A Privacy Risk Analysis of Identity Federation Topologies in Single Sign-On (SSO) Web Domain

  • Conference paper
  • Distributed Computing and Artificial Intelligence, Special Sessions I, 20th International Conference (DCAI 2023)

Abstract

Single Sign-On (SSO) allows users to authenticate once and gain access to different web services, so they do not need to present their credentials again for each service. Three main entities are involved in SSO: the user, the Identity Provider (IdP), and the Service Provider (SP), also called the Relying Party (RP). These entities are linked through different relationships under various IdP-SP association models, mainly decentralized, explicit, federated, and bridge. Using SSO under these models, or under combinations of them, in a specific context raises various privacy risks for all entities involved. This paper identifies a set of privacy requirements and outlines the privacy risks for the involved entities in a simple SSO scenario and in federation topologies. With regard to topology, it is vital to consider combinations of different association models with respect to the privacy requirements. To address the common privacy risks, with a focus on user identities, attributes, and changing behavior, the present study proposes a fuzzification system that infers the user’s privacy risk during both the authentication and the access process under the semi-honest and malicious adversary models. Analyzing privacy risks is crucial to securing the web cloud environment, as it helps reduce the likelihood of attacks and identify potential vulnerabilities.



Acknowledgments

We acknowledge the support of the Natural Sciences and Engineering Research Council of Canada (NSERC [funding reference number 03181]).

Corresponding author: Reem Al-Saidi.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Al-Saidi, R., Kobti, Z. (2023). A Privacy Risk Analysis of Identity Federation Topologies in Single Sign-On (SSO) Web Domain. In: Mehmood, R., et al. Distributed Computing and Artificial Intelligence, Special Sessions I, 20th International Conference. DCAI 2023. Lecture Notes in Networks and Systems, vol 741. Springer, Cham. https://doi.org/10.1007/978-3-031-38318-2_37
