Abstract
With Federated Identity Management (FIM) protocols, service providers can request user attributes, such as the billing address, from the user’s identity provider. Access to this information is managed using so-called Attribute Release Policies (ARPs). In this paper, we first analyze various shortcomings of existing ARP implementations; then, we demonstrate that the eXtensible Access Control Markup Language (XACML) is very suitable for the task. We present an architecture for the integration of XACML ARPs into SAML-based identity providers and specify the policy evaluation workflows. We also introduce our implementation and its integration into the Shibboleth architecture.
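As an added illustration that is not taken from the paper or its Shibboleth implementation, the following Python sketch evaluates a minimal XACML 2.0-style attribute release policy against one service provider's attribute request; the policy, the `urn:example:*` AttributeId URNs and the entity IDs are all constructed for the example.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML}
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed sample ARP for one user: release only the "mail" attribute to one
# service provider and deny everything else. The AttributeId URNs are hypothetical.
ARP_XML = f"""<Policy xmlns="{XACML}" PolicyId="arp-user1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="mail-to-sp1" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{EQ}">
      <AttributeValue DataType="{STR}">https://sp1.example.org/shibboleth</AttributeValue>
      <SubjectAttributeDesignator AttributeId="urn:example:sp-entity-id" DataType="{STR}"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{EQ}">
      <AttributeValue DataType="{STR}">mail</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:example:attribute-name" DataType="{STR}"/>
    </ResourceMatch></Resource></Resources>
  </Target></Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

def _target_matches(target, request):
    # XACML 2.0: an absent or empty Target applies to every request; otherwise
    # every SubjectMatch/ResourceMatch must equal the request's attribute value.
    if target is None:
        return True
    for match in (m for m in target.iter() if m.tag.endswith("Match")):
        expected = match.find("x:AttributeValue", NS).text
        designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
        if request.get(designator.get("AttributeId")) != expected:
            return False
    return True

def evaluate_arp(policy_xml, request):
    # first-applicable combining: the first rule whose Target matches decides.
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if _target_matches(rule.find("x:Target", NS), request):
            return rule.get("Effect")
    return "NotApplicable"

def release_decision(sp_entity_id, attribute_name):
    # The IdP's attribute query for one SP and one attribute, as a request context.
    return evaluate_arp(ARP_XML, {"urn:example:sp-entity-id": sp_entity_id,
                                  "urn:example:attribute-name": attribute_name})
```

The closing default-deny rule is what makes the policy fail closed: any attribute or service provider not explicitly permitted is withheld rather than falling through to NotApplicable.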
© 2005 IFIP International Federation for Information Processing
Hommel, W. (2005). Using XACML for Privacy Control in SAML-Based Identity Federations. In: Dittmann, J., Katzenbeisser, S., Uhl, A. (eds) Communications and Multimedia Security. CMS 2005. Lecture Notes in Computer Science, vol 3677. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11552055_16
DOI: https://doi.org/10.1007/11552055_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28791-9
Online ISBN: 978-3-540-31978-8
eBook Packages: Computer Science (R0)