
Overview of “Attribute Aggregation In Federated Identity Management”[1]

Presented by Daniel Waymel, June 2013, at UT Dallas.







  1. Overview of “Attribute Aggregation In Federated Identity Management”[1] Presented by Daniel Waymel June 2013 at UT Dallas

  2. Background
  • Foundation
    • Identity Providers (IdP)
    • Service Providers (SP)
    • Attributes
  • Federated Identity Management
    • ABAC-Based
    • Unify IdPs in a Trust Relationship
    • Extends SSO
    • Enhanced User Convenience
    • Potentially Enhanced User Privacy
  • Attribute Aggregation
    • Compilation of Attributes from Multiple IdPs
    • Greater Convenience Without Complete Loss of Privacy

  3. Existing Solutions [1]
  • SSO certificates
  • Liberty Alliance
    • Background sharing between IdPs using randomized aliases
    • Note: User affiliations are known to IdPs – potential privacy leak
  • Partnerships – IdP-Mediated Attribute Aggregation
    • User-initiated linking of accounts across IdPs via shared secret
    • Unified alias can subsequently be passed to SPs along with IdP partnerships
    • Same privacy issues as with the Liberty Alliance solution
  • myVocs – Identity Proxying
    • Relies on a single fully trusted IdP which coordinates with all other IdPs
    • Rarely workable trust relationship as the proxy IdP is trusted absolutely

  4. New Concept: Linking Service
  Diagram: John, the Linking Service, iBay.com and Rainforest.com. Message flow:
  1: Initial Login
  2: Ref: IdP1
  3: Ret: {ibuystuff}
  4: Ref: IdP2
  5: Ret: {isellstuff}
  Note: A separate user-controlled ACL-like table is also maintained by the Linking Service controlling which attributes are available to which IdPs.

  5. Level of Assurance (LOA) [1]
  • Four levels: 1 (lowest) – 4 (highest)
  • Registration LOA
    • Defined by the mode of authentication used for initial registration/provisioning
  • Authentication LOA
    • Defined by the mode of authentication used for return access
  • Session LOA
    • Defined by the mode of authentication chosen for a given session
  • Registration LOA must dominate Authentication LOA
  • Once authenticated with an LOA of X, only attributes from IdPs whose LOA dominates X may be aggregated, thus maintaining a baseline standard of assurance.

  6. Usage Scenario – Accessing Restricted Content on Rainforest.com
  Diagram: John, Rainforest.com (SP), the Linking Service (LS), and IdP1, IdP2, IdP3 – IdPn (one IdP shows a username/password login screen, another uses two-factor authentication). Message flow:
  1: Login Request
  2: Redir: IdP1
  2.5: login interaction
  3: Ret: {attributes}, Ref1
  4: Ref: LS
  5: Ref: IdP2; Ref: IdP3 – IdPn
  6: Ret: {attributes} (from each referenced IdP)
  7: Ret: {aggregated attributes}
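To make the LOA rule of slide 5 and the aggregation flow of slides 4 and 6 concrete, here is an added toy model of the Linking Service (example code written for this overview, not from the paper or any implementation). It assumes the user-controlled ACL-like table can be represented as a per-recipient release table, and that the LOA compared against the session LOA is the linked account's registration LOA; the accounts and attribute values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class LinkedAccount:
    idp: str
    registration_loa: int    # LOA of the initial registration/provisioning
    authentication_loa: int  # LOA of the authentication mode for return access
    attributes: dict

    def __post_init__(self):
        # Four levels (1 lowest, 4 highest); registration LOA must dominate authentication LOA.
        if not 1 <= self.authentication_loa <= self.registration_loa <= 4:
            raise ValueError(f"{self.idp}: registration LOA must dominate authentication LOA")

@dataclass
class LinkingService:
    links: dict = field(default_factory=dict)          # alias -> [LinkedAccount]
    release_table: dict = field(default_factory=dict)  # alias -> {recipient: {attribute names}}

    def link(self, alias, account, releasable):
        # Link an IdP account and record which of its attributes may go to which recipient.
        self.links.setdefault(alias, []).append(account)
        for recipient, names in releasable.items():
            self.release_table.setdefault(alias, {}).setdefault(recipient, set()).update(names)

    def aggregate(self, alias, authenticated_via, session_loa, recipient):
        # Attributes the Linking Service may return for this session, grouped by source IdP.
        accounts = self.links.get(alias, [])
        auth = next(a for a in accounts if a.idp == authenticated_via)
        # The session LOA cannot exceed the authentication LOA of the IdP the user logged in to.
        if not 1 <= session_loa <= auth.authentication_loa:
            raise ValueError("session LOA exceeds the authenticating IdP's authentication LOA")
        allowed = self.release_table.get(alias, {}).get(recipient, set())
        result = {}
        for acct in accounts:
            # Only IdPs whose LOA dominates the session LOA contribute attributes
            # (assumption: the linked account's registration LOA is the value compared).
            if acct.registration_loa < session_loa:
                continue
            released = {k: v for k, v in acct.attributes.items() if k in allowed}
            if released:
                result[acct.idp] = released
        return result

def demo(session_loa):
    # Constructed scenario: John linked three IdPs; Rainforest.com asks for his attributes.
    ls = LinkingService()
    for idp, loa, attrs, release in [
            ("iBay.com", 2, {"alias": "ibuystuff", "rating": "gold"}, {"rating"}),
            ("Rainforest.com", 3, {"alias": "isellstuff", "seller": True}, {"seller"}),
            ("SocialIdP", 1, {"nickname": "jw"}, {"nickname"})]:
        ls.link("john", LinkedAccount(idp, loa, loa, attrs), {"Rainforest.com": release})
    return ls.aggregate("john", "iBay.com", session_loa, "Rainforest.com")
```

With a session LOA of 2 the LOA-1 account is dropped from the aggregate, and the alias attributes never leave the Linking Service because the release table does not list them for Rainforest.com.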

  7. Further Details
  • Implementation details are discussed in the paper, but are not discussed here due to scope and brevity.

  8. Reference
  • [1] Chadwick, D. W., & Inman, G. (2009). Attribute aggregation in federated identity management. Computer, 42(5), 33-40.
