A Proposal for Extending the Eduroam Infrastructure with Authorization Mechanisms

Manuel Sánchez, Gabriel López, Óscar Cánovas, Antonio F. Gómez-Skarmeta

2007

Abstract

Identity federations have emerged in recent years to ease the deployment of resource-sharing environments among organizations. One common feature of those environments is the use of access control mechanisms based on user identity. However, most of those federations have realized that user identity alone is not enough to offer finer-grained access control and value-added services. Therefore, additional information, such as user attributes, needs to be taken into account. This paper presents how one of those real and widely deployed identity federations, eduroam, has been extended to make use of user attributes and to take authorization decisions during the access control process. This authorization framework has been integrated by means of the NAS-SAML infrastructure, which defines a network access control service based on SAML and the AAA architecture.



Paper Citation


in Harvard Style

Sánchez M., López G., Cánovas Ó. and F. Gómez-Skarmeta A. (2007). A Proposal for Extending the Eduroam Infrastructure with Authorization Mechanisms. In Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007) ISBN 978-972-8865-96-2, pages 23-32. DOI: 10.5220/0002408400230032


in Bibtex Style

@conference{wosis07,
author={Manuel Sánchez and Gabriel López and Óscar Cánovas and Antonio F. Gómez-Skarmeta},
title={A Proposal for Extending the Eduroam Infrastructure with Authorization Mechanisms},
booktitle={Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)},
year={2007},
pages={23-32},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002408400230032},
isbn={978-972-8865-96-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)
TI - A Proposal for Extending the Eduroam Infrastructure with Authorization Mechanisms
SN - 978-972-8865-96-2
AU - Sánchez M.
AU - López G.
AU - Cánovas Ó.
AU - F. Gómez-Skarmeta A.
PY - 2007
SP - 23
EP - 32
DO - 10.5220/0002408400230032