Abstract
The existing model of Federated Identity Management (FIM) allows a user to provide attributes only from a single Identity Provider (IdP) per service session. However, this does not cater to the fact that the user attributes are scattered and stored across multiple IdPs. An attribute aggregation mechanism would allow a user to aggregate attributes from multiple providers and pass them to a Service Provider (SP) in a single service session which would enable the SP to offer innovative service scenarios. Unfortunately, there exist only a handful of mechanisms for aggregating attributes and most of them either require complex user interactions or are based on unrealistic assumptions. In this paper, we present a novel approach called the Hybrid Model for aggregating attributes from multiple IdPs using one of the most popular FIM technologies: Security Assertion Markup Language (SAML). We present a thorough analysis of different requirements imposed by our proposed approach and discuss how we have developed a proof of concept using our model and what design choices we have made to meet the majority of these requirements. We also illustrate two use-cases to elaborate the applicability of our approach and analyse the advantages it offers and the limitations it currently has.
© 2017 Springer International Publishing AG
Ferdous, M.S., Chowdhury, F., Poet, R. (2017). A Hybrid Model of Attribute Aggregation in Federated Identity Management. In: Chang, V., Ramachandran, M., Walters, R., Wills, G. (eds) Enterprise Security. ES 2015. Lecture Notes in Computer Science(), vol 10131. Springer, Cham. https://doi.org/10.1007/978-3-319-54380-2_6
DOI: https://doi.org/10.1007/978-3-319-54380-2_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54379-6
Online ISBN: 978-3-319-54380-2
eBook Packages: Computer Science (R0)