Overview of “Attribute Aggregation In Federated Identity Management”[1] Presented by Daniel Waymel June 2013 at UT Dallas.

Presentation transcript:


Background
Foundation
– Identity Providers (IdP)
– Service Providers (SP)
– Attributes
Federated Identity Management
– ABAC-Based
– Unify IdPs In a Trust Relationship
– Extends SSO
– Enhanced User Convenience
– Potentially Enhanced User Privacy
Attribute Aggregation
– Compilation of Attributes from Multiple IdPs
– Greater Convenience Without Complete Loss of Privacy

Existing Solutions [1]
SSO certificates
Liberty Alliance
– Background sharing between IdPs using randomized aliases
– Note: User affiliations are known to IdPs – potential privacy leak
Partnerships – IdP-Mediated Attribute Aggregation
– User-initiated linking of accounts across IdPs via shared secret
– Unified alias can subsequently be passed to SPs along with IdP partnerships
– Same privacy issues as with the Liberty Alliance solution
myVocs – Identity Proxying
– Relies on a single fully trusted IdP which coordinates with all other IdPs
– Rarely workable trust relationship as the proxy IdP is trusted absolutely

New Concept
Diagram: John logs in at the Linking Service, which refers him to each linked IdP (iBay.com and Rainforest.com) in turn and receives the attributes each returns:
1: Initial Login (John -> Linking Service)
2: Ref: IdP1 (iBay.com)
3: Ret: {ibuystuff}
4: Ref: IdP2 (Rainforest.com)
5: Ret: {isellstuff}
Linking Service table:
User | PID | IdP | Attributes
John | Uid1423 | iBay.com | {PayBuddy account info}
John | Uid9687 | Rainforest.com | {Merchant bank account info}
Note: A separate user-controlled ACL-like table is also maintained by the Linking Service controlling which attributes are available to which IdPs.

Level of Assurance (LOA) [1]
Four levels: 1 (lowest) – 4 (highest)
– Registration LOA – Defined by the mode of authentication used for initial registration/provisioning
– Authentication LOA – Defined by the mode of authentication used for return access
– Session LOA – Defined by the mode of authentication chosen for a given session
Registration LOA must dominate Authentication LOA.
Once authenticated with an LOA of X, only attributes from IdPs whose LOA dominates X may be aggregated, thus maintaining a baseline standard of assurance.

Usage Scenario – Accessing Restricted Content on Rainforest.com
Diagram participants: John, Rainforest.com (SP), the Linking Service (LS), and IdP1 through IdPn; the diagram labels two authentication methods, "Un/pw login screen" and "Two-factor authentication".
1: Login Request (John -> Rainforest.com)
2: Redir: IdP1
2.5: login interaction
3: Ret: {attributes}, Ref1
4: Ref: LS
5: Ref: IdP2; 5: Ref: IdP3 – IdPn
6: Ret: {attributes} (from each referred IdP)
7: Ret: {aggregated attributes}
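The Linking Service table, its user-controlled ACL and the LOA dominance rule from the previous slides can be modelled together. The following is an added example written for this overview, not code from the paper or any Linking Service implementation; the LOA values assigned to iBay.com and Rainforest.com and the attribute values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class IdPRecord:
    pid: str          # persistent identifier the LS holds for the user at this IdP
    loa: int          # LOA this IdP authenticates at: 1 (lowest) .. 4 (highest)
    attributes: dict  # attributes the IdP would assert for this PID (constructed)

def registration_dominates(registration_loa: int, authentication_loa: int) -> bool:
    """Slide rule: Registration LOA must dominate (be >=) Authentication LOA."""
    return registration_loa >= authentication_loa

@dataclass
class LinkingService:
    links: dict = field(default_factory=dict)  # user -> {idp_name: IdPRecord}
    acl: dict = field(default_factory=dict)    # user -> {requester: set of attr names}

    def link(self, user: str, idp: str, rec: IdPRecord) -> None:
        """Row in the LS table: (User, PID, IdP, Attributes)."""
        self.links.setdefault(user, {})[idp] = rec

    def allow(self, user: str, requester: str, *attr_names: str) -> None:
        """User-controlled ACL: which attributes may be released to which party."""
        self.acl.setdefault(user, {}).setdefault(requester, set()).update(attr_names)

    def aggregate(self, user: str, requester: str, session_loa: int) -> dict:
        """Collect attributes only from linked IdPs whose LOA dominates the
        session LOA, and release only what the user's ACL permits."""
        permitted = self.acl.get(user, {}).get(requester, set())
        out = {}
        for idp, rec in self.links.get(user, {}).items():
            if rec.loa < session_loa:   # a weaker IdP cannot lower the baseline
                continue
            released = {k: v for k, v in rec.attributes.items() if k in permitted}
            if released:                # do not reveal a link that releases nothing
                out[idp] = released
        return out

def build_demo() -> LinkingService:
    """Constructed data mirroring the slide's 'John' example (LOAs assumed)."""
    ls = LinkingService()
    ls.link("John", "iBay.com", IdPRecord("Uid1423", 2,
            {"paybuddy_account": "PB-0001", "email": "john@example.test"}))
    ls.link("John", "Rainforest.com", IdPRecord("Uid9687", 3,
            {"merchant_bank_account": "MB-0002"}))
    ls.allow("John", "Rainforest.com", "paybuddy_account", "merchant_bank_account")
    return ls
```

With a session LOA of 2 both IdPs contribute, but raising the session LOA to 3 drops iBay.com's attributes, and a requester absent from John's ACL receives nothing.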

Further Details Implementation details are discussed in the paper, but are not discussed here due to scope and brevity.

Reference [1] Chadwick, D. W., & Inman, G. (2009). Attribute aggregation in federated identity management. Computer, 42(5),