87 results on '"Federated identity"'
Search Results
2. Why Are There So Many Digital Identities?
- Author: Mitchell Landrigan, Stephen Wilson, and Hamish Fraser
- Subjects: digital identity, personal identity, federated identity, profiling, Law in general. Comparative and uniform law. Jurisprudence (K1-7720)
- Abstract: This article analyses why people have so many digital identities and offers suggestions to reduce the numbers to more reasonable levels. Digital identity thinking has been dominated by the objective of general-purpose reusable identity as a response to the unwieldy profusion of identifiers that came with expanding ecommerce. The notion of reusable digital identity is somewhat intuitive, energised by the mental model of humans exercising a virtual self in cyberspace. Many user interfaces are constructed to exhibit an intentional stance suggestive of humans having a digital counterpart, making our digital actions more lifelike and comprehensible. In some nations, there is a precedent for national identity, which makes general-purpose digital identity culturally more logical, even appealing. In common law countries, however, the market for reusable digital identity is still not mature. To date, there is no solid business case for general-purpose reusable identity, largely because it proves costlier than expected to re-engineer transactional identifiers to align (or federate) with an intuitive singular digital identity. Thus, individuals must manage many siloed, special-purpose identifiers, account names, passwords, and piecemeal authenticators. If transactional identifiers go hand in hand with transaction systems, then there will likely remain a need for about as many identifiers as there are transactional services. Recent technology developments, especially in cryptographic verifiable credentials and mobile digital wallets, may provide ways to automate the management of multiple identifiers and achieve the desired usability anticipated from singular identity without disrupting the forces that have led to transaction-specific identification.
- Published: 2024
3. Why Are There So Many Digital Identities?
- Author: Landrigan, Mitchell, Wilson, Stephen, and Fraser, Hamish
- Subjects: DIGITAL certificates, ELECTRONIC commerce, COMPUTER passwords, SOCIAL media, CYBERSPACE
- Abstract: This article analyses why people have so many digital identities and offers suggestions to reduce the numbers to more reasonable levels. Paradigmatic digital identity thinking has been dominated by the objective of general-purpose reusable identity as a response to the unwieldy profusion of identifiers that came with expanding ecommerce. The things called 'digital identity' in this paradigm are intended to be general purpose insofar as they are meant to be relied upon in different settings beyond the immediate control of the original issuer. The notion of reusable digital identity is somewhat intuitive, energised by the mental model of humans exercising a virtual self in cyberspace. Many user interfaces are constructed to exhibit an intentional stance suggestive of humans having a digital counterpart, making our digital actions more lifelike and comprehensible. A reusable identity can limit inconvenience to end users and some of the risks of loss of personal data associated with end users creating multiple digital identities for discrete transactional situations. In some nations, there is a precedent for 'national identity', a concept that manifests as attributes necessary for a person to be identified or distinguished as a member of a state, typically to allow that person to be eligible to receive government services of the state. In these nations, national identity makes general-purpose digital identity culturally more logical, even appealing. However, in most countries, the market for reusable digital identity is still not mature, except for low-stakes transactions, such as social media logins. To date, there is no solid business case for general-purpose reusable identity, largely because it proves costlier than expected to re-engineer transactional identifiers to align (or federate) with an intuitive singular digital identity. Thus, individuals must manage many siloed, special-purpose identifiers, account names, passwords and piecemeal authenticators. If transactional identifiers go hand in hand with transaction systems, then there will likely remain a need for about as many identifiers as there are transactional services. Recent technology developments, especially in cryptographically verifiable credentials and mobile digital wallets, may provide ways to automate the management of multiple identifiers and achieve the desired usability anticipated from singular identity without disrupting the forces that have led to transaction-specific identification.
- Published: 2024
4. Accessing Patient Electronic Health Record Portals Safely Using Social Credentials: Demonstration Pilot Study.
- Author: SooHoo, Spencer, Keller, Michelle S., Moyse, Harold, Robbins, Benjamin, McLaughlin, Matthew, Arora, Ajay, Burger, Abigail, Huang, Lilith, Huang, Shao-Chi, Goud, Anil, Truong, Lyna, Rodriguez, Donaldo, and Roberts, Pamela
- Subjects: EHR, acceptability, clinical support, communication, credentials, electronic health records, feasibility, federated identity, patient communication, patient portal, patient portal access, single sign-on, social credentials, social identity, Biomedical and clinical sciences, Health sciences
- Abstract: Background: Patient portals allow communication with clinicians, access to test results, appointments, etc., and generally require another set of log-ins and passwords, which can become cumbersome, as patients often have records at multiple institutions. Social credentials (e.g., Google and Facebook) are increasingly used as a federated identity to allow access and reduce the password burden. Single Federated Identity Log-in for Electronic health records (Single-FILE) is a real-world test of the feasibility and acceptability of federated social credentials for patients to access their electronic health records (EHRs) at multiple organizations with a single sign-on (SSO). Objective: This study aims to deploy a federated identity system for health care in a real-world environment so patients can safely use a social identity to access their EHR data at multiple organizations. This will help identify barriers and inform guidance for the deployment of such systems. Methods: Single-FILE allowed patients to pick a social identity (such as Google or Facebook) as a federated identity for multisite EHR patient portal access with an SSO. Binding the identity to the patient's EHR records was performed by confirming that the patient had a valid portal log-in and sending a one-time passcode to a telephone (SMS text message or voice) number retrieved from the EHR. This reduced the risk of stolen EHR portal credentials. For a real-world test, we recruited 8 patients and (or) their caregivers who had EHR data at 2 independent health care facilities, enrolled them into Single-FILE, and allowed them to use their social identity credentials to access their patient records. We used a short qualitative interview to assess their interest in and use of a federated identity for SSO. Single-FILE was implemented as a web-based patient portal, although the concept can be readily implemented on a variety of mobile platforms. Results: We interviewed the patients and their caregivers to assess their comfort levels with using a social identity for access. Patients noted that they appreciated only having to remember 1 log-in as part of Single-FILE and being able to sign up through Facebook. Conclusions: Our results indicate that from a technical perspective, a social identity can be used as a federated identity that is bound to a patient's EHR data. The one-time passcode sent to the patient's EHR phone number provided assurance that the binding is valid. The patients indicated that they were comfortable with using their social credentials instead of having to remember the log-in credentials for their EHR portal. Our experience will help inform the implementation of federated identity systems in health care in the United States.
- Published: 2022
5. Towards a Methodology for Formally Analyzing Federated Identity Management Systems
- Author: Ksystra, Katerina, Dimarogkona, Maria, Triantafyllou, Nikolaos, Stefaneas, Petros, and Kavassalis, Petros (volume edited by Margaria, Tiziana)
- Published: 2022
6. Digitale Identitäten in der physischen Welt: Eine Abwägung von Privatsphäreschutz und Praktikabilität (Digital Identities in the Physical World: A Trade-off Between Privacy and Practicability)
- Author: Roland, Michael, Höller, Tobias, and Mayrhofer, René
- Journal: HMD: Praxis der Wirtschaftsinformatik
- Published: 2023
7. Trust and identity: designing an identity solution for digital innovation.
- Author: Cunha, Lucas do M. N., Wangham, Michelle S., and Machado, Iara
- Subjects: DIGITAL technology, TECHNOLOGICAL innovations, TRUST, DESIGN thinking, DESIGN research
- Abstract: Innovation ecosystems are based on the dynamics of trust relationships between entities that enable technology development and innovation. This study addresses the issue of trust and identity in these environments, inquiring how to design a 'digital federated identity and access management system' for science and technology parks (STPs) in the state of Rio Grande do Sul. For this purpose, it draws on design thinking as a method of 'creative inquiry', which sets a conceptual framework for generating insights in product discovery. As research in progress, this paper presents preliminary findings on the evaluation of the suitability of the FIM model for STPs.
- Published: 2022
8. Adaptive security architectural model for protecting identity federation in service oriented computing
- Author: Mohamed Ibrahim Beer Mohamed, Mohd Fadzil Hassan, Sohail Safdar, and Muhammad Qaiser Saleem
- Subjects: Federated identity, SSO, Security, SOA, EAI, Trust, Electronic computers. Computer science (QA75.5-76.95)
- Abstract: With the tremendous growth of the Internet and its related technologies, the Service Oriented Architecture (SOA) became a dominant paradigm shift for enterprise computing. In SOA, business functionalities are offered by many different Service Providers as services. In order to get served by different service providers, the client has to authenticate with those service providers multiple times. A Single Sign On (SSO) mechanism lets the client log in only once, so that access to different services is made possible without needing to re-authenticate. Here, the identity of the logged-in client is federated among the enterprise computing nodes. This is one of the simplest forms of federated identity. The goal of identity federation is ease of use, flexibility, productivity and reduced cost of the authentication process, but trust and security are a major concern in this situation. Major threats to federated identity management are due to identity misuse, identity theft, and trust deficit between identity providers and service providers. As of now, the Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID are the three important federated identity management standards in the industry. However, none of them is equipped by itself to provide comprehensive security protection for identity federation even within a single enterprise computing environment. In fact, these federated solutions result in additional security vulnerabilities due to the openness of identity federation. The security threats become severe when federated identity spans inter-organizational and intra-organizational computing environments. This paper analyses the vulnerabilities and security gaps in the existing federated identity solutions. To overcome these gaps, an adaptive security architectural model is proposed for identity federation at the inter- and intra-organizational level using public key infrastructure that adheres to the SOA security standards and specifications. The proposed architecture is implemented and tested in a large-scale federated identity enterprise computing environment with security-centric financial data to acquire the desired results. A cross-sectional comparative analysis is done between existing and proposed solutions to validate the improvement in the protection of the identity federation environment.
- Published: 2021
9. Federation in Dynamic Environments: Can Blockchain Be the Solution?
- Author: Antevski, Kiril and Bernardos, Carlos J.
- Subjects: TELECOMMUNICATION network management, BLOCKCHAINS
- Abstract: Deploying multi-domain network services is becoming a need for operators. However, achieving that in a real operational environment is not easy and requires the use of federation. Federation is a multi-domain concept that enables the use and orchestration of network services/resources to/from external administrative domains. In this article, we first characterize the federation concept and the procedures involved, and then dive into the challenges that emerge when federation is performed in dynamic environments. To tackle these challenges, we propose the application of blockchain technology, identifying some associated high-level benefits. Last, we validate our proposed approach by conducting a small experimental scenario using Tendermint, an application-based blockchain.
- Published: 2022
10. Health-X dataLOFT: A Sovereign Federated Cloud for Personalized Health Care Services.
- Author: Boll, Susanne and Meyer, Jochen
- Subjects: MEDICAL care, PREVENTIVE medicine, MOBILE apps, COMMUNICATION infrastructure, MOBILE health, ACCESS control
- Abstract: Future preventative health care will rely more and more on our personal health data, which comes both from clinical sources and from many wearable and mobile health devices and apps. However, data from such devices is distributed and partly locked in different data stores, impeding its use for advanced health and care services. To unlock the large potential of such data for future personalized health care, it must be unlocked, released and made accessible for joint use. Health-X is an interdisciplinary scientific research project that will develop and offer a federated cloud infrastructure which puts the individual at the center of the access and control of future health care services.
- Published: 2022
11. Adaptive security architectural model for protecting identity federation in service oriented computing.
- Author: Beer Mohamed, Mohamed Ibrahim, Hassan, Mohd Fadzil, Safdar, Sohail, and Saleem, Muhammad Qaiser
- Subjects: MATHEMATICAL models of finance, PUBLIC key cryptography, IDENTITY theft, SERVICE-oriented architecture (Computer science)
- Abstract: identical to the abstract of entry 8 (same paper).
- Published: 2021
12. Anonymous Authentication with a Bi-directional Identity Federation in the Cloud
- Author: Rashid, Fatema and Miri, Ali (volume edited by Tryfonas, Theo)
- Published: 2016
13. A shared responsibility model to support cross border and cross organizational federation on top of decentralized and self-sovereign identity: Architecture and first PoC
- Author: Kubach, Michael, Henderson, Isaac, Bithin, Alangot, Dimitrakos, Theo, Vargas, Juan, Winterstetter, Matthias, and Krontiris, Ioannis
- Subjects: decentralized identity, trust infrastructure, gaia-x, ssi, trust policy, self-sovereign identity, data spaces, verifiable credentials, federated identity
- Abstract: This paper discusses the challenges of transitioning from legacy federated identity systems to emerging decentralized identity technologies based on self-sovereign identities (SSI) and verifiable credentials, which are being used in initiatives such as Gaia-X and Catena-X for secure and sovereign data sharing. The adoption of SSI and decentralized identity technologies requires a standardized reference model that addresses challenges around trust in cross-border and cross-organizational federations based on decentralized identities. To facilitate this transition, the paper proposes a new Fed2SSI architecture that introduces a middle layer of abstraction for the policy-based transformation of credentials, enabling interoperability between legacy federated identity solutions and SSI/decentralized identity environments. The architecture is implemented in a prototype and an exemplary use case is presented to illustrate the added value of this approach.
- Published: 2023
14. Digitale Identitäten in der physischen Welt: Eine Abwägung von Privatsphäreschutz und Praktikabilität (Digital Identities in the Physical World: A Trade-off Between Privacy and Practicability)
- Author: Roland, Michael, Höller, Tobias, and Mayrhofer, René
- Journal: HMD: Praxis der Wirtschaftsinformatik
- Subjects: Authentication, eID, Privacy-by-Design, Biometrics, Federated identity, Digital twin
- Abstract: Requirements on data privacy and information security, as well as data quality and simplification, cause a continuous trend towards federated identity systems for the digital world. These are often the single sign-on platforms offered by large international companies like Apple, Facebook and Google. This article evaluates how a decentralized, open, and global ecosystem for digital biometric identification in the physical world could be designed based on the model of federated single sign-on. The main idea behind such a concept is implicit interaction with existing sensors, in order to get rid of plastic cards and smartphone-based mobile IDs in the far future. Instead, individuals should be capable of proving their permissions to use a service solely based on their biometrics. While this vision is already proven feasible using centralized databases collecting biometrics of the whole population, an approach based on self-sovereign, decentralized digital identities would be favorable. In the ideal case, users of such a system would retain full control over their own digital identity and would be able to host their own digital identity wherever they prefer. Based on an analysis of the trade-off between privacy and practicability, and a comparison of this trade-off with observable design choices in existing digital ID approaches, we derive a concept for a decentralized, open, and global-scale ecosystem for private digital authentication in the physical world.
- Published: 2023
15. Personal identifiable information privacy model for securing of users’ attributes transmitted to a federated cloud environment
- Author: Afolayan A. Obiniyi, Maria Abur, and Sahalu B. Junaidu
- Subjects: Computer Networks and Communications, Privacy policy, Advanced Encryption Standard, Cryptography, Cloud computing, Computer security, Encryption, Identity management, Federated identity, Personally identifiable information
- Abstract: One of the security issues affecting Federated Cloud Environment users is privacy. It is the ability to secure and control the Personal Identifiable Information (PII) of a user during and after being communicated to the Cloud. Existing studies addressed the problem using techniques such as uApprove, uApprove.jp, enhanced privacy and dynamic federation in Identity Management (IdM), a privacy-preserving authorization system, end-to-end Privacy Policy Enforcement in Cloud Infrastructure, a multi-tenancy authorization system with federated identity, and Cryptography Encryption Key and Template Data Dissemination (CEKTTDD). Users' PII remains vulnerable, as existing research lacks efficient control of users' attributes in the Cloud. This paper proposes a PII Privacy model for protecting users' attributes in transit to the Federated Cloud Environment. The approach used combined the Advanced Encryption Standard (AES 128) and Discrete Cosine Transform Modulus three (DCTM3) steganography to improve the CEKTTDD technique. This was achieved by techniques to encrypt users' PIIs. The model was implemented using Matrix Laboratory (MATLAB) and evaluated using undetectability, robustness, match (%), encryption time and decryption time. A chi-square attack was applied to prove the security of the proposed model. Results obtained showed that the proposed model was stronger in robustness, with values of 59.10 dB and 55.45 dB against 55.76 dB and 54.15 dB for the existing model. Similarly, the proposed system scored better on undetectability than the former model, while the evaluation for match (%) yielded a 17% improvement over the existing system. This study has achieved a state-of-the-art model for securing users' attributes in the cloud.
- Published: 2021
16. DCSS Protocol for Data Caching and Sharing Security in a 5G Network
- Author: Jonathan Loo, Ed Kamya Kiyemba Edris, Mahdi Aiash, and Patrick Seeling
- Subjects: formal methods, data sharing, applied pi calculus, access control, network services, federated identity, ProVerif, information security, security protocol, provisioning, cryptographic protocol, service provider, cellular network, authorization, distributed computing, 5G, data caching, computer networking
- Abstract: Fifth Generation mobile networks (5G) promise to make network services provided by various Service Providers (SPs) such as Mobile Network Operators (MNOs) and third-party SPs accessible from anywhere by the end-users through their User Equipment (UE). These services will be pushed closer to the edge for quick, seamless, and secure access. After being granted access to a service, the end-user will be able to cache and share data with other users. However, security measures should be in place for SPs not only to secure the provisioning and access of those services but also to restrict what the end-users can do with the accessed data, in or out of coverage. This can be facilitated by federated service authorization and access control mechanisms that restrict the caching and sharing of data accessed by the UE in different security domains. In this paper, we propose a Data Caching and Sharing Security (DCSS) protocol that leverages federated authorization to provide secure caching and sharing of data from multiple SPs in multiple security domains. We formally verify the proposed DCSS protocol using ProVerif and the applied pi-calculus. Furthermore, a comprehensive security analysis of the security properties of the proposed DCSS protocol is conducted.
- Published: 2021
17. Adaptive security architectural model for protecting identity federation in service oriented computing
- Author: Muhammad Qaiser Saleem, Sohail Safdar, Mohd Fadzil Hassan, and Mohamed Ibrahim Beer Mohamed
- Subjects: General Computer Science, Trust, Computer security, Security Assertion Markup Language, Identity theft, SOA, SOA Security, EAI, Authentication, SSO, Service-oriented architecture, Service provider, Electronic computers. Computer science (QA75.5-76.95), Security, Federated identity
- Abstract: identical to the abstract of entry 8 (same paper).
- Published: 2021
18. A Federated Framework for Fine-Grained Cloud Access Control for Intelligent Big Data Analytic by Service Providers
- Author
-
Gyeong-Jin Ra, Donghyun Kim, Im-Yeong Lee, and Dae-Hee Seo
- Subjects
Information privacy ,General Computer Science ,Computer science ,Big data ,Data_MISCELLANEOUS ,0211 other engineering and technologies ,Cloud computing ,Access control ,02 engineering and technology ,Computer security ,computer.software_genre ,Outsourcing ,outsourcing cloud ,Server ,intelligent big data analytics ,0202 electrical engineering, electronic engineering, information engineering ,General Materials Science ,021110 strategic, defence & security studies ,business.industry ,federated cloud ,General Engineering ,access control ,Service provider ,Privacy ,self-sovereign ,020201 artificial intelligence & image processing ,Federated identity ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,computer ,lcsh:TK1-9971 - Abstract
This paper proposes a novel data-owner-driven privacy-aware cloud data acquisition framework for intelligent big data analytics for service providers and users. To realize this idea, we propose three main components. The first is a new global identity provider concept to support fine-grained access control for a federated outsourcing cloud, called P-FIPS (Privacy-enhanced Federated Identity Provider System), in which data owners perform identity access control with the operator of the federated outsourcing cloud so that service providers can selectively use the owners' encrypted data on the cloud for various purposes such as intelligent big data analytics. In P-FIPS, data owners manage the access privileges of service providers over their encrypted data on the cloud by (a) labeling the scope of use (e.g., user connection, user disconnection, user tracking) on each encrypted data item on the cloud, and (b) selectively providing information about the data owners to the service provider. The label also includes the attributes related to the data owner's identity, which allows service providers to locate the target data with the assistance of cryptographic computation according to the scope of use at the cloud outsourcing server. The second is a new ambiguous data acquisition mechanism, integrated with P-FIPS, from a cloud to a service provider. The last is the Decentralized Audit and Ordering (DAO) Chain mechanism, which provides the correctness of the obtained data to the service provider and assures the owners that their data is being used for the approved purpose only. Most importantly, we show that our framework is much more efficient than the existing alternative scheme.
- Published
- 2021
19. Multi-factor authentication for Shibboleth identity providers
- Author
-
Carlos Eduardo da Silva, Gabriela Cavalcanti da Silva, Bruno Bristot Loli, Michelle S. Wangham, Samuel Bristot Loli, Emerson Ribeiro de Mello, and Shirlei Aparecida de Chaves
- Subjects
Password ,lcsh:Computer engineering. Computer hardware ,Computer Networks and Communications ,Computer science ,Computer Applications ,Federated identity management ,lcsh:TK7885-7895 ,Multi-factor authentication ,Service provider ,Computer security ,computer.software_genre ,Shibboleth ,Computer Science Applications ,lcsh:Telecommunication ,Robustness (computer science) ,Phone ,lcsh:TK5101-6720 ,Shibboleth identity provider ,Federated identity ,computer - Abstract
The federated identity model provides a solution for user authentication across multiple administrative domains. Academic federations, such as the Brazilian federation, are examples of this model in practice. The majority of institutions that participate in academic federations employ password-based authentication for their users, so an attacker only needs to find out one password in order to impersonate the user at all federated service providers. Multi-factor authentication emerges as a solution to increase the robustness of the authentication process. This article introduces a comprehensive, open source solution offering multi-factor authentication for Shibboleth Identity Providers. Based on the Multi-factor Authentication Profile standard, our solution provides three extra second factors (One-Time Password, FIDO2 and Phone Prompt). The solution has been deployed in the Brazilian academic federation, where it was evaluated using functional and integration testing, as well as security and case study analysis.
- Published
- 2020
20. Can We Create a Cross-Domain Federated Identity for the Industrial Internet of Things without Google?
- Author
-
Hyoungshick Kim, Seok Hyun Kim, Woojoong Ji, Simon S. Woo, Eunsoo Kim, Youngseob Cho, and Bedeuro Kim
- Subjects
Authentication ,Blockchain ,Computer science ,business.industry ,Authorization ,Service provider ,Identity management ,World Wide Web ,Identity provider ,Next-generation network ,Federated identity management ,Identity (object-oriented programming) ,The Internet ,Federated identity ,business - Abstract
Providing a cross-domain federated identity is essential for next-generation Internet services because information about user identity should be seamlessly exchanged across different domains for authentication and authorization. Federated identity can enable users to use various services through a single account. However, conventional federated identity management systems necessarily require a trustworthy identity provider who stores user identity information and presents it to other service providers. Unfortunately, this requirement may not be acceptable in Industrial Internet of Things (IIoT) applications, which often require interacting and authenticating with users and devices across different domains. Who will take full responsibility for managing and issuing all digital identities for IIoT devices? Can we really trust one superpower organization to manage all the identities and credentials of IIoT devices? In this article, we provide an overview of centralized and decentralized identity management methods and examine the feasibility of those methods for IIoT applications. To overcome the inherent limitations of existing approaches, we are specifically interested in designing decentralized cross-domain federated identity management using blockchain. Our Copernican idea brings new and important perspectives in establishing universal cosmopolitan cross-domain federated identity management in a secure and fair manner.
- Published
- 2020
21. Shibboleth-based multi-resource access authentication for an online experiment platform.
- Author
-
张 禹, 陆慧梅, and 向 勇
- Abstract
Federated identity was applied to achieve single sign-on in situations where users come from different organizations. However, the diversity of resources made their management troublesome. To solve this problem, this paper selected Shibboleth as the federated identity method. Each system in the federation provides a REST API for its own resources and releases an authorization code that identifies the access rights to a resource via the attribute publishing policy in Shibboleth; thus users from different organizations can access multiple resources after a unified authentication. Taking an online experimental platform based on OpenEdX as an example, it implemented unified authentication and authorization for complex resources. It applied Shibboleth to authenticate users, coupled with the REST API and authorization code, and shared complex resources across several systems. Moreover, it developed some XBlocks on OpenEdX to share data with other systems.
- Published
- 2017
22. Proxying the Data Body: Artificial Intelligence, Federated Identity, and Machinic Subjection
- Author
-
Sam Popowich
- Subjects
lcsh:LC8-6691 ,Authentication ,lcsh:Special aspects of education ,business.industry ,Computer science ,media_common.quotation_subject ,Corporate governance ,05 social sciences ,Cloud computing ,Ambiguity ,Intellectual property ,Artificial intelligence ,Federated identity ,0509 other social sciences ,050904 information & library sciences ,business ,Host (network) ,Implementation ,media_common - Abstract
Academic libraries have recently seen a shift from managing user authentication for licensed resources themselves to cloud-based implementations of "federated identity" technologies. Such technologies aim to solve the problem of fragile access to licensed resources while also better protecting publishers' intellectual property. However, federated identity systems raise a host of issues regarding privacy, surveillance, machinic subjection, and algorithmic governance. This paper traces the development of federated identity systems out of earlier authentication processes, shows how such systems use artificial intelligence techniques to create a trackable "data body" for each student, and then analyzes this whole procedure through the critical theories of Maurizio Lazzarato and Bernard Stiegler. In conclusion, the article argues that the emergent nature of the "data body" creates ambiguity between the hyper-control of contemporary technologies and the possibility of resisting them.
- Published
- 2020
23. Sabiá: an authentication, authorization, and user data delivery architecture based on user consent for health information systems in Brazil
- Author
-
Ricardo Alexsandro de Medeiros Valentim, Carlos Breno Pereira Silva, Túlio de Paiva Marques Carvalho, Jailton Carlos de Paiva, Diêgo Ferreira de Lima, and Emerson Costa Silva
- Subjects
Authentication ,Database ,business.industry ,Computer science ,0206 medical engineering ,Interoperability ,Biomedical Engineering ,Context (language use) ,02 engineering and technology ,computer.software_genre ,020601 biomedical engineering ,Health informatics ,030218 nuclear medicine & medical imaging ,03 medical and health sciences ,Consistency (database systems) ,0302 clinical medicine ,Information system ,Data Protection Act 1998 ,Federated identity ,business ,computer - Abstract
Health information systems in Brazil have been designed and developed in a heterogeneous manner based on local regional characteristics, resulting in a lack of health information integrity. In this context, the Brazilian Ministry of Health pointed out the need for interoperability solutions for health information systems, noting the importance of integration with national databases and alignment with Brazilian data protection laws. Therefore, this paper presents Sabiá, a platform for authentication, authorization, and data delivery based on user consent for health information systems in Brazil. Sabiá's architecture is designed to meet the following requirements: (R1) provide a Federated Identity; (R2) be a Federated Resource Manager; (R3) collect user data from different information systems; and (R4) deliver user data to systems based on user consent. Sabiá consists of three main components: (1) the Sabiá Authorization Server, responsible for implementing Open Authentication; (2) the Sabiá Collector, responsible for collecting data from different information systems; and (3) the Sabiá Resource Server, responsible for delivering data previously authorized by the user to the systems. After analyzing historical data, the R4 functionality was selected for performance testing because it is the process that most affects overall system performance. The tests analyzed Sabiá's behavior in the heaviest scenario derived from the historical data. The results showed no flaws and indicated system stability and consistency, with the user perceiving the system's reaction as instantaneous and average response times remaining below 100 ms.
- Published
- 2020
24. Federation in dynamic environments: Can Blockchain be the solution?
- Author
-
Kiril Antevski, Carlos J. Bernardos, and European Commission
- Subjects
Telecomunicaciones ,Computer Networks and Communications ,Electrical and Electronic Engineering ,Federated identity ,Blockchains ,Computer Science Applications ,Telecommunication network management - Abstract
Deploying multi-domain network services is becoming a need for operators. However, achieving that in a real operational environment is not easy and requires the use of federation. Federation is a multi-domain concept that enables the use and orchestration of network services/resources to/from external administrative domains. In this article, we first characterize the federation concept and the procedures involved, then dive into the challenges that emerge when federation is performed in dynamic environments. To tackle these challenges, we propose the application of Blockchain technology, identifying some associated high-level benefits. Last, we validate our proposed approach by conducting a small experimental scenario using Tendermint, an application-based Blockchain. This work has been partially supported by the EC H2020 5GPPP 5Growth project (Grant 856709).
- Published
- 2022
25. Towards Scalability for Federated Identity Systems for Cloud-Based Environments
- Author
-
André Albino Pereira, João Bosco M. Sobral, and Carla M. Westphall
- Subjects
scalability ,federated identity ,cloud computing ,authentication ,access control ,Electronic computers. Computer science ,QA75.5-76.95 - Abstract
As multi-tenant authorization and federated identity management systems for cloud computing mature, the provisioning of services using this paradigm allows maximum efficiency for businesses that require access control. However, regarding scalability support, mainly horizontal scalability, some characteristics of the approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using JASIG CAS. Compared with the recommended distributed memory approach, this alternative showed improved efficiency and less overall infrastructure complexity, as well as demanding 58% fewer computational resources and improving throughput (requests per second) by 11%.
- Published
- 2015
26. Decentralized Identity: Where Did It Come From and Where Is It Going?
- Author
-
Eve Maler, Pamela Dingle, Drummond Reed, Manu Sporny, Joni Brenan, Kim Hamilton Duffy, Alan Bachmann, Abbie Barbir, and Oscar Avellaneda
- Subjects
Cryptocurrency ,Computer Networks and Communications ,Computer science ,business.industry ,Computer security ,computer.software_genre ,OpenID Connect ,Digital identity ,Data sharing ,Management of Technology and Innovation ,Identity (object-oriented programming) ,The Internet ,Federated identity ,Enhanced Data Rates for GSM Evolution ,Safety, Risk, Reliability and Quality ,business ,Law ,computer - Abstract
The technology category now widely known as “decentralized identity” and more narrowly as “self-sovereign identity” didn’t even exist four years ago. At that time, the cutting edge of digital identity technology consisted of Internet-scale federated identity protocols such as OpenID Connect and user-centric data sharing protocols such as User-Managed Access (UMA). Then along came Bitcoin and a surge of interest in blockchain and distributed ledger technology (DLT). Although the initial uses of this technology focused primarily on cryptocurrency, it didn’t take long for the digital identity community to begin applying it to digital identity scenarios.
- Published
- 2019
27. FTS3 / WebFTS – A Powerful File Transfer Service for Scientific Communities.
- Author
-
Kiryanov, Andrey, Ayllon, Alejandro Alvarez, and Keeble, Oliver
- Subjects
FILE transfer (Computer science) ,LARGE Hadron Collider ,DATA mining ,DATA transmission systems ,GRID computing - Abstract
FTS3, the service responsible for globally distributing the majority of the LHC data across the WLCG infrastructure, is now available to everybody. Already integrated into LHC experiment frameworks, a new web interface now makes FTS3's transfer technology directly available to end users. In this article we describe this intuitive new interface, “WebFTS”, which allows users to easily schedule and manage large data transfers right from the browser, profiting from a service that has been proven at the scale of petabytes per month. We shed light on new development activities to extend FTS3's transfer capabilities outside Grid boundaries with support for non-Grid endpoints like Dropbox and S3. We also describe the latest changes integrated into the transfer engine itself, such as new data management operations like deletions and staging files from archive, all of which may be accessed through our standards-compliant REST API. For Service Managers, we explain features such as the service's horizontal scalability, advanced monitoring and its “zero configuration” approach to deployment, made possible by specialised transfer optimisation logic. For Data Managers, we present new tools for managing FTS3 transfer parameters such as limits for bandwidth and maximum active file transfers per endpoint and VO, user and endpoint banning, and powerful command line tools. We finish by describing our effort to extend WebFTS's captivating graphical interface with support for Federated Identity technologies, thus demonstrating the use of grid resources without the burden of certificate management. In this manner we show how FTS3 can cover the needs of a wide range of parties, from casual users to high-load services. The evolution of FTS3 is addressing technical and performance requirements and challenges for LHC Run 2; moreover, its simplicity, generic design, web portal and REST interface make it an ideal file transfer scheduler both inside and outside of the HEP community.
- Published
- 2015
28. The Galaxy platform for accessible, reproducible and collaborative biomedical analyses: 2020 update
- Author
-
Vahid Jalili, Daniel Blankenberg, James Taylor, Jeremy Goecks, Qiang Gu, Anton Nekrutenko, Dave Clements, and Enis Afgan
- Subjects
Data Analysis ,Proteomics ,Biomedical Research ,ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION ,AcademicSubjects/SCI00010 ,Datasets as Topic ,Computational biology ,Biology ,Access management ,computer.software_genre ,GeneralLiterature_MISCELLANEOUS ,Server ,Genetics ,Metabolomics ,business.industry ,Published Erratum ,ComputingMilieux_PERSONALCOMPUTING ,Reproducibility of Results ,Data science ,Galaxy ,Software framework ,Web Server Issue ,Nucleic acid ,The Internet ,Federated identity ,Metagenomics ,User interface ,Single-Cell Analysis ,business ,Corrigendum ,computer ,Software - Abstract
Galaxy (https://galaxyproject.org) is a web-based computational workbench used by tens of thousands of scientists across the world to analyze large biomedical datasets. Since 2005, the Galaxy project has fostered a global community focused on achieving accessible, reproducible, and collaborative research. Together, this community develops the Galaxy software framework, integrates analysis tools and visualizations into the framework, runs public servers that make Galaxy available via a web browser, performs and publishes analyses using Galaxy, leads bioinformatics workshops that introduce and use Galaxy, and develops interactive training materials for Galaxy. Over the last two years, all aspects of the Galaxy project have grown: code contributions, tools integrated, users, and training materials. Key advances in Galaxy's user interface include enhancements for analyzing large dataset collections as well as interactive tools for exploratory data analysis. Extensions to Galaxy's framework include support for federated identity and access management and increased ability to distribute analysis jobs to remote resources. New community resources include large public servers in Europe and Australia, an increasing number of regional and local Galaxy communities, and substantial growth in the Galaxy Training Network.
- Published
- 2020
29. Toward Educational Virtual Worlds: Should Identity Federation Be a Concern?
- Author
-
Cruz, Gonçalo, Costa, António, Martins, Paulo, Gonçalves, Ramiro, and Barroso, João
- Subjects
VIRTUAL reality in education ,EDUCATIONAL technology ,INNOVATION adoption ,CLASSROOM management ,ONLINE identities ,INTERNETWORKING - Abstract
3D Virtual Worlds are being used for education and training purposes in a cross-disciplinary way. However, their widespread adoption, particularly in formal learning contexts, is far from being a reality due to a broad range of technological challenges. In this reflection paper, our main goal is to argue why and how identity federation should be discussed and adopted as a solution to several barriers that educators and institutions face when using Virtual Worlds. By presenting a clear set of scenarios within different dimensions of the educational process, such as classroom management, content reuse, learning analytics, accessibility, and research, we consider identity, traceability, privacy, accountability, and interoperability as the main concerns in order to support our argument. Finally, we conclude the paper by presenting paths to a proposal for a workable solution, through the analysis and reflection of different current efforts that have been made by other teams, towards future technological developments.
- Published
- 2015
30. An identity-matching process to strengthen trust in federated-identity architectures
- Author
-
Nesrine Kaaniche, Mikaël Ates, Maryline Laurent, Paul Marillonnet, Entr'ouvert (.), Département Réseaux et Services de Télécommunications (RST), Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP), Institut Polytechnique de Paris (IP Paris), Réseaux, Systèmes, Services, Sécurité (R3S-SAMOVAR), Services répartis, Architectures, MOdélisation, Validation, Administration des Réseaux (SAMOVAR), Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP)-Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP), and University of Sheffield [Sheffield]
- Subjects
Matching (statistics) ,Process (engineering) ,Computer science ,Identity (social science) ,020206 networking & telecommunications ,Trust enforcement ,02 engineering and technology ,16. Peace & justice ,Federated-identity architecture ,World Wide Web ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Identity management ,0202 electrical engineering, electronic engineering, information engineering ,Citizen-relationship management ,020201 artificial intelligence & image processing ,Federated identity ,Identity matching - Abstract
To smoothly counteract privilege escalation in federated-identity architectures, the cross-checking of asserted Personally Identifiable Information (PII) among different sources is highly recommended and advisable. Identity matching is thus a key component for supporting the automated PII cross-checking process. This paper proposes an efficient identity-matching solution, adapted to a chosen User-Relationship Management (URM) platform, relying on a French Territorial Collectivities and Public Administrations (TCPA) use case. The originality of the paper is threefold. (1) It presents an original solution to identity-matching issues raised by a concrete use case from the Territorial Collectivities and the Public Administration (TCPA), formalizing concepts such as information completeness, PII normalization and Levenshtein-distance matrix generation. (2) Implementation guidelines are given to deploy the solution on an operational Publik platform. (3) A precise security analysis is provided, relying on an original attacker model.
- Published
- 2020
31. The Case for Federated Identity Management in 5G Communications
- Author
-
Mahdi Aiash, Ed Kamya Kiyemba Edris, and Jonathan Loo
- Subjects
Authentication ,Computer science ,business.industry ,Service provider ,Computer security ,computer.software_genre ,Identity management ,User experience design ,Network service ,Cellular network ,Single sign-on ,Federated identity ,business ,computer - Abstract
The heterogeneous nature of the fifth generation mobile network (5G) makes the access and provision of network services very difficult and raises security concerns. With multiple users and multiple operators, Service-Oriented Authentication (SOA) and authorization mechanisms are required to provide quick access and interaction between network services. Users require seamless access to services regardless of the domain, type of connectivity or security mechanism used. Hence there is a need for an Identity and Access Management (IAM) mechanism to complement the improved user experience promised in 5G. Federated Identity Management (FIdM), a feature of IAM, can provide a user with Single Sign On (SSO) to access services from multiple Service Providers (SP). This addresses security requirements such as authentication, authorization and user privacy from the end user's perspective; however, 5G network access lacks such a solution. We propose a Network Service Federated Identity (NS-FId) model that addresses these security requirements and complements the 5G Service-Based Architecture (SBA). We present different scenarios and applications of the proposed model. We also discuss the benefits of identity management in 5G.
- Published
- 2020
32. Network Service Federated Identity (NS- FId) Protocol for Service Authorization in 5G Network
- Author
-
Ed Kamya Kiyemba Edris, Mahdi Aiash, and Jonathan Loo
- Subjects
business.industry ,Computer science ,Network service ,Cellular network ,Single sign-on ,Provisioning ,Federated identity ,Service provider ,business ,Heterogeneous network ,Mobile network operator ,Computer network - Abstract
The fifth generation mobile network (5G) will make network services available anywhere from multiple Service Providers (SP), and their provisioning raises security concerns. Users will require seamless connectivity and secure access to these services. Mobile Network Operators (MNO) will want to provide services to users and be able to share infrastructure resources with other MNOs. This requires robust authentication and authorization mechanisms that can provide secure access and provisioning of services to multiple users and providers in a heterogeneous network. Therefore, Federated Identity (FId) with Single Sign On (SSO) could be used for seamless access and provisioning of network services in 5G. We propose the Network Service Federated Identity (NS-FId) protocol, a federated protocol that provides secure access to services from multiple SPs and provides SSO to users. We formally verify and analyse the proposed NS-FId protocol using ProVerif. We also conduct a security analysis of the protocol's security properties.
- Published
- 2020
33. Servicios de identidad federada en el ámbito empresarial
- Author
-
Ruiz Torres, Rubén, García Font, Víctor, and Méndez Muñoz, Víctor
- Subjects
distributed systems ,Seguridad informática -- TFM ,federated identity ,identitat digital ,identitat federada ,identidad federada ,Seguretat informàtica -- TFM ,Computer security -- TFM ,sistemes distribuïts ,digital identity ,identidad digital ,sistemas distribuidos - Abstract
Federated identity services allow users to identify themselves to different services using both the same credentials and the same identity provider. In a corporate environment, where the identification and authorization of users and of the applications included in a company's ecosystem must be especially reliable and secure, private federated identity services are typically used. In this study we analyze several possible solutions for adopting private federated identity services in a corporate environment, including the standards used to provide federated identity services, SAML, CAS and OpenID Connect; the identity providers Keycloak, Apereo CAS and OpenAM; and the Java programming frameworks Spring, Play and Quarkus. We have likewise developed a prototype intended to allow us to study how one of these solutions works in each of the aforementioned frameworks within the simulated context of a company's application ecosystem, which consists of a holiday management application, an order management application and a report generating microservice.
- Published
- 2020
34. Análisis de sistemas de autenticación y autorización para entornos web distribuidos
- Author
-
Parra Boldú, Oriol, García Font, Víctor, and Méndez Muñoz, Víctor
- Subjects
distributed systems ,OAuth ,identitat federada ,autenticació ,Computer security -- TFM ,digital identity ,identidad digital ,Seguridad informática -- TFM ,autenticación ,federated identity ,identitat digital ,authentication ,identidad federada ,Seguretat informàtica -- TFM ,sistemes distribuïts ,sistemas distribuidos - Abstract
In the last few years there has been an important evolution regarding the security, capacity and scalability of distributed systems due to the necessity to share resources amongst different systems. Part of these resources must be shared in a secure way as they contain data regarding the identity of potential system users, which makes federated identity management systems especially important. This study analyses the different standards of authentication and authorization. These standards are used by federated identity management systems in order to share user information whilst guaranteeing their privacy. Further to this analysis, a system of authentication and authorization based on the OAuth 2.0 and JWT token standards has been designed and implemented to ensure that the identities and rights of the system users are propagated without exposing their credentials. Finally, a simulation shows the secure way of sharing resources distributed amongst the different systems, in order to create a study about the security that the designed system offers.
- Published
- 2020
35. The DODAS Experience on the EGI Federated Cloud
- Author
-
Doina Cristina Duma, Daniele Spiga, Enol Fernandez, Giacinto Donvito, Diego Ciangottini, Vincenzo Spinoso, Mirco Tracolli, Marica Antonacci, Luciano Gaido, Andrea Ceccanti, and Davide Salomoni
- Subjects
Service (systems architecture) ,010308 nuclear & particles physics ,business.industry ,Physics ,QC1-999 ,Cloud computing ,01 natural sciences ,Replication (computing) ,OpenID Connect ,World Wide Web ,Software portability ,0103 physical sciences ,Orchestration (computing) ,Information discovery ,Federated identity ,010306 general physics ,business - Abstract
The EGI Cloud Compute service offers a multi-cloud IaaS federation that brings together research clouds as a scalable computing platform for research, accessible with OpenID Connect Federated Identity. The federation is not limited to single sign-on; it also introduces features to facilitate the portability of applications across providers: i) a common VM image catalogue with VM image replication, to ensure these images will be available at providers whenever needed; ii) a GraphQL information discovery API to understand the capacities and capabilities available at each provider; and iii) integration with orchestration tools (such as Infrastructure Manager) to abstract the federation and facilitate using heterogeneous providers. EGI also monitors the correct functioning of every provider and collects usage information across the whole infrastructure. DODAS (Dynamic On Demand Analysis Service) is an open-source Platform-as-a-Service tool that allows software applications to be deployed over heterogeneous and hybrid clouds. DODAS is one of the so-called Thematic Services of the EOSC-hub project; it instantiates on-demand container-based clusters, offering users a high level of abstraction and allowing them to exploit distributed cloud infrastructures with very limited knowledge of the underlying technologies. This work presents a comprehensive overview of the integration of DODAS with the EGI Cloud Federation, reporting the experience of the integration with the CMS Experiment submission infrastructure system.
- Published
- 2020
36. Accessing Patient Electronic Health Record Portals Safely Using Social Credentials: Demonstration Pilot Study
- Author
-
Spencer L. SooHoo, Anil Goud, Lyna Truong, Michelle S. Keller, Pamela Roberts, Benjamin Robbins, Abigail Harrison, Harold Moyse, Lilith Huang, Donaldo Rodriguez, Sho-Chi Huang, Matthew McLaughlin, and Arora Ajay
- Subjects
Password ,business.industry ,Computer science ,Internet privacy ,Patient portal ,Medicine (miscellaneous) ,Health Informatics ,Login ,Credential ,Computer Science Applications ,Health care ,Identity (object-oriented programming) ,Federated identity ,business ,Social identity theory - Abstract
Background: Patient portals allow communication with clinicians, access to test results, appointments, etc., and generally require another set of log-ins and passwords, which can become cumbersome, as patients often have records at multiple institutions. Social credentials (eg, Google and Facebook) are increasingly used as a federated identity to allow access and reduce the password burden. Single Federated Identity Log-in for Electronic health records (Single-FILE) is a real-world test of the feasibility and acceptability of federated social credentials for patients to access their electronic health records (EHRs) at multiple organizations with a single sign-on (SSO).
Objective: This study aims to deploy a federated identity system for health care in a real-world environment so patients can safely use a social identity to access their EHR data at multiple organizations. This will help identify barriers and inform guidance for the deployment of such systems.
Methods: Single-FILE allowed patients to pick a social identity (such as Google or Facebook) as a federated identity for multisite EHR patient portal access with an SSO. Binding the identity to the patient’s EHR records was performed by confirming that the patient had a valid portal log-in and sending a one-time passcode to a telephone (SMS text message or voice) number retrieved from the EHR. This reduced the risk of stolen EHR portal credentials. For a real-world test, we recruited 8 patients and (or) their caregivers who had EHR data at 2 independent health care facilities, enrolled them into Single-FILE, and allowed them to use their social identity credentials to access their patient records. We used a short qualitative interview to assess their interest in and use of a federated identity for SSO. Single-FILE was implemented as a web-based patient portal, although the concept can be readily implemented on a variety of mobile platforms.
Results: We interviewed the patients and their caregivers to assess their comfort levels with using a social identity for access. Patients noted that they appreciated only having to remember 1 log-in as part of Single-FILE and being able to sign up through Facebook.
Conclusions: Our results indicate that, from a technical perspective, a social identity can be used as a federated identity that is bound to a patient’s EHR data. The one-time passcode sent to the patient’s EHR phone number provided assurance that the binding is valid. The patients indicated that they were comfortable with using their social credentials instead of having to remember the log-in credentials for their EHR portal. Our experience will help inform the implementation of federated identity systems in health care in the United States.
- Published
- 2022
37. Cloud-based federated identity for the Internet of Things
- Author
-
Benjamin Aziz and Paul Fremantle
- Subjects
IoT ,Exploit ,Computer Networks and Communications ,Computer science ,Cloud computing ,identity management ,security ,02 engineering and technology ,privacy ,Computer security ,computer.software_genre ,01 natural sciences ,Identity management ,0202 electrical engineering, electronic engineering, information engineering ,Isolation (database systems) ,Electrical and Electronic Engineering ,Authentication ,business.industry ,010401 analytical chemistry ,Computing ,020206 networking & telecommunications ,0104 chemical sciences ,Personal cloud ,Identity (object-oriented programming) ,authentication ,Federated identity ,business ,computer - Abstract
The Internet of Things (IoT) has significant security and privacy risks. Recent attacks have shown that not only are many IoT devices at risk of exploitation, but those devices can be successfully used to attack wider systems and cause economic damage. Currently, most devices connect to a cloud service provided by the manufacturer of the device, offering no choice to move to more secure systems. We outline a proposed model for IoT that allows the identity of users and devices to be federated. Users and devices are issued with secure, random, anonymised identities that are not shared with third parties. We demonstrate how devices can be connected to third-party applications without inherently de-anonymising them. Sensor data and actuator commands are federated through APIs to cloud services. All access to device data and commands is based on explicit consent from users. Each user’s data is handled by a personal cloud instance, providing improved security and isolation as well as a trusted intermediary for both devices and cloud services. We demonstrate that this model is workable with a prototype system that implements the major features of the model. We present experimental results, including performance, energy usage, capacity and cost metrics, from the prototype. We compare this work with other related work and outline areas for discussion and future work.
- Published
- 2018
38. Federated Identity Architecture of the European eID System
- Author
-
Javier Garcia-Blas, Mario Vasile-Cabezas, Guillermo Izquierdo-Moreno, Jesus Carretero, and European Commission
- Subjects
authentication and authorization infrastructure (AAI) ,General Computer Science ,single sign-on ,federated identity architecture (FIA) ,Computer science ,Control (management) ,identity and access management (IAM) ,02 engineering and technology ,Computer security ,computer.software_genre ,Public-key cryptography ,user authentication ,0202 electrical engineering, electronic engineering, information engineering ,General Materials Science ,Architecture ,identity federation ,Informática ,Authentication ,business.industry ,General Engineering ,020206 networking & telecommunications ,User authentication ,Federated identity management ,Identity (object-oriented programming) ,020201 artificial intelligence & image processing ,Smart card ,Federated identity ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,computer ,lcsh:TK1-9971 - Abstract
Federated identity management is a method that facilitates the management of identity processes and policies among collaborating entities without centralized control. Nowadays there are many federated identity solutions; however, most of them cover different aspects of the identification problem, in some cases solving specific problems. Thus, none of these initiatives has become consolidated as a single solution, and this will surely remain so in the near future. To assist users in choosing a possible solution, we analyze different federated identity approaches, showing their main features and making a comparative study among them. The problem is even worse when multiple organizations or countries already have legacy eID systems, as is the case in Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the mid-term to company eIDs as well. The system is now being deployed at the EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from a performance point of view while keeping security constraints in mind. The results show good performance of the solution in local, organizational, and remote environments.
- Published
- 2018
39. Federated Identity Concept Between the Institute of Archaeology and Viminacium Localities
- Author
-
Vanja Korać, Dragan Prlja, and Milan Todorović
- Subjects
History ,General Medicine ,Federated identity ,Archaeology - Published
- 2017
40. CILogon: Enabling Federated Identity and Access Management for Scientific Collaborations
- Author
-
Terry Fleury, Scott Koranda, Jim Basney, Heather Flanagan, Benn Oshrin, and Jeff Gaynor
- Subjects
World Wide Web ,Collaborative software ,Service (systems architecture) ,Computer science ,business.industry ,Component-based software engineering ,Federated identity ,business ,Access management ,Shibboleth ,OpenID Connect ,Identity management - Abstract
CILogon provides a software platform that enables scientists to work together to meet their identity and access management (IAM) needs more effectively so they can allocate more time and effort to their core mission of scientific research. CILogon builds on open source Shibboleth and COmanage software to provide an integrated IAM platform for science, federated worldwide via eduGAIN. CILogon serves the unique needs of research collaborations, namely to dynamically form collaboration groups across organizations and countries, sharing access to data, instruments, compute clusters, and other resources to enable scientific discovery. We operate CILogon via a software-as-a-service model to ease integration with a variety of science applications, while making all CILogon software components publicly available under open source licenses to enable re-use. Since CILogon operations began in 2010, our service has expanded from a federated X.509 certification authority (CA) to an OpenID Connect provider, SAML Attribute Authority, and multi-tenant collaboration platform. In this article, we describe the current CILogon system.
- Published
- 2019
41. MFA and Identity Federations
- Author
-
Montañés Navarro, Edgar, García Font, Víctor, and Guijarro Olivares, Jordi
- Subjects
Computer security -- TFM ,multifactor authentication ,second factor authentication ,federated identity - Abstract
It is increasingly common for the applications an organization needs to run its business to be accessible from the Internet through a web portal, which is why an access control is needed. Having to authenticate in each of the applications is inconvenient for the user, so federated identity comes into play. On the other hand, a username and password are no longer sufficient as an authentication and authorization system, since security incidents related to credential theft are occurring. Therefore, a second authentication factor or multifactor system must be implemented to protect against such attacks. The aim of this study is to produce an exhaustive state of the art of the different identity federation environments, of the regulations that apply when using a federation service, and of the tools available on the Internet to integrate it. In addition, the different existing authentication factors are studied, along with the technologies and services that can help implement them. After the study, an environment with federated identity is built and the authentication and authorization process is detailed.
- Published
- 2019
42. Federación de identidades: estado del arte e implementación de un caso real
- Author
-
García de Marina Martín, Alejandro and Guijarro Olivares, Jordi
- Subjects
information security ,Computer security -- TFM ,identity management ,federated identity - Abstract
Identity management (IdM) is the area that deals with handling the various identities and their related information across multiple domains and/or services, thereby guaranteeing users' security and privacy. Identity management systems have evolved considerably over the years, passing through access control lists, systems with a silo architecture, systems with a centralized architecture and systems with a federated architecture. The latter (federated systems) are the main object of this study. Throughout this work, an in-depth analysis has been made of the peculiarities and the main standards developed for each of these systems. Thus, for example, standards such as LDAP, Kerberos and RADIUS are examined in detail for systems with a centralized architecture, and standards such as SAML, OAuth, OpenID Connect and Mobile Connect for systems with a federated architecture. This work can therefore be described as a state of the art of identity management systems, focused mainly on federated systems. In addition, to go deeper into the latter, an implementation of a federated identity management system has been developed to put OpenID Connect into practice in a laboratory environment that is as close to reality as possible.
- Published
- 2019
43. Capability-Based Authorization for HEP
- Author
-
Jeff Gaynor, Zach Miller, Derek Weitzel, Todd Tannenbaum, Brian Bockelman, and Jim Basney
- Subjects
Service (systems architecture) ,Authentication ,JSON Web Token ,010308 nuclear & particles physics ,Physics ,QC1-999 ,Certificate ,Security token ,computer.software_genre ,01 natural sciences ,World Wide Web ,Data access ,0103 physical sciences ,Federated identity ,Web service ,010306 general physics ,computer - Abstract
Outside the HEP computing ecosystem, it is vanishingly rare to encounter user X509 certificate authentication (and proxy certificates are even more rare). The web never widely adopted the user certificate model, but increasingly sees the need for federated identity services and distributed authorization. For example, Dropbox, Google and Box instead use bearer tokens issued via the OAuth2 protocol to authorize actions on their services. Thus, the HEP ecosystem has the opportunity to reuse recent work in industry that now covers our needs. We present a token-based ecosystem for authorization tailored for use by CMS. We base the tokens on the SciTokens profile for the standardized JSON Web Token (JWT) format. The token embeds a signed description of what capabilities the VO grants the bearer; the site-level service can verify the VO’s signature without contacting a central service. In this paper, we describe the modifications done to enable token-based authorization in various software packages used by CMS, including XRootD, CVMFS, and HTCondor. We describe the token-issuing workflows that would be used to get tokens to running jobs in order to authorize data access and file stageout, and explain the advantages for hosted web services. Finally, we outline what the transition would look like for an experiment like CMS.
- Published
- 2019
44. Cloud Bursting Galaxy: Federated Identity and Access Management
- Author
-
Vahid Jalili, Jeremy Goecks, James Taylor, and Enis Afgan
- Subjects
Statistics and Probability ,Computer science ,Cloud computing ,02 engineering and technology ,Access management ,Internet security ,Biochemistry ,World Wide Web ,03 medical and health sciences ,Backup ,0202 electrical engineering, electronic engineering, information engineering ,Molecular Biology ,Computer Security ,030304 developmental biology ,Password ,0303 health sciences ,Authentication ,business.industry ,030305 genetics & heredity ,Authorization ,Computational Biology ,Cloud Computing ,Genome Analysis ,Original Papers ,OpenID Connect ,Computer Science Applications ,Computational Mathematics ,Data access ,Computational Theory and Mathematics ,Scalability ,020201 artificial intelligence & image processing ,Federated identity ,business ,Software - Abstract
Motivation: Large biomedical datasets, such as those from genomics and imaging, are increasingly being stored on commercial and institutional cloud computing platforms. This is because cloud-scale computing resources, from robust backup to high-speed data transfer to scalable compute and storage, are needed to make these large datasets usable. However, one challenge for large-scale biomedical data on the cloud is providing secure access, especially when datasets are distributed across platforms. While there are open Web protocols for secure authentication and authorization, these protocols are not in wide use in bioinformatics and are difficult to use for even technologically sophisticated users.
Results: We have developed a generic and extensible approach for securely accessing biomedical datasets distributed across cloud computing platforms. Our approach combines OpenID Connect and OAuth2, best-practice Web protocols for authentication and authorization, together with Galaxy (https://galaxyproject.org), a web-based computational workbench used by thousands of scientists across the world. With our enhanced version of Galaxy, users can access and analyze data distributed across multiple cloud computing providers without any special knowledge of access/authorization protocols. Our approach does not require users to share permanent credentials (e.g., username, password, API key), instead relying on automatically-generated temporary tokens that refresh as needed. Our approach is generalizable to most identity providers and cloud computing platforms. To the best of our knowledge, Galaxy is the only computational workbench where users can access biomedical datasets across multiple cloud computing platforms using best-practice Web security approaches and thereby minimize risks of unauthorized data access and credential use.
Availability and Implementation: Freely available for academic and commercial use under the open-source Academic Free License (https://opensource.org/licenses/AFL-3.0) from the following GitHub repositories: https://github.com/galaxyproject/galaxy and https://github.com/galaxyproject/cloudauthz
Contact: jalili@ohsu.edu, goecksj@ohsu.edu
- Published
- 2018
45. FLAT: Federated lightweight authentication for the Internet of Things
- Author
-
Maria L. B. A. Santos, Fernando A. Teixeira, Leonardo B. Oliveira, Jéssica C. Carneiro, Marco Aurelio Amaral Henriques, and Antônio M. R. Franco
- Subjects
Authentication ,Cryptographic primitive ,Computer Networks and Communications ,Computer science ,business.industry ,010401 analytical chemistry ,020206 networking & telecommunications ,02 engineering and technology ,01 natural sciences ,0104 chemical sciences ,Hardware and Architecture ,Authentication protocol ,0202 electrical engineering, electronic engineering, information engineering ,Overhead (computing) ,Federated identity ,business ,Protocol (object-oriented programming) ,Implicit certificate ,Software ,Computer network - Abstract
Federated Identity Management schemes (FIdMs) are of great help for traditional systems as they improve user authentication and privacy. In this paper, we claim that traditional FIdMs are mostly cumbersome and therefore ill-suited for IoT. As a solution to this problem, we came up with Federated Lightweight Authentication of Things (FLAT), a federated identity authentication protocol exclusively tailored to IoT. FLAT replaces the weighty protocols and public-key cryptographic primitives used in traditional FIdMs with lighter ones, such as symmetric cryptographic primitives and Implicit Certificates. Our results show that FLAT can reduce the data exchange overhead by around 31% when compared to a baseline solution. Also, the FLAT Client, the role played by an IoT device in the protocol, is more efficient than the baseline Client in terms of data exchange, storage, memory, and computation time. Our results indicate that FLAT runs efficiently, even on top of resource-constrained devices like Arduino.
- Published
- 2020
46. Blockchain-based federated identity and auditing
- Author
-
Hany F. ElYamany, Mahmoud El-Gayyar, Miriam A. M. Capretz, Katarina Grolinger, and Syed Mir
- Subjects
Service (systems architecture) ,Blockchain ,Computer science ,Identity (object-oriented programming) ,Face (sociological concept) ,Ocean Engineering ,Federated identity ,Audit ,Computer security ,computer.software_genre ,computer ,TRACE (psycholinguistics) ,Meaning (linguistics) - Abstract
A federated identity is a single identity that enables users to access multiple services across a network of business parties. Such identities are subject to various threats and attacks and face diverse challenges including identity leaks, centralised management, auditing limitations, and long breach investigation processes. This paper proposes a framework aimed at automating and decentralising the generation and auditing of a robust and secured blockchain-based federated identity in a marketplace. Business parties participating in the marketplace form the nodes of a distributed blockchain network and participate in the creation of federated identities. Users of this network can access services provided by any one of the participating parties using a single federated identity. All transactions are fully audited in the blockchain, meaning that participating parties can monitor access to their service and users can trace the use of their identities. The proposed framework has been evaluated using two blockchain technologies (Ethereum and Hyperledger Fabric) to measure its performance in public and permissioned blockchain environments.
- Published
- 2020
47. A Design of Cross-Realm Authentication Scheme in Openstack Based on Declaration
- Author
-
Yongning Qin, Gefei Li, Yaping Chi, and Shuhao Li
- Subjects
021110 strategic, defence & security studies ,Authentication ,business.industry ,Gateway (telecommunications) ,Computer science ,0211 other engineering and technologies ,020206 networking & telecommunications ,Application service provider ,Cloud computing ,02 engineering and technology ,Secure communication ,Default gateway ,0202 electrical engineering, electronic engineering, information engineering ,Identity (object-oriented programming) ,Windows domain ,Federated identity ,business ,Computer network - Abstract
Addressing the problem of how users in a Windows domain can access cloud computing resources across realms, a cross-realm authentication scheme based on federated identity is proposed. Based on the idea of claims (declarations), the scheme uses a federated identity provider in place of the gateway of the traditional gateway-based cross-realm authentication model, so that users in a Windows domain can access cloud resources without re-authenticating. The scheme uses the SAML protocol to exchange user identity information between different domains, which ensures the versatility and security of the system and achieves seamless secure communication between different security domains. Finally, we give the design of the key components of the three modules (claim provider, federated identity provider and application service provider), and the feasibility of the scheme is verified on the popular cloud platform OpenStack.
- Published
- 2018
48. Demo Abstract: Federated Authentication of Things
- Author
-
Marco Aurelio Amaral Henriques, Jéssica C. Carneiro, Antônio M. R. Franco, Leonardo B. Oliveira, Maria L. B. A. Santos, and Fernando A. Teixeira
- Subjects
Authentication ,business.industry ,Computer science ,010401 analytical chemistry ,020206 networking & telecommunications ,Cryptography ,02 engineering and technology ,Service provider ,Client-side ,Computer security ,computer.software_genre ,01 natural sciences ,0104 chemical sciences ,0202 electrical engineering, electronic engineering, information engineering ,Identity (object-oriented programming) ,Cryptosystem ,Federated identity ,business ,Implicit certificate ,computer - Abstract
In this demo, we will showcase FLAT, a federated identity model tailored to IoT. FLAT's authentication is lightweight because it uses only symmetric cryptosystems on the IoT client side and implicit certificates between the Identity and Service Providers. We show how FLAT can be used to increase security and privacy in automatic toll gate payment applications.
- Published
- 2018
49. Improving Privacy and Trust in Federated Identity Using SAML with Hash Based Encryption Algorithm
- Author
-
Safeeullah Soomroo, S. Veni, and Jissy Ann George
- Subjects
User information ,FOS: Computer and information sciences ,Cloud computing security ,Computer Science - Cryptography and Security ,business.industry ,Computer science ,Hash function ,Service provider ,Computer security ,computer.software_genre ,Encryption ,Security Assertion Markup Language ,Identity provider ,Federated identity ,business ,computer ,Cryptography and Security (cs.CR) - Abstract
Cloud computing is an upcoming technology that has been designed for commercial needs. One of the major issues in cloud computing is the difficulty of managing federated identities and the trust between the user and the service providers. This paper focuses on how security can be provided between the user and the service provider and how the user information can be authenticated. For the purpose of providing privacy and authentication, Security Assertion Markup Language (SAML) based Single Sign-On is used. Security is provided by using a Hash based Encryption algorithm (HBE). The HBE algorithm works with the help of a Key Exchange Protocol that contains a poly hash function. In the algorithm, identity providers maintain a user directory and authenticate user information; the service provider provides the service to users. The user has to register their details with the identity provider prior to this. During this stage, the Hash based Encryption algorithm is used to provide secure communication between the identity provider and the user. In this paper we suggest that higher security can be given to user login by using an additional cryptographic technique, i.e. the Hash based Encryption algorithm with the help of the Key Exchange Protocol. ICETAS Proceedings 2017.
- Published
- 2018
50. Privacy-preserving user identity in Identity-as-a-Service
- Author
-
Woldemar Fuhrmann, Tri Hoang Vo, and Klaus-Peter Fischer-Hellmann
- Subjects
User information ,Authentication ,Computer science ,business.industry ,Internet privacy ,Identity (object-oriented programming) ,ComputingMilieux_COMPUTERSANDSOCIETY ,Access control ,Cloud computing ,Federated identity ,business ,Encryption ,Personally identifiable information - Abstract
In Federated Identity Management, providers from different security domains exchange messages containing authentication and authorisation credentials of users. As a result, a user can use their Personally Identifiable Information (PII) from one or more Identity Providers to gain access to other sites. Disseminating PII over intermediaries also requires protecting PII from misuse and unauthorised access. Identity-as-a-Service (IDaaS) provides a federated identity for users to access multiple Cloud services on demand but may preserve user privacy. In this paper, we present a novel approach for preserving privacy in IDaaS by combining Purpose Based Access Control and Attribute-based Encryption with multi-authority support. Our approach is suitable for sharing sensitive user information in a large, distributed and heterogeneous environment.
- Published
- 2018