
Levels of Assurance and Reauthentication in Federated Environments

  • Conference paper
Public Key Infrastructure (EuroPKI 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5057)


Abstract

This paper presents a generic proposal for improving existing IdM systems by enabling service providers to determine whether the SSO credentials presented by a user satisfy some minimum requirements. For example, a service provider may require the users to have been authenticated using a method labelled with a particular level of assurance, or with a credential issued by a specific identity provider. Thus, a user initially authenticated by a username and password might not be allowed to access a service that requires a stronger mechanism, such as public key certificates. Similarly, access to some critical service may be restricted to users belonging to a specific organization. The main contribution of this paper is a generic infrastructure that defines the mechanisms to enforce access control policies based on levels of assurance and multiple identities, and that also provides the means to find and redirect the users to the appropriate authentication service when reauthentication is required.
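The service-provider side of the decision described in the abstract, as an added example that is not code from the paper: a policy states the minimum level of assurance and, optionally, the identity providers a user must come from; the evaluator compares the presented SSO assertion against it and either permits, denies (unknown LoA label, fail closed), or asks for reauthentication, naming the LoA and the IdPs that would satisfy the policy. The LoA labels, IdP hostnames and dataclass layout are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Ordered levels of assurance, weakest first. Labels are constructed for this
# example; the paper does not fix a naming scheme for LoA labels.
LOA_ORDER = ("password", "otp", "x509")

@dataclass(frozen=True)
class Assertion:
    subject: str   # the authenticated user
    issuer: str    # identity provider that performed the authentication
    loa: str       # level of assurance of the authentication method used

@dataclass(frozen=True)
class ServicePolicy:
    min_loa: str
    allowed_issuers: Optional[FrozenSet[str]] = None  # None means any federated IdP

@dataclass(frozen=True)
class Decision:
    outcome: str                                   # "permit", "reauthenticate" or "deny"
    required_loa: Optional[str] = None             # minimum LoA the user must reach
    redirect_to: Optional[FrozenSet[str]] = None   # IdPs acceptable for reauthentication

def _rank(loa: str) -> Optional[int]:
    return LOA_ORDER.index(loa) if loa in LOA_ORDER else None

def evaluate(policy: ServicePolicy, a: Assertion) -> Decision:
    """Decide whether the presented SSO credential satisfies the service policy."""
    presented, required = _rank(a.loa), _rank(policy.min_loa)
    if presented is None or required is None:
        # Unknown LoA label: fail closed rather than guess its strength.
        return Decision("deny")
    if policy.allowed_issuers is not None and a.issuer not in policy.allowed_issuers:
        # Wrong organisation: the user may hold another identity at an
        # acceptable IdP, so redirect there instead of refusing outright.
        return Decision("reauthenticate", policy.min_loa, policy.allowed_issuers)
    if presented < required:
        # Same IdP is acceptable, but the user must authenticate with a stronger method.
        return Decision("reauthenticate", policy.min_loa, frozenset({a.issuer}))
    return Decision("permit")

if __name__ == "__main__":
    # Constructed sample: a service that demands certificates from one organisation's IdP.
    pol = ServicePolicy(min_loa="x509", allowed_issuers=frozenset({"idp.org-a.example"}))
    print(evaluate(pol, Assertion("alice", "idp.org-a.example", "password")))
```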

This work has been partially funded by SWIFT (FP7 project, Grant Number 215832). Thanks also to the Funding Program for Research Groups of Excellence with code 04552/GERM/06 granted by the Fundación Séneca.




Editor information

Stig F. Mjølsnes, Sjouke Mauw, Sokratis K. Katsikas


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sánchez, M., Cánovas, Ó., López, G., Gómez-Skarmeta, A.F. (2008). Levels of Assurance and Reauthentication in Federated Environments. In: Mjølsnes, S.F., Mauw, S., Katsikas, S.K. (eds) Public Key Infrastructure. EuroPKI 2008. Lecture Notes in Computer Science, vol 5057. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69485-4_7


  • DOI: https://doi.org/10.1007/978-3-540-69485-4_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69484-7

  • Online ISBN: 978-3-540-69485-4

  • eBook Packages: Computer Science (R0)
