1 |
Um Mecanismo de Integração de Identidades Federadas entre Shibboleth e SimpleSAMLphp para aplicações de Nuvens. / A Federated Identity Integration Mechanism between Shibboleth and SimpleSAMLphp for Cloud Applications.
BATISTA NETO, Luiz Aurélio 19 October 2014
Submitted by Maria Aparecida (cidazen@gmail.com) on 2017-08-04T14:25:51Z
No. of bitstreams: 1
Luiz Aurélio Batista Neto.pdf: 2595761 bytes, checksum: 07f714d6c1f7297c78081b105edc8633 (MD5) / Made available in DSpace on 2017-08-04T14:25:51Z (GMT).
Previous issue date: 2014-10-19 / CAPES / Cloud computing applications are vulnerable to security threats originating
from the Internet, because resources are shared with other users and managed by third
parties. The diversity of services and technologies also remains a challenge for
integrating identities and user data in a distributed context. To address these issues,
identity management techniques, especially those using a federated approach, are
fundamental to protecting information from unauthorized access and to allowing the
exchange of resources between parties that trust one another. The objective of this
work is to develop a model that allows integration between identity providers through
the Security Assertion Markup Language (SAML) protocol, in order to provide access
to applications in multiple Cloud Computing domains. In this scenario, each
domain groups users and services according to the user-representation mechanism
of the identity management system used (Shibboleth or SimpleSAMLphp).
The proposed model is implemented to verify its applicability. In the experiments,
carried out by computer simulation, the results obtained demonstrate the feasibility
of the presented model.
|
2 |
Federated Identity Management : AD FS for single sign-on and federated identity management
Wikblom, Carl January 2012
Organizations are continuously expanding their use of computer services. As the number of applications in an organization grows, so does the load on the user management. Registering and unregistering users, both from within the organization and from partner organizations, as well as managing their privileges and providing support, all accumulate significant costs for the user management. FIdM is a solution that can centralize user management, allow partner organizations to federate, ease users’ password management, provide SSO functionality and externalize the authentication logic from application development. An FIdM system with two organizations, AD FS and two applications has been deployed. The applications are constructed in .NET, with WIF, and in Java using a custom implementation of WS-Federation. In order to evaluate the system, a functional test and a security analysis have been performed. The result of the functional test shows that the system has been implemented successfully. With the use of AD FS, users from both organizations are able to authenticate within their own organization and are then able to access the applications in the organizations without any repeated authentication. The result of the security analysis shows that the overall security in the system is good. The use of AD FS does not allow anyone to bypass authentication. However, the standard integration of WIF in the .NET application makes it more susceptible to a DoS attack. It has been indicated that FIdM can have positive effects on an organization’s user management, a user’s password management and login procedures, and authentication logic in application development, while still maintaining a good level of security.
|
3 |
A Framework To Implement OpenID Connect Protocol For Federated Identity Management In Enterprises
Rasiwasia, Akshay January 2017
Federated Identity Management (FIM) and Single-Sign-On (SSO) concepts improve both productivity and security for organizations by assigning the responsibility of user data management and authentication to one single central entity called the identity provider; consequently, the users have to maintain only one set of credentials to access resources at multiple service providers. The implementation of any FIM and SSO protocol is complex due to the involvement of multiple organizations, sensitive user data, and myriad security issues. There are many instances of faulty implementations that compromised on security for ease of implementation due to lack of proper guidance. OpenID Connect (OIDC) is the latest protocol for implementing Federated Identity Management; it is an open standard, lightweight and platform independent, offers several advantages over the legacy protocols, and is expected to have widespread use. An implementation framework that addresses all the important aspects of the FIM lifecycle is required to ensure the proper application of the OIDC protocol at the enterprise level. In this research work, an implementation framework was designed for the OIDC protocol by incorporating all the important requirements from a managerial, technical and security perspective of an enterprise-level federated identity management. The research work closely follows the design science research process, and the framework was evaluated for its completeness, efficiency, and usability.
|
4 |
SECURE MIDDLEWARE FOR FEDERATED NETWORK PERFORMANCE MONITORING
Kulkarni, Shweta Samir 06 August 2013
No description available.
|
5 |
SSASy: A Self-Sovereign Authentication Scheme
Manzi, Olivier January 2023
Amidst the wild west of user authentication, this study introduces a new sheriff in town: the Self-Sovereign Authentication Scheme (SSASy). Traditional authentication methods, like passwords, are often fraught with usability and security concerns, leading users to find workaround ways that compromise the intended security. Federated Identities (FI) offer a convenient alternative, yet, they infringe on users' sovereignty over their identity and lead to privacy concerns. To address these challenges, this study proposes SSASy, which leverages cryptography and browser technology to provide a sovereign, usable, and secure alternative to the existing user authentication schemes. The proposal, which is a proof-of-concept, is comprised of a core library, which provides the authentication protocol to developers, and a browser extension that simplifies the authentication process for users. SSASy is available as an open-source project on GitHub for practical demonstration on multiple browser stores, bringing our theoretical study into the realm of tangible, real-world application. SSASy is evaluated and compared to existing authentication schemes using the "Usability-Deployability-Security" (UDS) framework. The results demonstrate that, although other authentication schemes may excel in a specific dimension, SSASy delivers a more balanced performance across the three dimensions which makes it a promising alternative.
|
6 |
Single Sign-On : Risks and Opportunities of Using SSO (Single Sign-On) in a Complex System Environment with Focus on Overall Security Aspects
Cakir, Ece January 2013
The main concern of this thesis is to help design a secure and reliable network system, which keeps growing in complexity due to the interfaces with multiple logging sub-systems, and to ensure the safety of the network environment for everyone involved. The parties involved in network systems always need to develop new solutions to security problems and strive for secure access to a network so that they can do their jobs in safe computing environments. The implementation and use of SSO (Single Sign-On), offering a secure and reliable network in complex systems, has been specifically defined for the overall security aspects of enterprises. The information to be used within and outside the organization was structured layer by layer according to the organizational needs to define the sub-systems. The users in the enterprise were defined according to their role-based profiles. Structuring the information layer by layer was shown to improve the level of security by providing multiple authentication mechanisms. Before implementing an SSO system, the necessary requirements are identified. Thereafter, user identity management and different authentication mechanisms were defined together with the network protocols and standards to ensure a safe exchange of information within and outside the organization. Market research was conducted on SSO solutions. A threat and risk analysis was conducted according to the ISO/IEC 27003:2010 standard. The degree of threat and risk was evaluated by considering their consequences and possibilities. These evaluations were processed by risk treatments. MoDAF (Ministry of Defence Architecture Framework) was used to show what kind of resources, applications and other system-related information are needed and exchanged in the network. In essence, some suggestions were made concerning the ideas of implementing SSO solutions presented in the discussion and analysis chapter.
|
7 |
Securing Cloud Storage Service
Zapolskas, Vytautas January 2012
Cloud computing brought flexibility, scalability, and capital cost savings to the IT industry. As more companies turn to cloud solutions, securing cloud-based services becomes increasingly important, because for many organizations the final barrier to adopting cloud computing is whether it is sufficiently secure. More users rely on cloud storage, mainly because it can be used by multiple devices (e.g. smart phones, tablets, notebooks, etc.) at the same time. These services often offer adequate protection for users' private data. However, there were cases where users' private data was accessible to other users, since this data is stored in a multi-tenant environment. These incidents reduce trust in cloud storage service providers, hence there is a need to securely migrate data from one cloud storage provider to another. This thesis proposes a design of a service for providing Security as a Service for cloud brokers in a federated cloud. This scheme allows customers to securely migrate from one provider to another. To enable the design of this scheme, possible security and privacy risks of a cloud storage service were analysed and identified. Moreover, in order to successfully protect private data, data protection requirements (for data retention, sanitization, and processing) were analysed. The proposed service scheme utilizes various encryption techniques and also includes identity and key management mechanisms, such as "federated identity management". While our proposed design meets most of the defined security and privacy requirements, it is still unknown how to properly handle data sanitization, to meet data protection requirements, and provide users data recovery capabilities (backups, versioning, etc.).
|