Abstract
Security Assertion Markup Language (SAML for short) is one of the most widely used technologies for enabling identity federation among organisations from different trust domains. Despite its several advantages, one of the key disadvantages of SAML is the mechanism by which an identity federation is established. This mechanism lacks the flexibility to create a federation dynamically and thus to enable service provisioning (or de-provisioning) in real time. Several mechanisms to rectify this problem have been proposed; however, most of them require elaborate changes at the core of SAML. In this paper we present a simple approach, based on an already drafted SAML profile, which requires no change to SAML itself but only to how SAML is implemented. It allows users to create SAML federations between two previously unknown organisations in a dynamic fashion. Implicit in every identity federation is the issue of trust, so we also analyse in detail the trust issues of dynamic federations. Finally, we discuss our implemented proof of concept to demonstrate the practicality of our approach.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Ferdous, M.S., Poet, R. (2013). Dynamic Identity Federation Using Security Assertion Markup Language (SAML). In: Fischer-Hübner, S., de Leeuw, E., Mitchell, C. (eds) Policies and Research in Identity Management. IDMAN 2013. IFIP Advances in Information and Communication Technology, vol 396. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37282-7_13
DOI: https://doi.org/10.1007/978-3-642-37282-7_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37281-0
Online ISBN: 978-3-642-37282-7