
A Heterogeneous Network Access Service Based on PERMIS and SAML

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3545)

Abstract

The expansion of inter-organizational scenarios based on different authorization schemes requires integration solutions that allow distinct authorization domains to share protected resources. This paper analyzes several emerging technologies. On the one hand, there are two XML-based standards: SAML, which is widely accepted as a language to express and exchange authorization data, and XACML, which constitutes a promising framework for access control policies. On the other hand, PERMIS is a trust management system for X.509 attribute certificates (ACs) that includes a powerful authorization decision engine governed by the PERMIS XML policy. This paper presents a sample scenario in which domains using these technologies are integrated, allowing, for example, the use of attribute certificates in a SAML environment and the use of the PERMIS authorization engine to decide whether attributes are disclosed or concealed. The design of this scenario is based on a Credential Conversion Service (CCS), which converts ACs into SAML attributes, and a User Attribute Manager (UAM), which controls the disclosure of credentials. These modules are governed by policies defining the conversion process (the Conversion Policy) and the disclosure of attributes (the Disclosure Policy).
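The two-stage pipeline the abstract describes (CCS conversion under a Conversion Policy, then UAM filtering under a Disclosure Policy) can be sketched as follows. This is an added illustration, not code or policy syntax from the paper: the dict representation of the AC, the OIDs, the policy shapes, and the domain names are all assumptions; only the SAML 1.1 AttributeStatement element names are standard.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: an X.509 AC already parsed into a dict (real ACs are
# ASN.1/DER; parsing is out of scope). OIDs and names are assumptions.
SAMPLE_AC = {
    "holder": "CN=alice,O=UniversityA",
    "attributes": {"2.5.4.72": ["student", "labmember"],      # role
                   "1.3.6.1.4.1.99999.1": ["project-x"]},     # hypothetical OID
}
# Conversion Policy (assumed shape): AC attribute OID -> (SAML name, namespace).
CONVERSION_POLICY = {
    "2.5.4.72": ("eduPersonAffiliation", "urn:mace:dir:attribute-def"),
    "1.3.6.1.4.1.99999.1": ("projectMembership", "urn:example:attr"),
}
# Disclosure Policy (assumed shape): target domain -> attribute names it may see.
DISCLOSURE_POLICY = {
    "wlan.universityb.example": {"eduPersonAffiliation"},
    "grid.universityb.example": {"eduPersonAffiliation", "projectMembership"},
}

def convert_ac(ac, policy=CONVERSION_POLICY):
    """CCS step: map AC attributes to SAML attributes; unmapped OIDs are dropped."""
    out = {}
    for oid, values in ac["attributes"].items():
        if oid in policy:
            name, ns = policy[oid]
            out[(name, ns)] = list(values)
    return out

def disclose(attrs, target, policy=DISCLOSURE_POLICY):
    """UAM step: keep only what the Disclosure Policy allows; unknown target -> nothing."""
    allowed = policy.get(target, set())
    return {k: v for k, v in attrs.items() if k[0] in allowed}

def attribute_statement(ac, target):
    """Run CCS then UAM and emit a SAML 1.1 AttributeStatement as XML text."""
    attrs = disclose(convert_ac(ac), target)
    stmt = ET.Element(f"{{{SAML1_NS}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML1_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML1_NS}}}NameIdentifier").text = ac["holder"]
    for (name, ns), values in attrs.items():
        a = ET.SubElement(stmt, f"{{{SAML1_NS}}}Attribute",
                          AttributeName=name, AttributeNamespace=ns)
        for v in values:
            ET.SubElement(a, f"{{{SAML1_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")
```

Note that an unknown requesting domain receives no attributes at all, so a missing Disclosure Policy entry fails closed rather than leaking the full converted set.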




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg


Cite this paper

López, G., Cánovas, Ó., Gómez-Skarmeta, A.F., Otenko, S., Chadwick, D.W. (2005). A Heterogeneous Network Access Service Based on PERMIS and SAML. In: Chadwick, D., Zhao, G. (eds) Public Key Infrastructure. EuroPKI 2005. Lecture Notes in Computer Science, vol 3545. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11533733_4


  • DOI: https://doi.org/10.1007/11533733_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28062-0

  • Online ISBN: 978-3-540-31585-8
