ABSTRACT
Identity federation is a powerful scheme that links accounts of users maintained separately by different business partners. Network identity is a driver for automating Web Services on the Internet that act on users' behalf while protecting the privacy of their personally identifiable information. Although users of Web Services essentially delegate some or all of their privileges to an entity that performs actions for them, current identity-based systems give insufficient consideration to delegation between the entities hosting Web Services from the viewpoint of identity and privacy. This paper introduces a delegation model for federated identity management systems and proposes a delegation framework that provides solutions for access control in the context of delegation. The framework transfers a user's privileges across entities by encoding them in a delegation assertion that extends SAML (Security Assertion Markup Language). It enables users to manage their own privileges and service providers to control the access of entities based on the privileges users have delegated, with the assistance of a delegation authority, which authorizes delegation by a delegating entity, and an authentication authority, which authenticates users and manages their name identifiers.
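The abstract names four parties: a user, a delegate entity acting for the user, an authentication authority that maps the user to a name identifier, a delegation authority that issues the delegation assertion, and a service provider that enforces the delegated privileges. The following Python is an added illustration of that flow written for this page; it is not the paper's code, and its element names (`DelegationAssertion`, `Delegator`, `Delegate`, `Privilege`, `Audience`), the HMAC standing in for an XML signature, the shared keys and the example URNs are all constructed assumptions rather than the paper's SAML extension. What it shows is the service-provider-side check a practitioner would want: the assertion must be from a trusted delegation authority, unmodified, within its validity window, addressed to this provider, presented by the named delegate, and must actually cover the requested action; the user is referred to only by an SP-specific pseudonymous name identifier.

```python
"""Constructed delegation-assertion flow: delegation authority (DA) issues,
service provider (SP) verifies. Illustrative only; schema and keys are assumptions."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

DA_ISSUER = "urn:example:delegation-authority"          # constructed issuer name
DA_KEY = b"constructed-delegation-authority-key"         # stand-in for DA signing key
AA_SECRET = b"constructed-authentication-authority-key"  # stand-in for AA pseudonym key
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)    # fixed clock for the demo


def pseudonymous_name_id(user: str, sp_id: str) -> str:
    """Authentication authority: derive an SP-specific pseudonym so the SP
    never sees the user's global account name (the privacy requirement)."""
    return hashlib.sha256(AA_SECRET + user.encode() + sp_id.encode()).hexdigest()[:16]


def _mac(fields: dict) -> str:
    # HMAC over a canonical JSON encoding of the assertion fields; stands in
    # for the XML signature a real SAML-based assertion would carry.
    canonical = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(DA_KEY, canonical, hashlib.sha256).hexdigest()


def issue_delegation_assertion(delegator_name_id, delegate, privileges,
                               audience, lifetime_s=300, now=None) -> str:
    """Delegation authority: encode the delegated subset of the user's
    privileges for one delegate and one audience, with a short lifetime."""
    now = now or datetime.now(timezone.utc)
    fields = {
        "issuer": DA_ISSUER,
        "delegator": delegator_name_id,
        "delegate": delegate,
        "privileges": sorted(privileges),
        "audience": audience,
        "not_before": now.isoformat(),
        "not_on_or_after": (now + timedelta(seconds=lifetime_s)).isoformat(),
    }
    root = ET.Element("DelegationAssertion", Issuer=DA_ISSUER,
                      NotBefore=fields["not_before"],
                      NotOnOrAfter=fields["not_on_or_after"])
    ET.SubElement(root, "Delegator").set("NameID", delegator_name_id)
    ET.SubElement(root, "Delegate").set("ProviderID", delegate)
    ET.SubElement(root, "Audience").text = audience
    for priv in fields["privileges"]:
        ET.SubElement(root, "Privilege").text = priv
    root.set("Signature", _mac(fields))
    return ET.tostring(root, encoding="unicode")


def _parse(xml_text: str):
    root = ET.fromstring(xml_text)
    fields = {
        "issuer": root.get("Issuer"),
        "delegator": root.find("Delegator").get("NameID"),
        "delegate": root.find("Delegate").get("ProviderID"),
        "privileges": sorted(p.text for p in root.findall("Privilege")),
        "audience": root.findtext("Audience"),
        "not_before": root.get("NotBefore"),
        "not_on_or_after": root.get("NotOnOrAfter"),
    }
    return fields, root.get("Signature") or ""


def sp_authorize(xml_text, presenter, sp_id, action, now=None):
    """Service provider: decide whether `presenter` may perform `action`
    on the delegator's behalf. Returns (allowed, reason)."""
    now = now or datetime.now(timezone.utc)
    fields, sig = _parse(xml_text)
    if fields["issuer"] != DA_ISSUER:
        return False, "untrusted issuer"
    if not hmac.compare_digest(sig, _mac(fields)):      # integrity/authenticity
        return False, "signature invalid"
    if fields["audience"] != sp_id:                     # not meant for this SP
        return False, "wrong audience"
    not_before = datetime.fromisoformat(fields["not_before"])
    not_on_or_after = datetime.fromisoformat(fields["not_on_or_after"])
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    if fields["delegate"] != presenter:                 # replay by another entity
        return False, "presenter is not the named delegate"
    if action not in fields["privileges"]:              # scope of delegation
        return False, "action not delegated"
    return True, "allowed on behalf of " + fields["delegator"]


def run_demo(now=FIXED_NOW) -> dict:
    """Exercise the flow with constructed parties and return each outcome."""
    sp, delegate = "urn:example:sp-travel", "urn:example:calendar-svc"
    nid = pseudonymous_name_id("alice", sp)
    assertion = issue_delegation_assertion(nid, delegate, ["read:calendar"], sp, now=now)
    tampered = assertion.replace("read:calendar", "write:calendar")
    return {
        "pseudonymous": "alice" not in assertion,
        "ok": sp_authorize(assertion, delegate, sp, "read:calendar", now=now),
        "scope": sp_authorize(assertion, delegate, sp, "write:calendar", now=now),
        "presenter": sp_authorize(assertion, "urn:example:other-svc", sp, "read:calendar", now=now),
        "audience": sp_authorize(assertion, delegate, "urn:example:sp-other", "read:calendar", now=now),
        "expired": sp_authorize(assertion, delegate, sp, "read:calendar",
                                now=now + timedelta(seconds=400)),
        "tampered": sp_authorize(tampered, delegate, sp, "write:calendar", now=now),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The order of checks matters: issuer identification first (it selects the trust anchor), then integrity, and only then the semantic conditions, so a tampered assertion is rejected before any of its claims are interpreted. Binding the assertion to one audience and one named delegate is what stops a delegate from reusing it against another provider or another entity from presenting it.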
Title: A delegation framework for federated identity management