Abstract
One of the challenges for Single Sign-On (SSO) is multi-protocol federation in identity management. Even though projects such as Shibboleth provide a good identity management framework, they usually support only a single protocol, such as the Security Assertion Markup Language (SAML). With the movement towards increasing service collaboration in the cloud, identity federation needs to be extended to cover multiple identity protocol standards. In this paper, we propose an online, distributed, multi-protocol identity management framework, Sh-IDaaS (Shibboleth-based Identity-as-a-Service), which can discover multiple user identity services in a Shibboleth environment. The framework enables federation of various identity services by binding different identity providers to a special discovery service, even if those providers support different identity protocols. Based on the Shibboleth framework, we describe the detailed design and implementation of our pluggable Sh-IDaaS architecture. An analysis of the interoperability and performance of our Sh-IDaaS prototype is also provided to justify its feasibility and practicability.
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Li, M., Chi, CH., Ding, C., Wong, R., She, Z. (2018). A Multi-protocol Authentication Shibboleth Framework and Implementation for Identity Federation. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_5
DOI: https://doi.org/10.1007/978-3-030-01704-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01703-3
Online ISBN: 978-3-030-01704-0