DOI: 10.1007/11552055_16

Using XACML for privacy control in SAML-based identity federations

Published: 19 September 2005

Abstract

With Federated Identity Management (FIM) protocols, service providers can request user attributes, such as the billing address, from the user's identity provider. Access to this information is managed using so-called Attribute Release Policies (ARPs). In this paper, we first analyze various shortcomings of existing ARP implementations; then, we demonstrate that the eXtensible Access Control Markup Language (XACML) is very suitable for the task. We present an architecture for the integration of XACML ARPs into SAML-based identity providers and specify the policy evaluation workflows. We also introduce our implementation and its integration into the Shibboleth architecture.
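The release decision the abstract describes, as an added example that is not the paper's code or its Shibboleth integration: a minimal evaluator for a subset of XACML 2.0 (Rule Targets built from string-equal SubjectMatch/ResourceMatch elements, the deny-overrides rule-combining algorithm, no Conditions or Obligations). It models the requesting service provider as the XACML Subject and the user attribute being released as the XACML Resource; that mapping, the sample policy, the SP entityIDs and the user's attribute values are all constructed for the example. Attributes for which no rule yields Permit are withheld, so a NotApplicable result falls back to deny rather than release.

```python
"""Toy evaluator for XACML 2.0 attribute release policies (ARPs) in a SAML IdP.
Added example, not the paper's implementation: supports Rule Targets made of
string-equal SubjectMatch/ResourceMatch elements and deny-overrides only."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SP_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"      # requesting SP (XACML Subject)
ATTR_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"  # user attribute (XACML Resource)

# Constructed sample ARP for one user; the entityIDs are made up for the example.
SAMPLE_ARP = f"""<Policy xmlns="{NS}" PolicyId="arp:alice"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="affiliation-to-any-sp" Effect="Permit">
    <Target><Resources><Resource>
      <ResourceMatch MatchId="{EQ}">
        <AttributeValue DataType="{STR}">eduPersonAffiliation</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{ATTR_ID}" DataType="{STR}"/>
      </ResourceMatch>
    </Resource></Resources></Target>
  </Rule>
  <Rule RuleId="billing-address-to-shop-only" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{EQ}">
        <AttributeValue DataType="{STR}">https://shop.example.org/sp</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{SP_ID}" DataType="{STR}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{EQ}">
        <AttributeValue DataType="{STR}">billingAddress</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{ATTR_ID}" DataType="{STR}"/>
      </ResourceMatch></Resource></Resources>
    </Target>
  </Rule>
  <Rule RuleId="nothing-to-blocked-sp" Effect="Deny">
    <Target><Subjects><Subject><SubjectMatch MatchId="{EQ}">
      <AttributeValue DataType="{STR}">https://blocked.example.net/sp</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{SP_ID}" DataType="{STR}"/>
    </SubjectMatch></Subject></Subjects></Target>
  </Rule>
</Policy>"""

CATEGORIES = (  # (container, element, match element, designator element)
    ("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator"),
    ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator"),
)

def _q(tag):
    return f"{{{NS}}}{tag}"

def _all_matches_hold(element, match_tag, designator_tag, request):
    """Matches inside one <Subject>/<Resource> are AND-ed; unknown MatchIds fail closed."""
    for m in element.findall(_q(match_tag)):
        if m.get("MatchId") != EQ:
            return False
        wanted = m.find(_q("AttributeValue")).text
        attr_id = m.find(_q(designator_tag)).get("AttributeId")
        if request.get(attr_id) != wanted:
            return False
    return True

def _target_applies(target, request):
    """Categories present in a Target are AND-ed; the elements inside one category are OR-ed."""
    if target is None:
        return True
    for container, element, match_tag, designator_tag in CATEGORIES:
        cat = target.find(_q(container))
        if cat is not None and not any(
            _all_matches_hold(el, match_tag, designator_tag, request) for el in cat.findall(_q(element))
        ):
            return False
    return True

def load_policy(policy_xml):
    return ET.fromstring(policy_xml)

def decide(policy, request):
    """Deny-overrides: any applicable Deny wins, then Permit, else NotApplicable."""
    if not _target_applies(policy.find(_q("Target")), request):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall(_q("Rule")) if _target_applies(r.find(_q("Target")), request)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def release_attributes(policy, sp_entity_id, requested, user_attributes):
    """Filter an SP's attribute request: release only what an explicit Permit covers
    (NotApplicable is treated as deny, so a missing rule never leaks an attribute)."""
    return {name: user_attributes[name] for name in requested
            if name in user_attributes
            and decide(policy, {SP_ID: sp_entity_id, ATTR_ID: name}) == "Permit"}

if __name__ == "__main__":
    alice = {"eduPersonAffiliation": "member", "billingAddress": "1 Main St", "mail": "alice@example.edu"}
    asked = ["eduPersonAffiliation", "billingAddress", "mail"]
    for sp in ("https://shop.example.org/sp", "https://wiki.example.org/sp", "https://blocked.example.net/sp"):
        print(sp, "->", sorted(release_attributes(load_policy(SAMPLE_ARP), sp, asked, alice)))
```

Run as a script, the shop SP receives the affiliation and billing address but not the mail attribute (no rule covers it), an unlisted SP receives only the affiliation, and the blocked SP receives nothing because its Deny rule overrides the general Permit. A production PDP would also have to handle Conditions, Indeterminate results from missing attributes, and Obligations, none of which this subset covers.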

References

[1]
Cantor, S., Kemp, J., Philpott, R., Maler, E.: Security Assertion Markup Language v2.0. OASIS Security Services Technical Committee Standard (2005).
[2]
Varney, C.: Liberty Alliance -- Privacy and Security Best Practices 2.0. http://project-liberty.org/specs/ (2003).
[3]
Kaler, C., Nadalin, A.: Web Services Federation Language (WS-Federation). http://www-106.ibm.com/developerworks/webservices/library/ws-fed/ (2003).
[4]
Erdos, M., Cantor, S.: Shibboleth architecture (v05). http://shibboleth.internet2.edu/docs/ (2002).
[5]
Moses, T.: OASIS eXtensible Access Control Markup Language 2.0, core specification. OASIS XACML Technical Committee Standard (2005).
[6]
Reagle, J., Cranor, L.F.: The Platform for Privacy Preferences. Communications of the ACM 42(2), ACM Press (1999) 48-55.
[7]
Langheinrich, M.: A P3P Preference Exchange Language -- APPEL 1.0. http://www.w3.org/TR/P3P-preferences/ (2002).
[8]
Nazareth, S., Smith, S.: Using SPKI/SDSI for Distributed Maintenance of Attribute Release Policies in Shibboleth. Technical Report TR2004-485, Department of Computer Science, Dartmouth College, Hanover, NH 03755, USA (2004).
[9]
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylönen, T.: SPKI Certificate Theory. IETF Proposed Standard, RFC 2693 (1999).
[10]
Rivest, R., Lampson, B.: SDSI -- A Simple Distributed Security Infrastructure. Presented at CRYPTO'96 Rumpsession (1996).
[11]
Lepro, R.: Cardea: Dynamic Access Control in Distributed Systems. Technical Report TR NAS-03-020, NASA Advanced Supercomputing Division, Ames (2003).
[12]
Mazzuca, P.: Access Control in a Distributed Decentralized Network: An XML Approach to Network Security. Honors Thesis, Dartmouth College (2004).
[13]
Chadwick, D., Otenko, A.: The PERMIS X.509 Role Based Privilege Management Infrastructure. In: Proceedings of the 7th ACM Symposium on Access Control Models and Technologies. SACMAT, ACM Press (2002) 135-140.
[14]
Anderson, A.H.: The Relationship Between XACML and P3P Privacy Policies. http://research.sun.com/projects/xacml/ (2004).
[15]
Proctor, S.: Sun's XACML implementation. http://sunxacml.sf.net/ (2004).
[16]
Anderson, A.: XML Digital Signature profile of XACML 2.0. OASIS XACML TC Committee Draft, 16 September 2004.


Published In

CMS'05: Proceedings of the 9th IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security
September 2005, 359 pages
ISBN: 3540287914
Editors: Jana Dittmann, Stefan Katzenbeisser, Andreas Uhl

Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

  • (2007) A privacy-enhanced attribute-based access control system. Proceedings of the 21st Annual IFIP WG 11.3 Working Conference on Data and Applications Security, 129-143. doi:10.5555/1770560.1770575. Online publication date: 8 Jul 2007.
  • (2007) Fine-grained access control for GridFTP using SecPAL. Proceedings of the 8th IEEE/ACM International Conference on Grid Computing, 217-225. doi:10.1109/GRID.2007.4354136. Online publication date: 19 Sep 2007.
  • (2006) Privacy Preserving Trust Authorization Framework Using XACML. Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks, 673-678. doi:10.1109/WOWMOM.2006.92. Online publication date: 26 Jun 2006.
  • (2006) Enhancing consumer privacy in the Liberty Alliance identity federation and web services frameworks. Proceedings of the 6th International Conference on Privacy Enhancing Technologies, 59-77. doi:10.1007/11957454_4. Online publication date: 28 Jun 2006.
  • (2006) Adding support to XACML for dynamic delegation of authority in multiple domains. Proceedings of the 10th IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security, 67-86. doi:10.1007/11909033_7. Online publication date: 19 Oct 2006.
  • (2006) Policy-based integration of user and provider-sided identity management. Proceedings of the 2006 International Conference on Emerging Trends in Information and Communication Security, 160-174. doi:10.1007/11766155_12. Online publication date: 6 Jun 2006.
