A Taxonomy of Single Sign-On Systems

  • Andreas Pashalidis
  • Chris J. Mitchell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2727)

Abstract

At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction. Several architectures for SSO have been developed, each with different properties and underlying infrastructures. This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context. This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches.
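The flow the abstract describes (one manual authentication, after which further services are entered without re-authenticating) is easiest to see with a concrete exchange. The following is an added illustration written for this page, not the paper's taxonomy nor any scheme it classifies: the identity provider, the two service providers, the assertion format and the pre-shared HMAC keys are all assumptions of the example. It also shows the checks a relying service needs so that an assertion minted for one service cannot be replayed to another or reused after it has been consumed.

```python
"""Toy 'authenticate once, use many services' flow, modelled on the abstract's
description of SSO. Added illustration only: protocol, message format, names
and keys are assumptions of this example, not the paper's or any product's."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed sample data: one user at the identity provider (IdP) and two
# service providers (SPs), each sharing a distinct secret with the IdP.
_USER_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _USER_SALT, 100_000)}
_SP_KEYS = {"mail": os.urandom(32), "files": os.urandom(32)}  # assumed pre-shared keys


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


class IdentityProvider:
    """Authenticates the user once, then mints per-service assertions."""

    def __init__(self) -> None:
        self._sessions = {}  # session id -> username

    def login(self, username: str, password: str) -> Optional[str]:
        stored = _USERS.get(username)
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _USER_SALT, 100_000)
        # Always run the comparison so an unknown user costs the same as a wrong password.
        if stored is None or not hmac.compare_digest(stored, cand):
            return None
        sid = os.urandom(16).hex()
        self._sessions[sid] = username
        return sid

    def assertion_for(self, sid: str, audience: str, ttl: int = 60,
                      now: Optional[int] = None) -> Optional[str]:
        """Later services get an assertion from the existing session;
        the user does not enter the password again."""
        user = self._sessions.get(sid)
        if user is None or audience not in _SP_KEYS:
            return None
        now = int(time.time()) if now is None else now
        claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl,
                  "nonce": os.urandom(8).hex()}
        body = json.dumps(claims, sort_keys=True).encode()
        return body.hex() + "." + _tag(_SP_KEYS[audience], body).decode()


class ServiceProvider:
    """Accepts IdP assertions; never sees the user's password."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._seen = set()  # nonces already consumed, for replay rejection

    def accept(self, assertion: str, now: Optional[int] = None) -> Optional[str]:
        try:
            body_hex, tag = assertion.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        # Constant-time tag check under this service's own key: a forged
        # assertion, or one minted under another service's key, fails here.
        if not hmac.compare_digest(_tag(_SP_KEYS[self.name], body), tag.encode()):
            return None
        claims = json.loads(body)
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.name:                      # audience binding
            return None
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):  # lifetime window
            return None
        if claims.get("nonce") in self._seen:                   # replay
            return None
        self._seen.add(claims["nonce"])
        return claims["sub"]


def demo() -> dict:
    """Runs the flow and reports which presentations succeed (username) or fail (None)."""
    idp = IdentityProvider()
    mail, files = ServiceProvider("mail"), ServiceProvider("files")
    sid = idp.login("alice", "correct horse")          # the single manual login
    a_mail = idp.assertion_for(sid, "mail")
    a_files = idp.assertion_for(sid, "files")
    return {
        "bad_password": idp.login("alice", "wrong") is None,
        "mail": mail.accept(a_mail),
        "files": files.accept(a_files),
        "cross_service": files.accept(a_mail),          # mail assertion shown to files
        "replay": mail.accept(a_mail),                  # same assertion a second time
        "expired": files.accept(idp.assertion_for(sid, "files"),
                                now=int(time.time()) + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The audience and nonce checks are the part worth keeping in mind when comparing real SSO systems: without them an assertion obtained for one service is a credential for every service that trusts the same issuer, which is exactly the kind of difference in security properties the paper's taxonomy is meant to expose.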

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Andreas Pashalidis (1)
  • Chris J. Mitchell (1)
  1. Royal Holloway, University of London, Egham, Surrey, UK