Exploiting Proxy-Based Federated Identity Management in Wireless Roaming Access

  • Diana Berbecaru
  • Antonio Lioy
  • Marco Domenico Aime
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6863)


Federated Identity Management technologies are exploited for user authentication in a number of network services but their usage may conflict with security restrictions imposed in a specific domain. We considered a specific case (roaming wireless access for guests) and extended the Stork SAML-based identity federation to cope with this problem by adding dynamic data, called meta-attributes, to be used for authorization even before the user authentication is completed. This concept may be easily extended to other data needed for trust verification and complex authorization decisions in a federated environment.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Maler, E., Reed, D.: The Venn of Identity: Options and Issues in Federated Identity Management. IEEE Security & Privacy, 16–23 ( March/April 2008)Google Scholar
  2. 2.
    Makoto, H.: Federation proxy for cross domain identity federation. In: Proc. of ACM DIM 2009, pp. 53–62 (2009)Google Scholar
  3. 3.
    Bonatti, P., Samarati, P.: Regulating service access and information release on the web. In: ACM CCS 2000, pp. 130–145 (November 2000)Google Scholar
  4. 4.
    Yuan, E., Tong, J.: Attribute Based Access Control (ABAC) for Web Services. In: Proc. of ICWS 2005, pp. 561–569 (July 2005)Google Scholar
  5. 5.
    Cantor, S. (ed.): Shibboleth architecture - Protocols and Profiles (September 2005), http://shibboleth.internet2.edu
  6. 6.
    Secure Identity Across Borders Linked (STORK) project - Towards pan-European recognition of electronic IDs (eIDs) (2008-2011), http://www.eid-stork.eu
  7. 7.
    Berbecaru, D., Jorquera, E., Alcalde-Moraño, J., Portela, R., Bauer, W., Zwattendorfer, B., Eichholz, J., Schneider, T.: Software architecture design. STORK Deliverable D5.8.2a (October 2010), https://www.eid-stork.eu/
  8. 8.
    OASIS: Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard (March 2005)Google Scholar
  9. 9.
    Alcalde-Moraño, J., Hernández-Ardieta, J.L., Johnston, A., Martinez, D., Zwattendorfer, B., Stern, M., Heppe, J.: Interface specification. STORK Deliverable D5.8.2b (October 2010), https://www.eid-stork.eu/
  10. 10.
    OASIS: Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard (March 2005)Google Scholar
  11. 11.
    Stone-Gross, B., Sigal, D., Cohn, R., Morse, J., Almeroth, K., Kruegel, C.: VeriKey: A dynamic certificate verification system for public key exchanges. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 44–63. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    OASIS: Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard (March 2005)Google Scholar
  13. 13.
    OASIS: Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard (March 2005)Google Scholar
  14. 14.
    OASIS: SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0. OASIS Committee Specification (August 2010)Google Scholar
  15. 15.
    Gajek, S., Liao, L., Schwenk, J.: Stronger TLS bindings for SAML assertions and SAML artifacts. In: Proc. of ACM SWS 2008, pp. 11–19 (October 2008)Google Scholar
  16. 16.
    Trusted Computing Group, https://www.trustedcomputinggroup.org
  17. 17.
    Manulis, M., Leroy, D., Koeune, F., Bonaventure, O., Quisquater, J.-J.: Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home. In: Proc. of ASIACCS 2009, pp. 92–103 (2009)Google Scholar
  18. 18.
  19. 19.
    Linden, M., Viitanen, V.: Roaming Network Access Using Shibboleth. In: TERENA Networking Conference 2004, pp. 1–1 (2004)Google Scholar
  20. 20.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Diana Berbecaru
    • 1
  • Antonio Lioy
    • 1
  • Marco Domenico Aime
    • 1
  1. 1.Dip. di Automatica e InformaticaPolitecnico di TorinoTorinoItaly

Personalised recommendations