Federated Identity Management Systems Research Articles

A Unified Federated Framework for Internet-of-Things Security Challenges


 The protection of sensitive information is among the top priorities of organizations that are involved in manufacturing. Because of this, businesses are afraid of sharing their data with other parties so that they may construct predictive and prognostic models. In such a situation, it is difficult to construct complete models to forecast the breakdown of assets since data from a single firm would not provide the needed range of operating regimes and failure types. Recently, the Internet of Things (IoT) has gotten a lot of interest because of the vast variety of applications it has in numerous fields that communicate across multiple levels of the Internet infrastructure. The Internet of Things is composed of three layers: the physical layer, the network layer, and the application layer. This paper discusses security threats and responses for each layer of the IoT. The research examines different current state-of-the-art IoT security frameworks and suggests a unified IoT network security framework name "A Unified Federated Security Framework." The fuzzy cognitive maps used in the proposed framework are used to represent and evaluate trust connections between entities in federated identity management systems. For Internet of Things networks, the unified federated security architecture suggested in this paper offers comprehensive security characteristics. It also allows for the accurate categorization of all assaults and the capture of the different dangers, which allows for the development and implementation of improved defenses.

A Survey on Federated Identity Management Systems Limitation and Solutions

An efficient identity management system has become one of the fundamental requirements for ensuring safe, secure, and transparent use of identifiable information and attributes. Federated Identity Management (FIdM) allows users to distribute their identity information across security domains which increases the portability of their digital identities, and it is considered a promising approach to facilitate secure resource sharing among collaborating participants in heterogeneous IT environments. However, it also raises new architectural challenges and significant security and privacy issues that need to be mitigated. In this paper, we provide a comparison between FIdM architectures, presented the limitations and risks in FIdM system, and discuss the results and proposed solutions.

Can We Create a Cross-Domain Federated Identity for the Industrial Internet of Things without Google?

Providing a cross-domain federated identity is essential for next-generation Internet services because information about user identity should be seamlessly exchanged across different domains for authentication and authorization. Federated identity can enable users to use various services through a single account. However, conventional federated identity management systems necessarily require a trustworthy identity provider who stores user identity information and presents it to other service providers. Unfortunately, this requirement may not be acceptable in Industrial Internet of Things (IIoT) applications, which often require interacting and authenticating with users and devices across different domains. Who will take full responsibility for managing and issuing all digital identities for IIoT devices? Can we really trust one superpower organization to manage all the identities and credentials of IIoT devices? In this article, we provide an overview of centralized and decentralized identity management methods and examine the feasibility of those methods for IIoT applications. To overcome the inherent limitations of existing approaches, we are specifically interested in designing decentralized cross-domain federated identity management using blockchain. Our Copernican idea brings new and important perspectives in establishing universal cosmopolitan cross-domain federated identity management in a secure and fair manner.

FCMDT: A novel fuzzy cognitive maps dynamic trust model for cloud federated identity management

Efficient identity management system has become one of the fundamental requirements for ensuring safe, secure and transparent use of cloud services. In such a borderless environment, entities belonging to different network domains need to cooperate dynamically with each other by exchanging and sharing a significant amount of personal information in a scalable, effective and seamless manner. The traditional approach to address this challenge has been identity federation, aiming to simplify the user experience by aggregating distributed rights and permissions. However, the current federated identity management solutions are missing mechanisms to achieve agile and dynamic trust management, which remains one of the biggest obstacles to their wide adoption in cloud computing. In this paper, we aim to address this issue by introducing a novel dynamic trust model for Federated Identity Management. The proposed model relies on fuzzy cognitive maps for modeling and evaluating trust relationships between the involved entities in federated identity management systems. This trust mechanism facilitates the creation of trust relationships between prior unknown entities in a secure and dynamic way and makes Federated Identity Management systems more scalable and flexible to deploy and maintain in cloud computing environments. In addition, we propose a set of trust features for Federated Identity Management, which serves as a basis for modeling and quantifying the trust level of unknown entities. The effectiveness of the proposed trust model is proven through performance analysis and experimental results.

Fusing Identity Management, HL7 and Blockchain into a Global Healthcare Record Sharing Architecture

Healthcare record sharing among various medical roles is a critical and challenging research problem especially in today’s everchanging global IT solutions. The emergence of blockchain as a new enabling technology brought radical changes to numerous business applications, including healthcare. Blockchain is a trusted distributed ledger that forms a decentral-ized infrastructure. There have been several proposals regarding the sharing of critical healthcare records over blockchain infras-tructure without requiring prior knowledge/trust of the parties involved (patients, service providers, and insurance companies). Another yet important issue is to securely share medical records across various countries for travelling patients to ensure an integrated and ubiquitous healthcare service. In this paper, we present a globally integrated healthcare record sharing architec-ture based on blockchain and HL7 client. Healthcare records are stored at the hosting country and are not stored on the blockchain. This architecture avails medical records of travelling patients temporarily and after performing necessary authentication. The actual authorisation process is performed on a federated identity management system, such as, the Shibboleth. Though there are similarities with identity management systems, our system is unique as it involves the patient in the permission process and discloses to them the identities of entities accessed their health records. Our solution also improves performance and guarantees privacy and security through the use of blockchain and identity management system.

Advances and enhancements in the FabrIc for Frontier Experiments project at Fermilab

The FabrIc for Frontier Experiments (FIFE) project within the Fermilab Scientific Computing Division is charged with integrating offline computing components into a common computing stack for the non-LHC Fermilab experiments, supporting experiment offline computing, and consulting on new, novel workflows. We will discuss the general FIFE onboarding strategy, the upgrades and enhancements in the FIFE toolset, and plans for the coming year. These enhancements include: expansion of opportunistic computing resources (including GPU and high-performance computing resources) available to experiments; assistance with commissioning computing resources at European sites for individual experiments; StashCache repositories for experiments; enhanced job monitoring tools; and a custom workflow management service. Additionally we have completed the first phase of a Federated Identity Management system to make it easier for FIFE users to access Fermilab computing resources.

DCache, towards Federated Identities & Anonymized Delegation

For over a decade, dCache has relied on the authentication and authorization infrastructure (AAI) offered by VOMS, Kerberos, Xrootd etc. Although the established infrastructure has worked well and provided sufficient security, the implementation of procedures and the underlying software is often seen as a burden, especially by smaller communities trying to adopt existing HEP software stacks [1]. Moreover, scientists are increasingly dependent on service portals for data access [2]. In this paper, we describe how federated identity management systems can facilitate the transition from traditional AAI infrastructure to novel solutions like OpenID Connect. We investigate the advantages offered by OpenID Connect in regards to ‘delegation of authentication’ and ‘credential delegation for offline access’. Additionally, we demonstrate how macaroons can provide a more fine-granular authorization mechanism that supports anonymized delegation.

Towards Scalability for Federated Identity Systems for Cloud-Based Environments

As multi-tenant authorization and federated identity management systems for cloud computing matures, the provisioning of services using this paradigm allows maximum efficiency on business that requires access control. However, regarding scalability support, mainly horizontal, some characteristics of those approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using JASIG CAS. This alternative, compared with the recommended distributed memory approach, shown improved efficiency and less overall infrastructure complexity, as well as demanding less 58% of computational resources and improving throughput (requests per second) by 11%.

Secure Inter-Cloud Federated Identity Management using IID

The proposed system support single sign on in inter-cloud environment where user can manage in different cloud environments and provide single set of credential to access different Saas cloud application provided by different cloud service provider without re-authentication. Single sign on defines the ability to authenticate only once in a distributed network and to access several protected services and resources without re-authentication. To achieve this feature the system support federated identity management system. The federated identity management system crosses organizational boundaries. To manage identities of user in this case, a cooperative contract need to be set up between multiple identity providers, using a centralized approach. The proposed system uses third party auditor or third cloud to synchronize the identities of user among different clouds. As the user data are transferred or exchanged between different clouds environment the chances of stealing the data is increased. To avoid this the system is secure from some attacks like identity theft, denial of service etc. and also secure channel is maintained to transfer/exchange information between

Achieving interoperability between federated identity management systems: A case of study

User authentication schemes have been a key research topic in the field of data security for decades. Such schemes are evaluated according to at least two parameters: security and usability. Since a number of secure and usable authentication schemes are available, each institution can select the scheme that is considered to be most appropriate for its security policy. Such a per-site system selection has the following feature: each site has to authorize each user that tries to access its resources. In a world in which users mobility is growing, the feature we have just described forces a huge overhead; both from the site's viewpoint and the users' viewpoint, since each user needs to store different credentials for each site she accesses to.Federated authentication allows users to use their home authentication credentials for gaining access to other institutions services while moving among different institutions. Different federated authentication systems have been designed and implemented. Despite simplified users mobility, one key problem in this area is that, often, different authentication systems do not cooperate or provide a limited interoperability. In this paper we discuss the problem of achieving full interoperability among Federated Identity Management Systems and present, as proof-of-concept, a solution to allow full communication between two federated authentication systems, Shibboleth a de facto standard in this context, and PAPI (Point of Access to Providers of Information). Such a solution leverages an intermediate bridge which joins both federations and features protocols translation during cross-federation Authentication/Authorization (AA) sessions.

Users' willingness to pay for web identity management systems

Electronic services such as virtual communities or electronic commerce demand user authentication. Several more or less successful federated identity management systems have emerged to support authentication across diverse service domains in recent years. In this paper, we explore the determinants for success and failure of such systems with a focus on Germany representing one of the largest markets in Europe. To achieve this goal, we analyze the preferences and willingness to pay of prospective users by conducting a choice-based conjoint analysis. Our results indicate that users prefer simple systems where an intermediary takes care of their data. An additional market analyses confirms these findings and contradicts the assumptions of many researchers, especially in the fields of engineering and computer science, supporting systems with higher and higher levels of privacy and security.

Economic tussles in federated identity management

Federated identity management (FIM) enables a user to authenticate once and access privileged information across disparate domains. FIM’s proponents, who see the technology as providing security and ease of use, include governments and leaders in the IT industry. Indeed, a cornerstone of the current U.S. government’s efforts to secure cyberspace is its “National Strategy for Trusted Identities in Cyberspace” (U.S. Department of Commerce, 2011). Yet adoption of federated identity management systems has been slow.From disputes over liability assignment for authentication failures to concerns over privacy, there have been many explanations for the slow uptake of federated identity management systems. We believe the problem is embedded in stakeholder incentives. We present an economic perspective of stakeholder incentives that sheds light on why some applications have embraced FIM while others have struggled. To do so, we begin by briefly analyzing seven use cases of successful and unsuccessful FIM deployments. From this we identify four critical tussles that may arise between stakeholders when engineering a FIM system. We show how the successful deployments have resolved the tussles, whereas the unsuccessful deployments have not. We conclude by drawing insights on the prospects of future FIM deployments.

Secure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics

Cloud computing is introducing many huge changes to people’s lifestyle and working pattern recently for its multitudinous benefits. However, the security of cloud computing is always the focus of numerous potential cloud customers, and a big barrier for its widespread applications.Companies have increasingly turned to application service providers (ASPs) or Software as a Service (SaaS) vendors to offer specialized web-based services that will cut costs and provide specific and focused applications to users. The complexity of designing, installing, configuring, deploying, and supporting the system with internal resources can be eliminated with this type of methodology, providing great benefit to organizations. However, these models can present an authentication problem for corporations with a large number of external service providers. This paper describes the implementation of Security Assertion Markup Language (SAML) and its capabilities to provide secure single sign-on (SSO) solutions for externally hosted applications, including security measures for federated identity management systems using multifactor authentication ,which also includes Biometric identification.

User-centric identity management using trusted modules

Many service providers want to control access to their services and offer personalized services. This implies that the service provider requests (and stores) personal attributes. However, many service providers are not sure about the correctness of attributes that are disclosed by the user during registration. Federated identity management systems aim at increasing the user-friendliness of authentication procedures, while at the same time ensuring strong authentication to service providers. This paper presents a new flexible approach for user-centric identity management, using trusted modules. Our approach combines several privacy features available in current federated identity management systems and offers extra functionality. For instance, attribute aggregation is supported and the problem of user impersonization by identity providers is tackled.

Federated Identity Management systems in e-government: the case of Italy

Federated Identity Management (FIdM) systems are at the heart of any online service in a public, private or hybrid autonomous cooperating system. This paper reviews and compares several existing approaches for building FIdM systems in the specific sector of e-government by showing Identity Management (IdM) schemes employed by several countries representatives of different realities by size, geographical location and Public Administration (PA) traditions. The paper analyses then the case of Italy by introducing the ongoing effort for defining and developing a nationwide e-government Enterprise Architecture to guarantee a flexible approach for integrated application services, respecting local and central administrations’ autonomy. The paper finally focuses on the FIdM aspects employed within the Italian Enterprise Architecture.

Authentication Trust Metric and Assessment for Federated Identity Management Systems

Authentication Trust Metric and Assessment for Federated Identity Management Systems

2-clickAuth

Internet users often have usernames and passwords at multiple web sites. To simplify things, many sites support federated identity management, which enables users to have a single account allowing them to log on to different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, all of the user’s accounts become compromised. Therefore a more secure authentication method is desirable. This paper implements 2-clickAuth, a multimedia-based challenge-response solution which uses a web camera and a camera phone for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is more secure than passwords while easy to use and distribute. 2-clickAuth is a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. This paper implements an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge, and MySpace.

Identity crisis: user perspectives on multiplicity and control in federated identity management

Federated identity management systems synthesise complex and fragmented user information into a single entity. Literature from the provider's perspective notes this integration extends many benefits to the end user and the privileges provided by digital identity authentication schemes have been well documented from this perspective. Less explored are the perceptions of federation from the user's perspective. This study reports an empirical user study that examines the relationship between identity and technology using contextual interviews, focus groups and cultural probes. It emerges that while current federated systems satisfy user needs by allowing the construction of multiple digital data sets that are moored to a central identifier, they fail to provide the user with control over the capability to act in the ‘hatch’, ‘match’ and ‘dispatch’ phases of the digital identity lifecycle. Ultimately, this reduces the user's trust in providers and results in reluctance to disclose personal details.

Attribute Aggregation in Federated Identity Management

Most federated identity management systems are limited by users' ability to choose only one identity provider per service session. A proposed linking service lets users securely link their various identity provider (IdP) accounts, enabling the system to aggregate attributes from multiple authoritative sources automatically without requiring users to authenticate separately to each IdP.

Trust Negotiation in Identity Management

Most organizations require the verification of personal information before providing services, and the privacy of such information is of growing concern. The authors show how federated identity management systems can better protect users' information when integrated with trust negotiation. In today's increasingly competitive business environment, more and more leading organizations are building Web-based infrastructures to gain the strategic advantages of collaborative networking. However, to facilitate collaboration and fully exploit such infrastructures, organizations must identify each user in the collaborative network as well as the resources each user is authorized to access. User identification and access control must be carried out so as to maximize user convenience and privacy without increasing organizations1 operational costs. A federation can serve as the basic context for determining suitable solutions to this issue. A federation is a set of organizations that establish trust relationships with respect to the identity information-the federated identity information-that is considered valid. A federated identity management system (idM) provides a group of organizations that collaborate with mechanisms for managing and gaining access to user identity information and other resources across organizational boundaries