by Regina Hebig, Christoph Meinel, Michael Menzel, Ivonne Thomas, Robert Warschofsky
Abstract:
The loosely coupled nature of Service-oriented Architectures raises the question how information for access control can be managed in an efficient way. Several specifications for Web Services exist to describe security requirements and to facilitate a provision of identity information. However, the integration of different standards regarding the expression of identity information in policies, claims and assertions comes along with an increased complexity. In order to identify and address the problems occurring with the combined use of standards as XACML, SAML and WS-Trust, we designed and implemented an architecture for identity- and attribute-based access control in decentralized environments. Our implementation provides an automated generation of access control policies in a format called XACML, a way to communicate required user attributes as claims across different domains based on the standards WS-Trust and WS-Policy, and a consistent mapping of retrieved attribute assertions to the XACML attributes in the access control policy.
Reference:
A Web Service Architecture for Decentralised Identity- and Attribute-Based Access Control (Regina Hebig, Christoph Meinel, Michael Menzel, Ivonne Thomas, Robert Warschofsky), In ICWS '09: Proceedings of the 2009 IEEE International Conference on Web Services, IEEE Computer Society, 2009.
Bibtex Entry:
@InProceedings{1587038,
AUTHOR = {Hebig, Regina and Meinel, Christoph and Menzel, Michael and Thomas, Ivonne and Warschofsky, Robert},
TITLE = {{A Web Service Architecture for Decentralised Identity- and Attribute-Based Access Control}},
YEAR = {2009},
BOOKTITLE = {ICWS '09: Proceedings of the 2009 IEEE International Conference on Web Services},
PAGES = {551--558},
ADDRESS = {Los Angeles, CA, USA},
PUBLISHER = {IEEE Computer Society },
PDF = {uploads/pdf/1587038_3709a551.pdf},
OPTacc_pdf = {},
ABSTRACT = {The loosely coupled nature of Service-oriented Architectures raises the question how information for access control can be managed in an efficient way. Several specifications for Web Services exist to describe security requirements and to facilitate a provision of identity information. However, the integration of different standards regarding the expression of identity information in policies, claims and assertions comes along with an increased complexity. In order to identify and address the problems occurring with the combined use of standards as XACML, SAML and WS-Trust, we designed and implemented an architecture for identity- and attribute-based access control in decentralized environments. Our implementation provides an automated generation of access control policies in a format called XACML, a way to communicate required user attributes as claims across different domains based on the standards WS-Trust and WS-Policy, and a consistent mapping of retrieved attribute assertions to the XACML attributes in the access control policy.}
}