Securing digital identities in the cloud by selecting an apposite Federated Identity Management from SAML, OAuth and OpenID Connect

Proceedings - International Conference on Research Challenges in Information Science

Volumn , Issue , 2017, Pages 163-174

  Naik, Nitin ^a   Jenkins, Paul ^a  

^a MINISTRY OF DEFENCE   (United Kingdom)

Author keywords

DoS; Federated Identity Management; FIdM; MITM; OAuth; OpenID Connect; SAML; SSO; XSS

Indexed keywords

ARCHITECTURAL DESIGN; DOS; ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS; MARKUP LANGUAGES; NETWORK SECURITY; SECURITY OF DATA; SOCIETIES AND INSTITUTIONS; STANDARDS;

FEDERATED IDENTITY MANAGEMENTS; FIDM; MITM; OAUTH; OPENID CONNECT; SAML;

AUTHENTICATION;

EID: 85024505356     PISSN: 21511349     EISSN: 21511357     Source Type: Conference Proceeding    
DOI: 10.1109/RCIS.2017.7956534     Document Type: Conference Paper

References (40)

1. N. Naik and P. Jenkins, "A secure mobile cloud identity: Criteria for effective identity and access management standards," in 2016 4th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud 2016). IEEE, 2016, pp. 89-90.
2. N. Naik, "Connecting Google cloud system with organizational systems for effortless data analysis by anyone, anytime, anywhere," in IEEE International Symposium on Systems Engineering (ISSE 2016). IEEE, 2016.
3. N. Naik and P. Jenkins, "An analysis of open standard identity protocols in cloud computing security paradigm," in 14th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC 2016). IEEE, 2016.
4. C. A. Gunter, D. Liebovitz, and B. Malin, "Experience-based access management: A life-cycle framework for identity and access management systems," IEEE Security & Privacy, vol. 9, no. 5, p. 48, 2011.
5. N. Naik, "Migrating from virtualization to dockerization in the cloud: Simulation and evaluation of distributed systems," in IEEE 10th International Symposium on the Maintenance and Evolution of Service-Oriented and Cloud-Based Environments, (MESOCA 2016). IEEE, 2016, pp. 1-8.
6. A. Gopalakrishnan, "Cloud computing identity management," SETLabs briefings, vol. 7, no. 7, pp. 45-55, 2009.
7. N. Naik, "Building a virtual system of systems using Docker Swarm in multiple clouds," in IEEE International Symposium on Systems Engineering (ISSE 2016). IEEE, 2016.
8. -, "Applying computational intelligence for enhancing the dependability of multi-cloud systems using docker swarm," in IEEE Symposium Series on Computational Intelligence (SSCI), 2016.
9. N. Klingenstein, T. Hardjono, H. Lockhart, and S. Cantor. (2012) OASIS Security Services (SAML) TC. [Online]. Available: Https://www.oasis-open.org/committees/tc home.phpwg abbrev=security
10. N. Ranjbar and M. Abdinejadi, "Authentication and Authorization for Mobile Devices," B.Sc. Dissertation, Department of Computer Science and and Engineering Goteborg, Sweden, 2012.
11. Pingidentity.com. (2011) A standards-based mobile application idm architecture. [Online]. Available: Http://www.enterprisemanagement360.com/wp-content/files mf/white paper/exp final wp mobile-application-idm-arch-8-11-v4
12. T. J. Smedinghoff. (2008) Introduction to online identity management. [Online]. Available: Https://www.uncitral.org/pdf/english/colloquia/EC/Smedinghoff Paper-Introduction to Identity Management
13. C. Forster and N. Readshaw. (2008, April 29) Using SAML security tokens with microsoft web services enhancements: A standards-based approach enabled by tivoli federated identity managers. [Online]. Available: Http://www.ibm.com/developerworks/tivoli/library/t-samlwse/
14. A. Hindle. (2010, May 8) Authentication vs. Authorization-Part 2: SAML and OAuth. [Online]. Available: Http://www.axiomatics.com/blog/entry/authentication-vs-authorization-part-2-saml-and-oauth-2.html
15. R. Boyd, Getting Started with OAuth 2.0, 2nd ed. OReilly Media, 2012.
16. G. Brail and S. Ramji, OAuth-The Big Picture. Apigee, 2014. [Online]. Available: Http://pages.apigee.com/rs/apigee/images/oauth-ebook-2012-02
17. D. Hardt. (2012, October) The OAuth 2.0 authorization framework. [Online]. Available: Https://tools.ietf.org/html/rfc6749
18. M. Jones and D. Hardt. (2012, October) The OAuth 2.0 authorization framework: Bearer token usage. [Online]. Available: Https://tools.ietf. org/html/rfc6750
19. J. Richer and W. Mills. (2012, November 28) OAuth 2.0 message authentication code (MAC) tokens. [Online]. Available: Https://tools. ietf.org/html/draft-ietf-oauth-v2-http-mac-02
20. M. Jones, B. Campbell, and C. Mortimore. (2015, May) JSON web token (JWT) profile. [Online]. Available: Https://tools.ietf.org/html/rfc7523
21. B. Campbell, C. Mortimore, and M. Jones. (2014, November 12) SAML 2.0 profile for OAuth 2.0 client authentication and authorization grants. [Online]. Available: Https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23
22. IBM.com. (2015, September 8) Invoking the authorization endpoint for openid connect. [Online]. Available: Http://www-01.ibm.com/support/knowledgecenter/SSEQTP 8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp oidc auth endpoint.html
23. Openid.com. (2014) What is OpenID Connect [Online]. Available: Http://openid.net/connect/
24. N. Sakimura. (2014) OpenID Connect Core 1.0 incorporating errata set 1. [Online]. Available: Http://openid.net/specs/openid-connect-core-1 0. html
25. J. Basney, J. Gaynor, and W. Edwards. (2013) OpenID connect for myproxy protocol specification. [Online]. Available: Https://redmine. ogf.org/dmsf files/13113download=20852
26. Connect2id.com. (2015) OAuth 2.0 authorisation endpoint. [Online]. Available: Http://connect2id.com/products/server/docs/api/authorization
27. Oasis-open.org. (2008, March 25) Security Assertion Markup Language (SAML) v2.0 technical Overview. [Online]. Available: Http://docs. oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
28. N. Naik, P. Jenkins, P. Davies, and D. Newell, "Native web communication protocols and their effects on the performance of web services and systems," in Computer and Information Technology (CIT), 2016 IEEE International Conference on. IEEE, 2016, pp. 219-225.
29. N. Naik and P. Jenkins, "Web protocols and challenges of web latency in the web of things," in Ubiquitous and Future Networks (ICUFN), 2016 Eighth International Conference on. IEEE, 2016, pp. 845-850.
30. J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, and M. Jensen, "On breaking saml: Be whoever you want to be." in USENIX Security Symposium, 2012, pp. 397-412.
31. SANS. (2003) Global information assurance certification paper. [Online]. Available: Https://www.giac.org/paper/gsec/2876/saml-common-security-language-web-services/104846
32. J. Naithan, "SAML proposal for securing XML web services.Project paper," University of St. Thomas, Saint Paul, 2008.
33. J. Hodges, O. C. McLaren, P. Mishra, R. Netegrity, T. Moses, E. E. Prodromou, and S. M. Erdos, "Security and privacy considerations for the oasis security assertion markup language (saml)," 2002.
34. V. Mladenov, C. Mainka, and J. Schwenk, "On the security of modern single sign-on protocols: Second-order vulnerabilities in openid connect," arXiv preprint arXiv:1508.04324, 2015.
35. T. Groß, "Security analysis of the saml single sign-on browser/artifact profile," in Computer Security Applications Conference, 2003. Proceedings. 19th Annual. IEEE, 2003, pp. 298-307.
36. D. Fett, R. Küsters, and G. Schmitz, "A comprehensive formal security analysis of oauth 2.0," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 1204-1215.
37. R. Millman. (2016, January 11) Researchers find two flaws in OAuth 2.0. [Online]. Available: Https://www.scmagazine.com/researchers-find-two-flaws-in-oauth-20/article/530038/
38. G. Curtis. (2016, July 16) Preventing mix-up attacks with OpenID Connect. [Online]. Available: Http://openid.net/2016/07/16/preventing-mix-up-attacks-with-openid-connect/
39. A. Armando, R. Carbone, L. Compagna, J. Cuellar, G. Pellegrino, and A. Sorniotti, "From multiple credentials to browser-based single signon: Are we more secure" in IFIP International Information Security Conference. Springer, 2011, pp. 68-79.
40. W. Li and C. J. Mitchell, "Analysing the Security of Google's implementation of OpenID Connect," in Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 2016, pp. 357-376.