Beruflich Dokumente
Kultur Dokumente
AbstractFederated identity management yields many advantages such as enhanced usability and improved quality of identity
information. Web-based services are already successfully and
widely federated using the Security Assertion Markup Language
(SAML). In terms of usability and quality of identity information
non web-based services benet from being federated in a similar
way web-based services do. However, up to this point no versatile
approach that can be easily integrated has emerged to federate
them. In this paper, we present FACIUS, an architecture that
enables the integration of non web-based services into SAMLbased federations. FACIUS aims at minimizing the integration
effort in terms of both usability and necessary adjustments to
existing service deployments. Furthermore, to prove the practicability of the proposed architecture, we present an implementation
to federate SSH services.
Keywords-Federated identity management; SAML; Shibboleth;
non web-based services
I. I NTRODUCTION
The days pass by when the IT center of a company, or
rather an organization is able to provide any kind of IT service
required by their employees. Instead, those organizations join
service federations to get access to IT services provided by
third parties. Such outsourcing of IT services has been around
for a long time and has been inspired further by innovations
like grid and cloud computing. However, todays users demand
easy access to the services provided by other organizations,
i.e., access by the use of known and already existing accounts
administered by their own organization. In order to use these
accounts to access services provided by third parties, the
integration of the services into IT federations is required.
On the Internet, web-based services emerge that are using
authentication services provided by third parties, such as
Google or Facebook authentication. Furthermore, computing
centers and libraries of the academia deployed federations
for accessing web-based services using the Security Assertion
Markup Language (SAML)1 . Those institutions establish their
federations, or rather so called authentication and authorization
infrastructures (AAIs) by the use of Shibboleth2 or simpleSAMLphp3 (both are implementations of the SAML standard).
In general, federated access based on SAML-implementations
1 http://saml.xml.org/saml-specications
2 http://shibboleth.internet2.edu/.
3 http://simplesamlphp.org/.
557
II. R EQUIREMENTS
In order to derive the requirements that an approach to
federate non web-based services should fulll, we take SSH
services as a reference. In the following, the most important
requirements to federate an SSH service are presented and
generalized. We present demands of the users, the service
providers and the identity providers that can be used to
measure the feasibility of approaches, which federate non webbased services. Despite being deduced from the SSH use case,
the presented requirements are not specic for SSH and apply
for other services as well.
First of all, certain user requirements exist. Aside from
easier access to the service due to the federated nature of it,
the users expect to use the service in the familiar way (i.e., the
way they would use it if it was not federated). The following
requirements from the users perspective can be derived:
A transparent integration of the service into the federation is expected by users. That is, in case of an SSH
service, the users want to use their familiar SSH clients
without patching or upgrading them.
The users expect to be able to use the credentials of the
home organization to access the service. In this case, the
authentication of the user needs to be performed by an
identity provider instead of the service provider. We refer
to this as remote authentication in the remainder of this
paper.
Moreover, service-specic authentication methods should
still be usable. For instance, in case of SSH, public
key based authentication should be supported to preserve
the usability of the service. As in this case the service
provider authenticates the user, we refer to this as local
authentication in the remainder of this paper.
Furthermore, certain service provider requirements need
to be taken into account. The key requirements of service
providers are summarized in the following:
A major aspect for service providers is the deployability
of the approach. That is, the initial effort to federate a
service should be kept as low as possible. For instance,
the necessary implementation effort to apply the approach
to new services should be minimized.
Once deployed, the maintainability of the approach is
of importance to the service provider. For instance, this
558
IV. P RELIMINARIES
The SAML standard differentiates between the user, the
identity provider (IdP) and the service provider (SP). One of
the objectives of SAML is the cross-organizational exchange
of identity information. In short, the user is authenticated by
the IdP that in order to enable the SP to make an authorization decision issues assertions. Assertions are signed (and
optionally encrypted) user attributes that can be used by the SP
to decide whether to grant or deny service access. Furthermore,
the SAML standard differentiates between different use cases
(SAML proles). In the following, we briey explain the
proles, on which FACIUS is based on.
The WebSSO [10] prole is adapted to web-based services.
When accessing a service, the browser of the user is redirected
to a login page of the IdP carrying a SAML request signed
by the SP. Once logged in, the user gets redirected back to
the SP carrying the assertions issued by the IdP. Based on the
contained user attributes, the SP then grants or denies access.
The Enhanced Client or Proxy (ECP) [10] prole addresses clients that do not support browser specic procedures
such as redirects. The necessary steps to exchange identity
information have to be implemented manually, that is, to
retrieve the SAML request, to forward it to the IdP, to retrieve
the assertions and to forward them back to the SP. If the users
client itself implements the ECP logic, the client is called
enhanced client. If the ECP logic is implemented externally,
the component implementing the logic is called enhanced
proxy.
The AssertionQuery [10] prole allows SPs to request assertions about a user without involving him. The SP performs
the request by passing a persistentID to the users IdP. A
persistentID constitutes a unique identier for a combination
of a user, an SP and an IdP that has been established during
a previous WebSSO or ECP login of a user.
V. O UR APPROACH : FACIUS
A. Overview
An overview of FACIUS is given in Figure 1. In accordance
to the SAML standard, we distinguish between the user, the
service provider (SP) and the identity provider (IdP). For the
sake of modularity and security we furthermore differentiate
between nodes the user can get access to (Login-Nodes) and
the actual SAML service provider (SAML-SP). The SAMLSP encapsulates all SAML-specic logic of FACIUS and, to
enhance security, keeps the private key that is used to prove
the SPs authenticity to the IdP unreachable for a potentially
malicious user.
In some cases, it might be favorable to authenticate the
user against the SP instead of the IdP. For instance, consider
public key based authentication via SSH keys deployed at a
server (i.e., the SP). FACIUS distinguishes between two ways
4 http://project-moonshot.org/.
5 http://www.openssh.org/.
559
User
Browser
Service Provider
Login &
Registr.
RegistrationWebapp
Provisioning
Identity
Provider
SAML-SP
AssertionQuery-Stub
ECP-Stub
Login-Node
ServiceClient
RemoteLocalAuthn.
Service
Access
Point (AP)
Access
Control
Module
(AM)
Existing components
Generic components
Registration process
Login process
Fig. 1.
B. Provisioning workow
Partially service-specific
components
Architecture overview
C. Stubs
In order to integrate a service provider into a SAML federation, some SAML-specic logic is necessary. To enhance
modularity and reusability, FACIUS encapsulates this logic
into the SAML-SP. The SAML-SP provides an interface that
is usable by the AM to authenticate a user against an IdP by
a provided password and to retrieve federated user attributes.
This interface is provided by the components ECP-Stub and
AssertionQuery-Stub. In order to keep the interface simple,
secure, and maintainable, we implemented the ECP-Stub and
the AssertionQuery-Stub as web applications. Thus, both
components are based on well understood technologies (e.g.,
Apache6 ) and protocols (i.e., SSL/TLS [11] and HTTP [12]),
which can be leveraged both for simplicity and security.
The ECP-Stub web application takes a user name and a
password as parameters and implements the ECP logic of an
enhanced proxy (cf. Section IV). It requests another resource
r which is protected by the Apache plugin mod shib (which is
6 http://httpd.apache.org/.
560
ServiceClient
IdP
1
3
4
ServiceClient
3 2
Login-Node
5
SAML-SP
4
1
IdP
Login-Node
5 6
SAML-SP
SP
SP
ServiceClient
IdP
4
5
Login-Node
6 3
SAML-SP
SP
Fig. 2.
Login scenarios
561
562
Authentication
Remote Authentication
Local
Methods /
Unmodied Modied
AuthentiRequirements
Client
Client
cation
1) User perspective:
Familiar clients usYes
No
Yes
able
Login with credentials administered by
Yes
Yes
No
the home organization
AAI passwords only
No
Yes
Yes
accessible by the IdP
Operable in parallel
with service-specic
Yes
Yes
Yes
authentication methods
2) Service provider perspective:
Deployability
No major changes needed
Extensive use of standard components
Maintainability
maintained by third parties
Based on widely
SAML-based
used technology
Security
Enhanced by the use of SAML and TLS
Provisioning
Yes
Yes
Yes
Deprovisioning
Yes
Yes
Yes
Performance loss
700 ms
Legal Aspects
User consents can be requested
3) Identity provider perspective:
Legal Aspects
User consents can be requested
No need to modify
Yes
Yes
Yes
IdPs
TABLE I
E VALUATION RESULTS OF FACIUS WITH REGARD TO REQUIREMENTS
IDENTIFIED IN S ECTION II FROM THREE PERSPECTIVES
563
R EFERENCES
[1] J. Linn, Generic security service application program interface - RfC
1508, United States, 1993.
[2] M. Milinovic, J. Rauschenbach, S. Winter, L. Florio, D. Simonsen,
and J. Howlett, Deliverable DS5.1.1: eduroam service denition and
VIII. C ONCLUSION
In this paper, we presented FACIUS, an approach to federate
access to non web-based services using SAML, and applied
it exemplarily to federate SSH services. The approach allows
a user to register via a web interface, which can be leveraged
both for provisioning a certain context the service might need
locally and to get the users consent to submit his data to the
7 http://www.switch.ch/aai/support/tools/uApprove.html.
564