Digital Identity Management -  Samia Bouzefrane,  Maryline Laurent

Digital Identity Management (eBook)

eBook download: PDF | EPUB
2015 | 1st edition
272 pages
Elsevier Science (publisher)
978-0-08-100591-0 (ISBN)
85.95 incl. VAT
(CHF 83.95)
In the past four decades, information technology has altered chains of value production, distribution, and information access at a significant rate. These changes, although they have shaken up numerous economic models, have so far not radically challenged the bases of our society. This book addresses our current progress and viewpoints on digital identity management in different fields (social networks, cloud computing, Internet of Things (IoT)), with input from experts in computer science, law, economics and sociology. Within this multidisciplinary and scientific context, having cross-analysed the digital ID issue, it describes the different technical and legal approaches to protect digital identities with a focus on authentication systems, identity federation techniques and privacy preservation solutions. The limitations of these solutions and research issues in this field are also discussed to further understand the changes that are taking place.
  • Offers an overview of the state of discussions and work on the management of digital identities in various contexts, such as social networking, cloud computing and the Internet of Things
  • Describes the advanced technical and legal measures to protect digital identities
  • Contains a strong emphasis on authentication techniques, identity federation tools and technical protection of privacy

Maryline Laurent is Professor in computer networking at Telecom SudParis and Head of the R3S (Network, Systems, Services, Security) research team, SAMOVAR, in Paris, France. She is cofounder of the Institut Mines-Télécom Chair Values and Policies of Personal Information.

2 The Management of Identity by the Federation


Augustin De Miscault

Abstract


A user’s identity can be defined as a set of personal attributes. For example, a forename, surname and date of birth are personal attributes. These attributes can be used to define an identity.

Keywords

Ad hoc architecture

Chief information security officer (CISO)

Extensible markup language (XML)

Hypertext transfer protocol (HTTP)

OAuth 2.0

SAML 2.0

Security assertion markup language (SAML)

Simple object access protocol (SOAP)

Web single sign-on (WebSSO)

2.1 The fundamentals of the identity federation


2.1.1 Identity: a set of personal attributes


A user’s identity can be defined as a set of personal attributes. For example, a forename, surname and date of birth are personal attributes. These attributes can be used to define an identity.

Each application defines its users’ identities according to its needs (see Figure 2.1).

Figure 2.1 Identity: a set of personal attributes

For example, an email application defines an identity via a login, password, a surname and a forename. An e-commerce application can define an identity via an email address, a password, a surname, a forename, an address and a date of birth.

The user possesses an identity on each application. For example, in Figure 2.1, Anne Vanden has an identity on the email application (avanden; *avanden$; Vanden; Anne) and an identity on the e-commerce application (avanden@mail.com; %ava82; Vanden; Anne; 7 Beach Road; 31/03/1982).

From a technical perspective, a user account on an application can be considered equivalent to an identity. A user, then, possesses as many identities as they have accounts.

The user’s identifier is an identity attribute. The identifier has to be unique. The identifier allows the application to find one user out of all of the application’s users. For example the login (avanden) is the identifier for Anne Vanden on the email application, and the email address (avanden@mail.com) is the identifier for Anne Vanden on the e-commerce application.

2.1.2 Identity federation: propagating identity


Identity federation allows a set of applications to refer to a single user, while the user is known by different identities on each application.

By extension, associated with the subject of identity federation, are mechanisms which can be used to propagate the use of an identity from one application to another on the Internet (see Figure 2.2).

Figure 2.2 Identity federation: propagating identity

2.1.3 The concepts of identity federation


All of the standards for identity federation are based on an identity provider (IdP) and the service providers (SP) (see Figure 2.3).

Figure 2.3 The concepts of identity federation

The IdP authenticates the user and propagates their identity.

Facebook and monservicepublic.fr are examples of IdPs.

The SP protects the application. The SP delegates the user’s authentication to the IdP. The SP requests the user’s identifier and attributes from the IdP. The SP is linked to one or several IdPs. Foursquare is an example of a SP linked to Facebook. Online tax services, Chèque Emploi Service Universel (CESU) and Prestation d’Accueil du Jeune Enfant (PAJE) are examples of SPs linked with monservicepublic.fr.

The IdP and SPs exchange an identity token. The identity token contains the user’s identifier and the user’s attributes.

Each identity federation standard defines the format of the token and the request-response protocol used to obtain and consume the identity token. Figure 2.4 shows an example of an identity federation mechanism with the following steps:

Figure 2.4 Example of an identity federation data flow diagram

1) The user seeks to access an application.

2) The SP intercepts the request. The user is not yet authenticated on the SP. The SP requests that the IdP authenticate the user and propagate the user’s identity.

3) The user is not yet authenticated on the IdP, which requests that the user authenticates.

4) The user authenticates.

5) The IdP validates the authentication and transmits the identity token containing the user’s identifier and attributes to the SP.

6) The SP validates the identity token and extracts the identifier and attributes. The user accesses the application.
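The six steps above, as an added example that is not part of the book: a minimal simulation in which the IdP issues an HMAC-signed JSON identity token and the SP validates it before mapping the IdP's identifier onto the application's own identifier (the federation of section 2.1.2). The user and identifiers (Anne Vanden, avanden, avanden@mail.com) follow the chapter's own example; the IdP and SP names, the shared signing key and the token layout are constructed for this illustration and are not taken from any federation standard.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret. A production IdP signs with a private key and
# each SP verifies with the IdP's public key or certificate.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


class IdentityProvider:
    """Authenticates the user and propagates the identity as a signed token."""

    def __init__(self, name, accounts, signing_key):
        self.name = name
        self.accounts = accounts  # identifier -> (password, attributes)
        self.signing_key = signing_key

    def authenticate(self, identifier, password):
        """Steps 3-4: validate the credentials; returns None on failure."""
        record = self.accounts.get(identifier)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return None
        return identifier

    def issue_token(self, identifier, audience, now, lifetime=300):
        """Step 5: build the identity token addressed to one SP."""
        payload = {
            "issuer": self.name,
            "audience": audience,    # the SP this token is meant for
            "subject": identifier,   # the user's identifier at the IdP
            "attributes": self.accounts[identifier][1],
            "issued_at": now,
            "expires_at": now + lifetime,
        }
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class ServiceProvider:
    """Protects an application and delegates authentication to the IdP."""

    def __init__(self, name, trusted_idp, idp_key):
        self.name = name
        self.trusted_idp = trusted_idp
        self.idp_key = idp_key
        self.links = {}  # IdP subject -> this application's own identifier

    def validate_token(self, token, now):
        """Step 6: verify signature, issuer, audience and validity window.
        Returns the payload, or None if any check fails."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # not signed by the IdP, or altered in transit
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["issuer"] != self.trusted_idp or payload["audience"] != self.name:
            return None  # issued by someone else, or meant for another SP
        if not payload["issued_at"] <= now < payload["expires_at"]:
            return None  # outside the validity window
        return payload

    def link(self, idp_subject, local_identifier):
        """Federation: the IdP identifier and the local identifier name one user."""
        self.links[idp_subject] = local_identifier

    def local_identifier(self, payload):
        return self.links.get(payload["subject"])


def demo(now=1_700_000_000.0):
    """Runs the six steps of Figure 2.4, then a few tokens the SP must reject."""
    idp = IdentityProvider("mail-idp", {
        "avanden": ("*avanden$", {"forename": "Anne", "surname": "Vanden"}),
    }, IDP_SIGNING_KEY)
    shop = ServiceProvider("e-commerce", "mail-idp", IDP_SIGNING_KEY)
    shop.link("avanden", "avanden@mail.com")  # Anne's e-commerce identity

    subject = idp.authenticate("avanden", "*avanden$")       # steps 3-4
    token = idp.issue_token(subject, "e-commerce", now)       # step 5
    payload = shop.validate_token(token, now)                 # step 6
    return {
        "attributes": payload["attributes"],
        "local_identifier": shop.local_identifier(payload),
        "wrong_audience": shop.validate_token(idp.issue_token(subject, "other-sp", now), now),
        "expired": shop.validate_token(token, now + 301),
        "tampered": shop.validate_token(token[:-1] + ("0" if token[-1] != "0" else "1"), now),
        "bad_password": idp.authenticate("avanden", "wrong"),
    }
```

The SP never trusts the identifier inside the token until the signature, issuer, audience and validity window have all been checked; the audience check matters because a token the IdP issued for one SP must not be replayable at another, which is the trust relationship section 2.1.4 describes in prose.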

2.1.4 Trust: a prerequisite for identity federation


Identity federation is based on a relationship of trust between the IdP, the SPs and the user:

• the SPs trust the IdP in its ability to authenticate the user and propagate reliable and up-to-date identity attributes. For example, if the IdP transmits the user’s address and telephone number, the SPs expect this information to be accurate and up-to-date;

• the IdP trusts the SPs with regard to what they decide to do with the user’s identity. For example, the IdP ensures that the SPs do not send personal information to third parties without the user’s consent;

• the user trusts the IdP’s ability to protect their identity and privacy. These relationships of trust are conceptualized by the circle of trust (see Figure 2.5);

Figure 2.5 Circle of trust

• the circle of trust is centred on an IdP. The IdP propagates the user’s identity to the SPs;

• the circle of trust may have a governance structure. The IdP and the SPs within a circle of trust are committed to complying with a set of rules and procedures which dictate the way in which exchanges must be carried out;

• the circle of trust can help to contractualize trust.

2.1.5 Stakeholders in identity federation


Identity federation involves several stakeholders:








2.2 The technical limitations of solutions before identity federation


Identity federation enables several technical limitations to be overcome. Namely:

• using Web Single Sign-On (WebSSO) and propagating the identity beyond a Domain Name Service (DNS) domain;

• propagating the user’s identity during the use of web services.

2.2.1 Using WebSSO beyond a DNS domain


2.2.1.1 The advantages of WebSSO: ergonomics, security and administration

If a user seeks to access several applications, typically, each application requires authentication.

This set-up has several drawbacks (see Figure 2.6):

Figure 2.6 Accessing applications without WebSSO

• the user must be authenticated on each of the applications;

• the user has a password for each application;

• the application manager has to manage the users’ logins/passwords. They must, for example, define a password policy, manage the resetting of passwords in case of loss, and ensure that the password is protected;

• the CISO cannot centralize access management. The application managers are the only ones in charge of access management.

WebSSO is set up within companies to remedy these drawbacks (see Figure 2.7).

Figure 2.7 WebSSO data flow diagram

The steps of WebSSO are as follows (see Figure 2.7):

1) The user seeks to access an application. A WebSSO agent, in front of the web application, intercepts the request.

2) The WebSSO agent redirects the user toward the authentication server.

3) The user authenticates on the authentication server, which places a session cookie on the user’s browser. The cookie contains the user’s identifier (if the user already has a valid session cookie for the authentication server, then this step is skipped).

4) The authentication server redirects the user to the application. The WebSSO agent, in front of the web application, intercepts the request, verifies the cookie’s validity (signature and expiration date) and retrieves the user’s connection...
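The WebSSO steps above, as an added example that is not part of the book: a simulation of the authentication server, two WebSSO agents and a browser cookie jar that applies the DNS-domain rule browsers use for cookies. It shows why WebSSO stops at the DNS domain (the limitation named in section 2.2.1): the session cookie set for the company's domain is never sent to a host in another domain, so an agent there only ever sees an unauthenticated request. The host names, the shared key, the cookie layout and the user (avanden, reused from the chapter) are constructed for this illustration.

```python
import hashlib
import hmac

# Constructed key shared by the authentication server and its WebSSO agents.
SSO_KEY = b"constructed-authentication-server-key"
COOKIE_NAME = "sso_session"


def domain_matches(host, cookie_domain):
    """RFC 6265 domain matching: a cookie set for company.example is sent to
    company.example and its subdomains, never to partner.example."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


class Browser:
    """A cookie jar that only hands a cookie to hosts within its domain."""

    def __init__(self):
        self.jar = []  # (cookie_domain, name, value)

    def set_cookie(self, cookie_domain, name, value):
        self.jar.append((cookie_domain, name, value))

    def cookies_for(self, host):
        return {n: v for d, n, v in self.jar if domain_matches(host, d)}


class AuthenticationServer:
    """Step 3: authenticates the user and places the signed session cookie."""

    def __init__(self, cookie_domain, key, accounts):
        self.cookie_domain = cookie_domain
        self.key = key
        self.accounts = accounts  # identifier -> password (constructed)

    def login(self, browser, identifier, password, now, lifetime=3600):
        stored = self.accounts.get(identifier)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return False
        body = f"{identifier}|{int(now + lifetime)}"  # identifier + expiry
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        browser.set_cookie(self.cookie_domain, COOKIE_NAME, body + "|" + sig)
        return True


class WebSSOAgent:
    """Sits in front of one web application (steps 1, 2 and 4)."""

    def __init__(self, host, key):
        self.host = host
        self.key = key

    def handle_request(self, browser, now):
        """Returns ("allow", identifier) or ("redirect", "auth-server")."""
        cookie = browser.cookies_for(self.host).get(COOKIE_NAME)
        if cookie is None:
            return ("redirect", "auth-server")  # step 2: no session yet
        try:
            identifier, expires, sig = cookie.rsplit("|", 2)
        except ValueError:
            return ("redirect", "auth-server")  # malformed cookie
        body = f"{identifier}|{expires}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return ("redirect", "auth-server")  # forged or altered cookie
        if now >= int(expires):
            return ("redirect", "auth-server")  # session expired
        return ("allow", identifier)  # step 4: identified without a new login


def demo(now=1_700_000_000):
    """Walks through Figure 2.7 and then the cases the agent must refuse."""
    browser = Browser()
    auth = AuthenticationServer("company.example", SSO_KEY, {"avanden": "*avanden$"})
    mail = WebSSOAgent("mail.company.example", SSO_KEY)
    shop = WebSSOAgent("shop.company.example", SSO_KEY)
    partner = WebSSOAgent("shop.partner.example", SSO_KEY)  # another DNS domain

    results = {"before_login": mail.handle_request(browser, now)}   # steps 1-2
    results["login"] = auth.login(browser, "avanden", "*avanden$", now)  # step 3
    results["mail"] = mail.handle_request(browser, now)               # step 4
    results["shop"] = shop.handle_request(browser, now)               # SSO: no second login
    results["partner"] = partner.handle_request(browser, now)         # cookie never sent
    results["expired"] = mail.handle_request(browser, now + 3601)
    # A cookie written by someone without the key fails the signature check.
    browser.jar = [("company.example", COOKIE_NAME, f"admin|{now + 3600}|" + "0" * 64)]
    results["forged"] = mail.handle_request(browser, now)
    return results
```

The partner agent holds the same key as the company agents, and still cannot identify the user: the browser's domain rule, not the key, is what confines WebSSO to one DNS domain, which is why propagating identity to another domain needs the identity federation exchange of section 2.1 rather than a shared cookie.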

Publication date (per publisher): 2 April 2015
Language: English
ISBN-10 0-08-100591-1 / 0081005911
ISBN-13 978-0-08-100591-0 / 9780081005910