Search Results: 191 results for "Federated identity"
2. Why Are There So Many Digital Identities?
- Author: Mitchell Landrigan, Stephen Wilson, and Hamish Fraser
- Subjects: digital identity, personal identity, federated identity, profiling, Law in general. Comparative and uniform law. Jurisprudence, K1-7720
- Abstract: This article analyses why people have so many digital identities and offers suggestions to reduce the numbers to more reasonable levels. Digital identity thinking has been dominated by the objective of general-purpose reusable identity as a response to the unwieldy profusion of identifiers that came with expanding ecommerce. The notion of reusable digital identity is somewhat intuitive, energised by the mental model of humans exercising a virtual self in cyberspace. Many user interfaces are constructed to exhibit an intentional stance suggestive of humans having a digital counterpart, making our digital actions more lifelike and comprehensible. In some nations, there is a precedent for national identity, which makes general-purpose digital identity culturally more logical, even appealing. In common law countries, however, the market for reusable digital identity is still not mature. To date, there is no solid business case for general-purpose reusable identity, largely because it proves costlier than expected to reengineer transactional identifiers to align (or federate) with an intuitive singular digital identity. Thus, individuals must manage many siloed, special-purpose identifiers, account names, passwords, and piecemeal authenticators. If transactional identifiers go hand in hand with transaction systems, then there will likely remain a need for about as many identifiers as there are transactional services. Recent technology developments, especially in cryptographically verifiable credentials and mobile digital wallets, may provide ways to automate the management of multiple identifiers and achieve the usability anticipated from singular identity without disrupting the forces that have led to transaction-specific identification.
- Published: 2024
3. Why Are There So Many Digital Identities?
- Author: Landrigan, Mitchell, Wilson, Stephen, and Fraser, Hamish
- Subjects: DIGITAL certificates, ELECTRONIC commerce, COMPUTER passwords, SOCIAL media, CYBERSPACE
- Abstract: This article analyses why people have so many digital identities and offers suggestions to reduce the numbers to more reasonable levels. Paradigmatic digital identity thinking has been dominated by the objective of general-purpose reusable identity as a response to the unwieldy profusion of identifiers that came with expanding ecommerce. The things called 'digital identity' in this paradigm are intended to be general purpose insofar as they are meant to be relied upon in different settings beyond the immediate control of the original issuer. The notion of reusable digital identity is somewhat intuitive, energised by the mental model of humans exercising a virtual self in cyberspace. Many user interfaces are constructed to exhibit an intentional stance suggestive of humans having a digital counterpart, making our digital actions more lifelike and comprehensible. A reusable identity can limit inconvenience to end users and some of the risks of loss of personal data associated with end users creating multiple digital identities for discrete transactional situations. In some nations, there is a precedent for 'national identity', a concept that manifests as attributes necessary for a person to be identified or distinguished as a member of a state, typically to allow that person to be eligible to receive government services of the state. In these nations, national identity makes general-purpose digital identity culturally more logical, even appealing. However, in most countries, the market for reusable digital identity is still not mature, except for low-stakes transactions such as social media logins. To date, there is no solid business case for general-purpose reusable identity, largely because it proves costlier than expected to re-engineer transactional identifiers to align (or federate) with an intuitive singular digital identity. Thus, individuals must manage many siloed, special-purpose identifiers, account names, passwords and piecemeal authenticators. If transactional identifiers go hand in hand with transaction systems, then there will likely remain a need for about as many identifiers as there are transactional services. Recent technology developments, especially in cryptographically verifiable credentials and mobile digital wallets, may provide ways to automate the management of multiple identifiers and achieve the usability anticipated from singular identity without disrupting the forces that have led to transaction-specific identification.
- Published: 2024
4. Accessing Patient Electronic Health Record Portals Safely Using Social Credentials: Demonstration Pilot Study.
- Author: SooHoo, Spencer, Keller, Michelle S, Moyse, Harold, Robbins, Benjamin, McLaughlin, Matthew, Arora, Ajay, Burger, Abigail, Huang, Lilith, Huang, Shao-Chi, Goud, Anil, Truong, Lyna, Rodriguez, Donaldo, and Roberts, Pamela
- Subjects: EHR, acceptability, clinical support, communication, credentials, electronic health records, feasibility, federated identity, patient communication, patient portal, patient portal access, single sign-on, social credentials, social identity, Biomedical and clinical sciences, Health sciences
- Abstract: Background: Patient portals allow communication with clinicians, access to test results, appointments, etc., and generally require another set of log-ins and passwords, which can become cumbersome, as patients often have records at multiple institutions. Social credentials (e.g., Google and Facebook) are increasingly used as a federated identity to allow access and reduce the password burden. Single Federated Identity Log-in for Electronic health records (Single-FILE) is a real-world test of the feasibility and acceptability of federated social credentials for patients to access their electronic health records (EHRs) at multiple organizations with a single sign-on (SSO). Objective: This study aims to deploy a federated identity system for health care in a real-world environment so patients can safely use a social identity to access their EHR data at multiple organizations. This will help identify barriers and inform guidance for the deployment of such systems. Methods: Single-FILE allowed patients to pick a social identity (such as Google or Facebook) as a federated identity for multisite EHR patient portal access with an SSO. Binding the identity to the patient's EHR records was performed by confirming that the patient had a valid portal log-in and sending a one-time passcode to a telephone (SMS text message or voice) number retrieved from the EHR. This reduced the risk of stolen EHR portal credentials. For a real-world test, we recruited 8 patients and/or their caregivers who had EHR data at 2 independent health care facilities, enrolled them into Single-FILE, and allowed them to use their social identity credentials to access their patient records. We used a short qualitative interview to assess their interest in and use of a federated identity for SSO. Single-FILE was implemented as a web-based patient portal, although the concept can be readily implemented on a variety of mobile platforms. Results: We interviewed the patients and their caregivers to assess their comfort levels with using a social identity for access. Patients noted that they appreciated only having to remember 1 log-in as part of Single-FILE and being able to sign up through Facebook. Conclusions: Our results indicate that, from a technical perspective, a social identity can be used as a federated identity that is bound to a patient's EHR data. The one-time passcode sent to the patient's EHR phone number provided assurance that the binding is valid. The patients indicated that they were comfortable with using their social credentials instead of having to remember the log-in credentials for their EHR portal. Our experience will help inform the implementation of federated identity systems in health care in the United States.
- Published: 2022
5. Towards a Methodology for Formally Analyzing Federated Identity Management Systems
- Author: Ksystra, Katerina, Dimarogkona, Maria, Triantafyllou, Nikolaos, Stefaneas, Petros, Kavassalis, Petros, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Margaria, Tiziana, editor
- Published: 2022
6. Digitale Identitäten in der physischen Welt: Eine Abwägung von Privatsphäreschutz und Praktikabilität (Digital Identities in the Physical World: A Trade-off Between Privacy and Practicability)
- Author: Roland, Michael, Höller, Tobias, and Mayrhofer, René
- Published: 2023
7. Trust and identity: designing an identity solution for digital innovation.
- Author: Cunha, Lucas do M. N., Wangham, Michelle S., and Machado, Iara
- Subjects: DIGITAL technology, TECHNOLOGICAL innovations, TRUST, DESIGN thinking, DESIGN research
- Abstract: Innovation ecosystems are based on the dynamics of trust relationships between entities that enable technology development and innovation. This study addresses the issue of trust and identity in these environments, inquiring how to design a 'digital federated identity and access management system' for science and technology parks (STPs) in the state of Rio Grande do Sul. For this purpose, it draws on design thinking as a method of 'creative inquiry', which sets a conceptual framework for generating insights in product discovery. As research in progress, this paper presents preliminary findings on the evaluation of the suitability of the FIM model for STPs.
- Published: 2022
8. Adaptive security architectural model for protecting identity federation in service oriented computing
- Author: Mohamed Ibrahim Beer Mohamed, Mohd Fadzil Hassan, Sohail Safdar, and Muhammad Qaiser Saleem
- Subjects: Federated identity, SSO, Security, SOA, EAI, Trust, Electronic computers. Computer science, QA75.5-76.95
- Abstract: With the tremendous growth of the Internet and its related technologies, the Service Oriented Architecture (SOA) has become a dominant paradigm for enterprise computing. In SOA, business functionalities are offered by many different Service Providers as services. In order to be served by different service providers, the client has to authenticate with each of them separately. A Single Sign On (SSO) mechanism allows the client to log in only once, so that access to different services is possible without re-authenticating. Here, the identity of the logged-in client is federated among the enterprise computing nodes. This is one of the simplest forms of federated identity. The goal of identity federation is ease of use, flexibility, productivity and a reduced cost of the authentication process, but trust and security are major concerns in this situation. The major threats to federated identity management are identity misuse, identity theft, and a trust deficit between identity providers and service providers. At present, the Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID are the three important federated identity management standards in the industry. However, none of them is equipped by itself to provide comprehensive security protection for identity federation, even within a single enterprise computing environment. In fact, these federated solutions introduce additional security vulnerabilities because of the openness of identity federation. The security threats become more severe when federated identity spans inter-organizational and intra-organizational computing environments. This paper analyses the vulnerabilities and security gaps in the existing federated identity solutions. To overcome these gaps, an adaptive security architectural model is proposed for identity federation at the inter- and intra-organizational level, using public key infrastructure that adheres to the SOA security standards and specifications. The proposed architecture is implemented and tested in a large-scale federated identity enterprise computing environment with security-centric financial data to obtain the desired results. A cross-sectional comparative analysis between the existing and proposed solutions validates the improvement in the protection of the identity federation environment.
- Published: 2021
9. Federation in Dynamic Environments: Can Blockchain Be the Solution?
- Author: Antevski, Kiril and Bernardos, Carlos J.
- Subjects: TELECOMMUNICATION network management, BLOCKCHAINS
- Abstract: Deploying multi-domain network services is becoming a need for operators. However, achieving that in a real operational environment is not easy and requires the use of federation. Federation is a multi-domain concept that enables the use and orchestration of network services/resources to/from external administrative domains. In this article, we first characterize the federation concept and the procedures involved, and then dive into the challenges that emerge when federation is performed in dynamic environments. To tackle these challenges, we propose the application of blockchain technology, identifying some associated high-level benefits. Last, we validate our proposed approach by conducting a small experimental scenario using Tendermint, an application-based blockchain.
- Published: 2022
10. Health-X dataLOFT: A Sovereign Federated Cloud for Personalized Health Care Services.
- Author: Boll, Susanne and Meyer, Jochen
- Subjects: MEDICAL care, PREVENTIVE medicine, MOBILE apps, COMMUNICATION infrastructure, MOBILE health, ACCESS control
- Abstract: Future preventative health care will rely more and more on our personal health data, which comes from clinical sources as well as from many wearable and mobile health devices and apps. However, data from such devices is distributed and partly locked in different data stores, impeding its use for advanced health and care services. To unlock the large potential of such data for future personalized health care, it must be released and made accessible for joint use. Health-X is an interdisciplinary scientific research project that will develop and offer a federated cloud infrastructure which puts the individual at the center of the access to and control of future health care services.
- Published: 2022
11. Adaptive security architectural model for protecting identity federation in service oriented computing.
- Author: Beer Mohamed, Mohamed Ibrahim, Hassan, Mohd Fadzil, Safdar, Sohail, and Saleem, Muhammad Qaiser
- Subjects: MATHEMATICAL models of finance, PUBLIC key cryptography, IDENTITY theft, SERVICE-oriented architecture (Computer science)
- Abstract: With the tremendous growth of the Internet and its related technologies, the Service Oriented Architecture (SOA) has become a dominant paradigm for enterprise computing. In SOA, business functionalities are offered by many different Service Providers as services. In order to be served by different service providers, the client has to authenticate with each of them separately. A Single Sign On (SSO) mechanism allows the client to log in only once, so that access to different services is possible without re-authenticating. Here, the identity of the logged-in client is federated among the enterprise computing nodes. This is one of the simplest forms of federated identity. The goal of identity federation is ease of use, flexibility, productivity and a reduced cost of the authentication process, but trust and security are major concerns in this situation. The major threats to federated identity management are identity misuse, identity theft, and a trust deficit between identity providers and service providers. At present, the Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID are the three important federated identity management standards in the industry. However, none of them is equipped by itself to provide comprehensive security protection for identity federation, even within a single enterprise computing environment. In fact, these federated solutions introduce additional security vulnerabilities because of the openness of identity federation. The security threats become more severe when federated identity spans inter-organizational and intra-organizational computing environments. This paper analyses the vulnerabilities and security gaps in the existing federated identity solutions. To overcome these gaps, an adaptive security architectural model is proposed for identity federation at the inter- and intra-organizational level, using public key infrastructure that adheres to the SOA security standards and specifications. The proposed architecture is implemented and tested in a large-scale federated identity enterprise computing environment with security-centric financial data to obtain the desired results. A cross-sectional comparative analysis between the existing and proposed solutions validates the improvement in the protection of the identity federation environment.
- Published: 2021
12. Anonymous Authentication with a Bi-directional Identity Federation in the Cloud
- Author: Rashid, Fatema, Miri, Ali, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, and Tryfonas, Theo, editor
- Published: 2016
13. A Lightweight Formal Approach for Analyzing Security of Web Protocols
- Author: Kumar, Apurva, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Kobsa, Alfred, Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Stavrou, Angelos, editor, Bos, Herbert, editor, and Portokalidis, Georgios, editor
- Published: 2014
14. A shared responsibility model to support cross border and cross organizational federation on top of decentralized and self-sovereign identity: Architecture and first PoC
- Author: Kubach, Michael, Henderson, Isaac, Bithin, Alangot, Dimitrakos, Theo, Vargas, Juan, Winterstetter, Matthias, and Krontiris, Ioannis
- Subjects: decentralized identity, trust infrastructure, gaia-x, ssi, trust policy, self-sovereign identity, data spaces, verifiable credentials, federated identity
- Abstract: This paper discusses the challenges of transitioning from legacy federated identity systems to emerging decentralized identity technologies based on self-sovereign identities (SSI) and verifiable credentials, which are being used in initiatives such as Gaia-X and Catena-X for secure and sovereign data sharing. The adoption of SSI and decentralized identity technologies requires a standardized reference model that addresses challenges around trust in cross-border and cross-organizational federations based on decentralized identities. To facilitate this transition, the paper proposes a new Fed2SSI architecture that introduces a middle layer of abstraction for the policy-based transformation of credentials, enabling interoperability between legacy federated identity solutions and SSI/decentralized identity environments. The architecture is implemented in a prototype, and an exemplary use case is presented to illustrate the added value of this approach.
- Published: 2023
15. HMD Praxis der Wirtschaftsinformatik / Digitale Identitäten in der physischen Welt: Eine Abwägung von Privatsphäreschutz und Praktikabilität : Digital Identities in the Physical World: A Trade-off Between Privacy and Practicability
- Author: Roland, Michael, Höller, Tobias, and Mayrhofer, René
- Subjects: Authentication, eID, Privacy-by-Design, Biometrics, Federated identity, Digital twin
- Abstract: Requirements on data privacy and information security, as well as on data quality and simplification, cause a continuous trend towards federated identity systems for the digital world. These are often the single sign-on platforms offered by large international companies like Apple, Facebook and Google. This article evaluates how a decentralized, open, and global ecosystem for digital biometric identification in the physical world could be designed based on the model of federated single sign-on. The main idea behind such a concept is implicit interaction with existing sensors, in order to get rid of plastic cards and smartphone-based mobile IDs in the further future. Instead, individuals should be capable of proving their permissions to use a service solely based on their biometrics. While this vision is already proven feasible using centralized databases collecting biometrics of the whole population, an approach based on self-sovereign, decentralized digital identities would be preferable. In the ideal case, users of such a system would retain full control over their own digital identity and would be able to host their own digital identity wherever they prefer. Based on an analysis of the trade-off between privacy and practicability, and a comparison of this trade-off with observable design choices in existing digital ID approaches, we derive a concept for a decentralized, open, and global-scale ecosystem for private digital authentication in the physical world.
- Published: 2023
16. A Practical Approach to Identity on Digital Ecosystems Using Claim Verification and Trust
- Author: McLaughlin, Mark, Malone, Paul, Akan, Ozgur, Series editor, Bellavista, Paolo, Series editor, Cao, Jiannong, Series editor, Dressler, Falko, Series editor, Ferrari, Domenico, Series editor, Gerla, Mario, Series editor, Kobayashi, Hisashi, Series editor, Palazzo, Sergio, Series editor, Sahni, Sartaj, Series editor, Shen, Xuemin (Sherman), Series editor, Stan, Mircea, Series editor, Xiaohua, Jia, Series editor, Zomaya, Albert, Series editor, Coulson, Geoffrey, Series editor, Antonio Basile Colugnati, Fernando, editor, Lopes, Lia Carrari Rodrigues, editor, and Barretto, Saulo Faria Almeida, editor
- Published: 2010
17. Personal identifiable information privacy model for securing of users' attributes transmitted to a federated cloud environment
- Author: Afolayan A. Obiniyi, Maria Abur, and Sahalu B. Junaidu
- Subjects: Computer Networks and Communications, Computer science, Applied Mathematics, Privacy policy, Advanced Encryption Standard, Cryptography, Cloud computing, Computer security, Encryption, Identity management, Computer Science Applications, Computational Theory and Mathematics, Artificial Intelligence, Federated identity, Electrical and Electronic Engineering, Personally identifiable information, Information Systems
- Abstract: One of the security issues affecting Federated Cloud Environment users is privacy: the ability to secure and control the Personal Identifiable Information (PII) of a user during and after it is communicated to the Cloud. Existing studies have addressed the problem using techniques such as uApprove, uApprove.jp, enhanced privacy and dynamic federation in Identity Management (IdM), a privacy-preserving authorization system, end-to-end Privacy Policy Enforcement in Cloud Infrastructure, a multi-tenancy authorization system with federated identity, and Cryptography Encryption Key and Template Data Dissemination (CEKTTDD). Users' PII remains vulnerable because existing research lacks efficient control of users' attributes in the Cloud. This paper proposes a PII Privacy model for protecting users' attributes in transit to the Federated Cloud Environment. The approach combines the Advanced Encryption Standard (AES-128) with Discrete Cosine Transform Modulus three (DCTM3) steganography to improve the CEKTTDD technique; these techniques are used to encrypt users' PII. The model was implemented in Matrix Laboratory (MATLAB) and evaluated using undetectability, robustness, match (%), encryption time and decryption time. A chi-square attack was applied to prove the security of the proposed model. The results show that the proposed model is stronger in robustness, with values of 59.10 dB and 55.45 dB against 55.76 dB and 54.15 dB for the existing model. Similarly, the proposed system performs better than the former model on undetectability, while the evaluation of match (%) yielded a 17% improvement over the existing system. This study has achieved a state-of-the-art model for securing users' attributes in the cloud.
- Published: 2021
18. DCSS Protocol for Data Caching and Sharing Security in a 5G Network
- Author: Jonathan Loo, Ed Kamya Kiyemba Edris, Mahdi Aiash, and Seeling, Patrick
- Subjects: formal methods, Computer science, data sharing, applied pi calculus, Access control, network services, federated identity, ProVerif, Information security, security protocol, Provisioning, General Medicine, Cryptographic protocol, Service provider, Cellular network, authorization, Distributed computing, 5G, data caching, Computer networking
- Abstract: Fifth Generation mobile networks (5G) promise to make network services provided by various Service Providers (SPs), such as Mobile Network Operators (MNOs) and third-party SPs, accessible from anywhere by end-users through their User Equipment (UE). These services will be pushed closer to the edge for quick, seamless, and secure access. After being granted access to a service, the end-user will be able to cache and share data with other users. However, security measures should be in place so that the SP not only secures the provisioning and access of those services but can also restrict what end-users do with the accessed data, in or out of coverage. This can be facilitated by federated service authorization and access control mechanisms that restrict the caching and sharing of data accessed by the UE in different security domains. In this paper, we propose a Data Caching and Sharing Security (DCSS) protocol that leverages federated authorization to provide secure caching and sharing of data from multiple SPs in multiple security domains. We formally verify the proposed DCSS protocol using ProVerif and the applied pi-calculus. Furthermore, a comprehensive analysis of the security properties of the proposed DCSS protocol is conducted.
- Published: 2021
19. Adaptive security architectural model for protecting identity federation in service oriented computing
- Author: Muhammad Qaiser Saleem, Sohail Safdar, Mohd Fadzil Hassan, and Mohamed Ibrahim Beer Mohamed
- Subjects: General Computer Science, Computer science, Trust, Computer security, Security Assertion Markup Language, Identity theft, SOA, SOA Security, EAI, Authentication, SSO, QA75.5-76.95, Service-oriented architecture, Service provider, Electronic computers. Computer science, Security, Identity (object-oriented programming), Federated identity
- Abstract: With the tremendous growth of the Internet and its related technologies, the Service Oriented Architecture (SOA) has become a dominant paradigm for enterprise computing. In SOA, business functionalities are offered by many different Service Providers as services. In order to be served by different service providers, the client has to authenticate with each of them separately. A Single Sign On (SSO) mechanism allows the client to log in only once, so that access to different services is possible without re-authenticating. Here, the identity of the logged-in client is federated among the enterprise computing nodes. This is one of the simplest forms of federated identity. The goal of identity federation is ease of use, flexibility, productivity and a reduced cost of the authentication process, but trust and security are major concerns in this situation. The major threats to federated identity management are identity misuse, identity theft, and a trust deficit between identity providers and service providers. At present, the Security Assertion Markup Language (SAML), Open Authorization (OAuth) and OpenID are the three important federated identity management standards in the industry. However, none of them is equipped by itself to provide comprehensive security protection for identity federation, even within a single enterprise computing environment. In fact, these federated solutions introduce additional security vulnerabilities because of the openness of identity federation. The security threats become more severe when federated identity spans inter-organizational and intra-organizational computing environments. This paper analyses the vulnerabilities and security gaps in the existing federated identity solutions. To overcome these gaps, an adaptive security architectural model is proposed for identity federation at the inter- and intra-organizational level, using public key infrastructure that adheres to the SOA security standards and specifications. The proposed architecture is implemented and tested in a large-scale federated identity enterprise computing environment with security-centric financial data to obtain the desired results. A cross-sectional comparative analysis between the existing and proposed solutions validates the improvement in the protection of the identity federation environment.
- Published: 2021
20. A Federated Framework for Fine-Grained Cloud Access Control for Intelligent Big Data Analytic by Service Providers
- Author
-
Gyeong-Jin Ra, Donghyun Kim, Im-Yeong Lee, and Dae-Hee Seo
- Subjects
Information privacy ,General Computer Science ,Computer science ,Big data ,Data_MISCELLANEOUS ,0211 other engineering and technologies ,Cloud computing ,Access control ,02 engineering and technology ,Computer security ,computer.software_genre ,Outsourcing ,outsourcing cloud ,Server ,intelligent big data analytics ,0202 electrical engineering, electronic engineering, information engineering ,General Materials Science ,021110 strategic, defence & security studies ,business.industry ,federated cloud ,General Engineering ,access control ,Service provider ,Privacy ,self-sovereign ,020201 artificial intelligence & image processing ,Federated identity ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,computer ,lcsh:TK1-9971 - Abstract
This paper proposes a novel data-owner-driven privacy-aware cloud data acquisition framework for intelligent big data analytics for service providers and users. To realize this idea, we propose three main components. The first one is a new global identity provider concept to support fine-grained access control for a federated outsourcing cloud, called P-FIPS (Privacy-enhanced Federated Identity Provider System), in which data owners perform identity access control with the operator of the federated outsourcing cloud so that service providers can selectively use their encrypted data on the cloud for various purposes such as intelligent big data analytics. In P-FIPS, data owners manage the access privileges of service providers over their encrypted data on the cloud by (a) labeling the scope of use (e.g., user connection, user disconnection, user tracking) on each encrypted data item on the cloud, and (b) selectively providing information about the data owners to the service provider. The label also includes attributes related to the data owner's identity, which allows service providers to locate the target data, with the assistance of cryptographic computation according to the scope of use, at the cloud outsourcing server. The second one is a new ambiguous data acquisition mechanism integrated with P-FIPS from a cloud to a service provider. The last one is the Decentralized Audit and Ordering (DAO) Chain mechanism, which provides the correctness of the obtained data to the service provider and assures the owners that their data is being used for the approved purpose only. Most importantly, we show that our framework is much more efficient than the existing alternative in the scheme.
- Published
- 2021
21. Multi-factor authentication for shibboleth identity providers
- Author
-
Carlos Eduardo da Silva, Gabriela Cavalcanti da Silva, Bruno Bristot Loli, Michelle S. Wangham, Samuel Bristot Loli, Emerson Ribeiro de Mello, and Shirlei Aparecida de Chaves
- Subjects
Password ,lcsh:Computer engineering. Computer hardware ,Computer Networks and Communications ,Computer science ,Computer Applications ,Federated identity management ,lcsh:TK7885-7895 ,Multi-factor authentication ,Service provider ,Computer security ,computer.software_genre ,Shibboleth ,Computer Science Applications ,lcsh:Telecommunication ,Robustness (computer science) ,Phone ,lcsh:TK5101-6720 ,Shibboleth identity provider ,Federated identity ,computer - Abstract
The federated identity model provides a solution for user authentication across multiple administrative domains. Academic federations, such as the Brazilian federation, are examples of this model in practice. The majority of institutions that participate in academic federations employ password-based authentication for their users, so an attacker only needs to find out one password in order to impersonate the user at all federated service providers. Multi-factor authentication emerges as a solution to increase the robustness of the authentication process. This article aims to introduce a comprehensive and open source solution to offer multi-factor authentication for Shibboleth Identity Providers. Based on the Multi-factor Authentication Profile standard, our solution provides three extra second factors (One-Time Password, FIDO2 and Phone Prompt). The solution has been deployed in the Brazilian academic federation, where it was evaluated using functional and integration testing, as well as security and case study analysis.
- Published
- 2020
22. Can We Create a Cross-Domain Federated Identity for the Industrial Internet of Things without Google?
- Author
-
Hyoungshick Kim, Seok Hyun Kim, Woojoong Ji, Simon S. Woo, Eunsoo Kim, Youngseob Cho, and Bedeuro Kim
- Subjects
Authentication ,Blockchain ,Computer science ,business.industry ,Authorization ,Service provider ,Identity management ,World Wide Web ,Identity provider ,Next-generation network ,Federated identity management ,Identity (object-oriented programming) ,The Internet ,Federated identity ,business - Abstract
Providing a cross-domain federated identity is essential for next-generation Internet services because information about user identity should be seamlessly exchanged across different domains for authentication and authorization. Federated identity can enable users to use various services through a single account. However, conventional federated identity management systems necessarily require a trustworthy identity provider who stores user identity information and presents it to other service providers. Unfortunately, this requirement may not be acceptable in Industrial Internet of Things (IIoT) applications, which often require interacting and authenticating with users and devices across different domains. Who will take full responsibility for managing and issuing all digital identities for IIoT devices? Can we really trust one superpower organization to manage all the identities and credentials of IIoT devices? In this article, we provide an overview of centralized and decentralized identity management methods and examine the feasibility of those methods for IIoT applications. To overcome the inherent limitations of existing approaches, we are specifically interested in designing decentralized cross-domain federated identity management using blockchain. Our Copernican idea brings new and important perspectives in establishing universal cosmopolitan cross-domain federated identity management in a secure and fair manner.
- Published
- 2020
23. Multi-resource access authentication for an online experimental platform based on Shibboleth.
- Author
-
张 禹, 陆慧梅, and 向 勇
- Abstract
Federated identity was applied to achieve single sign-on in situations where users came from different organizations. However, the diversity of resources made management troublesome. To solve this problem, this paper selected Shibboleth as the federated identity method. Systems in the federation provided REST APIs for their own resources and released an authorization code identifying the access rights to each resource through the attribute publishing policy in Shibboleth, so that users from different organizations could access multiple resources after unified authentication. Taking an online experimental platform based on OpenEdX as an example, it implemented unified authentication and authorization for complex resources. It applied Shibboleth to authenticate users, combined with REST APIs and authorization codes, and shared complex resources among several systems. Moreover, it developed some XBlocks on OpenEdX to share data with other systems. [ABSTRACT FROM AUTHOR]
- Published
- 2017
- Full Text
- View/download PDF
24. Proxying the Data Body: Artificial Intelligence, Federated Identity, and Machinic Subjection
- Author
-
Sam Popowich
- Subjects
lcsh:LC8-6691 ,Authentication ,lcsh:Special aspects of education ,business.industry ,Computer science ,media_common.quotation_subject ,Corporate governance ,05 social sciences ,Cloud computing ,Ambiguity ,Intellectual property ,Artificial intelligence ,Federated identity ,0509 other social sciences ,050904 information & library sciences ,business ,Host (network) ,Implementation ,media_common - Abstract
Academic libraries have recently seen a shift from managing user authentication for licensed resources themselves to cloud-based implementations of "federated identity" technologies. Such technologies aim to solve the problem of fragile access to licensed resources while also better protecting publishers' intellectual property. However, federated identity systems raise a host of issues regarding privacy, surveillance, machinic subjection, and algorithmic governance. This paper traces the development of federated identity systems out of earlier authentication processes, shows how such systems use artificial intelligence techniques to create a trackable "data body" for each student, and then analyzes this whole procedure through the critical theories of Maurizio Lazzarato and Bernard Stiegler. In conclusion, the article argues that the emergent nature of the "data body" creates ambiguity between the hyper-control of contemporary technologies and the possibility of resisting them.
- Published
- 2020
25. Sabiá: an authentication, authorization, and user data delivery architecture based on user consent for health information systems in Brazil
- Author
-
Ricardo Alexsandro de Medeiros Valentim, Carlos Breno Pereira Silva, Túlio de Paiva Marques Carvalho, Jailton Carlos de Paiva, Diêgo Ferreira de Lima, and Emerson Costa Silva
- Subjects
Authentication ,Database ,business.industry ,Computer science ,0206 medical engineering ,Interoperability ,Biomedical Engineering ,Context (language use) ,02 engineering and technology ,computer.software_genre ,020601 biomedical engineering ,Health informatics ,030218 nuclear medicine & medical imaging ,03 medical and health sciences ,Consistency (database systems) ,0302 clinical medicine ,Information system ,Data Protection Act 1998 ,Federated identity ,business ,computer - Abstract
Health information systems in Brazil have been designed and developed in a heterogeneous manner based on local regional characteristics, resulting in a lack of health information integrity. In this context, the Brazilian Ministry of Health pointed out the need for interoperability solutions for health information systems, noting the importance of integration with national databases and alignment with Brazilian data protection laws. Therefore, this paper presents Sabia, a platform for authentication, authorization, and data delivery based on user consent for health information systems in Brazil. Sabia's architecture is designed to achieve the following requirements: (R1) Provide a Federated Identity; (R2) Be a Federated Resource Manager; (R3) Collect user data from different information systems; and (R4) Deliver user data to systems based on user consent. Sabia consists of three main components: (1) Sabia Authorization Server, responsible for implementing Open Authentication; (2) Sabia Collector, responsible for collecting data from different information systems; and (3) Sabia Resource Server, responsible for delivering data previously authorized by the user to the systems. After analyzing historical data, the R4 functionality was selected for performance testing because it is the process that most affects overall system performance. The tests aimed at analyzing Sabia's behavior in the heaviest scenario based on historical data. The results showed no flaws and indicated system stability and consistency: the user perceives the system's reaction as instantaneous, with average response times remaining below 100 ms.
- Published
- 2020
26. Federation in dynamic environments: Can Blockchain be the solution?
- Author
-
Kiril Antevski, Carlos J. Bernardos, and European Commission
- Subjects
Telecomunicaciones ,Computer Networks and Communications ,Electrical and Electronic Engineering ,Federated identity ,Blockchains ,Computer Science Applications ,Telecommunication network management - Abstract
Deploying multi-domain network services is becoming a need for operators. However, achieving that in a real operational environment is not easy and requires the use of federation. Federation is a multi-domain concept that enables the use and orchestration of network services/resources to/from external administrative domains. In this article, we first characterize the federation concept and the procedures involved, and then dive into the challenges that emerge when federation is performed in dynamic environments. To tackle these challenges, we propose the application of Blockchain technology, identifying some associated high-level benefits. Last, we validate our proposed approach by conducting a small experimental scenario using Tendermint, an application-based Blockchain. This work has been partially supported by EC H2020 5GPPP 5Growth project (Grant 856709).
- Published
- 2022
27. Towards Scalability for Federated Identity Systems for Cloud-Based Environments
- Author
-
André Albino Pereira, João Bosco M. Sobral, and Carla M. Westphall
- Subjects
scalability ,federated identity ,cloud computing ,authentication ,access control ,Electronic computers. Computer science ,QA75.5-76.95 - Abstract
As multi-tenant authorization and federated identity management systems for cloud computing mature, the provisioning of services using this paradigm allows maximum efficiency for businesses that require access control. However, regarding scalability support, mainly horizontal scalability, some characteristics of the approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using JASIG CAS. This alternative, compared with the recommended distributed memory approach, showed improved efficiency and less overall infrastructure complexity, as well as demanding 58% less computational resources and improving throughput (requests per second) by 11%.
- Published
- 2015
- Full Text
- View/download PDF
28. Decentralized Identity: Where Did It Come From and Where Is It Going?
- Author
-
Eve Maler, Pamela Dingle, Drummond Reed, Manu Sporny, Joni Brenan, Kim Hamilton Duffy, Alan Bachmann, Abbie Barbir, and Oscar Avellaneda
- Subjects
Cryptocurrency ,Computer Networks and Communications ,Computer science ,business.industry ,Computer security ,computer.software_genre ,OpenID Connect ,Digital identity ,Data sharing ,Management of Technology and Innovation ,Identity (object-oriented programming) ,The Internet ,Federated identity ,Enhanced Data Rates for GSM Evolution ,Safety, Risk, Reliability and Quality ,business ,Law ,computer - Abstract
The technology category now widely known as "decentralized identity" and more narrowly as "self-sovereign identity" didn't even exist four years ago. At that time, the cutting edge of digital identity technology consisted of Internet-scale federated identity protocols such as OpenID Connect and user-centric data sharing protocols such as User-Managed Access (UMA). Then along came Bitcoin and a surge of interest in blockchain and distributed ledger technology (DLT). Although the initial uses of this technology focused primarily on cryptocurrency, it didn't take long for the digital identity community to begin applying it to digital identity scenarios.
- Published
- 2019
29. FTS3 / WebFTS – A Powerful File Transfer Service for Scientific Communities.
- Author
-
Kiryanov, Andrey, Ayllon, Alejandro Alvarez, and Keeble, Oliver
- Subjects
FILE transfer (Computer science) ,LARGE Hadron Collider ,DATA mining ,DATA transmission systems ,GRID computing - Abstract
FTS3, the service responsible for globally distributing the majority of the LHC data across the WLCG infrastructure, is now available to everybody. Already integrated into LHC experiment frameworks, a new web interface now makes FTS3's transfer technology directly available to end users. In this article we describe this intuitive new interface, "WebFTS", which allows users to easily schedule and manage large data transfers right from the browser, profiting from a service which has been proven at the scale of petabytes per month. We shed light on new development activities to extend FTS3's transfer capabilities outside Grid boundaries with support for non-Grid endpoints like Dropbox and S3. We also describe the latest changes integrated into the transfer engine itself, such as new data management operations like deletions and staging files from archive, all of which may be accessed through our standards-compliant REST API. For Service Managers, we explain features such as the service's horizontal scalability, advanced monitoring and its "zero configuration" approach to deployment, made possible by specialised transfer optimisation logic. For Data Managers, we present new tools for management of FTS3 transfer parameters, like limits for bandwidth and maximum active file transfers per endpoint and VO, user and endpoint banning, and powerful command line tools. We finish by describing our effort to extend WebFTS's graphical interface with support for Federated Identity technologies, thus demonstrating the use of grid resources without the burden of certificate management. In this manner we show how FTS3 can cover the needs of a wide range of parties, from casual users to high-load services. The evolution of FTS3 is addressing the technical and performance requirements and challenges of LHC Run 2; moreover, its simplicity, generic design, web portal and REST interface make it an ideal file transfer scheduler both inside and outside the HEP community. [ABSTRACT FROM AUTHOR]
- Published
- 2015
- Full Text
- View/download PDF
30. Raising Acceptance of Cross-Border eID Federation in e-Government and e-Business.
- Author
-
Brugger, Jérôme, Fraefel, Marianne, and Riedl, Reinhard
- Abstract
A common identification and authentication space is one of the goals set in Europe's Digital Agenda. Interoperability of electronic identities (eIDs) across Europe will facilitate mobility and cross-border e-business and therefore contribute to growth. Large Scale Pilots STORK and STORK 2.0 have designed a technical solution and are developing a model for offering cross-border eID use as service. A major challenge remains in growing acceptance for such a system by end users, service providers and national governments alike. This paper examines the different aspects influencing the long-term success of European identity federation, which enables cross-border eID use for accessing e-Government and private services. Based on a literature review, it offers a framework for analysing acceptance criteria according to different stakeholder groups (governments, service providers, end users). It takes into account the trust component, the mutual influence of acceptance decisions and the importance of contextual factors influencing the actors' choices. The discussion is based on a reflection of existing conceptual approaches in the field of technology acceptance in general and eID development in particular and draws on preliminary empirical data from the STORK 2.0 project. The paper outlines the challenges of creating a European interoperability solution, which allows a convergence with the development of national eID strategies and fits the value expectations of all stakeholders. In an organizational perspective, it touches upon requirements for creating an identity ecosystem with a network character but centralized services and decisions. In conclusion, the paper presents critical success factors for advanced collaboration between private service providers and government agencies across Europe on the subject of eID development. Thereby it assesses the current status of realization and outlines the challenges and opportunities ahead. [ABSTRACT FROM AUTHOR]
- Published
- 2014
31. The Galaxy platform for accessible, reproducible and collaborative biomedical analyses: 2020 update
- Author
-
Vahid Jalili, Daniel Blankenberg, James Taylor, Jeremy Goecks, Qiang Gu, Anton Nekrutenko, Dave Clements, and Enis Afgan
- Subjects
Data Analysis ,Proteomics ,Biomedical Research ,ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION ,AcademicSubjects/SCI00010 ,Datasets as Topic ,Computational biology ,Biology ,Access management ,computer.software_genre ,GeneralLiterature_MISCELLANEOUS ,Server ,Genetics ,Metabolomics ,business.industry ,Published Erratum ,ComputingMilieux_PERSONALCOMPUTING ,Reproducibility of Results ,Data science ,Galaxy ,Software framework ,Web Server Issue ,Nucleic acid ,The Internet ,Federated identity ,Metagenomics ,User interface ,Single-Cell Analysis ,business ,Corrigendum ,computer ,Software - Abstract
Galaxy (https://galaxyproject.org) is a web-based computational workbench used by tens of thousands of scientists across the world to analyze large biomedical datasets. Since 2005, the Galaxy project has fostered a global community focused on achieving accessible, reproducible, and collaborative research. Together, this community develops the Galaxy software framework, integrates analysis tools and visualizations into the framework, runs public servers that make Galaxy available via a web browser, performs and publishes analyses using Galaxy, leads bioinformatics workshops that introduce and use Galaxy, and develops interactive training materials for Galaxy. Over the last two years, all aspects of the Galaxy project have grown: code contributions, tools integrated, users, and training materials. Key advances in Galaxy's user interface include enhancements for analyzing large dataset collections as well as interactive tools for exploratory data analysis. Extensions to Galaxy's framework include support for federated identity and access management and increased ability to distribute analysis jobs to remote resources. New community resources include large public servers in Europe and Australia, an increasing number of regional and local Galaxy communities, and substantial growth in the Galaxy Training Network.
- Published
- 2020
32. Toward Educational Virtual Worlds: Should Identity Federation Be a Concern?
- Author
-
Cruz, Gonçalo, Costa, António, Martins, Paulo, Gonçalves, Ramiro, and Barroso, João
- Subjects
VIRTUAL reality in education ,EDUCATIONAL technology ,INNOVATION adoption ,CLASSROOM management ,ONLINE identities ,INTERNETWORKING - Abstract
3D Virtual Worlds are being used for education and training purposes in a cross-disciplinary way. However, their widespread adoption, particularly in formal learning contexts, is far from being a reality due to a broad range of technological challenges. In this reflection paper, our main goal is to argue why and how identity federation should be discussed and adopted as a solution to several barriers that educators and institutions face when using Virtual Worlds. By presenting a clear set of scenarios within different dimensions of the educational process, such as classroom management, content reuse, learning analytics, accessibility, and research, we consider identity, traceability, privacy, accountability, and interoperability as the main concerns supporting our argument. Finally, we conclude the paper by presenting paths towards a proposal for a workable solution, through the analysis and reflection of different current efforts that have been made by other teams, towards future technological developments. [ABSTRACT FROM AUTHOR]
- Published
- 2015
33. OnTimeSecure: Secure middleware for federated Network Performance Monitoring.
- Author
-
Calyam, Prasad, Kulkarni, Shweta, Berryman, Alex, Zhu, Kunpeng, Sridharan, Mukundan, Ramnath, Rajiv, and Springer, Gordon
- Abstract
Multi-domain network monitoring systems based on active measurements are being widely deployed in high-performance computing and other communities that support large-scale data transfers. Security mechanisms such as policy-driven access to related federated Network Performance Monitoring (NPM) services are important to protect measurement resources and data. In this paper, we present a novel, secure middleware framework viz., “OnTimeSecure” that enables ‘user-to-service’ and ‘service-to-service’ authentication, and enforces federated authorization entitlement policies for timely orchestration of NPM services. OnTimeSecure is built using RESTful APIs and features a hierarchical policy-engine that interfaces with a meta-scheduler for prioritization of measurement requests when there is contention of users concurrently attempting to utilize measurement resources. We validate OnTimeSecure in a federated multi-domain NPM infrastructure by performing threat modeling and security risk assessments based on overall attack likelihood and impact factors. [ABSTRACT FROM PUBLISHER]
- Published
- 2013
- Full Text
- View/download PDF
34. A survey on security issues of federated identity in the cloud computing.
- Author
-
Ghazizadeh, Eghbal, Zamani, Mazdak, Ab Manan, Jamalul-lail, and Pashang, Abolghasem
- Abstract
Cloud computing is a new generation of technology that has been designed to cater for commercial necessities and to run suitable applications or solve IT management issues. While cost and ease of use are the two top benefits of the cloud, trust and security are the two top concerns of cloud computing users. Federated identity, a useful feature for user management, and Single Sign-on (SSO) have also become important parts of the federated identity environment. Misuse of the identity, identity theft, and platform trustworthiness are some of the problems in the federated identity environment. OAuth, OpenID and SAML are the three main concepts in cloud authentication and the federated environment. This paper overviews the security issues of federated identity in cloud authentication and highlights the proposed models to solve identity theft in the federated environment. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
- Full Text
- View/download PDF
35. Processes View Modeling of Identity-related Privacy Business Interoperability: Considering User-Supremacy Federated Identity Technical Model and Identity Contract Negotiation.
- Author
-
Ayed, Ghazi Ben and Ghernaouti-Helie, Solange
- Abstract
Federated identity is a distributed system that is deployed across multiple parties. Service providers still hold absolute power over people's identities. So, identity-related privacy is considered as a means to entrench subjects' control over their identities and foster trust among the multiple involved parties. Thus, identity-related privacy should be interoperable, which can be guaranteed through the capture of requirements from different policies related to identity. In this article, we provide and explain a BPMN processes view of the requirements, making them ready to implement, clear, and easy to understand by each party wishing to collaborate within or across federated identity systems. We highlight that present-day practitioners should be able to translate requirements expressed with user-supremacy federated identity technical model concepts into a set of rules, and take into consideration the details of identity contract negotiation, in order to successfully deliver the processes view. BPMN collaboration and choreography diagrams are used to describe seven processes and a sub-process, which would provide a useful way to gain alignment between requirements and IT. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
- Full Text
- View/download PDF
36. IMPLEMENTING SHIBBOLETH AT A UK NATIONAL ACADEMIC DATA CENTRE.
- Author
-
MacIntyre, Ross and Chaplin, David
- Subjects
DATA libraries ,DATA warehousing ,INTERNET ,COMPUTER software - Abstract
The UK education sector is embarking upon the adoption of Internet2's Shibboleth software for federated access management. This paper recounts the early experiences of a large academic data centre in implementing support for Shibboleth across its range of services. It covers the practical approach adopted, a worked example and the significant issues raised. Familiarity with federated access and identity management is assumed. [ABSTRACT FROM AUTHOR]
- Published
- 2005
37. An identity-matching process to strengthen trust in federated-identity architectures
- Author
-
Nesrine Kaaniche, Mikaël Ates, Maryline Laurent, Paul Marillonnet, Entr'ouvert (.), Département Réseaux et Services de Télécommunications (RST), Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP), Institut Polytechnique de Paris (IP Paris), Réseaux, Systèmes, Services, Sécurité (R3S-SAMOVAR), Services répartis, Architectures, MOdélisation, Validation, Administration des Réseaux (SAMOVAR), Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP)-Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP), and University of Sheffield [Sheffield]
- Subjects
Matching (statistics) ,Process (engineering) ,Computer science ,Identity (social science) ,020206 networking & telecommunications ,Trust enforcement ,02 engineering and technology ,16. Peace & justice ,Federated-identity architecture ,World Wide Web ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Identity management ,0202 electrical engineering, electronic engineering, information engineering ,Citizen-relationship management ,020201 artificial intelligence & image processing ,Federated identity ,Identity matching - Abstract
To smoothly counteract privilege escalation in federated-identity architectures, the cross-checking of asserted Personally Identifiable Information (PII) among different sources is highly recommended and advisable. Identity matching is thus a key component for supporting the automated PII cross-checking process. This paper proposes an efficient identity-matching solution, adapted to a chosen User-Relationship Management (URM) platform, relying on a French Territorial Collectivities and Public Administrations (TCPA) use case. The originality of the paper is threefold. (1) It presents an original solution to identity-matching issues raised by a concrete use case from the Territorial Collectivities and the Public Administration (TCPA), formalizing concepts such as information completeness, PII normalization and Levenshtein-distance matrix generation. (2) Implementation guidelines are given to deploy the solution on an operational Publik platform. (3) A precise security analysis is provided, relying on an original attacker model.
- Published
- 2020
38. The Case for Federated Identity Management in 5G Communications
- Author
-
Mahdi Aiash, Ed Kamya Kiyemba Edris, and Jonathan Loo
- Subjects
Authentication ,Computer science ,business.industry ,Service provider ,Computer security ,computer.software_genre ,Identity management ,User experience design ,Network service ,Cellular network ,Single sign-on ,Federated identity ,business ,computer - Abstract
The heterogeneous nature of the fifth generation mobile network (5G) makes the access and provision of network services very difficult and raises security concerns. With multiple users and multiple operators, Service-Oriented Authentication (SOA) and authorization mechanisms are required to provide quick access and interaction between network services. Users require seamless access to services regardless of the domain, type of connectivity or security mechanism used. Hence there is a need for an Identity and Access Management (IAM) mechanism to complement the improved user experience promised in 5G. Federated Identity Management (FIdM), a feature of IAM, can provide a user with Single Sign On (SSO) to access services from multiple Service Providers (SP). This addresses security requirements such as authentication, authorization and user privacy from the end user's perspective; however, 5G network access lacks such a solution. We propose a Network Service Federated Identity (NS-FId) model that addresses these security requirements and complements the 5G Service-Based Architecture (SBA). We present different scenarios and applications of the proposed model. We also discuss the benefits of identity management in 5G.
- Published
- 2020
39. Network Service Federated Identity (NS-FId) Protocol for Service Authorization in 5G Network
- Author
-
Ed Kamya Kiyemba Edris, Mahdi Aiash, and Jonathan Loo
- Subjects
business.industry ,Computer science ,Network service ,Cellular network ,Single sign-on ,Provisioning ,Federated identity ,Service provider ,business ,Heterogeneous network ,Mobile network operator ,Computer network - Abstract
The fifth generation mobile network (5G) will make network services available anywhere from multiple Service Providers (SPs), and their provisioning raises security concerns. Users will require seamless connectivity and secure access to these services. Mobile Network Operators (MNOs) will want to provide services to users and to share infrastructure resources with other MNOs. This requires robust authentication and authorization mechanisms that can provide secure access and provisioning of services to multiple users and providers in a heterogeneous network. Federated Identity (FId) with Single Sign-On (SSO) could therefore be used for seamless access to, and provisioning of, network services in 5G. We propose the Network Service Federated Identity (NS-FId) protocol, a federated protocol that provides secure access to services from multiple SPs and provides SSO to users. We formally verify and analyse the proposed NS-FId protocol using ProVerif. We also conduct a security analysis of the protocol's security properties.
- Published
- 2020
42. Servicios de identidad federada en el ámbito empresarial (Federated identity services in the corporate environment)
- Author
-
Ruiz Torres, Rubén, García Font, Víctor, and Méndez Muñoz, Víctor
- Subjects
distributed systems ,Seguridad informática -- TFM ,federated identity ,identitat digital ,identitat federada ,identidad federada ,Seguretat informàtica -- TFM ,Computer security -- TFM ,sistemes distribuïts ,digital identity ,identidad digital ,sistemas distribuidos - Abstract
Federated identity services allow a user to identify themselves to different services using the same credentials and the same identity provider. In the corporate environment, where identification and authorization of the users and applications that make up each company's ecosystem require particular reliability and security, private federated identity services are typically used. This project analyses several solutions for adopting private federated identity services in the corporate environment: the standards used to provide federated identity services (SAML, CAS and OpenID Connect), the identity providers Keycloak, Apereo CAS and OpenAM, and the Java programming frameworks Spring, Play and Quarkus. A prototype has also been developed to study how one of these solutions works in each of these frameworks, in the simulated context of a company's application ecosystem consisting of a holiday-management application, an order-management application and a report-generation microservice.
- Published
- 2020
43. Análisis de sistemas de autenticación y autorización para entornos web distribuidos (Analysis of authentication and authorization systems for distributed web environments)
- Author
-
Parra Boldú, Oriol, García Font, Víctor, and Méndez Muñoz, Víctor
- Subjects
distributed systems ,OAuth ,identitat federada ,autenticació ,Computer security -- TFM ,digital identity ,identidad digital ,Seguridad informática -- TFM ,autenticación ,federated identity ,identitat digital ,authentication ,identidad federada ,Seguretat informàtica -- TFM ,sistemes distribuïts ,sistemas distribuidos - Abstract
In recent years there has been a significant evolution in the security, capacity and scalability of distributed systems, driven by the need to share resources between different systems. Some of these resources must be shared securely because they contain data about the identity of the systems' potential users, which makes federated identity management systems highly important. This work analyses the different authentication and authorization standards. These standards are used by federated identity management systems to share user information while guaranteeing its privacy. To deepen the concepts studied, an authentication and authorization system was then designed and implemented using the OAuth 2.0 standard and JWT tokens, so that the identity and privileges of the system's users are propagated without exposing their credentials. Finally, secure sharing of distributed resources between different systems was simulated in order to study the security offered by the designed system.
- Published
- 2020
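The token flow the two preceding abstracts describe (an identity provider such as Keycloak issuing a signed token that carries the user's identity and privileges, and a resource verifying it without ever seeing a password) as an added example; it is not code from either project. It hand-rolls an HS256 JWT with the standard library so it runs offline, and the key, issuer, audience and scope names are constructed for the demo. The verifier pins the algorithm before it looks at the signature, which is the check that defeats `alg=none` and key-confusion tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Iterable, Optional


class TokenError(Exception):
    """Raised for any token the resource server must not trust."""


def encode_segment(obj: dict) -> str:
    """Compact JSON, base64url without padding, as JWS segments are."""
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(key: bytes, subject: str, scopes: Iterable[str], issuer: str,
                audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Authorization-server side: mint an HS256 access token carrying the
    user's identity (`sub`) and privileges (`scope`), never the password."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = f"{encode_segment(header)}.{encode_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode("ascii")


def verify_token(key: bytes, token: str, issuer: str, audience: str,
                 now: Optional[int] = None) -> Dict:
    """Resource-server side.  Order matters: pin the algorithm before
    touching the signature, check the signature before trusting any
    claim, then check issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(decode_segment(h_b64))
        signature = decode_segment(s_b64)
    except ValueError as exc:              # bad padding, bad JSON, wrong segment count
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")   # rejects alg=none and key confusion
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(decode_segment(c_b64))
    except ValueError as exc:
        raise TokenError("malformed claims") from exc
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def has_scope(claims: Dict, required: str) -> bool:
    """Authorization decision at the resource: the privileges travel in the
    token, so no call back to the identity provider is needed."""
    return required in claims.get("scope", "").split()


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # shared secret, demo only
    tok = issue_token(key, "alice", ["orders:read"], "https://idp.example", "orders-api")
    claims = verify_token(key, tok, "https://idp.example", "orders-api")
    print(claims["sub"], has_scope(claims, "orders:read"), has_scope(claims, "orders:write"))
```

A shared HMAC key is adequate inside one trust domain; between organisations an asymmetric algorithm with the provider's published key set is the usual choice, and the same rule still applies: the resource decides which algorithm it accepts, the token does not.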
42. The DODAS Experience on the EGI Federated Cloud
- Author
-
Doina Cristina Duma, Daniele Spiga, Enol Fernandez, Giacinto Donvito, Diego Ciangottini, Vincenzo Spinoso, Mirco Tracolli, Marica Antonacci, Luciano Gaido, Andrea Ceccanti, and Davide Salomoni
- Subjects
Service (systems architecture) ,010308 nuclear & particles physics ,business.industry ,Physics ,QC1-999 ,Cloud computing ,01 natural sciences ,Replication (computing) ,OpenID Connect ,World Wide Web ,Software portability ,0103 physical sciences ,Orchestration (computing) ,Information discovery ,Federated identity ,010306 general physics ,business - Abstract
The EGI Cloud Compute service offers a multi-cloud IaaS federation that brings together research clouds as a scalable computing platform for research, accessible with OpenID Connect federated identity. The federation is not limited to single sign-on; it also introduces features to facilitate the portability of applications across providers: i) a common VM image catalogue with VM image replication, to ensure these images are available at providers whenever needed; ii) a GraphQL information discovery API to understand the capacities and capabilities available at each provider; and iii) integration with orchestration tools (such as Infrastructure Manager) to abstract the federation and facilitate the use of heterogeneous providers. EGI also monitors the correct functioning of every provider and collects usage information across the whole infrastructure. DODAS (Dynamic On Demand Analysis Service) is an open-source Platform-as-a-Service tool that makes it possible to deploy software applications over heterogeneous and hybrid clouds. DODAS is one of the so-called Thematic Services of the EOSC-hub project; it instantiates on-demand container-based clusters that offer users a high level of abstraction, allowing them to exploit distributed cloud infrastructures with very limited knowledge of the underlying technologies. This work presents a comprehensive overview of the integration of DODAS with the EGI Cloud Federation, reporting the experience of integrating with the CMS experiment's submission infrastructure.
- Published
- 2020
43. Accessing Patient Electronic Health Record Portals Safely Using Social Credentials: Demonstration Pilot Study
- Author
-
Spencer L. SooHoo, Anil Goud, Lyna Truong, Michelle S. Keller, Pamela Roberts, Benjamin Robbins, Abigail Harrison, Harold Moyse, Lilith Huang, Donaldo Rodriguez, Sho-Chi Huang, Matthew McLaughlin, and Arora Ajay
- Subjects
Password ,business.industry ,Computer science ,Internet privacy ,Patient portal ,Medicine (miscellaneous) ,Health Informatics ,Login ,Credential ,Computer Science Applications ,Health care ,Identity (object-oriented programming) ,Federated identity ,business ,Social identity theory - Abstract
Background Patient portals allow communication with clinicians, access to test results, appointments, etc., and generally require another set of log-ins and passwords, which can become cumbersome, as patients often have records at multiple institutions. Social credentials (eg, Google and Facebook) are increasingly used as a federated identity to allow access and reduce the password burden. Single Federated Identity Log-in for Electronic health records (Single-FILE) is a real-world test of the feasibility and acceptability of federated social credentials for patients to access their electronic health records (EHRs) at multiple organizations with a single sign-on (SSO). Objective This study aims to deploy a federated identity system for health care in a real-world environment so that patients can safely use a social identity to access their EHR data at multiple organizations. This will help identify barriers and inform guidance for the deployment of such systems. Methods Single-FILE allowed patients to pick a social identity (such as Google or Facebook) as a federated identity for multisite EHR patient portal access with SSO. Binding the identity to the patient's EHR records was performed by confirming that the patient had a valid portal log-in and sending a one-time passcode to a telephone number (SMS text message or voice) retrieved from the EHR. This reduced the risk posed by stolen EHR portal credentials. For a real-world test, we recruited 8 patients and/or their caregivers who had EHR data at 2 independent health care facilities, enrolled them into Single-FILE, and allowed them to use their social identity credentials to access their patient records. We used a short qualitative interview to assess their interest in and use of a federated identity for SSO. Single-FILE was implemented as a web-based patient portal, although the concept can readily be implemented on a variety of mobile platforms.
Results We interviewed the patients and their caregivers to assess their comfort levels with using a social identity for access. Patients noted that they appreciated only having to remember 1 log-in as part of Single-FILE and being able to sign up through Facebook. Conclusions Our results indicate that, from a technical perspective, a social identity can be used as a federated identity that is bound to a patient's EHR data. The one-time passcode sent to the patient's EHR phone number provided assurance that the binding is valid. The patients indicated that they were comfortable with using their social credentials instead of having to remember the log-in credentials for their EHR portal. Our experience will help inform the implementation of federated identity systems in health care in the United States.
- Published
- 2022
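The binding step in the Methods above (a social identity is accepted for an EHR account only after a valid portal log-in and a one-time passcode delivered to the phone number the EHR already holds) as an added example; this is not the Single-FILE code. Code length, lifetime, attempt limit, the pepper and the sample phone number are assumptions for the demo, and the delivery channel is a pluggable callback standing in for SMS or voice. The points a practitioner cares about are that the phone number comes from the EHR and never from the user, that only a keyed hash of the code is kept, and that a code is single-use, time-limited and locked out after a few wrong guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # assumption: the paper does not state a code length
OTP_TTL_SECONDS = 300   # assumption
MAX_ATTEMPTS = 5        # assumption


@dataclass
class PendingBinding:
    social_subject: str   # identifier asserted by the social IdP (e.g. an OIDC `sub`)
    portal_user_id: str   # EHR portal account that just authenticated
    otp_hash: bytes       # keyed hash of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class BindingService:
    """Binds a social identity to an EHR portal account, gated by a one-time
    code sent to the phone number on file in the EHR."""

    def __init__(self, pepper: bytes, ehr_phone_lookup, send_code):
        self._pepper = pepper
        self._lookup = ehr_phone_lookup    # portal_user_id -> phone number from the EHR
        self._send = send_code             # (phone, code) -> None; SMS or voice
        self._pending: dict = {}           # binding_id -> PendingBinding
        self.bindings: dict = {}           # social_subject -> portal_user_id

    def _hash(self, binding_id: str, code: str) -> bytes:
        # Binding the id into the hash stops a leaked hash being replayed elsewhere.
        return hmac.new(self._pepper, f"{binding_id}:{code}".encode(), hashlib.sha256).digest()

    def start(self, social_subject, portal_user_id, portal_login_ok, now=None) -> str:
        if not portal_login_ok:
            raise PermissionError("portal credentials must be verified first")
        phone = self._lookup(portal_user_id)   # from the EHR, never user-supplied
        if not phone:
            raise LookupError("no phone number on file; cannot bind")
        now = time.time() if now is None else now
        binding_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[binding_id] = PendingBinding(
            social_subject, portal_user_id, self._hash(binding_id, code), now + OTP_TTL_SECONDS)
        self._send(phone, code)
        return binding_id

    def confirm(self, binding_id, submitted_code, now=None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.get(binding_id)
        if pending is None:
            return False
        if now >= pending.expires_at:
            del self._pending[binding_id]
            return False
        pending.attempts += 1
        if not hmac.compare_digest(pending.otp_hash, self._hash(binding_id, submitted_code)):
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[binding_id]   # lock out: a fresh log-in is required
            return False
        del self._pending[binding_id]           # single use
        self.bindings[pending.social_subject] = pending.portal_user_id
        return True


if __name__ == "__main__":
    sent = []
    svc = BindingService(b"constructed-pepper", {"mrn-1001": "+15555550123"}.get,
                         lambda phone, code: sent.append((phone, code)))
    bid = svc.start("google|117", "mrn-1001", portal_login_ok=True)
    print("sent to", sent[-1][0], "bound:", svc.confirm(bid, sent[-1][1]))
```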
44. Cloud-based federated identity for the Internet of Things
- Author
-
Benjamin Aziz and Paul Fremantle
- Subjects
IoT ,Exploit ,Computer Networks and Communications ,Computer science ,Cloud computing ,identity management ,security ,02 engineering and technology ,privacy ,Computer security ,computer.software_genre ,01 natural sciences ,Identity management ,0202 electrical engineering, electronic engineering, information engineering ,Isolation (database systems) ,Electrical and Electronic Engineering ,Authentication ,business.industry ,010401 analytical chemistry ,Computing ,020206 networking & telecommunications ,0104 chemical sciences ,Personal cloud ,Identity (object-oriented programming) ,authentication ,Federated identity ,business ,computer - Abstract
The Internet of Things (IoT) has significant security and privacy risks. Recent attacks have shown that not only are many IoT devices at risk of exploit, but those devices can be successfully used to attack wider systems and cause economic damage. Currently, most devices connect to a cloud service that is provided by the manufacturer of the device, offering no choice to move to more secure systems. We outline a proposed model for IoT that allows the identity of users and devices to be federated. Users and devices are issued with secure, random, anonymised identities that are not shared with third-parties. We demonstrate how devices can be connected to third-party applications without inherently de-anonymising them. Sensor data and actuator commands are federated through APIs to cloud services. All access to device data and commands is based on explicit consent from users. Each user’s data is handled by a personal cloud instance providing improved security and isolation, as well as providing a trusted intermediary for both devices and cloud services. We demonstrate this model is workable with a prototype system that implements the major features of the model. We present experiment results including performance, energy usage, capacity and cost metrics from the prototype. We compare this work with other related work, and outline areas for discussion and future work.
- Published
- 2018
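The identity property the abstract above describes (users and devices carry random, anonymised identities that third parties never see the real form of, with a personal cloud instance as the trusted intermediary and explicit consent gating every data release and command) as an added example; this is not the paper's prototype. The pairwise pseudonym is derived with HMAC under a secret that stays in the personal cloud instance, so one third party gets a stable identifier, two third parties cannot link their identifiers, and nobody can recover the real device id. Third-party names, scopes and the sample reading are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


class PersonalCloudBroker:
    """Stands in for the per-user personal cloud instance: the only party
    that knows real device identifiers, releasing data to a third party
    only under an explicit consent record."""

    def __init__(self, secret: Optional[bytes] = None):
        self._secret = secret or secrets.token_bytes(32)   # never leaves the instance
        # (third_party, real_device_id) -> consented scopes, e.g. {"temperature"}
        self._consents: Dict[Tuple[str, str], Set[str]] = {}

    def pseudonym(self, real_id: str, third_party: str) -> str:
        """Pairwise identifier: stable for one third party, unlinkable across
        third parties, not invertible without the broker's secret."""
        msg = f"{third_party}\x00{real_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def grant(self, real_id: str, third_party: str, scopes: Set[str]) -> None:
        self._consents.setdefault((third_party, real_id), set()).update(scopes)

    def revoke(self, real_id: str, third_party: str) -> None:
        self._consents.pop((third_party, real_id), None)

    def release(self, real_id: str, third_party: str, reading: Dict[str, object]) -> Optional[Dict]:
        """Sensor path: forward a reading, dropping fields the user has not
        consented to and keying the result by the pseudonym only."""
        allowed = self._consents.get((third_party, real_id))
        if not allowed:
            return None
        body = {k: v for k, v in reading.items() if k in allowed}
        if not body:
            return None
        return {"device": self.pseudonym(real_id, third_party), "data": body}

    def accept_command(self, pseudonym: str, third_party: str, action: str) -> Optional[str]:
        """Actuator path: resolve the pseudonym back to the real device, but only
        for the third party it was issued to and only for a consented action.
        A real deployment would keep a lookup table instead of scanning."""
        for (tp, real_id), scopes in self._consents.items():
            if tp == third_party and action in scopes \
                    and hmac.compare_digest(self.pseudonym(real_id, tp), pseudonym):
                return real_id
        return None


if __name__ == "__main__":
    broker = PersonalCloudBroker()
    broker.grant("dev-42", "weather.example", {"temperature"})
    print(broker.release("dev-42", "weather.example", {"temperature": 21.5, "location": "kitchen"}))
    print(broker.pseudonym("dev-42", "weather.example") != broker.pseudonym("dev-42", "energy.example"))
```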
45. Federated Identity Architecture of the European eID System
- Author
-
Javier Garcia-Blas, Mario Vasile-Cabezas, Guillermo Izquierdo-Moreno, Jesus Carretero, and European Commission
- Subjects
authentication and authorization infrastructure (AAI) ,General Computer Science ,single sign-on ,federated identity architecture (FIA) ,Computer science ,Control (management) ,identity and access management (IAM) ,02 engineering and technology ,Computer security ,computer.software_genre ,Public-key cryptography ,user authentication ,0202 electrical engineering, electronic engineering, information engineering ,General Materials Science ,Architecture ,identity federation ,Informática ,Authentication ,business.industry ,General Engineering ,020206 networking & telecommunications ,User authentication ,Federated identity management ,Identity (object-oriented programming) ,020201 artificial intelligence & image processing ,Smart card ,Federated identity ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,computer ,lcsh:TK1-9971 - Abstract
Federated identity management is a method that facilitates the management of identity processes and policies among collaborating entities without centralized control. Nowadays there are many federated identity solutions; however, most of them cover different aspects of the identification problem, in some cases solving only specific problems. Thus none of these initiatives has consolidated into a single solution, and that will surely remain so in the near future. To assist users in choosing a solution, we analyze different federated identity approaches, show their main features, and make a comparative study among them. The problem is even worse when multiple organizations or countries already have legacy eID systems, as is the case in Europe. In this paper we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the mid-term to company eIDs as well. The system is now being deployed at EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constraints in mind. The results show good performance of the solution in local, organizational and remote environments.
- Published
- 2018
46. Vertrauen und Identitätsnachweis im Internet (Trust and proof of identity on the Internet).
- Author
-
Reichl, W., Wimmreuter, W., Malleck, H., and Ruhle, E.-O.
- Published
- 2009
47. Cross-domain authorization for federated virtual organizations using the myVocs collaboration environment.
- Author
-
Gemmill, Jill, Robinson, John-Paul, Scavo, Tom, and Bangalore, Purushotham
- Subjects
VIRTUAL machine systems ,COMPUTER security ,COMPUTERS ,DIGITAL computer simulation ,COMPUTER networks - Abstract
This paper describes our experiences building and working with the reference implementation of myVocs (my Virtual Organization Collaboration System). myVocs provides a flexible environment for exploring new approaches to security, application development, and access control built from Internet services without a central identity repository. The myVocs framework enables virtual organization (VO) self-management across unrelated security domains for multiple, unrelated VOs. By leveraging the emerging distributed identity management infrastructure, myVocs provides an accessible, secure collaborative environment using standards for federated identity management and open-source software developed through the National Science Foundation Middleware Initiative. The Shibboleth software, an early implementation of the Organization for the Advancement of Structured Information Standards (OASIS) Security Assertion Markup Language standard for browser single sign-on, provides the middleware needed to assert identity and attributes across domains so that access control decisions can be made at each resource based on local policy. The eduPerson object class for the Lightweight Directory Access Protocol (LDAP) provides standardized naming, format, and semantics for a global identifier. We have found that a Shibboleth deployment supporting VOs requires the addition of a new VO service component allowing VOs to manage their own membership and control access to their distributed resources. The myVocs system can be integrated with Grid authentication and authorization using GridShib. Copyright © 2008 John Wiley & Sons, Ltd.
- Published
- 2009
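The decision point the myVocs abstract above describes (attributes asserted across domains, with the access decision taken at each resource from local policy) as an added example; it is not myVocs or Shibboleth code. It models the two checks a Shibboleth-style service provider makes before a resource may rely on eduPerson attributes: scoped values such as `eduPersonPrincipalName` are kept only when the asserting IdP is registered for that scope, and a per-resource local policy is then evaluated with default deny. The entity IDs, scopes, entitlement URN, resources and sample users are constructed.

```python
from typing import Dict, List

Attrs = Dict[str, List[str]]

# Scopes each federation IdP is registered to assert (what shibmd:Scope in
# federation metadata carries).  Constructed sample; entity IDs are placeholders.
REGISTERED_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.partner.org/idp/shibboleth": {"partner.org"},
}

# Local, per-resource policy: the VO decides membership, the resource decides access.
RESOURCE_POLICY = {
    "/vo/nanohub/data": {"entitlement": {"urn:mace:example.org:vo:nanohub:member"}},
    "/campus/wiki": {"affiliation": {"staff", "faculty"}},
}

SCOPED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")


def filter_scoped(attrs: Attrs, issuer: str) -> Attrs:
    """Attribute filtering as an SP does it: a scoped value (user@scope) is
    kept only if its scope belongs to the asserting IdP.  Without this, any
    IdP in the federation could assert admin@example.edu."""
    allowed = REGISTERED_SCOPES.get(issuer, set())
    filtered = {name: list(values) for name, values in attrs.items()}
    for name in SCOPED:
        kept = []
        for value in attrs.get(name, []):
            user, sep, scope = value.rpartition("@")
            if sep and user and scope in allowed:
                kept.append(value)
        filtered[name] = kept
    return filtered


def authorize(resource: str, issuer: str, attrs: Attrs) -> bool:
    """Access decision taken at the resource from the filtered assertion.
    Entitlements are not scoped; a real SP additionally restricts which
    IdPs may assert which entitlement values in its attribute filter policy."""
    a = filter_scoped(attrs, issuer)
    if not a.get("eduPersonPrincipalName"):
        return False                      # no trustworthy global identifier
    rule = RESOURCE_POLICY.get(resource)
    if rule is None:
        return False                      # default deny
    if rule.get("entitlement", set()) & set(a.get("eduPersonEntitlement", [])):
        return True
    # Use the scoped affiliation so the affiliation is tied to a verified scope.
    affiliations = {v.rpartition("@")[0] for v in a.get("eduPersonScopedAffiliation", [])}
    return bool(rule.get("affiliation", set()) & affiliations)


# Constructed sample assertion as an SP would expose it to the application.
JDOE = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "eduPersonScopedAffiliation": ["member@example.edu", "staff@example.edu"],
    "eduPersonEntitlement": ["urn:mace:example.org:vo:nanohub:member"],
}

if __name__ == "__main__":
    print(authorize("/vo/nanohub/data", "https://idp.example.edu/idp/shibboleth", JDOE))
    print(authorize("/campus/wiki", "https://idp.partner.org/idp/shibboleth", JDOE))
```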
48. Knowledge management in a collaborative business framework.
- Author
-
Kumar, Sameer and Thondikulam, Ganesh
- Subjects
KNOWLEDGE management research ,KNOWLEDGE acquisition (Expert systems) ,INFORMATION resources management ,INFORMATION sharing ,ORGANIZATIONAL learning ,SUPPLY chains ,GAME theory ,BUSINESS models ,KNOWLEDGE base - Abstract
Knowledge Management (KM) is a newly emerging, interdisciplinary business model that has knowledge within the framework of trading partners as its focus. It is rooted in many disciplines, including business, economics, psychology and information management. Knowledge management involves people, process and technology in overlapping parts. It helps in building a competitive advantage for today's firm. Examples of two companies that successfully implemented knowledge management are presented. A precursor to organizational decision-making includes the creation of a knowledge representation process, the knowledge acquisition process, and the organization of knowledge facilitating the creation of an enterprise knowledge base, as described in this paper. The progression over time of a business organization through three stages to become a knowledge organization is outlined. In order to gain and sustain a strategic advantage in a global economy, it is becoming increasingly critical for organizations to share knowledge with their customers, trading partners, suppliers, and even competitors. One of the key factors that acts as a barrier to successful knowledge management is a lack of knowledge sharing or trust. Knowledge sharing scenarios are also outlined to illustrate the impact on the payoffs to trading partners based on the intents of the partners involved.
- Published
- 2006
49. Federated Identity Concept Between the Institute of Archaeology and Viminacium Localities
- Author
-
Vanja Korać, Dragan Prlja, and Milan Todorović
- Subjects
History ,General Medicine ,Federated identity ,Archaeology - Published
- 2017
50. CILogon: Enabling Federated Identity and Access Management for Scientific Collaborations
- Author
-
Terry Fleury, Scott Koranda, Jim Basney, Heather Flanagan, Benn Oshrin, and Jeff Gaynor
- Subjects
World Wide Web ,Collaborative software ,Service (systems architecture) ,Computer science ,business.industry ,Component-based software engineering ,Federated identity ,business ,Access management ,Shibboleth ,OpenID Connect ,Identity management - Abstract
CILogon provides a software platform that enables scientists to work together to meet their identity and access management (IAM) needs more effectively so they can allocate more time and effort to their core mission of scientific research. CILogon builds on open source Shibboleth and COmanage software to provide an integrated IAM platform for science, federated worldwide via eduGAIN. CILogon serves the unique needs of research collaborations, namely to dynamically form collaboration groups across organizations and countries, sharing access to data, instruments, compute clusters, and other resources to enable scientific discovery. We operate CILogon via a software-as-a-service model to ease integration with a variety of science applications, while making all CILogon software components publicly available under open source licenses to enable re-use. Since CILogon operations began in 2010, our service has expanded from a federated X.509 certification authority (CA) to an OpenID Connect provider, SAML Attribute Authority, and multi-tenant collaboration platform. In this article, we describe the current CILogon system.
- Published
- 2019