We describe how in today's federated identity management (FIM) systems, such as CardSpace and Shibboleth, service providers (SPs) rely on identity providers (IdPs) to authenticate the users and provide their identity attributes. The SPs then use these attributes for granting or denying users access to their resources. Unfortunately most FIM systems have one significant limitation, which is that the user can only use one IdP within a single SP session, when in many scenarios the user needs to provide attributes from multiple IdPs. We describe how this can be achieved through the introduction of a new service called a linking service. The conceptual model of the linking service is described as well as the mapping of its messages onto today's standard protocols (SAML, Liberty Alliance and WS-*).
We describe a federated identity management service that allows users to access organisational resources using their existing login accounts at social networking and other sites, without compromising the security of the organisation's resources. We utilise and extend the Level of Assurance (LoA) concept to ensure the organisation's site remains secure. Users are empowered to link together their various accounts, including their organizational one with an external one, so that the strongest registration procedure of one linked account can be leveraged by the other sites' login processes that have less stringent registration procedures. Coupled with attribute release from their organizational account, this allows users to escalate their privileges due to either an increased LoA, or additional attributes, or both. The conceptual and architectural designs are described, followed by the implementation details, the user trials we carried out, and a discussion of the current limitations of the system.
This paper describes a conceptual model for attribute aggregation that allows a service provider (SP) to authorise a user's access request based on attributes asserted by multiple identity providers (IdPs), when the user is known by different identities at each of the IdPs. The user only needs to authenticate to one of the IdPs and the SP is given an overall level of assurance (LoA) about the authenticity of the user and his/her attributes. The model employs a new component called a Linking Service (LS), which is a trusted third party under the control of the user, whose purpose is to link together the different IdP accounts that hold a user's attributes, along with their respective LoAs. There are several possible interaction models for communications between the IdPs, the SP, LSs and the user, and each are described. The model is underpinned with a fully specified trust model, which also describes the implications when participants do not fully trust each other as required. Finally, the paper describes how the model has been implemented by mapping onto existing standard protocols based on SAMLv2.
The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.