This paper describes a conceptual model for attribute aggregation that allows a service provider (SP) to authorise a user's access request based on attributes asserted by multiple identity providers (IdPs), when the user is known by different identities at each of the IdPs. The user only needs to authenticate to one of the IdPs, and the SP is given an overall level of assurance (LoA) about the authenticity of the user and his/her attributes. The model employs a new component called a Linking Service (LS), which is a trusted third party under the control of the user, whose purpose is to link together the different IdP accounts that hold a user's attributes, along with their respective LoAs. There are several possible interaction models for communications between the IdPs, the SP, LSs and the user, and each is described. The model is underpinned by a fully specified trust model, which also describes the implications when participants do not fully trust each other as required. Finally, the paper describes how the model has been implemented by mapping onto existing standard protocols based on SAMLv2.