Abstract
This paper presents the details of a Single Sign On (SSO) proposal that takes advantage of previously deployed authentication mechanisms. The main goal is to establish a link between authentication methods at different levels in order to provide a seamless global SSO. Specifically, users are authenticated once, during the network access control phase. Having authenticated to get onto the network using 802.1X, that authentication automatically fetches the necessary signed tokens, so that there is no need to repeat the login at the application layer. The application-level authentication is therefore bootstrapped from the network access. As we will see, this involves the generation of signed SAML tokens, which users obtain through a PEAP channel able to deliver the appropriate authentication credentials. Users then contact a federation-level validation service; there is no need to re-authenticate the user, and only a query of the related user attributes is necessary in some cases.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Sánchez, M., López, G., Cánovas, Ó., Gómez-Skarmeta, A.F. (2007). Bootstrapping a Global SSO from Network Access Control Mechanisms. In: Lopez, J., Samarati, P., Ferrer, J.L. (eds) Public Key Infrastructure. EuroPKI 2007. Lecture Notes in Computer Science, vol 4582. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73408-6_12
DOI: https://doi.org/10.1007/978-3-540-73408-6_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73407-9
Online ISBN: 978-3-540-73408-6
eBook Packages: Computer Science (R0)