Your search keyword '"Federated identity"' showing total 191 results

51. MFA and Identity Federations

Author

Montañés Navarro, Edgar, García Font, Víctor, and Guijarro Olivares, Jordi

Subjects

Seguridad informática -- TFM, autenticació multifactor, second factor autentication, multifactor authentication, federated identity, identitat federada, identidad federada, Seguretat informàtica -- TFM, segundo factor de autenticación, Computer security -- TFM, segon factor d'autenticació, autenticación multifactor

Abstract

Cada vez es más habitual que las aplicaciones necesarias para el desarrollo de negocio de la Organización sean accesibles desde Internet mediante un portal web, es por eso que, es necesario poner un control de acceso. El hecho de tener que autenticarse en cada una de las aplicaciones es incómodo para el usuario, por lo que, entra en juego la identidad federada. Por otro lado, se ha visto que un usuario y una contraseña ya no es suficiente como sistema de autenticación y autorización, dado que se están produciendo incidentes de seguridad relacionados con robo de credenciales. Así pues, es necesario implantar un segundo factor de autenticación o sistema multifactor para protegerse de dichos ataques. El objetivo de este estudio es realizar un estado del arte exhaustivo de los diferentes entornos de federación de identidad, así como de las regulaciones existentes en la misma si queremos utilizar un servicio de federación, y las posibles herramientas que se pueden encontrar en Internet para integrarla. Además, se realizará un estudio de los diferentes factores de autenticación existentes, así como de las diferentes tecnologías y servicios que pueden ayudar a implementarlo. Tras el estudio, se construirá un entorno que disponga de identidad federada y se detallará el proceso de autenticación y autorización. Cada vegada és més habitual que les aplicacions necessàries per al desenvolupament de negoci d'una organització siguin accessibles des d'Internet mitjançant un portal web, és per això que, cal posar un control d'accés. El fet d'haver d'autenticar-se en cadascuna de les aplicacions és incòmode per a l'usuari, de manera que, entra en joc la identitat federada. D'altra banda, s'ha vist que un usuari i una contrasenya ja no és suficient com a sistema d'autenticació i autorització, atès que s'estan produint incidents de seguretat relacionats amb robatori de credencials. Així doncs, cal implantar un segon factor d'autenticació o sistema multifactor per protegir-se d'aquests atacs. L'objectiu d'aquest estudi es realitza un estat de l'art exhaustiu dels diferents entorns de federació d'identitat, així com de les regulacions existents en la mateixa si volem utilitzar un servei de federació, i les possibles eines que es poden trobar a Internet per integrar-la. A més, es realitzarà un estudi dels diferents factors d'autenticació existents, així com de les diferents tecnologies i serveis que poden ajudar a implementar-lo. Després de l'estudi, es construirà un entorn que disposi d'identitat federada i es detallarà el procés d'autenticació i autorització. It is becoming more common that the necessary applications for the development of the business of the Organization are accessible from the Internet through a web portal, that is why, it is necessary to put an access control. It can result annoying having to authenticate in each of the applications, therefore, the Federated Identity comes into play. On the other hand, it has been seen that a user and a password is no longer enough as an authentication and authorization system, given that security incidents related to theft of credentials are occurring. For that reason, it is necessary to implement a second factor authentication or multifactor system to protect against such attacks. The aim of this review is to perform an exhaustive study of the different identity federation environments, as well as its existing regulations if we want to use a federation service, and the possible tools that can be found on the Internet to integrate it. In addition, a study of the different existing authentication factors will be conducted, as well as the different technologies and services that can help to implement it. After the study, an environment that has a federated identity will be built and the authentication and authorization process will be detailed.

Published

2019

52. Federación de identidades: estado del arte e implementación de un caso real

Author

García de Marina Martín, Alejandro and Guijarro Olivares, Jordi

Subjects

seguretat de la informació, Seguridad informática -- TFM, information security, gestió d'identitats, federated identity, gestión de identidades, identitat federada, identidad federada, identity management, Seguretat informàtica -- TFM, Computer security -- TFM, seguridad de la información

Abstract

La gestión de identidades (IdM, por sus siglas en ingles Identity Management) es el área que se ocupa de manejar las diversas identidades y su información relacionada, a lo largo de diversos dominios y/o servicios, garantizando así la seguridad y privacidad de los usuarios. Los sistemas de gestión de identidades han ido evolucionando notablemente a lo largo de los años pasando por las listas de control de accesos, sistemas con arquitectura SILO, sistemas con arquitectura centralizada y sistemas con arquitectura federada. Estos últimos (federados) han sido el objeto principal de estudio. A lo largo del presente trabajo, se ha realizado un análisis en profundidad de las peculiaridades y los principales estándares desarrollados para cada uno de estos sistemas. Así, por ejemplo se puede ver en detalle estándares como LDAP, Kerberos o radius para los sistemas con arquitectura centralizada y estándares como SAML, OAuth, OpenID Connect y Mobile Connect para los sistemas con arquitectura federada. El presente trabajo por lo tanto se puede definir con un estado del arte de los sistemas de gestión de identidades focalizado mayormente en los sistemas federados. Además, para poder ahondar en estos últimos, se ha desarrollado una implementación de un sistema de gestión de identidades federado para poner en práctica el uso de OpenID Connect en un entorno de laboratorio lo más fidedigno posible con la realidad. La gestió d'identitats (IdM) és l'àrea que s'ocupa de gestionar les diverses identitats i la seva informació relacionada, al llarg de diversos dominis i / o serveis, garantint així la seguretat i privacitat de les usuaris. Els sistemes de gestió d'identitats han anat evolucionant notablement al llarg dels anys passant per les llistes de control d'accessos, sistemes amb arquitectura SILO, sistemes amb arquitectura centralitzada i sistemes amb arquitectura federada. Aquests últims (federats) han estat l'objecte principal d'estudi. Al llarg del present treball, s'ha realitzat una anàlisi en profunditat de les peculiaritats i els principals estàndards desenvolupats per a cada un d'aquests sistemes. Així, per exemple es pot veure en detall estàndards com LDAP, Kerberos o radius per als sistemes amb arquitectura centralitzada i estàndards com SAML, OAuth, OpenID Connect i Mobile Connect per als sistemes amb arquitectura federada. El present treball per tant es pot definir amb un estat de l'art dels sistemes de gestió d'identitats focalitzat majorment en els sistemes federats. A més, per poder aprofundir en aquests últims, s'ha desenvolupat una implementació d'un sistema de gestió d'identitats federat per posar en pràctica l'ús d'OpenID Connect en un entorn de laboratori el més fidedigne possible amb la realitat. Identity Management (IdM) is the area that handles the various identities and their related information, across various domains and / or services, thus ensuring the security and privacy of users. users Identity management systems have evolved markedly over the years through access control lists, systems with SILO architecture, systems with centralized architecture and systems with federated architecture. The latter (federated) have been the main object of study. Throughout this work, an in-depth analysis of the peculiarities and the main standards developed for each of these systems has been carried out. Thus, for example, you can see in detail standards such as LDAP, Kerberos or radius for systems with centralized architecture and standards such as SAML, OAuth, OpenID Connect and Mobile Connect for systems with federated architecture. The present work can therefore be defined with a state of the art of identity management systems focused mainly on federated systems. In addition, in order to delve into the latter, an implementation of a federated identity management system has been developed to implement the use of OpenID Connect in a laboratory environment as reliable as possible with reality.

Published

2019

53. Capability-Based Authorization for HEP

Author

Jeff Gaynor, Zach Miller, Derek Weitzel, Todd Tannenbaum, Brian Bockelman, and Jim Basney

Subjects

Service (systems architecture), Authentication, JSON Web Token, 010308 nuclear & particles physics, Physics, QC1-999, Certificate, Security token, computer.software_genre, 01 natural sciences, World Wide Web, Data access, 0103 physical sciences, Federated identity, Web service, 010306 general physics, computer

Abstract

Outside the HEP computing ecosystem, it is vanishingly rare to encounter user X509 certificate authentication (and proxy certificates are even more rare). The web never widely adopted the user certificate model, but increasingly sees the need for federated identity services and distributed authorization. For example, Dropbox, Google and Box instead use bearer tokens issued via the OAuth2 protocol to authorize actions on their services. Thus, the HEP ecosystem has the opportunity to reuse recent work in industry that now covers our needs. We present a token-based ecosystem for authorization tailored for use by CMS. We base the tokens on the SciTokens profile for the standardized JSON Web Token (JWT) format. The token embeds a signed description of what capabilities the VO grants the bearer; the site-level service can verify the VO’s signature without contacting a central service. In this paper, we describe the modifications done to enable token-based authorization in various software packages used by CMS, including XRootD, CVMFS, and HTCondor. We describe the token-issuing workflows that would be used to get tokens to running jobs in order to authorize data access and file stageout, and explain the advantages for hosted web services. Finally, we outline what the transition would look like for an experiment like CMS.

Published

2019

54. Cloud Bursting Galaxy: Federated Identity and Access Management

Author

Vahid Jalili, Jeremy Goecks, James Taylor, and Enis Afgan

Subjects

Statistics and Probability, Computer science, Cloud computing, 02 engineering and technology, Access management, Internet security, Biochemistry, World Wide Web, 03 medical and health sciences, Backup, 0202 electrical engineering, electronic engineering, information engineering, Molecular Biology, Computer Security, 030304 developmental biology, Password, 0303 health sciences, Authentication, business.industry, 030305 genetics & heredity, Authorization, Computational Biology, Cloud Computing, Genome Analysis, Original Papers, OpenID Connect, Computer Science Applications, Computational Mathematics, Data access, Computational Theory and Mathematics, Scalability, 020201 artificial intelligence & image processing, Federated identity, business, Software

Abstract

MotivationLarge biomedical datasets, such as those from genomics and imaging, are increasingly being stored on commercial and institutional cloud computing platforms. This is because cloud-scale computing resources, from robust backup to high-speed data transfer to scalable compute and storage, are needed to make these large datasets usable. However, one challenge for large-scale biomedical data on the cloud is providing secure access, especially when datasets are distributed across platforms. While there are open Web protocols for secure authentication and authorization, these protocols are not in wide use in bioinformatics and are difficult to use for even technologically sophisticated users.ResultsWe have developed a generic and extensible approach for securely accessing biomedical datasets distributed across cloud computing platforms. Our approach combines OpenID Connect and OAuth2, best-practice Web protocols for authentication and authorization, together with Galaxy (https://galaxyproject.org), a web-based computational workbench used by thousands of scientists across the world. With our enhanced version of Galaxy, users can access and analyze data distributed across multiple cloud computing providers without any special knowledge of access/authorization protocols. Our approach does not require users to share permanent credentials (e.g., username, password, API key), instead relying on automatically-generated temporary tokens that refresh as needed. Our approach is generalizable to most identity providers and cloud computing platforms. To the best of our knowledge, Galaxy is the only computational workbench where users can access biomedical datasets across multiple cloud computing platforms using best-practice Web security approaches and thereby minimize risks of unauthorized data access and credential use.Availability and ImplementationFreely available for academic and commercial use under the open-source Academic Free License (https://opensource.org/licenses/AFL-3.0) from the following Github repositories:https://github.com/galaxyproject/galaxyandhttps://github.com/galaxyproject/cloudauthzContactjalili@ohsu.edu,goecksj@ohsu.edu

Published

2018

55. FLAT: Federated lightweight authentication for the Internet of Things

Author

Maria L. B. A. Santos, Fernando A. Teixeira, Leonardo B. Oliveira, Jéssica C. Carneiro, Marco Aurelio Amaral Henriques, and Antônio M. R. Franco

Subjects

Authentication, Cryptographic primitive, Computer Networks and Communications, Computer science, business.industry, 010401 analytical chemistry, 020206 networking & telecommunications, 02 engineering and technology, 01 natural sciences, 0104 chemical sciences, Hardware and Architecture, Authentication protocol, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), Federated identity, business, Protocol (object-oriented programming), Implicit certificate, Software, Computer network

Abstract

Federated Identity Management schemes (FIdMs) are of great help for traditional systems as they improve user authentication and privacy. In this paper, we claim that traditional FIdMs are mostly cumbersome and then ill-suited for IoT. As a solution to this problem, we came up with Federated Lightweight Authentication of Things (FLAT), namely a federated identity authentication protocol exclusively tailored to IoT. FLAT replaces weighty protocols and public-key cryptographic primitives used in traditional FIdMs by lighter ones, like symmetric cryptographic primitives and Implicit Certificates. Our results show that FLAT can reduce the data exchange overhead by around 31% when compared to a baseline solution. Also, the FLAT Client, the role played by an IoT device in the protocol, is more efficient than the baseline Client in terms of data exchange, storage, memory, and computation time. Our results indicate that FLAT runs efficiently, even on top of resource-constrained devices like Arduino.

Published

2020

56. Blockchain-based federated identity and auditing

Author

Hany F. ElYamany, Mahmoud El-Gayyar, Miriam A. M. Capretz, Katarina Grolinger, and Syed Mir

Subjects

Service (systems architecture), Blockchain, Computer science, Identity (object-oriented programming), Face (sociological concept), Ocean Engineering, Federated identity, Audit, Computer security, computer.software_genre, computer, TRACE (psycholinguistics), Meaning (linguistics)

Abstract

A federated identity is a single identity that enables users to access multiple services across a network of business parties. Such identities are subject to various threats and attacks and face diverse challenges including identity leaks, centralised management, auditing limitations, and long breach investigation processes. This paper proposes a framework aimed at automating and decentralising the generation and auditing of a robust and secured blockchain-based federated identity in a marketplace. Business parties participating in the marketplace form the nodes of a distributed blockchain network and participate in the creation of federated identities. Users of this network can access services provided by any one of the participating parties using a single federated identity. All transactions are fully audited in the blockchain, meaning that participating parties can monitor access to their service and users can trace the use of their identities. The proposed framework has been evaluated using two blockchain technologies (Ethereum and Hyperledger Fabric) to measure its performance in public and permissioned blockchain environments.

Published

2020

57. A Design of Cross-Realm Authentication Scheme in Openstack Based on Declaration

Author

Yongning Qin, Gefei Li, Yaping Chi, and Shuhao Li

Subjects

021110 strategic, defence & security studies, Authentication, business.industry, Gateway (telecommunications), Computer science, 0211 other engineering and technologies, 020206 networking & telecommunications, Application service provider, Cloud computing, 02 engineering and technology, Secure communication, Default gateway, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), Windows domain, Federated identity, business, Computer network

Abstract

Aiming at the issue how users in Windows domain cross-realm access cloud computing resources, a cross-realm authentication scheme based on federated identity was proposed. Based on the idea of the declaration, the scheme uses the federated identity provider to replace the gateway in the traditional gateway-based cross-realm authentication model, so as to realize the users in Windows domain access the cloud resources without re-authentication. The scheme uses SAML protocol to exchange user identity information between different domains, which ensures versatility and security of the system and realizes seamlessly secure communication between different security domains. Finally, based on claim provider, federated identity provider and application service provider, we give the design of the key components of the three modules, then the feasibility of the scheme is verified with the popular cloud platform OpenStack.

Published

2018

58. Demo Abstract: Federated Authentication of Things

Author

Marco Aurelio Amaral Henriques, Jéssica C. Carneiro, Antônio M. R. Franco, Leonardo B. Oliveira, Maria L. B. A. Santos, and Fernando A. Teixeira

Subjects

Authentication, business.industry, Computer science, 010401 analytical chemistry, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Service provider, Client-side, Computer security, computer.software_genre, 01 natural sciences, 0104 chemical sciences, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), Cryptosystem, Federated identity, business, Implicit certificate, computer

Abstract

In this demo, we will showcase FLAT, a federated identity model tailored to IoT. FLAT's authentication is lightweight because it uses only symmetric cryptosystems on the IoT client side and implicit certificates between the Identity and Service Providers. We show how FLAT can be used to increase security and privacy in automatic toll gate payment applications.

Published

2018

59. Improving Privacy and Trust in Federated Identity Using SAML with Hash Based Encryption Algorithm

Author

Safeeullah Soomroo, S. Veni, and Jissy Ann George

Subjects

User information, FOS: Computer and information sciences, Cloud computing security, Computer Science - Cryptography and Security, business.industry, Computer science, Hash function, Service provider, Computer security, computer.software_genre, Encryption, Security Assertion Markup Language, Identity provider, Federated identity, business, computer, Cryptography and Security (cs.CR)

Abstract

Cloud computing is an upcoming technology that has been designed for commercial needs. One of the major issues in cloud computing is the difficulty to manage federated identities and the trust between the user and the service providers. This paper focuses on how security can be provided between the user and the service provider and how the user information can be authenticated. For the purpose of providing privacy and authentication, Security Assertion Markup Language (SAML) based Single Sign-On is used. Security is provided by using Hash based Encryption algorithm (HBE). HBE algorithm works with the help of Key Exchange Protocol which contains poly hash function. In the algorithm, Identity providers maintain user directory and authenticates user information; service provider provides the service to users. The user has to register their details with the identity provider prior to this. During this stage, Hash based Encryption algorithm is used to provide secure communication between the identity provider and the user. In this paper we suggest that higher security can be given to user login by using an additional cryptographic technique, i.e. Hash based Encryption algorithm with the help of the Key Exchange Protocol., ICETAS Proceedings 2017

Published

2018

60. Privacy-preserving user identity in Identity-as-a-Service

Author

Woldemar Fuhrmann, Tri Hoang Vo, and Klaus-Peter Fischer-Hellmann

Subjects

User information, Authentication, Computer science, business.industry, Internet privacy, Identity (object-oriented programming), ComputingMilieux_COMPUTERSANDSOCIETY, Access control, Cloud computing, Federated identity, business, Encryption, Personally identifiable information

Abstract

In Federated Identity Management, providers from different security domains exchange messages containing authentication and authorisation credentials of users. As a result, a user can use his Personal Identifiable Information (PII) from one or more Identity Providers to gain access to other sites. Disseminating PII over intermediaries also requires protecting PII from being misused and unauthorised access. Identity-as-a- Service (IDaaS) provides a federated identity for users to access multiple Cloud services on demand but may preserve user privacy. In this paper, we present a novel approach for preserving privacy in IDaaS by combining Purpose Based Access Control and Attribute-based Encryption with multi-authorities support. Our approach is suitable for sharing sensitive user information in a large distributed and heterogeneous environment.

Published

2018

61. Comparative Analysis and Framework Evaluating Web Single Sign-On Systems

Author

Furkan Alaca and Paul C. van Oorschot

Subjects

010302 applied physics, Password, FOS: Computer and information sciences, 021110 strategic, defence & security studies, Computer Science - Cryptography and Security, General Computer Science, business.industry, Computer science, 0211 other engineering and technologies, Usability, 02 engineering and technology, Password management, Service provider, 01 natural sciences, Data science, Credential, Theoretical Computer Science, 0103 physical sciences, Identity (object-oriented programming), Single sign-on, Federated identity, business, Cryptography and Security (cs.CR)

Abstract

We perform a comprehensive analysis and comparison of 14 web single sign-on (SSO) systems proposed and/or deployed over the past decade, including federated identity and credential/password management schemes. We identify common design properties and use them to develop a taxonomy for SSO schemes, highlighting the associated tradeoffs in benefits (positive attributes) offered. We develop a framework to evaluate the schemes, in which we identify 14 security, usability, deployability, and privacy benefits. We also discuss how differences in priorities between users, service providers, and identity providers impact the design and deployment of SSO schemes.

Published

2018

62. Can R&E federations trust Research Infrastructures? - The 'Snctfi' Trust Framework

Author

Uros Stevanovic, Vincent Ribaillier, Hannah Short, Ian Neilson, Stefan Paetow, Mikael Linden, Christos Kanellopoulos, David Groep, Licia Florio, Wolfgang Pempe, David Kelsey, Mischa Sallé, and G. Venekamp

Subjects

Authentication, Negotiation, Knowledge management, business.industry, media_common.quotation_subject, Scalability, Quality (business), Business, Federated identity, Service provider, Filter (software), Proxy (climate), media_common

Abstract

Research Infrastructures increasingly use national and global “Research and Education” (R&E) authentication federations to provide access to their services. Studies in the AARC project have shown that research communities connect to the R&E federation using an ‘SP-IdP proxy’. The use of a proxy in itself poses policy challenges. As seen by the R&E federations, the SP-IdP proxy hides all of the research services. Home organisations and R&E federations see just a single service provider, even if the services behind it are provided in hundreds of different administrative domains. Building on the Security for Collaboration among Infrastructures (SCI) framework, the “Security Networked-Community Trust-framework for Federated Identity” (Snctfi) proposes a policy framework that allows determination of the ‘quality’ of such SP-IdP proxies and the research services behind them. “Snctfi” allows comparison between proxies, and it allows a scalable way to negotiate and filter based on such policies. We present here version 1 of the “Snctfi” trust framework.

Published

2017

63. FTS3 / WebFTS – A Powerful File Transfer Service for Scientific Communities

Author

Andrey Kiryanov, Alejandro Alvarez Ayllon, and Oliver Keeble

Subjects

Service (systems architecture), FTS3, Computer science, Interface (Java), business.industry, End user, Data management, File transfer, Computing and Computers, World Wide Web, WebFTS, HPC, Scalability, General Earth and Planetary Sciences, Federated identity, Data storage, User interface, business, General Environmental Science, Graphical user interface

Abstract

FTS3, the service responsible for globally distributing the majority of the LHC data across the WLCG infrastructure, is now available to everybody. Already integrated into LHC experiment frameworks, a new web interface now makes the FTS3's transfer technology directly available to end users. In this article we describe this intuitive new interface, “WebFTS”, which allows users to easily schedule and manage large data transfers right from the browser, profiting from a service which has been proven at the scale of petabytes per month. We will shed light on new development activities to extend FTS3 transfers capabilities outside Grid boundaries with support of non-Grid endpoints like Dropbox and S3. We also describe the latest changes integrated into the transfer engine itself, such as new data management operations like deletions and staging files from archive, all of which may be accessed through our standards-compliant REST API. For the Service Managers, we explain such features as the service's horizontal scalability, advanced monitoring and its “zero configuration” approach to deployment made possible by specialised transfer optimisation logic. For the Data Managers, we will present new tools for management of FTS3 transfer parameters like limits for bandwidth and max active file transfers per endpoint and VO, user and endpoint banning and powerful command line tools. We finish by describing our effort to extend WebFTS's captivating graphical interface with support of Federated Identity technologies, thus demonstrating the use of grid resources without the burden of certificate management. In this manner we show how FTS3 can cover the needs of wide range of parties from casual users to high-load services. The evolution of FTS3 is addressing technical and performance requirements and challenges for LHC Run 2, moreover, its simplicity, generic design, web portal and REST interface makes it an ideal file transfer scheduler both inside and outside of HEP community.

Published

2015

64. NEXTLEAP: Decentralizing Identity with Privacy for Secure Messaging

Author

Harry Halpin, Programming securely with cryptography (PROSECCO), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), and Programming securely with cryptography (PROSECCO )

Subjects

decentralization, Computer science, Access control, 02 engineering and technology, Computer security, computer.software_genre, Encryption, privacy, World Wide Web, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Server, 0202 electrical engineering, electronic engineering, information engineering, identity, secure messaging, anonymity, business.industry, [INFO.INFO-WB]Computer Science [cs]/Web, 020206 networking & telecommunications, OpenID Connect, Metadata, Secure messaging, Identity (object-oriented programming), 020201 artificial intelligence & image processing, Federated identity, business, computer

Abstract

International audience; Identity systems today link users to all of their actions and serve as centralized points of control and data collection. NEXTLEAP proposes an alternative decentralized and privacy-enhanced architecture. First, NEXTLEAP is building privacy-enhanced federated identity systems, using blind signatures based on Algebraic MACs to improve OpenID Connect. Second, secure messaging applications ranging from Signal to WhatsApp may deliver the content in an encrypted form, but they do not protect the metadata of the message and they rely on centralized servers. e EC Project NEXTLEAP is focussed on xing these two problems by decentralizing traditional identities onto a privacy-enhanced based blockchain that can then be used to build access control lists in a decentralized manner, similar to SDSI. Furthermore, we improve on secure mes-saging by then using this notion of decentralized identity to build in group messaging, allowing messaging between diierent servers. NEXTLEAP is also working with the PANORAMIX EC project to use a generic mix networking infrastructure to hide the metadata of the messages themselves and plans to add privacy-enhanced data analytics that work in a decentralized manner.

Published

2017

65. Federated identity hybrid cloud security considerations supporting first responders

Author

Randy Garcia

Subjects

Engineering, Cloud computing security, business.industry, Information sharing, Public policy, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, Outcome (game theory), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), 020201 artificial intelligence & image processing, Federated identity, Architecture, business, computer

Abstract

Propose an architecture and policy approach to implement federated identity hybrid cloud enabling first responders. These continue to suffer lack of trusted and secure information sharing. The focus is on the architecture and methodology for federating identity to enable rapid response. The outcome drives successful outcomes in disaster response.

Published

2017

66. Flexible Enforcement of Multi-factor Authentication with SSH via Linux-PAM for Federated Identity Users

Author

Shane Filus and Derek Simmel

Subjects

Service (systems architecture), Engineering, Authentication, business.industry, computer.internet_protocol, Multi-factor authentication, computer.software_genre, Login, Supercomputer, Lightweight Directory Access Protocol, Operating system, Federated identity, Kerberos, business, computer

Abstract

A computational science project with restricted-access data was awarded an allocation by XSEDE in 2016 to use the Bridges supercomputer at the Pittsburgh Supercomputing Center (PSC). As a condition of the license agreement for access to the data, multi-factor authentication (MFA) with XSEDE's Duo MFA service is required for users of this project to login to Bridges via SSH, in addition to filesystem access controls. Since not all Bridges users are required to authenticate to Bridges in this manner, a solution was implemented via Linux-PAM to require XSEDE Duo MFA for SSH login access by specific users, as identified by their local account name or membership in a local group. This paper describes the implementation on Bridges and its extensibility to other systems and environments with similar needs.

Published

2017

67. Federated identity technologies and applications in research and education networks

Author

Konul Aliyeva

Subjects

Knowledge management, business.industry, Political science, Federated identity, business

Published

2017

68. Building Security and Trust in Inter-Federation

Author

Romain Wartel and Hannah Short

Subjects

Authentication, Higher education, business.industry, Best practice, Corporate governance, Internet privacy, Global network, Federated identity, business, Operations security, Transparency (behavior)

Abstract

The expanding network of Higher Education and Research facilities through inter-federation, whilst generally perceived as extremely valuable for collaboration and online security at large, exposes inviting new possibilities for malicious attacks[1]. A single compromised account may provide an entry point to this global network of resources linking thousands of organisations. How can we, the community, coordinate a response spanning countries and continents? How can trust be built between the organisations, and between the people, in our communities? REFEDS (the Research and Education FEDerations group)[2], in conjunction with the European Commission funded AARC Project (Authentication and Authorisation for Research and Collaboration)[3], is spearheading the Security Incident Response Trust Framework for Federated Identity (Sirtfi)[4] as a method for mitigating the impact of security incidents to federations. This framework provides a list of statements which an organisation must self- assert to be deemed Sirtfi compliant, spanning best practices in operational security to traceability. Organic global trust groups already provide a platform for informal alliances within academia, research and industry, however there is a need for heightened transparency, inclusivity and structure to facilitate this process. The lack of centralised governance within this space, in contrast to individual organisations or even national federations, calls for a standard procedure that can be adopted by all participants. What role will individuals play as this network grows in magnitude? This paper, a summary of the presentation given at the International Symposium on Grids and Clouds 2016, explores the practicalities of closing the loop on federated security. A two fold approach is presented, building trust between organisations and between the individuals therein.

Published

2017

69. Kipper – a Grid bridge to Identity Federation

Author

Andrea Manzi, Oliver Keeble, and Andrey Kiryanov

Subjects

World Wide Web, Iota, Computer science, Interface (Java), Identity (object-oriented programming), Federated identity, Grid, JavaScript, Credential, computer, Identity management, Computing and Computers, computer.programming_language

Abstract

Identity Federation (IdF, aka Federated Identity) is the means of interlinking people's electronic identities stored across multiple distinct identity management systems. This technology has gained momentum in the last several years and is becoming popular in academic organisations involved in international collaborations. One example of such a federation is eduGAIN, which interconnects European educational and research organisations, and enables trustworthy exchange of identity-related information. In this work we will show an integrated Web-oriented solution code-named “Kipper” with a goal of providing access to WLCG resources using a user's IdF credentials from their home institute with no need for user-acquired X.509 certificates. Kipper achieves “X.509-free” access to Grid resources with the help of two additional services: STS and IOTA CA. STS allows credential translation from the SAML2 format used by Identity Federation to the VOMS-enabled X.509 used by most of the Grid, and the IOTA CA is responsible for automatic issuing of short-lived X.509 certificates. Kipper comes with a JavaScript API considerably simplifying development of rich and convenient “X.509-free” Web-interfaces to Grid resources, and also encouraging adoption of IOTA-class CAs among WLCG sites. We will describe a working prototype of IdF support in the WebFTS interface to the FTS3 data transfer engine, enabled by integration of multiple services: WebFTS, CERN SSO (member of eduGAIN), CERN IOTA CA, STS, and VOMS.

Published

2017

70. TECHNOLOGY OF FEDERATED IDENTITY AND SECURE LOGGINGS IN CLOUD COMPUTING

Author

Takashi Shitamichi and Ryoichi Sasaki

Subjects

Authentication, business.industry, SOAP, computer.internet_protocol, Computer science, Services computing, Cloud computing, computer.software_genre, Computer security, Identity management, Computer Science Applications, Audit trail, Federated identity, Web service, business, computer

Abstract

Federated services are becoming widely implemented at many sites in multiple domain networks for cloud computing across many industry segments. New technology is required not only for federated authentication, but also for services operating distributed attributes, which are both static and dynamic. In addition to the technology, the sites that provide services across multiple domain networks are required to store every log as audit trails. This paper focuses on SAML and ID-WSF, which are the technology and the architecture for identity management and secure web services, discusses deployments and problems in the real world, then proposes a fast and safe technology that extends the ID-WSF for services and logs. To verify the effectiveness of the proposed technology and architecture, the latencies of SAML SSO that exchange SOAP messages are measured and considered in a cloud computing environment.

Published

2014

71. Federated Identity and Access Management in IoT systems

Author

Paul Fremantle

Subjects

World Wide Web, Computer science, business.industry, Server, Access control, Federated identity, business, Internet of Things, Access management, Web API, Identity management, Domain (software engineering)

Abstract

In this chapter, we look at how identity and access management work in the Internet of Things (IoT). In particular, we propose approaches to apply Federated Identity and Access Management (FIAM) techniques to work with IoT devices, networks and servers. We first look at the motivation for using FIAM with IoT. We then look at the previous work and approaches to identity management and access control for IoT systems. We look at how Web-based approaches to FIAM translate into the world of IoT where non-Web protocols are more common. We outline two separate phases of research where we created new FIAM approaches for IoT systems, and we include a performance analysis of the latter system. One emerging area of interest for FIAM is within the domain of Web API Management, and we explore how this also affects the IoT domain. Finally, we conclude with the outcomes of this research, open questions and propose avenues for further research.

Published

2016

72. Bringing Federated Identity to Grid Computing

Author

Mine Altunay, Dave Dykstra, and Jeny Teheran

Subjects

World Wide Web, Authentication, Data access, Grid computing, Computer science, Federated identity, computer.software_genre, Computer security, Grid, Access Grid, computer

Abstract

The Fermi National Accelerator Laboratory (FNAL) is facing the challenge of providing scientific data access and grid submission to scientific collaborations that span the globe but are hosted at FNAL. Researchers in these collaborations are currently required to register as FNAL users and obtain FNAL credentials to access grid resources to perform their scientific computations. These requirements burden researchers with managing additional authentication credentials, and put additional load on FNAL for managing user identities. Our design integrates the existing InCommon federated identity infrastructure, CILogon Basic CA, and MyProxy with the FNAL grid submission system to provide secure access for users from diverse experiments and collaborations without requiring each user to have authentication credentials from FNAL. The design automates the handling of certificates, so users do not need to manage them manually. Although the initial implementation is for FNAL's grid submission system, the design and the core of the implementation are general and could be applied to other distributed computing systems.

Published

2016

73. Building Privacy-Preserving Cryptographic Credentials from Federated Online Identities

Author

Daniel Jackowitz, David Isaac Wolinsky, Ennan Zhai, Bryan Ford, and John Maheswaran

Subjects

social networks, Authentication, anonymity, Computer science, business.industry, Internet privacy, 020206 networking & telecommunications, Cryptography, security, 02 engineering and technology, privacy, Computer security, computer.software_genre, Ring signature, Server, Communication in small groups, federated identity, 0202 electrical engineering, electronic engineering, information engineering, Cryptosystem, 020201 artificial intelligence & image processing, Federated identity, credentials, business, computer, Anonymity

Abstract

Federated identity providers, e.g., Facebook and PayPal, offer a convenient means for authenticating users to third-party applications. Unfortunately such cross-site authentications carry privacy and tracking risks. For example, federated identity providers can learn what applications users are accessing; meanwhile, the applications can know the users’ identities in reality. This paper presents Crypto-Book, an anonymizing layer enabling federated identity authentications while preventing these risks. Crypto-Book uses a set of independently managed servers that employ a (t,n)-threshold cryptosystem to collectively assign credentials to each federated identity (in the form of either a public/private key-pair or blinded signed messages). With the credentials in hand, clients can then leverage anonymous authentication techniques such as linkable ring signatures or partially blind signatures to log into third-party applications in an anonymous yet accountable way. We have implemented a prototype of Crypto-Book and demonstrated its use with three applications: a Wiki system, an anonymous group communication system, and a whistleblower submission system. Crypto-Book is practical and has low overhead: in a deployment within our research group, Crypto-Book group authentication took 1.607s end-to-end, an overhead of 1.2s compared to traditional non-privacy-preserving federated authentication.

Published

2016

74. PRIMA: Privacy-Preserving Identity and Access Management at Internet-Scale

Author

Michael Backes, Muhammad Rizwan Asghar, and Milivoj Simeonovski

Subjects

FOS: Computer and information sciences, 021110 strategic, defence & security studies, Authentication, Computer Science - Cryptography and Security, business.industry, Computer science, Internet privacy, 0211 other engineering and technologies, 02 engineering and technology, Service provider, Computer security, computer.software_genre, Credential, Identity management, Identity provider, 0202 electrical engineering, electronic engineering, information engineering, Identity (object-oriented programming), Federated identity management, 020201 artificial intelligence & image processing, The Internet, Federated identity, business, Private information retrieval, computer, Cryptography and Security (cs.CR)

Abstract

The management of identities on the Internet has evolved from the traditional approach (where each service provider stores and manages identities) to a federated identity management system (where the identity management is delegated to a set of identity providers). On the one hand, federated identity ensures usability and provides economic benefits to service providers. On the other hand, it poses serious privacy threats to users as well as service providers. The current technology, which is prevalently deployed on the Internet, allows identity providers to track the user's behavior across a broad range of services. In this work, we propose PRIMA, a universal credential-based authentication system for supporting federated identity management in a privacy-preserving manner. Basically, PRIMA does not require any interaction between service providers and identity providers during the authentication process, thus preventing identity providers to profile users' behavior. Moreover, throughout the authentication process, PRIMA provides a mechanism for controlled disclosure of the users' private information. We have conducted comprehensive evaluations of the system to show the feasibility of our approach. Our performance analysis shows that an identity provider can process 1,426 to 3,332 requests per second when the key size is varied from 1024 to 2048-bit, respectively.

Published

2016

75. Solving the legal challenges of trustworthy online identity

Author

Thomas J. Smedinghoff

Subjects

Authentication, Online identity management, Computer Networks and Communications, business.industry, Internet privacy, Identity (social science), Online identity, General Business, Management and Accounting, Credential, Identity management, Digital identity, Business, Federated identity, Law

Abstract

Digital identity management is fundamental to the further development of the Internet economy. It is a foundational requirement for most substantive e-commerce transactions and other online activities. The critical importance of online identity management has led numerous governments, inter-governmental groups, and private organizations to begin work on development of viable and scalable business, technical, and legal frameworks to address the challenge of online identity. The focus of this work is on the emerging “federated” approach to identity, where an enterprise engages in online transactions in reliance on identity credentials issued by any one of several third parties, and individuals can use the same identity credential to engage in transactions with multiple organizations. This article examines this key requirement for online transactions, and explores the legal challenges that businesses must address to reap the benefits of federated identity. It begins with a general overview of digital identity management – what it is, why it is important, and generally how it works. Then, focusing on the federated identity approach, it examines the need for operating rules to ensure that such an identity system functions properly and in a manner deemed trustworthy by the participants. To that end, it identifies the key legal challenges that must be addressed to make identity systems work, and highlights some of the key issues of structuring an appropriate identity system legal framework.

Published

2012

76. Evaluation of Unified Security, Trust and Privacy Framework (UnifiedSTPF) for Federated Identity and Access Management (FIAM) Mode

Author

Suziah Sulaiman, Zubair AhmadKhattak, and Jamalul-lail Ab Manan

Subjects

Authentication, business.industry, Computer science, Internet privacy, Authorization, Access control, Trusted Computing, Access management, Computer security, computer.software_genre, Shibboleth, Identity management, Direct Anonymous Attestation, Federated identity, business, computer

Abstract

identity and access management systems such as Shibboleth may symbolize a boost: (i) to bring the efficiency and effectiveness in collaboration for governments, enterprises and academia, and (iii) conserve the home domain user's identity privacy in a privacy-enhanced fashion. However, the consternation is about the absence of a trusted computing based mutual trust and security establishment in the Shibboleth infrastructure. The Trusted Computing based mutual attestation notion may assist to add-on the mutual trust and security but raises bidirectional platform privacy concerns. Therefore, to enjoy effectively the federated identity and resource (service) access by the home and foreign domain organizations it is necessary to provide an access control that may coalesced at least some security, trust and privacy aspects in a cohesive fashion. The objective of the work appearing in this paper is to provide a viable and feasible unified security, trust and privacy framework access control solution for federated identity and access management systems by fusing the Shibboleth authentication and authorization access control with the trusted computing based trustworthy mutual attestation.

Published

2012

77. Efficient Consistency Achievement of Federated Identity and Access Management Based on a Novel Self-Adaptable Approach

Author

Hsiang-Meng Chang and Shi-Cho Cha

Subjects

Revocation, Computer science, business.industry, Certification, Service provider, Computer security, computer.software_genre, Access management, Consistency (database systems), Identity provider, Artificial Intelligence, Hardware and Architecture, Data integrity, Single sign-on, The Internet, Computer Vision and Pattern Recognition, Federated identity, Electrical and Electronic Engineering, business, computer, Software

Abstract

Federated identity and access management (FIAM) systems enable a user to access services provided by various organizations seamlessly. In FIAM systems, service providers normally stipulate that their users show assertions issued by allied parties to use their services as well as determine user privileges based on attributes in the assertions. However, the integrity of the attributes is important under certain circumstances. In such a circumstance, all released assertions should reflect modifications made to user attributes. Despite the ability to adopt conventional certification revocation technologies, including CRL or OCSP, to revoke an assertion and request the corresponding user to obtain a new assertion, re-issuing an entirely new assertion if only one attribute, such as user location or other environmental information, is changed would be inefficient. Therefore, this work presents a self-adaptive framework to achieve consistency in federated identity and access management systems (SAFIAM). In SAFIAM, an identity provider (IdP), which authenticates users and provides user attributes, should monitor access probabilities according to user attributes. The IdP can then adopt the most efficient means of ensuring data integrity of attributes based on related access probabilities. While Internet-based services emerge daily that have various access probabilities with respect to their user attributes, the proposed self-adaptive framework significantly contributes to efforts to streamline the use of FIAM systems.

Published

2012

78. Towards Scalability for Federated Identity Systems for Cloud-Based Environments

Author

João Bosco Mangueira Sobral, André Albino Pereira, and Carla Merkle Westphall

Subjects

Computer science, Distributed computing, Access control, Cloud computing, lcsh:QA75.5-76.95, federated identity, escalabilidade, scalability, business.industry, cloud computing, computação em nuvem, access control, Provisioning, identidade federada, controle de acesso, General Medicine, Shibboleth, autenticação, Shared memory, Authentication protocol, Scalability, authentication, lcsh:Electronic computers. Computer science, Federated identity, business, Computer network

Abstract

As multi-tenant authorization and federated identity management systems for cloud computing matures, the provisioning of services using this paradigm allows maximum efficiency on business that requires access control. However, regarding scalability support, mainly horizontal, some characteristics of those approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using JASIG CAS. This alternative, compared with the recommended distributed memory approach, shown improved efficiency and less overall infrastructure complexity, as well as demanding less 58% of computational resources and improving throughput (requests per second) by 11%. Com o amadurecimento de abordagens de autorização multi-inquilino e gerenciamento de identidade federada para computação em nuvem, a provisão de serviços utilizando esse paradigma permite maximizar a eficiência para organizações em que o controle de acesso é imprescindível. No entanto, no que tange o suporte à escalabilidade, principalmente horizontal, algumas características dessas abordagens baseadas em protocolos de autenticação central apresentam problemas. Este trabalho visa abordar as soluções existentes, contribuindo com uma adaptação do mecanismo sticky-session em uma arquitetura Shibboleth utilizando JASIG CAS. Essa alternativa, comparada com a abordagem recomendada baseada em memória distribuída, mostra uma maior eficiência com redução de complexidade na infraestrutura, além de demandar menos 58% de recursos computacionais e aumento da capacidade de requisições por segundo em 11%.

Published

2015

79. Architecting a Cloud-Scale Identity Fabric

Author

E Olden

Subjects

Cloud computing security, General Computer Science, business.industry, Computer science, Authorization, Access control, Cloud computing, Computer security, computer.software_genre, Application software, Identity management, World Wide Web, Scalability, Identity (object-oriented programming), Federated identity, business, computer

Abstract

The cloud has not kept pace with the enormous volume of user identities that network administrators must manage and secure. An identity fabric that links multiple applications to a single identity would address this problem, enabling full-scale cloud adoption.

Published

2011

80. Implementation of a secure genome sequence search platform on public cloud-leveraging open source solutions

Author

Saxena, Vikas, Doddavula, Shyam Kumar, and Jain, Akansha

Published

2012

81. Challenges to Supporting Federated Assurance

Author

P. Madsen and H. Itoh

Subjects

Information privacy, Authentication, General Computer Science, Transaction processing, business.industry, Computer science, Authorization, Access control, Login, Computer security, computer.software_genre, Identity management, World Wide Web, Identity (object-oriented programming), Message authentication code, The Internet, Federated identity, business, Database transaction, computer

Abstract

Federation is an identity management model in which various tasks associated with an identity transaction are distributed among the actors involved in the transaction. This model works from the premise that distributing tasks among the actors can achieve usability and privacy advantages for the user, as well as business efficiencies for businesses or applications. Typically, federated identity manifests itself as transferring some aspect of a user's identity from one entity to another. Web single sign-on is an archetypical example of a federated transaction, in which a user authenticates to one Web site and can then access another with the same login.

Published

2009

82. Whose Name Is It, Anyway? Decentralized Identity Systems on the Web

Author

Daniel J. Weitzner

Subjects

Authentication, Computer Networks and Communications, business.industry, Computer science, Computer security, computer.software_genre, Knowledge sharing, law.invention, World Wide Web, Identifier, Identification (information), law, Identity (object-oriented programming), The Internet, Federated identity, Hypertext, business, computer

Abstract

A new form of personal identity is emerging on the Web. Decentralized identification protocols are a departure from traditional distributed authentication approaches developed for the Internet. From a technical perspective, they're quite similar to distributed systems based on public-key infrastructures or federated identity systems, such as those proposed by the Liberty Alliance, or Microsoft's Passport. What distinguishes the new decentralized approach is its use of URIs as the underlying identifier. The Web - using URIs as the basis for a global hypertext system of documents - set off an unprecedented explosion of human communication and knowledge sharing. So, too, could these new decentralized identity systems potentially augment the Web to let us reliably and scalably communicate with each other about our identities in a more trustworthy manner.

Published

2007

83. Trust Negotiation in Identity Management

Author

Anna Squicciarini, Elisa Bertino, and Abhilasha Bhargav-Spantzel

Subjects

Information privacy, Authentication, Computer Networks and Communications, business.industry, Computer science, Collaborative network, Internet privacy, Authorization, Access control, Information security, Identity management, Identity (object-oriented programming), Federated identity management, Federated identity, Electrical and Electronic Engineering, business, Law, Personally identifiable information

Abstract

Most organizations require the verification of personal information before providing services, and the privacy of such information is of growing concern. The authors show how federated identity management systems can better protect users' information when integrated with trust negotiation. In today's increasingly competitive business environment, more and more leading organizations are building Web-based infrastructures to gain the strategic advantages of collaborative networking. However, to facilitate collaboration and fully exploit such infrastructures, organizations must identify each user in the collaborative network as well as the resources each user is authorized to access. User identification and access control must be carried out so as to maximize user convenience and privacy without increasing organizations1 operational costs. A federation can serve as the basic context for determining suitable solutions to this issue. A federation is a set of organizations that establish trust relationships with respect to the identity information-the federated identity information-that is considered valid. A federated identity management system (idM) provides a group of organizations that collaborate with mechanisms for managing and gaining access to user identity information and other resources across organizational boundaries

Published

2007

84. An integrated approach to federated identity and privilege management in open systems

Author

Elisa Bertino, Rafae Bhatti, and Arif Ghafoor

Subjects

World Wide Web, General Computer Science, Computer science, business.industry, Access control, Privilege Management Infrastructure, Entitlement, Federated identity, Integrated approach, business, Computer security, computer.software_genre, computer

Abstract

Online partnerships depend on federations of not only user identities but also of user entitlements across organizational boundaries.

Published

2007

85. Managing Access to Service Providers in Federated Identity Environments: A Case Study in a Cloud Storage Service

Author

Carlos Eduardo da Silva, Andre Castro de Felippe, Taina Medeiros, Thomas Diniz, and Roberto Araújo

Subjects

Service (business), Computer access control, business.industry, Internet privacy, Access control, Service provider, Computer security, computer.software_genre, Identity provider, Role-based access control, Federated identity, business, computer, Cloud storage

Abstract

© 2015 IEEE. Currently the diversity of services, which are adhering to Identity Federation, has raised new challenges in the area. Increasingly, service providers need to control the access to their resources by users from the federation as, even though the user is authenticated by the federation, its access to resources cannot be taken for granted. Each Service Provider (SP) of a federation implements their own access control mechanism. Moreover, SPs might need to allow different access control granularity. For instance, all users from a particular Identity Provider (IdP) may access the resources due to some financial agreement. On the other hand, it might be the case that only specific users, or groups of users, have access to the resources. This paper proposes a solution to this problem through a hierarchical authorization system. Our approach, which can be customized to different SPs, allows the SP administrator to manage which IdPs, or users, have access to the provided resources. In order to demonstrate the feasibility of our approach, we present a case study in the context of a cloud storage solution.

Published

2015

86. Identity and access management- a comprehensive study

Author

Sarita Sharma, Anuja Sharma, and Meenu Dave

Subjects

Authentication, business.industry, Computer science, Internet privacy, Security as a service, Service provider, Computer security, computer.software_genre, Identity management, Identity (object-oriented programming), Single sign-on, Federated identity, business, OpenID, computer

Abstract

With advent of cloud computing and web 2.0, both users and organizations have benefitted. But security still remains a major concern. Identity and access management provides a solution to manage user credentials, authenticate and authorize users. Concept of federated identity based on trust relationship among various identity providers and service providers has made it possible for user to access multiple services without the need of providing passwords to various service providers. Single Sign On has solved the problem of maintaining multiple passwords for different services. In this paper we have briefly discussed what is Identity and access management, its services and popular standards like SAML2.0, OAuth, OpenID.

Published

2015

87. Federated identity in real-life applications

Author

Marcin Niemiec and Weronika Kolucka-Szypula

Subjects

World Wide Web, Service (systems architecture), Authentication, Service quality, Computer science, Single sign-on, Federated identity, Computer security, computer.software_genre, Login, Credential, computer, Identity management

Abstract

This paper describes scenarios and services based on Federated Identity technology. The authors emphasize the Single Sign On mechanism, in which a user's single authentication credential is used to log in once without being prompted to authenticate again to other systems. The overview of Federated Identity and a Federated Identity Management System is presented first. Next, federation approaches used in different fields of human activity are discussed. A few examples of such domains are presented: E-health, E-government, E-learning, and E-business. Also, two different use cases were proposed: a federated approach for tourism which provide a better service for customers, and in the health care sector, which improves medical service quality and reduces treatment costs. The last section describes the prototype which was implemented and tested in network environment.

Published

2015

88. The Sci-GaIA project

Author

Bruce Becker

Subjects

CSIR, chain-reds, e-Infrastructure, sci-gaia, federated identity, science gateways

Abstract

Presentation to the CHAIN-REDS workshop at EGI2015 in Lisbon Outline : The Sci-GaIA project: facts and figures and objectives The legacy of other projects (ei4Africa and CHAIN-REDS) The Sci-GaIA work programme

Published

2015

89. The Current Use of Authentication Technologies: An Investigative Review

Author

Nathan Clarke, Abdulwahid Al Abdulwahid, Christoph Reich, Ingo Stengel, and Steven Furnell

Subjects

Challenge-Handshake Authentication Protocol, Authentication, User authentication, Computer access control, business.industry, Computer science, Internet privacy, Access control, Multi-factor authentication, Computer security, computer.software_genre, NTLMSSP, Chip Authentication Program, Network Access Control, Authentication protocol, Lightweight Extensible Authentication Protocol, Single sign-on, Federated identity, business, computer

Abstract

Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorized user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. Further to this, they are still mostly functioning at the point of entry and those performing sort of re-authentication executing it in an intrusive manner. This paper reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art understanding addressing the open problems to be tackled and available solutions to be adopted. Furthermore, it investigates whether these authentication technologies have the capability to fill the gap between high security and user satisfaction. Ultimately, it concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilized in a universal level, thus operating in a transparent, continuous and user-friendly manner.

Published

2015

90. Challenges in federated identity management in the aviation domain

Author

Victor Brown and Paul Comitz

Subjects

Engineering, business.industry, Aviation, Computer security, computer.software_genre, Security token, Identity management, Domain (software engineering), World Wide Web, Audit trail, Federated identity management, Identity (object-oriented programming), Federated identity, business, computer

Abstract

About Federated Identity Management (FIM) • FIM — provides cross-organizational, role-based access controls — transformation of local user credentials into standards-based security token that a remote system can trust • Exchange some token to establish user identity on a remote system — Can use attributes in token to determine user roles and privileges • How can identity federation be useful? — Don't have to replicate or synchronize local user repositories — Users need to remember/maintain fewer logon credentials — Dynamic access improves efficiency and security • 2 Parts — Business agreement and technical implementation — Federated identity ensures that a user's or system's trusted identity provides a secure means of identifying all entities across systems and enterprises regardless of where the data flows. It also provides and audit trail on what people and systems accessed the data.

Published

2015

91. OpenID connect as a security service in Cloud-based diagnostic imaging systems

Author

Weina Ma, Kamran Sartipi, David Koff, Hassan Sharghi, and Peter Bak

Subjects

Cloud computing security, Computer science, business.industry, Provisioning, Cloud computing, Computer security, computer.software_genre, OpenID Connect, Identity management, Security service, Federated identity, OpenID, business, Mobile device, computer

Abstract

The evolution of cloud computing is driving the next generation of diagnostic imaging (DI) systems. Cloud-based DI systems are able to deliver better services to patients without constraining to their own physical facilities. However, privacy and security concerns have been consistently regarded as the major obstacle for adoption of cloud computing by healthcare domains. Furthermore, traditional computing models and interfaces employed by DI systems are not ready for accessing diagnostic images through mobile devices. RESTful is an ideal technology for provisioning both mobile services and cloud computing. OpenID Connect, combining OpenID and OAuth together, is an emerging REST-based federated identity solution. It is one of the most perspective open standards to potentially become the de-facto standard for securing cloud computing and mobile applications, which has ever been regarded as “Kerberos of Cloud”. We introduce OpenID Connect as an identity and authentication service in cloud-based DI systems and propose enhancements that allow for incorporating this technology within distributed enterprise environment. The objective of this study is to offer solutions for secure radiology image sharing among DI-r (Diagnostic Imaging Repository) and heterogeneous PACS (Picture Archiving and Communication Systems) as well as mobile clients in the cloud ecosystem. Through using OpenID Connect as an open-source identity and authentication service, deploying DI-r and PACS to private or community clouds should obtain equivalent security level to traditional computing model.

Published

2015

92. Federated Identity and Access Management for the Internet of Things

Author

Philip Scott, Benjamin Aziz, Paul Fremantle, and Jacek Kopecky

Subjects

MQTT, IoT, business.industry, Network security, Computer science, Internet of Things, Computing, Access control, security, Access Management, Access management, World Wide Web, Federated Identity, The Internet, Federated identity, business, Protocol (object-oriented programming), Strengths and weaknesses, Computer Network Security

Abstract

We examine the use of Federated Identity and Access Management (FIAM) approaches for the Internet of Things (IoT). We look at specific challenges that devices, sensors and actuators have, and look for approaches to address them. OAuth is a widely deployed protocol - built on top of HTTP - for applying FIAM to Web systems. We explore the use of OAuth for IoT systems that instead use the lightweight MQTT 3.1 protocol. In order to evaluate this area, we built a prototype that uses OAuth 2.0 to enable access control to information distributed via MQTT. We evaluate the results of this prototyping activity, and assess the strengths and weaknesses of this approach, and the benefits of using the FIAM approaches with IoT and Machine to Machine (M2M) scenarios. Finally we outline areas for further research.

Published

2015

93. Multi-factor Authentication as a Service

Author

Lakshmi Subramanian, Yogendra C. Shah, and Vinod Kumar Choyi

Subjects

Challenge-Handshake Authentication Protocol, Internet Authentication Service, Computer science, Generic Bootstrapping Architecture, Authentication protocol, Lightweight Extensible Authentication Protocol, Federated identity, Multi-factor authentication, Computer security, computer.software_genre, computer, Chip Authentication Program

Abstract

An architecture for providing multi-factor authentication as a service is proposed, resting on the principle of a loose coupling and separation of duties between network entities and end user devices. The multi-factor authentication architecture leverages Identity Federation and Single-Sign-On technologies, such as the OpenID framework, in order to provide for a modular integration of various factors of authentication. The architecture is robust and scalable enabling service providers to define risk-based authentication policies by way of assurance level requirements, which map to concrete authentication factor capabilities on user devices.

Published

2015

94. A Proposal and Implementation of an ID Federation that Conceals a Web Service from an Authentication Server

Author

Yuto Iso and Takamichi Saito

Subjects

Challenge-Handshake Authentication Protocol, Authentication, business.industry, Computer science, Internet privacy, Multi-factor authentication, Authentication server, Computer security, computer.software_genre, NTLMSSP, Identity management, Chip Authentication Program, Security Assertion Markup Language, Identity provider, Generic Bootstrapping Architecture, Authentication protocol, Lightweight Extensible Authentication Protocol, Single sign-on, Federated identity, Challenge–response authentication, Web service, OpenID, business, computer, Data Authentication Algorithm

Abstract

Recently, it is becoming more common for a website to authenticate its users with an external identity provider by using Open ID Authentication or Security Assertion Markup Language. However, such authentication schemes tell the identity provider where the user is going. Consequently, for instance, an identity provider can track its users and refuse access to services offered by competitors. In this paper, we propose an authentication method whereby an identity provider cannot track users.

Published

2015

95. User identity and Access Management trends in IT infrastructure- an overview

Author

Rahul Gaikwad and Manav A. Thakur

Subjects

Computer access control, Computer science, business.industry, Access control, Computer security, computer.software_genre, Access management, Security information and event management, Identity management, World Wide Web, Identity management system, The Internet, Federated identity, business, computer

Abstract

Nowadays, people around the world completely depend and mostly use the Internet to maintain communication, contact with family, friends and with people around the world, access and exchange information, and enjoy multimedia communication. As the use of internet increase then users those who use internet and Access the information using internet in the organization or outside organization also increase. User Data security is very tedious and important part of IT system and its user lifecycle control system. Because of this the reason user data security is always consider while designing security systems for an organization. Modern approaches are to maintain the track of users and records of user access, Identity management systems and Access Management Systems are used. Identity management system help to provide a super-set of user provisioning systems that provide easy management of user credentials and their identity information to users and others those who need that information. Similarly Access Management Systems provide strong authentication and authorization solution using SSO, WebSEAL, and policy-based approach to identify who can access the resource at what level. The new research and approaches provide such a new functions base on organization policies that help to re-engine the access of user base on security procedures to the resources which are available. This paper provides an overview of the Identity Management Systems Access Management System and Federated Identity Manager that how they are use to manage the user security and also the challenges or risks in implementing a Secure system.

Published

2015

96. Digital Identity Management

Author

Philip J. Hallin, Thomas C. Jones, David B. Cross, and Matthew W. Thomlinson

Subjects

World Wide Web, Application programming interface, Computer science, Management system, Process (computing), Federated identity, Layer (object-oriented design), Identity management, Digital identity

Abstract

One aspect relates to a process and associated device for managing digital ID lifecycles for application programs, and abstracting application programs for multiple types of credentials through a common Digital Identity Management System (DIMS) and Application Programming Interface (API) layer.

Published

2015

97. Unlocking data: Federated identity with LSDMA and dCache

Author

M Hardt, K Schwank, C Bernardt, P Fuhrmann, A Hayrapetyan, G Behrmann, AP Millar, Tigran Mkrtchyan, Dmitry Litvintsev, and Albert Rossi

Subjects

Password, History, Engineering, business.industry, DATA processing & computer science, Computer security, computer.software_genre, Credential, OpenID Connect, Backward compatibility, Computer Science Applications, Education, World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Grid computing, Identity (object-oriented programming), Road map, Federated identity, ddc:004, business, computer

Abstract

X.509, the dominant identity system from grid computing, has proved unpopular for many user communities. More popular alternatives generally assume the user is interacting via their web-browser. Such alternatives allow a user to authenticate with many services with the same credentials (user-name and password). They also allow users from different organisations form collaborations quickly and simply. Scientists generally require that their custom analysis software has direct access to the data. Such direct access is not currently supported by alternatives to X.509, as they require the use of a web-browser. Various approaches to solve this issue are being investigated as part of the Large Scale Data Management and Analysis (LSDMA) project, a German funded national R&D project. These involve dynamic credential translation (creating an X.509 credential) to allow backwards compatibility in addition to direct SAML- and OpenID Connect-based authentication. We present a summary of the current state of art and the current status of the federated identity work funded by the LSDMA project along with the future road map.

Published

2015

98. The case for federated identity

Author

Roger K. Sullivan

Subjects

Information Systems and Management, Computer Networks and Communications, business.industry, Internet privacy, Globe, Computer security, computer.software_genre, medicine.anatomical_structure, Identity theft, Political science, medicine, Federated identity, Safety, Risk, Reliability and Quality, business, computer

Abstract

More than 80 years ago, a reporter asked the infamous thief Willy Sutton why he robbed banks. Sutton's reply was, ''Because that's where the money is, stupid.'' Today, the money is in information and there's a lot of information out there - vulnerable in databases, exposed in transactions and circulating on the Web - helping to make identity theft the fastest growing crime in the world. Organizations across the globe are quickly learning that one of the best ways to prevent identity theft is through 'federation'.

Published

2005

99. Federated identity and web services

Author

Paul Madsen

Subjects

WS-Addressing, Web standards, Web development, Computer Networks and Communications, business.industry, WS-I Basic Profile, Computer science, Internet privacy, computer.software_genre, World Wide Web, Federated identity, Web service, Safety, Risk, Reliability and Quality, WS-Policy, business, computer, Software, Data Web

Published

2004

100. Virtual organisations in computer grids and identity management

Author

Yuri Demchenko

Subjects

Service (systems architecture), Computer Networks and Communications, Computer science, Enterprise information security architecture, Computer security, computer.software_genre, Security token, Identity management, World Wide Web, Identity provider, Key (cryptography), Federated identity, Safety, Risk, Reliability and Quality, computer, Software, Open Grid Services Architecture

Abstract

This paper provides insight into one of the key concepts of Open Grid Services Architecture (OGSA) Virtual Organisations (VO) and analyses problems related to Identity management in VOs and their possible solution based on using WS-Federation and related WS-Security standards. This paper provides basic information about OGSA, OGSA Security Architecture and analyses VO security services. A detailed description is provided for WS-Federation Federated Identity Model and operation of basic services such as Security Token Service or Identity Provider, Attribute and Pseudonym services for typical usage scenarios.

Published

2004