
Definition of an advanced identity management infrastructure

  • Regular Contribution
  • Published in: International Journal of Information Security

Abstract

In recent years, organizations have started to demand finer-grained user access control in order to offer added-value services, while end users want more control over their private information. Several approaches have proved effective in protecting basic scenarios. However, in scenarios requiring advanced features, such as advanced authorization capabilities, level of assurance facilities or effective privacy management, certain issues still need to be addressed. In this work, we propose an identity management infrastructure, based on the SAML, XACML and XKMS standards, which extends current approaches in order to achieve the required features. We include a performance analysis to show the feasibility of this architecture.
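The abstract names three of the features such an infrastructure has to combine: authorization decisions (XACML), a level of assurance (LoA) derived from how the user authenticated (carried in the SAML assertion's authentication context), and privacy control over which attributes an identity provider releases to a service provider. The following is an added illustrative example, written for this page and not the paper's own code or the Mistral-IdM implementation; it shows, with a constructed SAML 2.0 assertion, how an enforcement point can extract the LoA and attributes, evaluate a minimal XACML-style policy with deny-overrides combining, and apply a per-service-provider attribute release policy. The mapping of SAML authentication context classes to NIST SP 800-63 assurance levels, the policy rules, the entity IDs and the attribute OIDs used are assumptions chosen for illustration; XML signature verification and trust validation of the issuer key (the part XKMS would provide) are deliberately out of scope and must be done before this code is trusted.

```python
"""Illustrative example (not the paper's code): LoA extraction from a SAML 2.0
assertion, a minimal XACML-style authorization decision, and attribute release
filtering. Assumes the assertion's signature and issuer trust were verified
beforehand (e.g. via an XKMS validate service); that step is omitted here."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed mapping of SAML authentication context classes to NIST SP 800-63
# assurance levels. A deployment defines its own; unknown classes map to the
# lowest level so that a misconfigured IdP cannot escalate assurance.
LOA_OF_CONTEXT = {
    AC + "unspecified": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TLSClient": 3,
    AC + "SmartcardPKI": 4,
}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2012-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return subject, LoA and attributes carried by a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=ns)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", ns)]
    return {"subject": subject, "loa": LOA_OF_CONTEXT.get(ctx, 1), "attributes": attrs}

# Assumed XACML-like policy: each rule targets a resource, requires a minimum
# LoA and a set of acceptable attribute values, and yields an effect.
# eduPersonAffiliation is urn:oid:1.3.6.1.4.1.5923.1.1.1.1.
POLICY = [
    {"resource": "payroll", "min_loa": 3, "require": {}, "effect": "Permit"},
    {"resource": "intranet", "min_loa": 2,
     "require": {"urn:oid:1.3.6.1.4.1.5923.1.1.1.1": {"staff", "faculty"}},
     "effect": "Permit"},
]

def rule_applies(rule, resource, info):
    """A rule's target matches only if resource, LoA and attributes all fit."""
    if rule["resource"] != resource or info["loa"] < rule["min_loa"]:
        return False
    return all(allowed & set(info["attributes"].get(name, []))
               for name, allowed in rule["require"].items())

def decide(policy, resource, info):
    """Deny-overrides combining: any applicable Deny wins, then Permit,
    otherwise NotApplicable (no rule matched, e.g. LoA too low)."""
    effects = {r["effect"] for r in policy if rule_applies(r, resource, info)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def pep_allows(policy, resource, info):
    """Enforcement point is fail-closed: only an explicit Permit grants access."""
    return decide(policy, resource, info) == "Permit"

# Assumed attribute release policy (privacy): per SP entity ID, the attribute
# names the IdP may disclose. An SP without an entry receives nothing.
RELEASE_POLICY = {
    "https://sp.example.org": {"urn:oid:1.3.6.1.4.1.5923.1.1.1.1"},  # affiliation only
}

def release(attrs, sp_entity_id, release_policy):
    """Minimal disclosure: keep only attributes allowed for this SP."""
    allowed = release_policy.get(sp_entity_id, set())
    return {k: v for k, v in attrs.items() if k in allowed}

if __name__ == "__main__":
    info = parse_assertion(SAMPLE_ASSERTION)
    print(info["subject"], "LoA", info["loa"])
    for res in ("intranet", "payroll"):
        print(res, decide(POLICY, res, info))
    print(release(info["attributes"], "https://sp.example.org", RELEASE_POLICY))
```

Two design points are worth noting. The LoA check is part of rule applicability rather than a separate Deny rule, so a password-authenticated user asking for the "payroll" resource gets NotApplicable, which the enforcement point treats exactly like Deny; if a policy author wants an auditable explicit denial, a Deny rule with a lower `min_loa` can be added without changing the evaluator. The release policy runs on the identity provider side before any attribute leaves the organization, which is what keeps the e-mail address out of the assertion sent to a service provider entitled only to the affiliation.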



Author information

Corresponding author

Correspondence to Ginés Dólera Tormo.

About this article

Cite this article

Dólera Tormo, G., López Millán, G. & Martínez Pérez, G. Definition of an advanced identity management infrastructure. Int. J. Inf. Secur. 12, 173–200 (2013). https://doi.org/10.1007/s10207-012-0189-y
