A Survey of Payment Approaches for Identity Federations in Focus of the SAML Technology

Identity Federations are increasingly being used to establish convenient and secure attribute-based authentication and authorization systems. Whilst this process began mainly in the academic sector, it is assumed that over the next few years more and more commercial Service Providers will join Identity Federations in order to offer their services and products to federated customers. However, the introduction of commercial Service Providers demands a solution for payment, which was not deployed during the early years of Identity Federations. Thus, Service Providers have to implement not only the federation application but also additional payment solutions, a burden that may make the federation appear unattractive to Service Providers, especially semi-commercial ones or those requiring micropayments. Even for large commercial providers entering a federation, the lack of payment support is a major disadvantage that may lead to either customer or profit loss. Thus, although a combination of electronic payment solutions and Identity Federation approaches would provide several benefits to its participants, such combinations have received little investigation. Therefore, this paper analyses electronic payment approaches as well as Identity Federation mechanisms and focuses on a solution to bridge these two aspects. Besides early stages of identity-based payments, fully integrated SAML-based payment approaches, which merge payments and Identity Federation into a powerful business solution, are also highlighted. However, since security is a major concern when focusing on payment solutions, several approaches have been investigated, including security and privacy evaluations, and, within this survey, only those solutions providing a sufficient level of security and privacy have been taken into consideration.
