
A Model for Authentication Credentials Translation in Service Oriented Architecture

  • Emerson Ribeiro de Mello
  • Michelle S. Wangham
  • Joni da Silva Fraga
  • Edson T. de Camargo
  • Davi da Silva Böger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5430)

Abstract

With the growing number of service providers, grouping these providers into federations and adopting Single Sign-On (SSO) give users transparent access to resources without having to know where those resources are located. Current industry and academic work, however, provides SSO only when the underlying security technology is homogeneous. This paper addresses interoperability between heterogeneous security technologies. The proposed model is built around a Credential Translation Service that enables SSO authentication even when heterogeneous security technologies are involved. The model therefore provides translation of authentication credentials and transposition of attributes and, as a consequence, supports authorization that spans different kinds of credentials and permissions within the federation. Implemented with Web Services, the work draws heavily on concepts introduced in the SAML, WS-Trust and WS-Federation specifications.
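To make the abstract's Credential Translation Service concrete, here is an added toy illustration; it is not the authors' implementation, whose internal design the abstract does not detail. It models a WS-Trust-style Issue exchange: the CTS validates a credential issued by a source domain, transposes its inetOrgPerson-style attributes onto eduPerson names, and answers with a SAML-2.0-shaped assertion that a relying party can verify. Everything below is assumed for the illustration: the keys, the domain names, the attribute mapping, and the use of HMAC-SHA256 over a canonicalised assertion in place of a real XML-Signature.

```python
"""Toy credential translation service (CTS) shaped like a WS-Trust issuing STS.

Added illustration, not the paper's code. Assumptions (all constructed): a source
credential is a signed dict of inetOrgPerson-style attributes; HMAC-SHA256 over a
canonical form stands in for XML-Signature; the target schema is eduPerson.
"""
import hashlib
import hmac
import json
import time
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_TOKEN_TYPE = SAML_NS  # WS-Trust TokenType URI the client asks for
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)

# Constructed keys: each trusted source domain shares a key with the CTS,
# standing in for the trust a federation would anchor in PKI.
SOURCE_KEYS = {"ldap.example.org": b"constructed-source-domain-key"}
CTS_KEY = b"constructed-cts-signing-key"

# Attribute transposition table: inetOrgPerson name -> eduPerson name.
# Attributes absent from the table are dropped, never forwarded.
INETORG_TO_EDUPERSON = {"mail": "mail", "ou": "eduPersonAffiliation",
                        "displayName": "displayName"}


def _mac(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_source_credential(domain, uid, attrs, ttl=300, now=None):
    """The source domain's own login service issues its native credential."""
    now = time.time() if now is None else now
    body = {"issuer": domain, "subject": uid, "attrs": attrs, "exp": int(now + ttl)}
    return {**body, "sig": _mac(_canonical(body), SOURCE_KEYS[domain])}


def validate_source_credential(cred, now=None):
    """CTS side: known issuer, intact signature, not expired. Raises ValueError."""
    now = time.time() if now is None else now
    key = SOURCE_KEYS.get(cred.get("issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    body = {k: v for k, v in cred.items() if k != "sig"}
    if not hmac.compare_digest(_mac(_canonical(body), key), cred.get("sig", "")):
        raise ValueError("bad credential signature")
    if body["exp"] <= now:
        raise ValueError("expired credential")
    return body


def transpose_attributes(body):
    """Attribute transposition: scoped principal name plus the mapped attributes."""
    out = {"eduPersonPrincipalName": f"{body['subject']}@{body['issuer']}"}
    for src, dst in INETORG_TO_EDUPERSON.items():
        if src in body["attrs"]:
            out[dst] = body["attrs"][src]
    return out


def _iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def issue_saml_assertion(body, ttl=300, now=None):
    """Build a minimal SAML-2.0-shaped assertion carrying the transposed attributes."""
    now = time.time() if now is None else now
    attrs = transpose_attributes(body)
    a = ET.Element(f"{{{SAML_NS}}}Assertion", ID=f"_{uuid.uuid4().hex}",
                   Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(a, f"{{{SAML_NS}}}Issuer").text = "cts.federation.example"
    subj = ET.SubElement(a, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = attrs["eduPersonPrincipalName"]
    ET.SubElement(a, f"{{{SAML_NS}}}Conditions", NotOnOrAfter=_iso(now + ttl))
    stmt = ET.SubElement(a, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in sorted(attrs.items()):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    # Signature stand-in: canonicalise (as XML-Signature does) then MAC; the hex
    # value rides in a bare ds:Signature element instead of the real structure.
    digest = _mac(ET.canonicalize(ET.tostring(a, encoding="unicode")).encode(), CTS_KEY)
    ET.SubElement(a, f"{{{DS_NS}}}Signature").text = digest
    return ET.tostring(a, encoding="unicode")


def handle_rst(rst, now=None):
    """WS-Trust Issue: validate the incoming credential, answer with an RSTR."""
    if rst.get("TokenType") != SAML_TOKEN_TYPE:
        raise ValueError("unsupported TokenType")
    body = validate_source_credential(rst["Credential"], now=now)
    return {"TokenType": SAML_TOKEN_TYPE,
            "RequestedSecurityToken": issue_saml_assertion(body, now=now)}


def verify_assertion(xml):
    """Relying party: recompute the MAC over the whole consumed assertion, then read attributes."""
    root = ET.fromstring(xml)
    sig = root.find(f"{{{DS_NS}}}Signature")
    if sig is None:
        raise ValueError("unsigned assertion")
    root.remove(sig)
    expected = _mac(ET.canonicalize(ET.tostring(root, encoding="unicode")).encode(), CTS_KEY)
    if not hmac.compare_digest(expected, sig.text or ""):
        raise ValueError("bad assertion signature")
    return {el.get("Name"): el.find(f"{{{SAML_NS}}}AttributeValue").text
            for el in root.iter(f"{{{SAML_NS}}}Attribute")}
```

Two checks carry the security of the scheme: the CTS must verify the source credential (known issuer, intact signature, not expired) before translating it, otherwise translation becomes a privilege-escalation path into the target domain, and the relying party must recompute the signature over the whole assertion it actually consumes, which is what makes a swapped attribute value detectable. A production deployment would use XML-Signature with a ds:Reference to the assertion ID and would have to defend against signature-wrapping attacks, which the bare ds:Signature element here does not model.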

Keywords

Web Services Security, Single Sign-on

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Emerson Ribeiro de Mello (1, 2)
  • Michelle S. Wangham (3)
  • Joni da Silva Fraga (1)
  • Edson T. de Camargo (1)
  • Davi da Silva Böger (1)
  1. Department of Automation and Systems, Federal University of Santa Catarina, Florianópolis, Brazil
  2. Federal Institute of Santa Catarina, São José, Brazil
  3. Embedded and Distributed Systems Group, Univali, São José, Brazil
