Skip to main content
SpringerLink
Log in
Book cover

OTM Confederated International Conferences "On the Move to Meaningful Internet Systems"

OTM 2013: On the Move to Meaningful Internet Systems: OTM 2013 Conferences pp 342–359Cite as

Federated Authorization for Software-as-a-Service Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 8185))

Abstract

Software-as-a-Service (SaaS) is a type of cloud computing in which a tenant rents access to a shared, typically web-based application hosted by a provider. Access control for SaaS should enable the tenant to control access to data that are located at the provider based on tenant-specific access control policies. To achieve this, state-of-practice SaaS applications provide application-specific access control configuration interfaces and as a result, the tenant policies are evaluated at the provider side. This approach does not support collaboration between provider-side and tenant-side access control infrastructures, thus scattering tenant access control management and forcing the tenant to disclose sensitive access control data. To address these issues, we describe the concept of federated authorization in which management and evaluation of the tenant policies is externalized from the SaaS application to the tenant. This centralizes tenant access control management and lowers the required trust in the provider. This paper presents a generic middleware architecture for federated authorization, describing required extensions to current policy languages and a distributed execution environment. Our evaluation explores the trade-off between performance and security and shows that federated authorization is a feasible and promising approach.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Security Assertion Markup Language (SAML) v2.0 (March 2005), http://www.oasis-open.org/standards#samlv2.0

  2. OpenID Authentication 2.0 - Final (December 2007), http://openid.net/specs/openid-authentication-2_0.html

  3. 3-D Secure - Wikipedia, the free encyclopedia (July 2013), http://en.wikipedia.org/wiki/3-D_Secure

  4. E-Health Information Platforms (E-HIP) (July 2013), http://distrinet.cs.kuleuven.be/research/projects/showProject.do?projectID=E-HIP

  5. Healthcare professional’s collaboration Space (Share4Health) (July 2013), http://distrinet.cs.kuleuven.be/research/projects/showProject.do?projectID=Share4Health

  6. Permission, User Management and Availability for multi-tenant SaaS applications (PUMA) (July 2013), http://distrinet.cs.kuleuven.be/research/projects/showProject.do?projectID=PUMA

  7. Alam, M., Zhang, X., Khan, K., Ali, G.: xDAuth: a scalable and lightweight framework for cross domain access control and delegation. In: ACM SACMAT, pp. 31–40 (2011)

    Google Scholar 

  8. Ardagna, C.A., De Capitani di Vimercati, S., Neven, G., Paraboschi, S., Preiss, F.-S., Samarati, P., Verdicchio, M.: Enabling privacy-preserving credential-based access control with xacml and saml. In: IEEE CIT, pp. 1090–1095 (2010)

    Google Scholar 

  9. Asghar, M.R., Ion, M., Russello, G., Crispo, B.: ESPOON: Enforcing encrypted security policies in outsourced environments. In: 2011 Sixth International Conference on Availability, Reliability and Security, ARES, pp. 99–108. IEEE (2011)

    Google Scholar 

  10. Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL). Technical report, IBM (2003)

    Google Scholar 

  11. European Commision. Directive 95/46/EC. Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995)

    Google Scholar 

  12. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  13. Decat, M., Lagaisse, B., Joosen, W.: Toward efficient and confidentiality-aware federation of access control policies. In: Proceedings of the 7th Workshop on Middleware for Next Generation Internet Computing. ACM (2012)

    Google Scholar 

  14. Cole, G., et al.: Service Provisioning Markup Language (SPML) Version 2.0. OASIS Committee Specification (2006)

    Google Scholar 

  15. Gheorghe, G., Crispo, B., Carbone, R., Desmet, L., Joosen, W.: Deploy, adjust and readjust: Supporting dynamic reconfiguration of policy enforcement. In: Kon, F., Kermarrec, A.-M. (eds.) Middleware 2011. LNCS, vol. 7049, pp. 350–369. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  16. Jin, X., Krishnan, R., Sandhu, R.: A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  17. Karjoth, G.: Access control with IBM Tivoli access manager. ACM TISSEC 6(2), 232–257 (2003)

    Article  Google Scholar 

  18. Lawrence, K., Kaler, C., Nadalin, A., Monzillo, R., Hallam-Baker, P.: Web Services Security: SOAP Message Security 1.1 (WS-Security) (2006)

    Google Scholar 

  19. Lischka, M., Endo, Y., Sánchez Cuenca, M.: Deductive policies with XACML. In: Proceedings of the 2009 ACM Workshop on Secure Web Services, SWS 2009, pp. 37–44. ACM, New York (2009)

    Chapter  Google Scholar 

  20. Lockhart, H., Parducci, B., Rissanen, E.: SAML 2.0 Profile of XACML, Version 2.0

    Google Scholar 

  21. Mell, P., Grance, T.: The NIST definition of cloud computing. National Institute of Standards and Technology 53(6), 50 (2009)

    Google Scholar 

  22. Moses, T., et al.: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard, 200502 (2005)

    Google Scholar 

  23. Pearlman, L., Welch, V., Foster, I., Kesselman, C., Tuecke, S.: A community authorization service for group collaboration. In: Proceedings of the Third International Symposium on Policies for Distributed Systems and Networks, pp. 50–59. IEEE (2002)

    Google Scholar 

  24. Stihler, M., Santin, A.O., Calsavara, A., Marcon, A.L.: Distributed usage control architecture for business coalitions. In: IEEE International Conference on Communications, ICC 2009, pp. 1–6. IEEE (2009)

    Google Scholar 

  25. Wei, Q.: Towards improving the availability and performance of enterprise authorization systems. PhD thesis, University of British Columbia (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. iMinds-DistriNet, KU Leuven, 3001, Leuven, Belgium

    Maarten Decat, Bert Lagaisse, Dimitri Van Landuyt & Wouter Joosen

  2. Department of Information Engineering and Computer Science, University of Trento, Trento, Italy

    Bruno Crispo

Authors
  1. Maarten Decat
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bert Lagaisse
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Dimitri Van Landuyt
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Bruno Crispo
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Wouter Joosen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. STAR Lab, Vrije Universiteit Brussel, Bldg G/10, Pleinlaan 2, 1050, Brussels, Belgium

    Robert Meersman

  2. CRAN, University of Lorraine, Campus Sciences, BP 70239, 54506, Vandoevre-les-Nancy, France

    Hervé Panetto

  3. Computer Science and Computer Engineering, La Trobe University, 3086, Melbourne, Victoria, Australia

    Tharam Dillon

  4. Dept. of Informatics Systems, University of Klagenfurt, Universitaetsstrasse 65, 9020, Klagenfurt, Austria

    Johann Eder

  5. LIRMM, University of Montpellier II, 161 Rue Ada, 34392, Montpellier Cedex 5, France

    Zohra Bellahsene

  6. Department of Informatics, University of Hamburg, 22527, Hamburg, Germany

    Norbert Ritter

  7. Department of Computer Sciences, VU University Amsterdam, De Boelelaan 1081, 1081 HV, Amsterdam, The Netherlands

    Pieter De Leenheer

  8. Computer and Information Science Department, University of Oregon, 97403, Eugene, OR, USA

    Deijing Dou

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Decat, M., Lagaisse, B., Van Landuyt, D., Crispo, B., Joosen, W. (2013). Federated Authorization for Software-as-a-Service Applications. In: Meersman, R., et al. On the Move to Meaningful Internet Systems: OTM 2013 Conferences. OTM 2013. Lecture Notes in Computer Science, vol 8185. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41030-7_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-41030-7_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41029-1

  • Online ISBN: 978-3-642-41030-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation