An Approach for Integrating Kerberized non Web-based Services with Web-based Identity Federations

Aleksandr Bersenev, Arsen Hayrapetyan, Marcus Hardt, Michael Simon

2015

Abstract

Many identity federations are designed to be used with web browsers. This paper proposes an approach for integrating non web-based applications with web-based identity federations using the Kerberos protocol. We evaluate this approach by making an NFS server available to users of the SAML-based identity federation of the state of Baden-Württemberg, Germany. We make use of the LDAP-Facade software for federating non web-based services. We have modified the web-interface component of LDAP-Facade to enable registration with kerberized services. Our approach can be used without modifications on the client side.



Paper Citation


in Harvard Style

Bersenev A., Hayrapetyan A., Hardt M. and Simon M. (2015). An Approach for Integrating Kerberized non Web-based Services with Web-based Identity Federations. In Proceedings of the 10th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2015) ISBN 978-989-758-115-1, pages 144-150. DOI: 10.5220/0005509901440150


in Bibtex Style

@conference{icsoft-pt15,
author={Aleksandr Bersenev and Arsen Hayrapetyan and Marcus Hardt and Michael Simon},
title={An Approach for Integrating Kerberized non Web-based Services with Web-based Identity Federations},
booktitle={Proceedings of the 10th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2015)},
year={2015},
pages={144-150},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005509901440150},
isbn={978-989-758-115-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2015)
TI - An Approach for Integrating Kerberized non Web-based Services with Web-based Identity Federations
SN - 978-989-758-115-1
AU - Bersenev A.
AU - Hayrapetyan A.
AU - Hardt M.
AU - Simon M.
PY - 2015
SP - 144
EP - 150
DO - 10.5220/0005509901440150