Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of “Attribute Aggregation In Federated Identity Management”[1] Presented by Daniel Waymel June 2013 at UT Dallas.

Published byPriscilla Cross Modified over 8 years ago

Similar presentations

Presentation on theme: "Overview of “Attribute Aggregation In Federated Identity Management”[1] Presented by Daniel Waymel June 2013 at UT Dallas."— Presentation transcript:

1 Overview of “Attribute Aggregation In Federated Identity Management”[1] Presented by Daniel Waymel June 2013 at UT Dallas

2 Background Foundation – Identity Providers (IdP) – Service Providers (SP) – Attributes Federated Identity Management – ABAC-Based – Unify IdPs In a Trust Relationship – Extends SSO – Enhanced User Convenience – Potentially Enhanced User Privacy Attribute Aggregation – Compilation of Attributes from Multiple IdPs – Greater Convenience Without Complete Loss of Privacy

3 Existing Solutions [1] SSO certificates Liberty Alliance – Background sharing between IdPs using randomized aliases – Note: User affiliations are known to IdPs – potential privacy leak Partnerships – IdP-Mediated Attribute Aggregation – User-Initiated linking of accounts across IdPs via shared secret – Unified alias can subsequently be passed to SPs along with IdP partnerships – Same privacy issues as with the Liberty Alliance solution myVocs – Identity Proxying – Relies on a single fully trusted IdP which coordinates with all other IdPs – Rarely workable trust relationship as the proxy IdP is trusted absolutely

4 New Concept John Linking Service 1: Initial Login iBay.com Rainforest.com 2: Ref: IdP1 4: Ref: IdP2 3: Ret: {ibuystuff} 5: Ret: {isellstuff} UserPIDIdPAttributes JohnUid1423iBay.com{PayBuddy account info} JohnUid9687Rainforest.com{Merchant bank account info} Note: A separate user-controlled ACL-like table is also maintained by the Linking Service controlling which attributes are available to which IdPs.

5 Level of Assurance (LOA) [1] Four levels: 1(lowest) – 4(highest) Registration LOA – Defined by mode of authentication used for initial registration/provisioning Authentication LOA – Defined by the mode of authentication used for return access Session LOA – Defined by the mode of authentication chosen for a given session Registration LOA must dominate Authentication LOA Once authenticated with an LOA of X, only attributes from IdPs whose LOA dominate X may be aggregated, thus maintaining a baseline standard of assurance.

6 Usage Scenario – Accessing Restricted Content on Rainforest.com John Rainforest.com (SP) Un/pw login screen Two-factor authentication Linking Service 1: Login Request 2: Redir: IdP1 3: Ret: {attributes}, Ref1 4: Ref: LS... IdP3IdPn... 5: Ref: IdP2 6: Ret: {attributes} 5: Ref: IdP3 – IdPn 6: Ret: {attributes} 2.5: login interaction 7: Ret: {aggregated attributes}

7 Further Details Implementation details are discussed in the paper, but are not discussed here due to scope and brevity.

8 Reference [1] Chadwick, D. W., & Inman, G. (2009). Attribute aggregation in federated identity management. Computer, 42(5), 33-40.

Download ppt "Overview of “Attribute Aggregation In Federated Identity Management”[1] Presented by Daniel Waymel June 2013 at UT Dallas."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013

AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013
NZ igovt/RealMe proposed consent service: overview Kantara eGov Working Group April 8 th 2013 CROWN COPYRIGHT © This work is licensed under the Creative.

NZ igovt/RealMe proposed consent service: overview Kantara eGov Working Group April 8 th 2013 CROWN COPYRIGHT © This work is licensed under the Creative.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGENT REALLY HAVE TO BE DIFFICULT?

DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGENT REALLY HAVE TO BE DIFFICULT?
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Www.mobilevce.com © 2004 Mobile VCE June 2004 Security – Requirements and approaches to securing future mobile services Malcolm K Payne BT.

© 2004 Mobile VCE June 2004 Security – Requirements and approaches to securing future mobile services Malcolm K Payne BT.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
© 2010, University of KentPrimeLife Vienna, 10 Sept 20101 CardSpace in the Cloud David Chadwick, George Inman University of Kent.

© 2010, University of KentPrimeLife Vienna, 10 Sept CardSpace in the Cloud David Chadwick, George Inman University of Kent.
A Survey of Risk: Federated ID Management in Cloud and Grid Computing Presentation by Andy Wood (P11250192)

A Survey of Risk: Federated ID Management in Cloud and Grid Computing Presentation by Andy Wood (P )
Www.eduserv.org.uk/openathens Alumni Authentication… Explained Robert Scaysbrook – OpenAthens UK Account Manager.

Alumni Authentication… Explained Robert Scaysbrook – OpenAthens UK Account Manager.
Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.

Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google