESA) and the newly founded Car-to-Car Communications Consortium standardization initiative. He is a member of the VDE and serves as a reviewer for IEEE Communications Magazine.

Stephan Eichler studied Electrical Engineering at the Braunschweig University of Technology and at TUM. He received his Dipl.-Ing. degree in Electrical Engineering from TUM in 2003, focusing on networking and security. Since 2003 he has been working as a Ph.D. candidate at the Institute of Communication Networks at TUM. He is active in the EC FP6 IST project GST.

Benjamin Weyl graduated in Electrical Engineering and Information Technology at TUM. Since 2003 he has been engaged in research at BMW Group Research and is pursuing a Ph.D. with the Research Group IT-Security at the Darmstadt University of Technology. He is active in the EC FP6 IST project DAIDALOS.
More informationGreg Giles, Cisco Systems. Is compression a valid candidate for a standard?
1 WebServices Framework & Assertion exchange using SAML 2 3 4 5 Submitted By : Abstract: Krishna Sankar, Cisco Systems Greg Giles, Cisco Systems 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
More informationThe Top 5 Federated Single Sign-On Scenarios
The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3
More informationINTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN
INTEGRATION GUIDE IDENTIKEY Federation Server for Juniper SSL-VPN Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO
More informationExtending DigiD to the Private Sector (DigiD-2)
TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.
More informationBiometric Single Sign-on using SAML
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan CISSP Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand the importance of Single Sign-On
More informationSAML:The Cross-Domain SSO Use Case
SAML:The Cross-Domain SSO Use Case Chris Ceppi Oblix Corporate Engineer Ed Kaminski OBLIX Federal Business Manager 410-349-1828 ekaminski@oblix.com Mike Blackin Principal Systems Engineer Oblix, Inc. 202-588-7397
More informationOIO SAML Profile for Identity Tokens
> OIO SAML Profile for Identity Tokens Version 1.0 IT- & Telestyrelsen October 2009 Content > Document History 3 Introduction 4 Related profiles 4 Profile Requirements 6 Requirements 6
More informationIdentity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September 2010. http://persons.unik.no/josang/
Identity Management Audun Jøsang University of Oslo NIS 2010 Summer School September 2010 http://persons.unik.no/josang/ Outline Identity and identity management concepts Identity management models User-centric
More informationAND SUN OPENSSO MICROSOFT GENEVA SERVER ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. White Paper May 2009.
MICROSOFT GENEVA SERVER AND SUN OPENSSO ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS White Paper May 2009 Abstract Interoperability between applications in heterogeneous technology
More informationBiometric Single Sign-on using SAML Architecture & Design Strategies
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand
More informationThe Role of Federation in Identity Management
The Role of Federation in Identity Management August 19, 2008 Andrew Latham Solutions Architect Identity Management 1 The Role of Federation in Identity Management Agenda Federation Backgrounder Federation
More informationFlexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationIntroducing Federated Identities to One-Stop-Shop e-government Environments: The Greek Case
echallenges e-2009 Conference Proceedings Paul Cunningham and Miriam Cunningham (Eds) IIMC International Information Management Corporation, 2009 ISBN: 978-1-905824-13-7 Introducing Federated Identities
More informationWhite Paper The Identity & Access Management (R)evolution
White Paper The Identity & Access Management (R)evolution Federation and Attribute Based Access Control Page 2 A New Perspective on Identity & Access Management Executive Summary Identity & Access Management
More information2 Transport-level and Message-level Security
Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective The Globus Security Team 1 Version 4 updated September 12, 2005 Abstract This document provides an overview of the Grid Security
More informationInternet Single Sign-On Systems
Internet Single Sign-On Systems Radovan SEMANČÍK nlight, s.r.o. Súľovská 34, 812 05 Bratislava, Slovak Republic semancik@nlight.sk Abstract. This document describes the requirements and general principles
More informationSAP NetWeaver. SAP NetWeaver
SAP NetWeaver SAP NetWeaver POWERED BY SAP NetWeaver The SAP NetWeaver technology platform is a comprehensive integration and application platform that helps reduce your total cost of ownership (TCO).
More informationEnabling SAML for Dynamic Identity Federation Management
Enabling SAML for Dynamic Identity Federation Management Patricia Arias Cabarcos 1, Florina Almenárez Mendoza 1, Andrés Marín López 1, Daniel Díaz Sanchez 1, P. Arias 1 et al. University Carlos III of
More informationWhite Paper Delivering Web Services Security: The Entrust Secure Transaction Platform
White Paper Delivering Web Services Security: September 2003 Copyright 2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.
More informationOPENIAM ACCESS MANAGER. Web Access Management made Easy
OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access
More informationWebLogic Server 7.0 Single Sign-On: An Overview
WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of
More informationDIGIPASS as a Service. Google Apps Integration
DIGIPASS as a Service Google Apps Integration April 2011 Table of Contents 1. Introduction 1.1. Audience and Purpose of this Document 1.2. Available Guides 1.3. What is DIGIPASS as a Service? 1.4. About
More informationSeminar: Security Metrics in Cloud Computing (20-00-0577-se)
Technische Universität Darmstadt Dependable, Embedded Systems and Software Group (DEEDS) Hochschulstr. 10 64289 Darmstadt Seminar: Security Metrics in Cloud Computing (20-00-0577-se) Topics Descriptions
More informationService management White paper. Manage access control effectively across the enterprise with IBM solutions.
Service management White paper Manage access control effectively across the enterprise with IBM solutions. July 2008 2 Contents 2 Overview 2 Understand today s requirements for developing effective access
More informationOn A-Select and Federated Identity Management Systems
On A-Select and Federated Identity Management Systems Joost Reede August 4, 2007 Master s Thesis Information Systems Chair Computer Science Department University of Twente ii This thesis is supervised
More informationInternet Single Sign-On Systems
Research Report Author: Radovan Semančík Date: May 2005 Version: 1.0 Abstract: This document describes the requirements and general principles of Internet Single Sign-On systems. The general model of Internet
More informationNetwork-based Access Control
Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although
More informationManisha R. Patil. Keywords Cloud service provider, Identity Provider, Enhanced Client Profile, Identity Management, Privacy, Trust Manager.
Volume 4, Issue 7, July 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Privacy and Dynamic
More informationAn integrated management platform for the support of advanced Charging, Accounting & Billing schemes in Reconfigurable Mobile Networks
An integrated management platform for the support of advanced Charging, Accounting & Billing schemes in Reconfigurable Mobile s Maria Koutsopoulou, Spyridon Panagiotakis, Athanassia Alonistioti, Alexandros
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationsolution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?
solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? provides identity and access management capabilities as a hosted cloud service. This allows you to quickly
More informationPrivacy and Identity Management in a Layered Pervasive Service Platform
Privacy and Identity Management in a Layered Pervasive Service Platform Marc BARISCH, Martin NEUBAUER, Joao PAGAIME 2, Joao GIRAO 2, Rui L. AGUIAR 3 University of Stuttgart, Institute of Communication
More informationSOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901.
Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901 SOA, case Google Written by: Sampo Syrjäläinen, 0337918 Jukka Hilvonen, 0337840 1 Contents 1.
More informationService assurance for communications service providers White paper. Improve service quality and enhance the customer experience.
Service assurance for communications service providers White paper Improve service quality and enhance the customer experience. December 2007 2 Contents 2 Overview 2 Move to a competitive business model
More informationA Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems
Volume 1, Number 2, December 2014 JOURNAL OF COMPUTER SCIENCE AND SOFTWARE APPLICATION A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems Satish Kumar*,
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More informationDynamism and Data Management in Distributed, Collaborative Working Environments
Dynamism and Data Management in Distributed, Collaborative Working Environments Alexander Kipp 1, Lutz Schubert 1, Matthias Assel 1 and Terrence Fernando 2, 1 High Performance Computing Center Stuttgart,
More informationIdentity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH
Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving
More informationSAML 101. Executive Overview WHITE PAPER
SAML 101 Executive Overview Today s enterprise employees use an ever-increasing number of applications, both enterprise hosted and in the Cloud, to do their jobs. What s more, they are accessing those
More informationSWIFT Identity Management Model
ENHANCING THE SECURITY FRAMEWORK SECURECLOUD WITH THE SWIFT IDENTITY MANAGEMENT FRAMEWORK Abdulrahman H. Altalhi 1, Zailani Mohamed Sidek 2, Norjihan Abdul Ghani 3, Fazidah Othman 4 and Maged Abdelkhaleq
More informationTrust areas: a security paradigm for the Future Internet
Trust areas: a security paradigm for the Future Internet Carsten Rudolph Fraunhofer Institute for Secure Information Technology SIT Rheinstrasse 75, Darmstadt, Germany Carsten.Rudolph@sit.fraunhofer.de
More informationB2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value
B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value IDM, 12 th November 2014 Colin Miles Chief Technology Officer, Pirean Copyright 2014 Pirean Limited. All rights reserved. Safe Harbor All
More informationGovernment's Adoption of SOA and SOA Examples
Government's Adoption of SOA and SOA Examples Presented by : Ajay Budhraja, Chief of Enterprise Services ME (Engg), MS (Management), PMP, CICM, CSM, ECM (Master) AIIM, ITIL-F Copyright 2008 Ajay Budhraja
More informationHP Software as a Service. Federated SSO Guide
HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying
More informationM2M. Machine-to-Machine Intelligence Corporation. M2M Intelligence. Architecture Overview
M2M Machine-to-Machine Intelligence Corporation M2M Intelligence Architecture Overview M2M Intelligence - Essential platform for the M2M and IoT Economy Architecture Overview Revised styles and edits 6/3/2016
More informationThe Emerging Infrastructure for Identity and Access Management
The Emerging Infrastructure for Identity and Access Management Copyright 2001 The Burton Group. All rights reserved. Open Group In3 Conference January 23, 2002 Jamie Lewis, CEO and Research Chair, jlewis@burtongroup.com
More informationSecurity solutions Executive brief. Understand the varieties and business value of single sign-on.
Security solutions Executive brief Understand the varieties and business value of single sign-on. August 2005 2 Contents 2 Executive overview 2 SSO delivers multiple business benefits 3 IBM helps companies
More informationA secure and auditable Federated Identity and Access Management Infrastructure. Serge Bertini Director, Security Canada
A secure and auditable Federated Identity and Access Management Infrastructure Serge Bertini Director, Security Canada The Role of the Identity While Perimeters dissolve Applications become more distributed
More informationSecure Document Circulation Using Web Services Technologies
Secure Document Circulation Using Web Services Technologies Shane Bracher Bond University, Gold Coast QLD 4229, Australia Siemens AG (Corporate Technology), Otto-Hahn-Ring 6, 81739 Munich, Germany sbracher@student.bond.edu.au
More informationService-Oriented Architecture and Software Engineering
-Oriented Architecture and Software Engineering T-86.5165 Seminar on Enterprise Information Systems (2008) 1.4.2008 Characteristics of SOA The software resources in a SOA are represented as services based
More informationThe OMA Perspective On SOA in Telecoms
The OMA Perspective On SOA in Telecoms Adopting SOA for Telecom Workshop, Open Standards Forum 2008 Ditton Manor, 30 September 3 October 2008 Musa Unmehopa» Chairman OMA Architecture Working Group» Distinguished
More informationSAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog
SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog IIWb, Mountain View, CA, 4 December 2006 1 When you distribute identity tasks and information in the
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationOVERVIEW. DIGIPASS Authentication for Office 365
OVERVIEW DIGIPASS for Office 365 Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility
More informationIdentity Management and Operator Perspectives
Identity Management and Operator Perspectives Aude Pichelin France Telecom Head of multimedia services standardisation Aude.pichelin@orange-ftgroup.com Aude Pichelin- France Telecom 1 Identity Management
More informationCA Federation Manager
PRODUCT BRIEF: CA FEDERATION MANAGER CA FEDERATION MANAGER PROVIDES STANDARDS-BASED IDENTITY FEDERATION CAPABILITIES THAT ENABLE THE USERS OF ONE ORGANIZATION TO EASILY AND SECURELY ACCESS THE DATA AND
More informationEnabling SAML for Dynamic Identity Federation Management
Enabling SAML for Dynamic Identity Federation Management Patricia Arias, Florina Almenárez, Andrés Marín and Daniel Díaz-Sánchez University Carlos III of Madrid http://pervasive.gast.it.uc3m.es/ WMNC 2009
More informationGENIVI FAQ. What is the GENIVI Alliance?
GENIVI FAQ What is the GENIVI Alliance? GENIVI Alliance is a non-profit consortium of over 180 automotive industry companies promoting the collaboration and deployment of open source software in the automotive
More informationIDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER
2007 IDDY AWARD WINNER Case Study: Rearden Commerce Delivers SaaS Via Federation Thanks to federation, Rearden Commerce makes it easier than ever for corporate employees to book and manage travel arrangements.
More informationTECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management
TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 The Need for
More informationMasdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae
Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation
More informationAn Integrated Service Management Approach Using OSGi Technology and ACAP
An Integrated Management Approach Using OSGi Technology and ACAP M. Cochinwala, S. Moyer, H. Shim, Telcordia Technologies One Telcordia Way Piscataway, NJ 08854 {munir, stanm, hyongsop}@research.telcordia.com
More informationInteroperable, Federated Identity Management Frameworks Across Enterprise Architectures. We can do this.
Interoperable, Federated Identity Management Frameworks Across Enterprise Architectures. We can do this. Scott McGrath COO Organization for the Advancement of Structured Information Standards A diverse
More informationPROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN
PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN CONNECTING TO THE CLOUD DAVID CHAPPELL DECEMBER 2009 SPONSORED BY AMAZON AND MICROSOFT CORPORATION CONTENTS The Challenge:
More informationCloud-based Identity and Access Control for Diagnostic Imaging Systems
Cloud-based Identity and Access Control for Diagnostic Imaging Systems Weina Ma and Kamran Sartipi Department of Electrical, Computer and Software Engineering University of Ontario Institute of Technology
More informationIT@Intel. Improving Security and Productivity through Federation and Single Sign-on
White Paper Intel Information Technology Computer Manufacturing Security Improving Security and Productivity through Federation and Single Sign-on Intel IT has developed a strategy and process for providing
More informationFederation Proxy for Cross Domain Identity Federation
Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com
More informationHP Cloud Services Enablement portfolio for communications service providers: Compute Services. Solution brief
SCALEnow. HP Cloud Services Enablement portfolio for communications service providers: Compute Services Solution brief HP Cloud Services Enablement (HP CSE) for infrastructure as a service (IaaS) enables
More informationExecutive Overview of the Security Assertions Markup Language (SAML) v2.0
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 Executive Overview of the Security Assertions Markup Language (SAML) v2.0 Working Draft 01, 1830 June 2004 Document identifier: sstc-saml-exec-overview-2.0-draft-010
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: University of Lethbridge 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources
More informationEnterprise Digital Identity Architecture Roadmap
Enterprise Digital Identity Architecture Roadmap Technical White Paper Author: Radovan Semančík Date: April 2005 (updated September 2005) Version: 1.2 Abstract: This document describes the available digital
More informationThe Benefits of an Industry Standard Platform for Enterprise Sign-On
white paper The Benefits of an Industry Standard Platform for Enterprise Sign-On The need for scalable solutions to the growing concerns about enterprise security and regulatory compliance can be addressed
More informationIndependent Insight for Service Oriented Practice. An SOA Roadmap. John C. Butler Chief Architect. A CBDI Partner Company. www.cbdiforum.
Independent Insight for Oriented Practice An SOA Roadmap John C. Butler Chief Architect A CBDI Partner Company www.cbdiforum.com Agenda! SOA Vision and Opportunity! SOA Roadmap Concepts and Maturity Levels!
More informationStandards for Identity & Authentication. Catherine J. Tilton 17 September 2014
Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent
More informationGetting Started with Single Sign-On
Getting Started with Single Sign-On I. Introduction Your institution is considering or has already purchased Collaboratory from Treetop Commons, LLC. One benefit provided to member institutions is Single
More informationContinuing the MDM journey
IBM Software White paper Information Management Continuing the MDM journey Extending from a virtual style to a physical style for master data management 2 Continuing the MDM journey Organizations implement
More informationResearch and Implementation of Single Sign-On Mechanism for ASP Pattern *
Research and Implementation of Single Sign-On Mechanism for ASP Pattern * Bo Li, Sheng Ge, Tian-yu Wo, and Dian-fu Ma Computer Institute, BeiHang University, PO Box 9-32 Beijing 100083 Abstract Software
More informationService Virtualization: Managing Change in a Service-Oriented Architecture
Service Virtualization: Managing Change in a Service-Oriented Architecture Abstract Load balancers, name servers (for example, Domain Name System [DNS]), and stock brokerage services are examples of virtual
More informationCryptoNET: Security Management Protocols
CryptoNET: Security Management Protocols ABDUL GHAFOOR ABBASI, SEAD MUFTIC CoS, School of Information and Communication Technology Royal Institute of Technology Borgarfjordsgatan 15, SE-164 40, Kista,
More informationTrend of Federated Identity Management for Web Services
30 Trend of Federated Identity Management for Web Services Chulung Kim, Sangyong Han Abstract While Web service providers offer different approaches to implementing security, users of Web services demand
More information