Federated Authentication in a Hierarchy of IdPs by Using Shibboleth
By using widespread single sign-on (SSO) technologies, it is becoming common that services are provided in the form of SSO. However, it is also becoming common that the structure of IdPs is complex. A single person may have an identity in an organization, in its sub-organizations, and possibly in a virtual organization. The problem is that such identities are provided by independent IdPs. Considering that a major motivation of SSO is reducing cost by integrating authentication, this scenario is far from desirable. To solve this problem, we propose a hierarchy of IdPs. In particular, an IdP in a sub-organization can rely on assertions of its parent organization, which enables authentication delegation. Moreover, delegation of authentication introduces a hierarchy of trust. We define its protocol based on the idea that an IdP also issues authentication requests to other IdPs, just as ordinary SPs do. A prototype implementation on Shibboleth is also shown. Our authentication delegation is widely applicable to actual scenarios in hierarchically organized institutions and virtual organizations.
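The following is an added toy model of the delegation idea sketched in the abstract; it is not the paper's protocol, nor Shibboleth code. A sub-organization IdP that has no local account for a user acts as an SP toward its parent IdP, requests an assertion addressed to itself, validates it, and then re-issues an assertion for the original SP. HMAC over a JSON payload stands in for the XML signature of a SAML assertion, and the per-IdP key registry stands in for metadata exchange; organization names, keys and accounts are all constructed. Because `authenticate` recurses to the parent, the model generalizes to any depth of hierarchy, and every assertion records the chain of IdPs that vouched for the subject, which is the "hierarchy of trust" the abstract mentions.

```python
"""Toy model of authentication delegation in a hierarchy of IdPs.

Added illustration, not the paper's protocol or Shibboleth code. HMAC stands in
for XML signatures and the key registry for SAML metadata. All names, keys and
user accounts below are constructed for the example.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field


def _sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(assertion: dict, audience: str, trusted: dict) -> dict:
    """Checks a relying party (SP or child IdP) must make before accepting an assertion."""
    payload, sig = assertion["payload"], assertion["sig"]
    key = trusted.get(payload["issuer"])
    if key is None:
        raise PermissionError(f"untrusted issuer {payload['issuer']}")
    if not hmac.compare_digest(_sign(key, payload), sig):
        raise PermissionError("bad signature")
    if payload["audience"] != audience:
        raise PermissionError("assertion not addressed to this relying party")
    if payload["expires"] < time.time():
        raise PermissionError("assertion expired")
    return payload


@dataclass
class IdP:
    name: str
    key: bytes                                        # signing key (constructed)
    users: dict = field(default_factory=dict)         # local accounts (toy: plain passwords)
    parent: "IdP | None" = None                       # IdP this one may delegate to
    trusted_keys: dict = field(default_factory=dict)  # issuer name -> verification key

    def issue(self, subject: str, audience: str, chain: list) -> dict:
        payload = {"issuer": self.name, "subject": subject, "audience": audience,
                   "expires": time.time() + 300, "chain": chain + [self.name]}
        return {"payload": payload, "sig": _sign(self.key, payload)}

    def authenticate(self, user: str, password: str, audience: str) -> dict:
        """Answer an authentication request from `audience` (an SP or a child IdP).

        A locally known user is authenticated here. Otherwise this IdP behaves
        like an SP toward its parent: it asks the parent for an assertion
        addressed to itself, validates it, and re-issues one for the requester.
        """
        if user in self.users:
            if not hmac.compare_digest(self.users[user], password):
                raise PermissionError("bad credentials")
            return self.issue(user, audience, [])
        if self.parent is None:
            raise PermissionError(f"{self.name}: unknown user and no parent IdP")
        parent_assertion = self.parent.authenticate(user, password, audience=self.name)
        payload = verify(parent_assertion, audience=self.name, trusted=self.trusted_keys)
        return self.issue(payload["subject"], audience, payload["chain"])


def build_hierarchy():
    # Constructed two-level hierarchy: university IdP above a department IdP.
    univ = IdP("idp.univ.example", key=b"univ-key", users={"alice": "pw-alice"})
    dept = IdP("idp.dept.univ.example", key=b"dept-key", users={"bob": "pw-bob"},
               parent=univ, trusted_keys={univ.name: univ.key})
    sp_trust = {dept.name: dept.key}  # the SP is registered with the department IdP only
    return univ, dept, sp_trust


def login(user: str, password: str) -> list:
    """Return the chain of IdPs that vouched for `user`, as seen by the SP."""
    univ, dept, sp_trust = build_hierarchy()
    sp = "sp.dept.univ.example"
    assertion = dept.authenticate(user, password, audience=sp)
    return verify(assertion, audience=sp, trusted=sp_trust)["chain"]


def replay_check() -> str:
    """An assertion the parent issued for the child IdP must not be usable at the SP,
    even if the SP happened to trust the parent's key: the audience check rejects it."""
    univ, dept, sp_trust = build_hierarchy()
    parent_assertion = univ.authenticate("alice", "pw-alice", audience=dept.name)
    try:
        verify(parent_assertion, audience="sp.dept.univ.example", trusted={univ.name: univ.key})
    except PermissionError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    print(login("alice", "pw-alice"))  # delegated through the parent IdP
    print(login("bob", "pw-bob"))      # local account at the department IdP
    print(replay_check())
```

The two things worth noting from a defender's point of view are that the child IdP validates the parent's assertion with exactly the same checks an SP would apply (trusted issuer, signature, audience, expiry), and that an assertion addressed to the child IdP is rejected at the SP even when the SP trusts the parent's key, so delegation does not widen where a given assertion can be spent.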