A Web Service Architecture for Decentralised Identity- and Attribute-Based Access Control

The loosely coupled nature of Service-oriented Architectures raises the question of how information for access control can be managed in an efficient way. Several specifications for Web Services exist to describe security requirements and to facilitate the provision of identity information. However, integrating different standards for expressing identity information in policies, claims and assertions brings increased complexity. In order to identify and address the problems that occur with the combined use of standards such as XACML, SAML and WS-Trust, we designed and implemented an architecture for identity- and attribute-based access control in decentralized environments. Our implementation provides an automated generation of access control policies in XACML, a way to communicate required user attributes as claims across different domains based on the standards WS-Trust and WS-Policy, and a consistent mapping of retrieved attribute assertions to the XACML attributes in the access control policy.
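The last two points of the abstract, a service stating which claims it requires and the relying party mapping a retrieved SAML attribute assertion onto XACML request-context attributes, can be illustrated with a small mapping layer. The code below is an added example and is not the paper's implementation: the SAML 2.0 and XACML 2.0 namespaces and the standard subject-id/resource-id/action-id identifiers are real, but the `urn:example:*` attribute names, the `ATTRIBUTE_MAP` table, the required-claim list and the sample assertion are constructed for this illustration. It shows the one property the abstract calls "consistent mapping": every attribute the policy refers to is produced from exactly one known SAML attribute, and anything the identity provider asserts that has no mapping is reported rather than silently forwarded to the policy decision point.

```python
"""Map a SAML 2.0 AttributeStatement onto XACML 2.0 request-context attributes.

Added example, not code from the paper. Attribute names under urn:example:
and the mapping table are constructed; the namespaces and the XACML 1.0
subject-id / resource-id / action-id identifiers are the standard ones.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
NS = {"saml": SAML_NS}
ET.register_namespace("xacml-context", XACML_NS)

# Constructed mapping: SAML attribute Name -> (XACML AttributeId, DataType).
# This table is the single place where policy-side attribute ids and
# assertion-side attribute names are tied together.
ATTRIBUTE_MAP = {
    "urn:example:role": ("urn:example:xacml:subject:role", XS_STRING),
    "urn:example:department": ("urn:example:xacml:subject:department", XS_STRING),
}

# Constructed sample assertion from a hypothetical identity provider.
# It carries one attribute (shoe-size) that no policy ever asks for.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:role">
      <saml:AttributeValue>physician</saml:AttributeValue>
      <saml:AttributeValue>researcher</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:department">
      <saml:AttributeValue>cardiology</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:shoe-size">
      <saml:AttributeValue>42</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_saml_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_xacml(saml_attrs):
    """Translate asserted attributes through ATTRIBUTE_MAP.

    Returns (mapped, unmapped): mapped is a list of (AttributeId, DataType,
    values); unmapped lists asserted names with no policy counterpart, which
    are dropped so the PDP only ever sees attributes the policy defines.
    """
    mapped, unmapped = [], []
    for name, values in saml_attrs.items():
        if name in ATTRIBUTE_MAP:
            attr_id, dtype = ATTRIBUTE_MAP[name]
            mapped.append((attr_id, dtype, values))
        else:
            unmapped.append(name)
    return mapped, unmapped


def missing_claims(required_ids, mapped):
    """Required XACML attribute ids (the service's claim requirements) that
    the assertion did not supply; a non-empty result means the request
    cannot be evaluated yet and further claims must be obtained."""
    present = {attr_id for attr_id, _, _ in mapped}
    return sorted(set(required_ids) - present)


def _q(tag):
    return "{%s}%s" % (XACML_NS, tag)


def _add_attr(parent, attr_id, dtype, values):
    a = ET.SubElement(parent, _q("Attribute"), AttributeId=attr_id, DataType=dtype)
    for v in values:
        ET.SubElement(a, _q("AttributeValue")).text = v


def build_xacml_request(subject_id, mapped, resource_id, action_id):
    """Serialise an XACML 2.0 request context with the mapped subject attributes."""
    req = ET.Element(_q("Request"))
    subj = ET.SubElement(req, _q("Subject"))
    _add_attr(subj, "urn:oasis:names:tc:xacml:1.0:subject:subject-id", XS_STRING, [subject_id])
    for attr_id, dtype, values in mapped:
        _add_attr(subj, attr_id, dtype, values)
    res = ET.SubElement(req, _q("Resource"))
    _add_attr(res, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", XS_ANYURI, [resource_id])
    act = ET.SubElement(req, _q("Action"))
    _add_attr(act, "urn:oasis:names:tc:xacml:1.0:action:action-id", XS_STRING, [action_id])
    ET.SubElement(req, _q("Environment"))  # mandatory in XACML 2.0, may be empty
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    attrs = extract_saml_attributes(SAMPLE_ASSERTION)
    mapped, unmapped = map_to_xacml(attrs)
    print("unmapped, dropped:", unmapped)
    print("missing:", missing_claims(["urn:example:xacml:subject:role"], mapped))
    print(build_xacml_request("alice", mapped, "https://service.example.org/records", "read"))
```

The claim-requirement check is deliberately separated from request construction: in the architecture the abstract describes, the required claims are advertised in the service's policy and a missing claim is a reason to go back to the identity provider for another assertion, not a reason to build a request the PDP will simply deny for lack of attributes.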
