Professional Documents
Culture Documents
Federated Identity Architecture of The European eID System
Federated Identity Architecture of The European eID System
ABSTRACT Federated identity management is a method that facilitates management of identity processes
and policies among the collaborating entities without a centralized control. Nowadays, there are many
federated identity solutions, however, most of them covers different aspects of the identification problem,
solving in some cases specific problems. Thus, none of these initiatives has consolidated as a unique solution
and surely it will remain like that in a near future. To assist users choosing a possible solution, we analyze
different federated identify approaches, showing main features, and making a comparative study among
them. The former problem is even worst when multiple organizations or countries already have legacy
eID systems, as it is the case of Europe. In this paper, we also present the European eID solution, a purely
federated identity system that aims to serve almost 500 million people and that could be extended in mid-
term also to eID companies. The system is now being deployed at the EU level and we present the basic
architecture and evaluate its performance and scalability, showing that the solution is feasible from the point
of view of performance while keeping security constrains in mind. The results show a good performance of
the solution in local, organizational, and remote environments.
INDEX TERMS User authentication, single sign-on, identity federation, identity and access management
(IAM), authentication and authorization infrastructure (AAI), federated identity architecture (FIA).
2169-3536
2018 IEEE. Translations and content mining are permitted for academic research only.
75302 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 6, 2018
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
J. Carretero et al.: FIA of the European eID System
contributions, we have carried out an evaluation of the eIDAS Asymmetric encryption contemplates the use of a key pair,
servers in multiple environments. which consists in a private key and a public key, so that the
To cover all the contributions, while making an extensive sender can process the challenge successfully with its private
presentation of related topics, the paper has been organized key and the receiver is able to verify the response using the
as follows. Section II shows common approaches of authen- public key of the sender.
tication and key distribution. Section III discusses about In any case, the key distribution mechanism is a major char-
management of authentication of entities in the ICT world, acteristic of an authentication infrastructure. Key distribution
how they are represented and which are their capabilities and mechanisms may be symmetric or asymmetric, in addition
their permissions. Section IV presents a study on Web based of involving a trusted third party with capacity of distributing
FIM systems and most representative examples. Section V the keys. In terms of symmetric cryptography, one example of
covers FIM systems not based on Web services. Section VI key distribution protocol is Needham-Schroeder Symmetric
introduces a number of tools and frameworks that implement Key Authentication [8], which aims to establish a session key
at least one Identity Management protocol. Section VII shows between two parties on a network without sharing their pri-
representative examples of large scale identity federations. vate key with the other party. There is the need of a trustable
Section VIII presents the European Identity Federation Ini- third party that owns all the secret keys of the participants.
tiative, an identity federation solution proposed in Regulation There are also protocols that do not rely on third parties, but
(EU) 910/2014 by the Connecting Europe Facility (CEF) they are less extended (e.g. ISO One-pass Symmetric Key
office. Section IX discuses about the experiments carried Unilateral Authentication Protocol [9]).
out to asses the feasibility and performance of the deployed On the other hand, the main expression of asymmetric
solution. Finally, Section X summarizes major conclusions cryptography key distribution mechanism is through digi-
extracted from our work and introduces future work lines. tal certificates of identity, being X.509 [10] the most used
format. A digital certificate includes at least an identifier
II. USER AUTHENTICATION of the subject, its public key, and the digital signature of a
In a world where the services sector is increasingly estab- trusted entity called the Certification Authority (CA), over the
lished on the Internet, there is a necessity of providing mech- certificate itself. A X.509 based certificate includes multiple
anisms to authenticate users aiming to access personalized fields, such as version, serial number, validity, issuer ID,
and confidential information. Recognition paradigms (i.e. the cryptographic information to derive the public key such as the
act of allocating the identity of a user) cover the identifica- algorithm (e.g. RSA [11] or DSS [12]), extensions depending
tion of an identity within the population and the authentica- on the version, etc. The Public Key Infrastructure (PKI) [13]
tion of an identity by confirming that it belongs to the user is the combination of components that guarantee the trust
provided credentials. Authentication protocols are the basis of a subject without needing to have knowledge about her
of any identification system, as they enable the verification in advance. It starts with a third party entity, a Certifi-
claims in every step of the subsequent communication among cation Authority (CA), issuing digital certificates to end-
principals. Typical authentication problems include message users or other intermediate certificate authorities that also
integrity, data origin authentication, non-repudiation of the issues certificates, so that a chain of trust of the certificate is
sender and the receiver, and impersonation of the identity of established. The chain of trust is an ordered list of certificates,
sender and receiver. There are many approaches to ensure containing an end-user subscriber certificate and certificates
user authentication depending of the applied security con- of intermediate CAs until the root CA. Trusting the root
strains. Authentication schemes may rely on something the CA means to trust in all certificates issued by the root and
user knows (Knowledge based. E.g password), something the intermediate CAs.
user is (Biometric based. E.g. face or eye), or something There are also asymmetric cryptography algorithms to
the user has (Object based E.g. card) [5]. negotiate a shared session key between two parties without
The study of the paradigms for exchanging secrets to sharing any secret or the need of a third party. The most
guarantee the authentication of individuals and the confi- widely used is Diffie and Hellman [14], where no compro-
dentiality of messages has been a constant throughout the mising cryptographic material is sent between two parties
last decades. In the context of IT, passwords and keys may in order to generate a shared secret. It is worth to mention
be exchanged in multiple ways: explicitly (e.g. Basic HTTP that the choice of the encryption method and the distribution
Authentication [6] or POST forms); encrypted (e.g. EKE [7]); of keys depend on the problem faced, as there is no perfect
Or through a challenge/response mechanism in order to avoid combination. A good approach that is commonly adopted is
sending the secret. This last mechanism is becoming very to use authenticated Diffie-Hellman [15] to obtain a session
popular in the last years. It consists in sending a challenge key for encrypting the communication. With the objective of
(e.g. pseudo-random string) that must be processed to get a guaranteeing integrity, authentication, non-repudiation, and
response, which can only be obtained if the private key is to prevent from impersonation, the cryptographic material
known by the sender. Challenge/response mechanisms based exchanged between the participants is signed using a digital
on symmetric encryption require for both sender and receiver certificate, which is exchanged by the participants. If both
to know the private key in order to verify the response. participants trust the respective certificates, they both obtain
a secret key shared by means of Diffie-Hellman and, from Module (SAM), in PoS, and as a Hardware Security Mod-
this, they derive a private key to encrypt the communication ule (HSM). Radio Frequency Identification (RFID) systems
by means of symmetric cryptography (e.g. AES256 [16] and enable a contact-less transfer of data between the data-
3DES) since, by its nature, it can be made fast computation- carrying device and its reader. They are closely related to
ally by using hardware accelerators (FPGA, GPU, ...) and smart cards, since data may be stored inside, but the power
encryption of whole blocks. supply is achieved using magnetic or electromagnetic fields.
A very different authentication approach that avoids key RFIDs are not as cheap as bar codes, but support a larger set
management is the use of biometry. Biometrics is, in the of unique IDs than bar codes and can incorporate additional
context of identification systems, the science of counting data. Because of their added value, they are being large-
and measuring unmistakable and individual biological and/or scale adopted for managing services where smart cards are
behavioral patterns to recognize a person. Several biometric limited [21].
recognition modalities are used (e.g. speaking, face, iris, vas- Table 1 shows a comparison of the three classes of user
cular, DNA, fingerprints, etc.), as each one adapts better than authentication mechanisms considering some relevant fea-
other to different use cases. For example, an organic sample tures
like DNA is unique for each person, excepting identical twins,
and its recognition has practically zero error rate when ana- III. IDENTITY MANAGEMENT SYSTEMS
lyzed and compared, but the procedure is very time consum- In the previous section, we have briefly covered common
ing and very expensive [17]. Human fingerprint is assumed to approaches of authentication and key distribution and intro-
have a very high uniqueness and report low error rates when duced how trust infrastructures are built (e.g. PKI). In this
compared to other methods [18]. However, the reliability of section, we tackle authentication management, how entities
the procedure partially depends on the skin conditions and its are represented in the ICT world, and which are their capa-
cost depends on the capture technology. Biometrics presents bilities and permissions. In this section, we focus on iden-
also issues related to the acquisition techniques, which may tity management, that refers to the process of administrating
be categorized from invasive (e.g. blood sample, taken to information about the identity of users and controlling their
collect a person’s DNA), to minimally or non-invasive, access to organization resources, and identity management
(e.g. fingerprint or iris scan), or even collected without the systems (IdM), that are set of technologies that can be used in
subjects knowledge (e.g. face recognition). Each of them has Information and Communication Technology (ICT) system
different privacy implications [19]. to provide identity management.
There are many artifacts and devices, such as bar codes, In the scope of identity management there are many terms
OCRs, magnetic stripe cards, optical and laser cards, smart to refer to the parties involved and the identity information
cards, RFIDs, etc., used for recognition of individuals. Two related to parties. A Digital Identity [22] is the information
of them are notable by the features the offer: smart cards and used to represent an entity in an ICT system. An entity may
RFIDs. A smart card is an electronic data storage system be a person, an organization, a device, an application, etc.
with a minimum computing capacity due to its architec- The purpose of the ICT system is to determine which of the
ture and a minimum operating system combined with a file attributes describing an entity are used to build its identity.
system with the aim to offer security services. They have Within an ICT system, an identity shall be the set of those
been proved to be a trustworthy security provider, since they attributes related to an entity that are relevant to the particular
issue strong authentication for card holders, but they have domain of application served by that system. Depending on
to be in near contact with the card reader. They may be the specific requirements of this domain, this set of attributes
put into service as a Qualified/Secure Signature Creation related to the entity (the identity) may be, but does not have
Device (QSCD/SSCD) [20], may be used as a Secure Access to be, uniquely distinguishable from other identities in the
ICT system. Therefore, a digital identity is information of an limitations. It does not support attributes extension and
entity used by ICT systems to represent an internal or exter- federation, and the semantics of the attributes are not
nal agent. This information usually consists of an identifier, taken into consideration. Examples of this approach are the
which is an unique code used to refer the identity, and a set of Zentyal Directory Server [28] in Linux and the Windows
claims or attributes that represent the entity in the specific Domain [29].
domain, which may determine the specific capabilities of The Service Centric Paradigm consists of different
such entity in this domain [23]. The way for an entity to prove service providers deployed at different domains. Service
identity is by presenting its Credential in an authentication providers usually have registers of all identifiers and autho-
scheme, such as to send some secret known by the ICT system rizations of user credentials linked to the authentication sys-
and the entity (e.g. login and password), to present an artifact, tems. Following this paradigm, users have to manage, at least,
maybe issued by a third party (e.g. passport), or to to check one identity per service provider, since an entity may have
some biometric in case of humans (e.g. fingerprint). multiple identities and thus, every identity may have several
Three entities are usually involved in a typical IdM system: identifiers or attributes. This reduces the usability from the
user, identity provider, and service provider. The user is an user’s point of view. Moreover, service providers that operate
entity aiming to consume a service, it is usually registered in a global environment, such as the Internet, need global
in one or various identity providers. The Identity Provider identifiers. To achieve this uniqueness, several identifiers,
(IdP) is an entity that stores identities and their associated cre- such as company name, street address, domain name etc., are
dentials, provides authentication and authorization services encoded within digital certificates subscribed to the PKI. This
and issue assertions. The Service Provider (SP) is an entity paradigm can achieve dynamic replacement of services [30],
providing services to users. The SP relies on the IdP to handle so that the service chosen might depend on user prefer-
authentication by consuming authentication assertions, for ences or some other criteria. However, composition from
this reason, it is also referred as Relying Party (RP) [24]. different domains and delegation of users’ access rights are
IdM systems may be designed considering the control and still difficult to track and control.
consent over the digital identities to be used and the infor- The User Centric Paradigm supports identity manage-
mation that will be released. It is essential to inform users of ment on the user side, so that identifiers and credentials from
the purpose for which information is collected and about the different service providers are handled in the user side of the
parties that will get involved while sharing their information. communication, resulting in improved usability and authenti-
There are several regulations concerning privacy protection cation protocol flexibility [31]. Moreover, it enables users in
and identity disclosure. The ‘‘need to know’’ restriction is a any platform to access online services, enhancing mobility.
good approach when collecting user information to minimize User centric solutions are designed to be cost effective and
damage in case of a security breach [25]. The use of partial scalable from the perspective of the user, while at the same
identities by enabling pseudonyms and links to the holder time being compatible with traditional identity management
of the identity is also a good approach to fulfill privacy systems [32].
requirements. However, it is necessary to enforce a good man- A table comparing major features of the three previous
agement of the pseudonyms to maintain private the linkage paradigms is presented in [27]. Three major features are
between an identity and its pseudonym, to achieve anonymity compared: Centralized; Trust Domain; and Identity Han-
due to the use of a pseudonym in different contexts, to be dling, including authentication, identity number scale, iden-
able to transfer attributes from a pseudonym to another, and tity uniqueness, and credentials transmission. The table
to perform blind digital signature as well [26]. reflects that the user centric paradigm is more flexible, as it
According to [27], IdM systems can be classified by using can be distributed, can include multiple trust domains, and
Paradigms and Models. We refer to ‘‘paradigms’’ when we can support large scale identity management with unique Id,
speak in terms of implementation and deployment of the but it may face problems of credentials disclosure and privacy
system. ‘‘Models’’ refer to data storage and entity roles, it is to protection, but still security is better than in network and
say, where identities are stored and which is the responsibility service centric paradigm.
of each party.
B. MODELS OF IDENTITY MANAGEMENT
A. PARADIGMS OF IDENTITY MANAGEMENT The former paradigms can be used to provide identity man-
The three major paradigms, shown below, are defined taking agement following several models. The most extended iden-
into account the entity leading the identification process. tity management models are the isolated, centralized, and the
The Network Centric Paradigm congregates all iden- federated model, which are briefly detailed below.
tities in a database located on a central IdM system, usu- In the Isolated Model, the Service Provider (SP) and
ally referred as Domain Controller, where authentication Identity Provider (IdP) are combined in a single server. This
takes place. Each entity using a network device subscribed implies that identity storage and user operations, which
to the domain receives a unique and single identity from includes authentication and authorization, are carried out at
which authorization decision is taken. This was the earliest the same point (Figure 1-left). This model is a very simple
approach to the IdM technology development and it has many approach, which may cause many problems [31]. From the
point of view of the user, increasingly adoption of online other to exchange and share digital information preserving
services make users to handle one identity for each service privacy of the user information. As shown in Figure 1, SP
they are registered in, which means managing several creden- and IdP can be independent or they can be grouped in the
tials. If credentials are managed properly by users (different same SP (similar to a cooperation of isolated models). This
credentials for each service) there may be a lack of usability, configuration is usually called metadata (at least at web-based
and if credentials are poorly managed (same credentials for specifications) and can be exchanged in an informal and
each service) there may be a lack of security. unstructured way or normalized and structured way. Meta-
The Centralized Model consists of centralizing the iden- data is configuration data required to automatically negotiate
tity storage while separating the services. Multiple SPs agreements between system entities, comprising identifiers,
have to authenticate their users against a central IdP binding support and endpoints, certificates, keys, crypto-
(Figure 1-center). The most extended implementation is the graphic capabilities and security and privacy policies. Several
single sign-on (SSO) authentication method, which enables specifications normalize metadata structures and contents,
the user to access several SPs with a single identification thus supporting efficient management processes for scal-
instance. Other implementations are the common identifier able deployments [36]. Discovery and exchanging federation
model and the meta-identifier model. This model reduces metadata make easy to establish trust relationships and also
the usability problems derived from the Isolated Model, but to determine policies for obtaining services.
has a clear reliability problem, as it depends on a single While the main goal in Identity Federation is to pro-
point of failure: the IdP. Kerberos and CAS are examples of vide an efficient Single Sign On (SSO) service to identified
implementations of this model. individuals, identity providers and relying parties, the most
The Federated Model is a step forward on the Central- common services provided by a Federation consist of: con-
ized Model. In order to support the deployment of identity firming that an identity belongs to the user presenting the
management systems at heterogeneous topologies, parties credentials (Authentication); allowing or denying access to
involved in the identity management system establish an a protected resource (Authorization); transferring profile
agreement on which entities are part of the system, how enti- information or performing claim-based authorization (based
ties are going to be referred as, and the configuration param- on Attributes); and preserving the privacy of a principal
eters of the participating system parties. This model is a good representing her using anonymous identifiers establishing
approach for authenticating a user across multiple sites within an association (steady or transient) with her local identity
a company or across independent and disparate domains [33]. (pseudonymization).
A Service Provider in one domain can grant authorized access Pseudonyms and claims-based authorization services
to a resource it manages based on the exchange of identity, enhance user privacy in a federation. A Resource Provider
attribute, authentication and authorization assertions with an can request just a subset of attributes to access a resource and
Identity Provider (or any Security Token Service) in another an Identity Provider can assert that a particular principal pos-
domain [34]. The result is that a group of SPs are able to sesses these attributes without divulging the actual identity
recognize a user identity from other SPs within a federated of the principal. This allows the users to cross the boundaries
domain. This is called a Federated Identity [35]. of their organization and to be able to use partial identities.
Actors in the federated model define a Federated Identity As an example, a user may have one or more partial identities
Architecture (FIA), that groups IdPs and SPs that trust each for working, other for administrative procedures, etc. [37].
C. XACML
processing (RST/RSTR) is agnostic of the type of token being XACML stands for ‘‘eXtensible Access Control Markup
transmitted, enhancing the interoperability. In addition, Language’’, an international standard for describing secu-
it allows pseudonyms, attributes, and claims-based authoriza- rity access control policies in a compositional way by pro-
tion services with generic STS [45]. moting common terminology and interoperability between
access control implementations by multiple vendors. It is
B. SAML (SECURITY ASSERTION MARKUP LANGUAGE) primarily an attribute-based access control system, but it
The Security Assertion Markup Language (SAML) [46] is can be extended to a role-based access control system [48].
an OASIS standard that defines a XML-based framework for XACML was developed to standardize access control through
exchanging security information between entities regarding XML and as a way to unify the access control policy across
authentication, authorization, and specific attributes. Authen- a variety of enterprise applications by externalizing access
tication, attribute and authorization decision statements are control decisions.
expressed as SAML assertions, which may be trusted by all XACML defines an architecture with four major entities
parties involved in the domain. (see Figure 5): policy administration point (PAP), defining
The standard defines assertions, protocols, bindings, and policies; Policy Decision Point (PDP), that evaluates appli-
profiles. An assertion allows for one party to assert secu- cable policy, match requests against policies, and renders an
rity information in the form of statements about a subject. authorization decision; Policy Enforcement Point (PEP), per-
Generalized request/response protocols, such as Authenti- forming access control; And Policy Information and Retrieval
cation Request or Single Logout among others, have been Point (PIP), to get and to store access authorization policies
defined. The assertions are typically embedded in other struc- and attribute values. The user requests access to PEP, which
tures for transport. The defined bindings for assertions and ask to the PDP for the attributes. PDP applies the policy set by
request-response messages are SOAP [47], Reverse SOAP the PAP and returns the attributes, which are consulted with
(PAOS), HTTP Redirect, HTTP POST, HTTP Artifact, and the PIP and combined with contextual information to create
SAML URI, with the possibility to specify additional ones. the obligations to be enforced by the PEP. The architecture is
SAML profiles specify how assertions, protocols and bind- complemented with an attribute-based access control policy
ings are combined to provide interoperability in particular language and a processing model to execute policy rules.
scenarios. Examples of those profiles are Web Browser Single
Sign-On, Identity Provider Discovery and Single Logout. D. OAuth (OPEN AUTHORIZATION)
An example of a simple SSO is shown in Figure 4. The OAuth 2.0 protocol (RFC6749) [49] is an authorization
In addition, the specification follows a modular approach framework that enables a third-party consumer application to
that can be used in different protocol contexts, since asser- obtain access to some resource operated/hosted by a service
tions are defined as security tokens (i.e. WS-Security). Due provider with the resource owner consent and without sharing
to this, SAML has become the most consolidated stan- its credentials. This approach prevents issues associated to
dard protocol for identity federations. SAML has also been storing resource owner’s credentials, password compromis-
adopted to be used with several other standard frameworks ing, and limiting and revoking access to the resources.
(e.g. WS-Security, XACML, etc.) because its components are OAuth addresses these issues by introducing an authoriza-
modular and highly extensible. tion layer and separating the role of the client from that of
metadata and schemas with a specific format to notify the attributes of any type, that is unlinkable to users to avoid
provider-specific and status information, and web redirection tracking, and that allows to disclose dynamically subsets of
made from the user agent enabling the service provision. attributes following user specification to compare with clear
Despite it is a complete specification, it was not widely data. It allows developers to create interoperable implemen-
adopted by the community, but it have been included in the tations of U-Prove protocol participants.
Kantara Initiative [55], which is a global and open initiative VOOT [62] is a protocol providing a data model to asso-
to provide a strategic vision and real world innovation for the ciate users in a group with a resource or service in read-only
digital identity transformation that includes identity relation mode. As described by Kremers in [63], the specification
management, user managed access, identities of things, and defines the communication protocol between a client appli-
minimum viable consent receipt. cation and a VOOT provider, while the user group directory
User-Managed Access to Web Resources (UMA) [39], may be accessed by the provider by other mechanisms, such
[56] is an open specification under active development by the as LDAP or SQL. The VOOT API is based in REST, and the
Kantara Initiative. It uses the OAuth resource registration and provider support OAuth and Basic HTTP Authentication. The
OAuth and OpenID Connect grants. UMA provides to the proxy operation make possible to combine information from
users with a mechanism to make the authorization decision several group providers using one API service. In addition,
over their resources hosted by a Web based resource owner. VOOT does not provide federation mechanisms, but it plays
Users define their own policies: customer privacy, consent, well with SAML or OpenID Connect identifiers for federa-
and control data sharing. tion purposes.
Systems for Cross-domain Identity Management PAPI [64] is an identity service that allows a users to access
(SCIM) [57] is a protocol for cross-domain identity pro- to the web servers of the resource provider through access
visioning via HTTP. The SCIM specification is a standard points in order to evaluate the trust of the user requests to the
designed for provisioning and managing identities, such as resource providers. The access in only available for a limited
users and groups, in cloud-based applications and cross- period of time set by the authentication server. It consists of
domain services. Its two major components are a core schema two main components: the Authentication Server (AS), in the
based on attributes within JSON objects, and a protocol spec- role of IdP, providing a single point of authentication, and
ification with a REST API for exchanging identity resources the Point of Access (PoA) handling access decisions over
via JSON that allows massive bulk updates. SCIM does resources. There are PAPI components implemented in Java,
not provide authentication or authorization, instead it relies Perl, and PHP.
on the Transport Layer Security (TLS) or standard HTTP CAS Protocol [65] is a ticket-based protocol for CAS.
authentication and authorization schemes. It relies on a single server that is responsible for authenti-
Facebook Connect is a single sign-on application that cating users and granting accesses to applications. Authen-
allows users to interact on other websites through the tication requests come from a client application through
Web [58] using their Facebook identity. Third party Web sites embedded CAS services. The protocol uses two kind of tick-
can access to Facebook users’ data to make the authentica- ets: TGT (Ticket Granting Ticket), valid for single sing on
tion. Facebook Connect is proprietary, thus the protocol is session of a user, and ST (Service Ticket), valid for the access
not open. Facebook Connect is subject to replay attacks and granted by the CAS server to an application for a specific user.
masquerade attacks [58]. Idemix [66] is a a prototype of an anonymous credential
Google Sign-in [59] is a secure authentication system that system. It is based on high-level primitives and interfaces
enables the user to sign in with their Google Account to providing an abstraction layer to handle security and privacy
access all Google services in a secure manner. Google also features allowing integration into access control systems. The
provides a user-centric APIs and services to integrate Google credential system relies on protocols for pseudonym regis-
Sign-in in the applications. It is compatible with authorization tration, credential issuing and credential verification. Parties
protocols OAuth2.0 and OpenID Connect. involved in the system are users, obtaining and showing
Eclipse Higgins [60] is based on an active client (called a credentials, and organizations, issuing and verifying creden-
selector–a personal identity manager) based on information tials. Users may maintain unlinkable pseudonyms with differ-
cards or i-cards. Those cards contain a set of data fields ent organizations while perform claim based authentication.
(claims) about the user and they can be shared with friends Idemix also enables de-anonymization in some scenarios.
and businesses trusted by the user. They can be used to SWIFT Identity [67] is a framework to manage access
login to i-card-compatible websites, as well as to present services to users thought their virtual identities. It allows
other information about the user. The selector client can be performing SSO between services. The main goal is to
integrated in browsers and it runs on a computer or mobile make an aggregation of identities from different providers
device. to find them in a single meeting service in a pseudonymous
Microsoft U-Prove [61] is a user-centric proprietary sys- and unlinkable way. Parties involved are the End User,
tem based on device-protected tokens using anonymous cre- accessing services with their identities, the Service Provider,
dentials on smart cards. A U-Prove token is a new type consuming authentication asserts to authorize access to a
of credential, similar to a PKI certificate, that can encode service, the Identity Aggregator, as the main point of trust and
TABLE 2. Web-Based FIM specification comparison. Diameter allow intermediate nodes in the communication
between client and server. They are referred as ‘‘proxies’’
in RADIUS and ‘‘agents’’ in Diameter. In terms of authen-
tication, both protocols support the use of NAIs, CHAP,
EAP and PAP, but RADIUS implementation of these pro-
tocols has some security flaws and limitations [75], [76].
From the authentication point of view, both protocols offer
some support for access rules, authorization restrictions, and
filters, but not a complete support. In addition, Diameter
Base protocol allows users to be periodically reauthenti-
cated and/or reauthorized on-demand [77], and authorization
without authentication, better than RADIUS. For compat-
ibility and extensibility reasons, Diameter is also a better
choice since its design fixes limitations in RADIUS mech-
anisms [78]. There is a proprietary solution developed by
Cisco called TACACS+, which also complements the inde-
performing identity provisioning, the Authentication Provider,
pendent authentication, authorization, and accounting (AAA)
issuing authentication asserts about the End User, and the
architecture.
Attribute Provider that manages End User’s attributes. The
Protocols commonly used in combination with AAA pro-
process contemplates the creation of the virtual identity, its
tocols are EAP and LDAP. The Extensible Authentication
aggregation and the consumption of the service.
Protocol (EAP) [79] is an authentication framework that
G. COMPARISON supports multiple authentication methods (e.g. EAP-TLS,
A schematic comparison of multiple features of some of the EAP-SIM, EAP-AKA, PEAP, LEAP y EAP-TTLS, etc.).
most relevant web specifications is shown in Table 2. It takes This protocol was designed to manage authentication in
into account literature about security analysis of federated accesses to the network, so it does not require support
IDM systems [68] and background on the field [69], [70]. for IP network layer. However, EAP usually is encapsu-
lated by other protocol, such as Point-to-Point Protocol
V. NOT WEB-BASED FEDERATED IDENTITY (PPP) or IEEE 802. The Lightweight Directory Access Pro-
MANAGEMENT tocol (LDAP) [80], [81] is an application layer protocol that
Apart from the proliferation of web-based mechanisms for provides access to distributed directory services to manage
authentication and single sign-on, there are protocols that domain-level information. The protocol stores authentication
manage these processes in environments where it is not fea- information, such as credentials, and it is used to authenti-
sible to base communications on HTTP. They are usually cate, although it is possible to store other identity attributes
much older and studied protocols, which are more related to (user contact data, location of various network resources,
domain-level management and deployed at networks where permissions, certificates, etc). In short, LDAP is a unified
devices are more controlled. access protocol to a set of information about a network that
implements the data and service models specified in the
A. AUTHENTICATION, AUTHORIZATION AND X.500 Directory Access Protocol (DAP).
ACCOUNTING (AAA) BASED
IDENTITY FEDERATIONS B. APPLICATION-AGNOSTIC IDENTITY FEDERATIONS
Its a term used to refer to a family of protocols that This section describes some protocols that allow adding an
mediate network based access [71] managing authentication underlying authentication layer to applications that initially
and authorization of users and the accounting of network do not implement it on their own. They also provide mech-
resources information between a Network Access Server anisms to reduce the degree of coupling of the applications
(NAS) and an Authentication Server. that consume these protocols.
Two protocols for AAA are worth to mention in terms
of relevance: Remote Authentication Dial In User Service a: Kerberos Protocol
(RADIUS) [72], [73], that is the most widely deployed; The Kerberos Network Authentication Service RFC4120 [82]
Diameter [74], a more complete protocol fixing some is a distributed authentication service allowing a user to
RADIUS limitations, but less popular. The mode of operation prove its identity to a service without exchanging any com-
of both protocols is similar. RADIUS operates in a pure state- promising material through the network, and thus, avoiding
less client-server paradigm, while Diameter operates more for an attacker to impersonate the user by intercepting the
like a peer-to-peer protocol, since all nodes can initiate the communication. Kerberos is based in part on Needham and
communication and keep some state information. RADIUS Schroeder’s trusted third-party authentication protocol [83].
runs over UDP, while Diameter can use reliable transport It may include integrity check and confidentiality for mes-
protocols, such as TCP or even SCTP. Both RADIUS and sages sent between the client and server.
of another family, since the channel does not support these UNITY is a complete solution for identity federation and
assertions, but the receiver can interpret and decode them. inter-federation management [96]. Management of groups
These specifications are a hybrid between these two worlds. and group hierarchies, Single Sign-On and federation ser-
Two examples are Application Bridging for Federated Access vices can be outsourced to Unity. It supports authenti-
Beyond the Web (ABFAB) [92] and Federated Kerberos cation of users from identity providers based in SAML,
(FedKERB) [93]. OIDC, or LDAP, as well as native usernamepassword and
As described in [33], they are architectures that achieve X.509 certificates. UNITY also acts as an OAuth autho-
federated authentication and authorization access control to rization and resource server to issue access tokens, enables
applications beyond the web. They are able to transport delegated access to user attributes and enables bridging of
SAML assertions of a network-centric IdP over RADIUS SAML identity federations [97].
attributes by means of a deployed AAA infrastructure. Both simpleSAMLphp is an open source native PHP applica-
of them manage user authentication against this IdP through tion that is mainly focused in dealing with SAML 2.0 as a
EAP by using GSS-API and they allow to freely deploy Service Provider (SP) and SAML 2.0 as an Identity Provider
access control policies without forcing to use a specific (IdP). However, it also supports some other identity pro-
one. The main difference between them are that, for the tocols and frameworks, such as Shibboleth 1.3, A-Select,
authentication and single sign-on process, ABFAB relies on CAS, OpenID, WS-Federation or OAuth, and it is easily
a component in the client side called Identity Manager that extendable, so that new modules can be developed [98].
remembers user credentials provided to access a specific It offers user consent, discovery, validation, statistics, moni-
Resource Provider (RP) in case it has to use them in a toring, metadata management. In addition, SimpleSAMLphp
new access to the same RP. On the other hand, FedKERB scales pretty well. Configuring a high availability SP or IdP
manages authentication using Kerberos, and thus, using a is not difficult since there is very little state to share between
centralized KDC that provides the well-known features of this the nodes of a cluster. It also offers support for Mem-
protocol. cached, so that sessions between multiple instances may be
shared.
VI. FRAMEWORKS AND TOOLS FOR IDENTITY Central Authentication Service (CAS) [99] is, in addition
FEDERATIONS to an open and well-documented protocol, a client-server
There are many tools and frameworks that implement at application providing a library of clients for Java, .Net, PHP,
least one Identity Management protocol in order to provide Perl, Apache, uPortal, and others that are able to intercon-
a solution that supports various use cases (e.g. authenti- nect with their open-source Java server component to offer
cation, authorization, identity provisioning, accountability, enterprise Single Sign-On. It supports various methods of
etc.). In addition, many of those tools are designed to facilitate authentication (e.g. LDAP, X.509, RADIUS, etc.), multiple
integration into organizational environments in production, authentication and authorization protocols (e.g. CAS, SAML,
supporting in many cases scalability and modularity. OAuth, OpenID, etc.), multifactor authentication and many
other features. It integrates with uPortal, BlueSocket, Tiki-
A. OPEN FRAMEWORKS AND TOOLKITS Wiki, Mule, Liferay, Moodle and others [100]. An open
Open source solutions are developed and supported, either by source implementation of a CAS framework is available
the community of developers, or by organizations that offer through their GitHub repository [101].
maintenance of the software in production. OpenAM [102] is an open source centralized access
Shibboleth is an open source SAML implementation. The management solution providing authentication, authorization
Shibboleth Consortium is responsible for the development of decisions to access resources, and federation services in a
the Shibboleth SP and IdP as open source software, among single, integrated solution. The whole system is developed
others [94]. It allows authentication, authorization, content in Java and it is deployed as a WAR project, providing
personalization, and enables single sign-on across a broad a high availability and a highly scalable and extensible
range of services from many different providers. Shibbo- multi-platform infrastructure. Features may be extended to
leth consists of several individual components: IdP, SP, and the framework through its SDKs and several REST end-
discovery service (DS), which may be deployed separately points. OpenAM supports SAML, OAuth2, OpenID Connect
depending on the specific needs of the organization. It cur- and UMA. It offers a small SAML 2.0 application, which
rently supports most of the profiles defined by SAML 1.1 and lets service providers quickly add SAML 2.0 support to
SAML 2.0 and the possibility to enable WS-Federation with their Java applications. OpenAM is part of the ForgeRock
ADFS at the SP [95]. It could also be improved by installing Identity Relationship Management platform, which features
software extensions into the Identity Provider, such as dele- other products such as OpenIG, a SSO solution to enter-
gated CAS authentication metadata extension, discovery, two prise, legacy, and custom applications that may work together
factor authentication (e.g. Google Authenticator) and support with OpenAM to integrate Web applications, and OpenICF,
for a Kerberos Login Handler, and support for X.509 login an Enterprise and Cloud Identity Infrastructure Connector
handler, among others. They are also working on adding offering a consistent layer between target resources and
support for the OpenID Connect protocol on Shibboleth 3. applications.
B. OTHER OPEN FRAMEWORKS AND TOOLS process enforcement by setting the effective user and group
The Apache mod_auth_mellon [103] is an authentication ID for the current process, between others.
module for Apache. It authenticates the user against a The Argus Authorization Service [117] provides a dis-
SAML 2.0 IdP, and grants access to directories depending on tributed authorization framework.As it is based on the
attributes received from the IdP. mod_auth_mellon can easily XACML standard, it uses security policies to take the autho-
be used as a proxy service to handle secure authentication rization decision to perform a certain action on a particular
between a client application and a SAML 2.0 compliant service. The authorization process relies on three compo-
Identity Providers by indicating these applications are Service nents: the Policy Administration Point (PAP), in charge of
Providers for the IdP, this allows clients to avoid handling the authorization policy management, the Policy Decision
all SAML 2.0 requests and responses. It is able to validate Point (PDP), implementing the authorization engine, and
all SAML assertions. Once assertions are validated, SAML the Policy Enforcement Point Server (PEP Server), ensuring
claims attributes are made available in Apache and can easily the integrity and consistency of the authorization requests
be passed down to applications through Response Headers. received from the PEP clients, which are also provided by the
The Globus Toolkit is an open source software toolkit framework. Argus supports SAML2-XACML2, X.509 and
used for building grids [104]. The toolkit includes software VOMS specifications.
services and libraries for resource monitoring, discovery, and LASSO [118] is a free software library used to define
management, plus security and file management [105]. The processes for federated identities, single sign-on and related
Globus Toolkit Authentication and Authorization Module functionality. Lasso is built on top of libxml2, XMLSec
relies on Globus Security Infrastructure using X.509 certifi- and OpenSSL and implements the Liberty Alliance ID-FF
cates, TLS and proxy certificates to authenticate and autho- 1.2 protocols and supports SAML 2.0 and several features of
rize grid users. It relies on MyProxy [106] to manage user cre- ID-WSF. It works in GNU/Linux, MacOS X and Microsoft
dentials and to handle authentication, GridFTP [107], [108] Windows distributions.
to deploy the Globus service, and GRAM [109] for LemonLDAP::NG (LL::NG) [119] is a modular WebSSO
resource management. Identity federation and attribute- (Single Sign On) based on Apache modules. It simplifies the
based authorization through the Globus toolkit is studied building of a protected area with a few changes in the appli-
in [110]. cation. It manages both authentication and authorization and
Moonshot [111] is a technology to provide users SSO provides headers for accounting. So you can have a full AAA
and for extending the benefits of federated identity to non- protection for your web space, as described below. LL::NG
web services, which includes cloud infrastructures, high per- can easily interconnect to other authentication systems using
formance computing & grid infrastructures, and other com- SAML, OpenID, CAS, as in a federation. Its SOAP API
monly deployed services including mail, file store, remote can also be used to dialog directly with custom applications.
access, and instant messaging. Moonshot is based on the It is composed by three main components: the Manager, for
IETFs Application Bridging for Federated Access Beyond administrators to configure and explore sessions, the Portal,
web (ABFAB) open standards [112]. It applies strong net- the core of the system where authentication of users take
work authentication by means of EAP/RADIUS, and strong place, and the Identity Provider, with services provided via
authorization as used by many national federations, by using SAML, OpenID or CAS, and application lists. The Handler
SAML assertions [113]. consists of Apache modules used to protect applications.
The Virtual Organization Membership Service WSO2 Identity Server is a unified authentication server
(VOMS) [114] is an authorization management technology and rights management tool, developed since 2007, notably
that allows virtual organizations to manage their users, roles, by Dr. Sanjiva Weerawarana, one of the fathers of the WS-*
groups and attributes assigned to users. Authorization poli- architectural vision. WSO2 Manager API is based on the Car-
cies are expressed as Access Control Lists (ACLs) linked bon platform and implements OSGi specifications common
to VOMS groups. It also includes an audit log if necessary. to all WSO2 products, which are modular and scalable. The
VOMS outputs can be used in a delegation workflow. VOMS solution allows users to load data from any external source,
mainly focuses on X.509, but the VO membership can be LDAP, Active Directory, JDBC, its own base or an integrated
queried through a SAML attribute query as well, although Apache Directory Server. It provides a unified authentication
this feature is not used in production [115]. system via OAuth 1.0 & 2.0, OpenID, SAML2 and Kerberos
The LCMAPS [116] framework is a Local Credential KDC. Policy access control is done via the XACML 2.0 and
Mappping Service that allows to take various credentials as 3.0 specifications.
input (e.g. a certificate and/or VOMS credentials) and to map LinOTP is an open source One-Time Password (OTP)
them to Unix credentials as output (POSIX credentials like solution maintained by the German company Leading Secu-
User ID, Group ID, etc.). Just like LCAS, its predecessor, rity Experts (LSE GmbH). It is a robust, professional solu-
LCMAPS is mainly focused on Grid jobs. It provides an tion that can be integrated with a heterogeneous infrastruc-
advanced and flexible plugin engine and a wide variety of ture. OTPs are passwords generated at a given time, that
plugins exist, including plugins to support the mapping onto are valid over a short period of time and used only once.
a local Unix account and group, including VOMS attributes, These passwords are generated thanks to certain hardware,
like tokens and even smartphones. LinOTP has interfaces TABLE 3. Toolkit comparison in terms of goals and supported protocols.
with all types of tokens that support the HMAC-OTP pro-
tocol, as well as with hybrid solutions like MOTP devices.
LinOTP is distributed under the AGPL v3. An Enterprise
edition is also available. From a technical standpoint, LinOTP
is a server written in Python providing communications via
simple HTTP queries. This means it can be also adminis-
trated using tools different than those provided as part of the
distribution. For example, a custom web interface could be
developed and included in a special section of an Intranet site.
There are several other tools in the scope of identity
management, such as HEXAA [120], COmanage [121],
Grouper [122], Perun [123], Apache Syncope [124],
Evolveum MidPoint [125] etc. also aimed to manage projects,
virtual groups, resources, identity provisioning, etc. They are
not commented in this paper, as we are addressing major
initiatives.
C. PROPRIETARY SOLUTIONS
The need of managing identity of users in the different envi-
ronments and controlling access to products, has generated
a plethora of commercial solutions for identity management,
being some of them open to any user or company and other
proprietary solutions to generate identities valid only in a
line of products or a commercial provider. The end goal is
to avoid multiple sign-on and digital channels for the same standards-based platform for developers. Azure AD is also
user, which creates siloed and fragmented customer data, designed to work with on-premises Active Directory and
by providing the users with a single sign-on mechanism. other directories, allowing organizations to leverage exist-
The most representative examples of proprietary solutions are ing on premises infrastructure for the cloud.It has a pro-
shown below. grammable API through the Azure AD Authentication
OKTA Identity Cloud [126], [127] is a high-availability Library (ADAL) and the Multi-Factor Authentication SDK.
identification service providing single sign-on and multifac- Salesforce Identity Management (SIM) [132] provides
tor authentication to customers. The service can be linked Customer Identity and Access Management (CIAM) services
to any web and mobile application, providing two-factor to manage customer identities fully integrated into business
authentication. Moreover, it can be integrated with AD/LDAP processes. It is an integrated identity platform providing sin-
across multiple domains federation. gle sign-on, single user profile and consent management, and
OneLogin [128] is a cloud software solution that integrates extension to IoT devices. SIM is compatible with several
with web servers to provide secure access to company and identity standards, including SAML, OAuth, OpenID Con-
commercial applications available through the web (SAP, nect, SCIM and FIDO U2F.
ORACLE, G-Suite, etc.). It performs transparent multi-factor Microsoft Active Directory Federation Services
authentication and authorization using SAML or LDAP. (AD FS) [133] is a standards-based service that allows
Auth0 [129] is an identity management platform that the secure sharing of identity information between trusted
enables SSO, enterprise federation, and connection to Active business partners across the Internet. AD FS is Microsoft’s
Directories such as LDAP and ADFS. It also provide user implementation of the WS-Federation Passive Requestor Pro-
management, mechanisms for multifactor authentication, file protocol. It provides single sign on, centralized federated
protection against password leakages, and biometric access. partner management, and an extensible architecture.
RSA SecurID Access [130] provides a cloud RSA Authen- A schematic comparison of some of the most relevant
tication Service using RSA SecurID tokens with on-premise solutions for identity federation is shown in Table 3.
multifactor authentication, SSO, centralized access, and
authentication policies. It also accepts authentication requests VII. LARGE SCALE IDENTITY FEDERATIONS
from third-party SSO solutions configured to use RSA While most proprietary solutions promote centralized ser-
SecurID access. vices with a unified identification scheme, in many situations
Microsoft Azure Active Directory for Microsoft the organizations already have their own identification sys-
solutions [131]. It is a comprehensive identity and access tems that are not easy to modify. A typical example is the
management service that combines directory services, iden- creation of worldwide thematic networks (universities, pub-
tity governance, application access management, and a lishers, education, etc.) grouping institutions or companies
For this reason, the Interoperable SAML 2.0 Profile STORK [149] and STORK 2.0 [150] projects showed that
(SAML2Int) is the only SAML 2.0 profile allowed in it was possible to use national eIDs in cross border use cases
eduGAIN, and other federations, like eIDAS, STORK or by designing a system using a Pan European Proxy Service
InCommon (described in next sections) are also SAML-based (PEPS), which acts as a single gateway and intermediary for
federations. In [147], the authors propose to use an inter- foreign eIDs towards domestic Service providers, or relying
mediate entity to connect several federations like eduGAIN, on a middleware that allows a distributed implementation
STORK, and eIDAS. of the identification system. FutureID project [151] built
Scalability is directly related to the architectural design of a comprehensive, flexible, privacy-aware, and ubiquitously
the federation network. Two main architectural approaches usable identity management infrastructure for Europe that
are currently used for identity federations [148]: is integrated with existing eID technology and trust infras-
• Full mesh federations. In this structure everything is tructures, emerging federated identity management services
distributed and there is no need for a central component. and modern credential technologies to provide a user-centric
Thus, every organization in the federation operates their system. The feasibility and results of those projects were the
own Identity Provider (IdP) connected to a local user base for a proposal of an identity federation solution in antici-
database and an arbitrary number of Service Providers pation of the adoption of the Regulation (EU) 910/2014 [152],
(SP). This structure is the most common due to its sim- the so-called eIDAS Regulation, which should be in force in
plicity, distributed deployment, and availability features. all Member States at the end of 2018. This regulation provides
Moreover, it allows easily incremental growing of the a common method to enable secure and seamless electronic
federation. interactions between businesses, citizens, and public author-
• Hub & Spoke with distributed or central login. This ities in Europe. The eIDAS Regulation ensures that people
architecture relies on a central hub or proxy via which and businesses can use their own national electronic iden-
all security assertions are sent. The hub serves as a tification schemes (eIDs) to access public services in other
Service Provider versus the Identity Providers and as EU countries where eIDs are available. As a result, it cre-
an Identity Provider versus the Service Providers in ates an European level trust network on electronic services
the federation. In distributed login, each organization (e.g. digital signatures) by ensuring that they will work across
still operates their own Identity Provider connected to borders and have the same legal status as traditional paper
a local user database, but, both, the Identity Provider based processes [153].
and the Server Provider must contact the central hub for The federation solution consists of a network of Member
Identification. With centralized login, there is only one States, each one subscribed to a federated operator, namely
single Identity Provider in the federation, connecting to eIDAS Node. The approach that has been taken is that each
all user databases. This architecture, specially the central Member State has to deploy an eIDAS Node, which has the
login version, may have availability problems due to the role of Identity Provider for the national electronic identi-
existence of a single point of failure. Scalability is also fication scheme (eID) from any other country. All Service
limited due to the capacity of the single elements. Providers participating in the network must be subscribed
Federated identity management in full mesh federations to the eIDAS Node of this country. This way, every citizen
provides very good scalability properties, as Id management recognized by a member state is to be recognized within the
can be made at several levels (SP, local IdP, federated IdP, ...), trust network at European level, enabling the consumption
which allows to distribute the load and avoiding single points of services in other member states that, until now were not
of failure. The number of steps needed for authentication is allowed, or whose concession was tedious. This is a very
however proportional to the federation levels. For example, ambitious approach, since it enables cross-border authenti-
in STORK it was usually 2, but in interfederation identifica- cation of Member States citizens without the need to unify
tion, like those created using eduGAIN would be at least 3. the authentication method (eID Scheme) of the member states
Thus, the latency of the operation will be directly proportional participating in the Identity Federation.
to the depth of the federation. However, this latency can be The deployment of the nodes to create this trust network is
reduced by using proxies in different places. in charge of a governmental institution of the Member State
(e.g. a ministry), since it is going to be coupled to the national
VIII. EUROPEAN IDENTITY FEDERATION INITIATIVE public eID Scheme and authentication assertions are going
Since the beginning of the XXI century many European to be managed. A flaw in the system or a disclosure of con-
countries have developed eIdentification systems for their fidential information could compromise the security of the
nationals, leading to a very diverse landscape. Examples are infrastructure. Technically, the eIDAS node implementation
the German nPA, the Dutch DigiD or the Spanish eDNI. is still evolving, as the deployment is going on and several
As a result, the idea of using Federated Identity Management works are evaluating the behavior of the system. For example,
across Europe become a reality. Thus, along the FP7 pro- a security analysis of eIDAS has been published in [154]
grame several projects were carried out to develop a pan- showing that 7 of the 15 European eID services deployed
European eID interoperability infrastructure allowing cross- were still vulnerable to Denial-of-Service (DoS) and Server
border identification using national Ids. Side Request Forgery (SSRF). Another example is the work
TABLE 5. Features of the server nodes used in the experiments. a new identification request to the eIDAS node. For those
tests, we studied the breakdown of the steps of an eID request,
throughput of the servers, and the use of CPU and RAM
memory.
We run two kind of experiments for the eIDAS nodes: a
single process server and a server with 3 replicas, one of
them acting also as load balancer using round-robin. In every
experiment the eIDAS nodes were restarted to avoid warm
identification performance. It was aimed to analyze how cache effects.
the eIDAS Node behaves in a private cloud environment,
where there are many users using different resources.
This environment is representative of the organization 2) PERFORMANCE STUDY FOR A CLIENT SESSION
of ICT services in many companies nowadays, therefore This experiment measures the time needed in the eIDAS node
the experiment results should provide interesting infor- to serve an ID request for a client that has been already
mation on the evolution of the eIDAS Node according identified. As the eIDAS node has a temporal cache for
to the variation of the number of clients and the network some ID data, if the cache is warm, time should be reduced
overhead. considerably, as compared with the values of the independent
• Federated EU Environment. In the third scenario, clients.
we created a federated environment joining connecting This experiment consisted on running a client that issued
an eIDAS node in Frankfurt (Germany) to University id requests at the maximum possible rate, which means that
Carlos III of Madrid (Spain). This scenario is designed to there were no delays between successive requests. The num-
evaluate the behavior of eIDAS Nodes in more realistic ber of ID requests varied from 1 to 64 and for the results we
conditions, as they will be initially deployed in EU have removed the ID number 1 to avoid the cold cache effect.
countries. Average latency of the network is 20 ms.
• Federated Mexico Environment. In the fourth scenario,
D. SCALABILITY EVALUATION
we created a federated environment using a remote orga- We analyzed the overhead of the different actors participating
nization in Cinvestav (Mexico), connected to University in the identification process by making experiments increas-
Carlos III of Madrid (Spain). We are employing a part- ing the number of simultaneous clients for one server in
ner in Mexico aiming to get worst-case results due to the four environments described and breaking down the eID
network distance. Average network latency is 120 ms. request time considering the messages shown in Figure 10.
A single eIDAS Node was set up for each environment Figure 12(top) shows a breakdown indicating the average
to serve client requests arriving from different organization time per metric and number of clients for the local envi-
subdomains. Table 5 summarizes the environments where we ronment. In the figure, we can observe how the time of the
are performing the evaluation. The client is the same than in request increases with the number of clients in a significant
all environments. The server in the EU is the same than in way for more than 8 clients. This is due to the saturation of
local and organization environments. The server in Mexico is the computing resources of the server. This effect is more
similar, but it has only 6 cores instead of 12. Again, both client important on the time corresponding to TSR, which represents
and server nodes are based on Linux Ubuntu 16.04 LTS. The the cost in terms of time for signing request reception by
eIDAS node used was version 1.4. eIDAS node, TRA that represents the cost in terms of time for
sending the answer to the client, and TLGN , which represents
C. EXPERIMENTS the time for login. The effect of TSR occurs because the
For each environment, we run two kind of experiments, scala- eIDAS Node queues up the requests while the rest of the
bility and performance, as described below. Every experiment received jobs are being processed, increasing the waiting time
was executed 10 times and the average results and standard of the requests. TRA is due also to a similar effect. TLGN
deviation were computed. Average results are shown in the grows due to the saturation of the server CPU. As may be
evaluation results section. Certificates were used for the ver- seen, TVR, the time for validating the request generated by
ification of the eIDAS nodes each time a connection is made. TSR is much more smaller and remains almost stable.
In our experiments, users are identified through user id and Figure 12(bottom) shows the time breakdown of an eID
password. request, while varying the number of clients, for the orga-
nization environment. The behavior is similar to the local
1) SCALABILITY WITH INDEPENDENT CLIENTS scenario, but consumed time grows slightly due to the net-
To evaluate the scalability of the eIDAS Node to serve eID work latency. The figure shows a similar behavior for the
requests from new clients, a stress test was executed on the first 8 clients, but starts growing beyond that number, due to
four scenarios by varying the number of clients from 1 to 64. the saturation of the cores of the server. Again, the penalty is
For each experiment, we run a set of independent clients identified in the time consumed for signing and validation of
executing them in parallel (simultaneously). Each client sent requests in the server.
FIGURE 12. Effect of increasing number of clients on the time per FIGURE 13. Effect of increasing number of clients on the time per
message type of each client request in the local (top) and organization message type of each client request in federated environment
(down) environments. in EU (top) and Mexico (bottom).
FIGURE 15. CPU and RAM Evolution per Requests in organization and As may been, times are considerably reduced for all envi-
federated Mexico Environment. ronments, being around 1 second for local and organiza-
tional environment, 2.5 seconds for federated EU nodes and
9 seconds for federated environment in Mexico. Furthermore,
time increases in the last environment are due to the network
latency, which cannot be avoided. The results shown are
logical as most of the CPU time is dedicated to cipher and
decipher operations, which are simplified when there are
already results cached from a valid previous identification.
In these evaluations, the number of CPU cores is irrelevant,
as we are metering only one Id request and only one instance
of the eIDAS server is running. This is the reason because
local and organizacional are so similar. However, given the
scalability results of Figure 16, we can predict that it would be
FIGURE 16. Scalability of the eIDAS node activating three servers and strongly enhanced in real operation of the system with warm
load balance in a federated and local environment. caches and a large number of clients.
X. CONCLUSION
Mexico is different due to bursting effect and network latency, Digital identity management is a relevant security subject to
which is preventing good usage of CPU as many threads in access ubiquitous on-line services, as organizations have to
the server as blocked waiting for the network. RAM behavior exchange personal information in a secure way for preserving
has a growing evolution line as the server loads new requests integrity and confidentiality. This problem is even worst when
data in memory, but it is not saturated. which is similar in the organizations do not share a centralized architecture for
both environments. Proportional usage is lower in EU server single sign-on, which may be due to the existence of previ-
as the memory size is larger. ous eID systems or even to political reasons. The Federated
eIDAS Node Load Balancing Identity Architecture aims to tackle this problem, allowing
Figure 16 plots the comparative service time between a each organization to use their own eID. However, a complex
single node and a load balanced system composed by three architecture must be built to rely the identification of any
nodes. In the figure, we observe that with a small number of entity to their original eID server in a secure way.
clients (four clients), using a single eIDAS Node is similar As shown in this work, there are already many FIA solu-
to the load balancing approach. However, as the number of tions. Examples are eduGAIN and InCommon Federation,
clients grows, the time needed to respond a request is always popular solutions arising in EU and USA respectively. Both
lower in the load balanced system. For the EU environment, are based on Shibboleth, an open source SAML implemen-
we obtained up to 2× performance in the load balanced tation. The WS-Federation initiative, a standard based on
server. However, in the Mexico environment, scalability was the WS-* family, focuses on the Web Services environment
almost 3×, compared to the baseline. Thus, we can conclude and allows each participant to have its own policies, which,
that the load balance mechanisms provide good results with combined, determine the security requirements to commu-
very low overhead. nicate. However, most of them cover different aspects of
the identification problem, solving in some cases specific
E. PERFORMANCE EVALUATION problems. Thus, none of these initiatives has consolidated as
Table 6 shows the average time needed for a user identifica- a unique solution and surely it will remain like that in a near
tion after she has been identified at least once, which means future. To assist users choosing a possible solution, we have
that the cache of the eIDAS node is storing some data for the presented a survey of FIA, showing main features and making
user during some time. a comparative analysis among them.
The former problem worsens when organizations or coun- [15] S. Blake-Wilson and A. Menezes, ‘‘Authenticated Diffe–Hellman key
tries, already have legacy eID systems, as it is the case of agreement protocols,’’ in Proc. Conf. Sel. Areas Cryptogr. (SAC). Cham,
Switzerland: Springer, 1998.
Europe. In this situation, highly distributed FIAs is a good [16] M. J. Dworkin et al., ‘‘Advanced encryption standard (AES),’’ Federal
technical and secure approach to provide a feasible solution. Inf. Process. Standard, Tech. Rep. NIST 197, 2001. [Online]. Available:
In the paper, we have presented the European eID solution, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
[17] J. Lynch, ‘‘From fingerprints to DNA: Biometric data collection in
a purely federated identity system that aims to serve almost U.S. immigrant communities and beyond,’’ Electron. Frontier Found.,
500 millions people and that could be extended in mid-term May 2012, doi: 10.2139/ssrn.2134481.
also to companies eID. The system is now being deployed [18] R. Cappelli, M. Ferrara, A. Franco, and D. Maltoni, ‘‘Fingerprint
verification competition 2006,’’ Biometric Technol. Today, vol. 15,
at the EU level and we have presented the basic architecture nos. 7–8, pp. 7–9, 2007. [Online]. Available: http://www.sciencedirect.
and evaluated its performance and scalability, showing that com/science/article/pii/S0969476507701406
the solution is feasible from the point of view of performance, [19] S. Prabhakar, S. Pankanti, and A. K. Jain, ‘‘Biometric recognition: Secu-
rity and privacy concerns,’’ IEEE Secur. Privacy, vol. 1, no. 2, pp. 33–42,
while keeping security constrains in mind. Mar. 2003.
As shown in this paper, federated identity systems still [20] Directive 1999/93/EC on a Community Framework for Electronic Sig-
have research lines open, going from the improvement in natures, Eur. Parliament Council 13 December 1999, Brussels, Belgium,
2000.
performance and scalability to the proposal of new models to [21] R. Want, ‘‘An introduction to RFID technology,’’ IEEE Pervasive Com-
make integration easier for large scale organizations. In the put., vol. 5, no. 1, pp. 25–33, Jan. 2006.
case of the European eID system, there are still a lot of open [22] Information Technology—Security Techniques—A Framework for Iden-
tity Management, Standard ISO/IEC 24760-1, Dec. 2011.
lines, such as managing the evolution of the eID authenti- [23] E. Bertino and K. Takahashi, Identity Management: Concepts, Technolo-
cation servers, shortening the latency and complexity of the gies, and Systems. Norwood, MA, USA: Artech House, 2011.
deployment and integrating existing private eID systems. [24] S. C. Lee, ‘‘An introduction to identity management,’’ SANS
Inst. InfoSec Reading Room, Bethesda, MD, USA, Tech. Rep.,
Mar. 2003. [Online]. Available: https://www.sans.org/reading-
REFERENCES room/whitepapers/authentication/an-introduction-to-identity-
management-852
[1] G. Alpár, J. Hoepman, and J. Siljee. (Jan. 2011). ‘‘The identity crisis. [25] K. Cameron, ‘‘The laws of identity,’’ Microsoft Corp., Redmond, WA,
security, privacy and usability issues in identity management.’’ [Online]. USA, Tech. Rep. 5-2005, 2005.
Available: http://arxiv.org/abs/1101.0427 [26] S. Clauß and M. Köhntopp, ‘‘Identity management and its support
[2] J. Jensen, ‘‘Federated identity management challenges,’’ in Proc. 7th Int. of multilateral security,’’ Comput. Netw., vol. 37, no. 2, pp. 205–219,
Conf. Availability, Rel. Secur., Aug. 2012, pp. 230–235. 2001. [Online]. Available: http://www.sciencedirect.com/science/article/
[3] A. A. Malik, H. Anwar, and M. A. Shibli, ‘‘Federated identity manage- pii/S1389128601002171
ment (FIM): Challenges and opportunities,’’ in Proc. Conf. Inf. Assurance [27] Y. Cao and L. Yang, ‘‘A survey of identity management technology,’’ in
Cyber Secur. (CIACS), Dec. 2015, pp. 75–82. Proc. IEEE Int. Conf. Inf. Theory Inf. Secur., Dec. 2010, pp. 287–293.
[4] R. Dhamija and L. Dusseault, ‘‘The seven flaws of identity management: [28] Zentyal. Accessed: Dec. 4, 2017. [Online]. Available: http://www.
Usability and security challenges,’’ IEEE Secur. Privacy, vol. 6, no. 2, zentyal.com/about-us/
pp. 24–29, Mar. 2008. [29] Windows Domain. Accessed: 2012. [Online]. Available:
[5] L. O’Gorman, ‘‘Comparing passwords, tokens, and biometrics for user https://technet.microsoft.com/en-us/library/cc977987.aspx
authentication,’’ Proc. IEEE, vol. 91, no. 12, pp. 2021–2040, Dec. 2003. [30] L. Bussard, E. Di Nitto, A. Nano, O. Nano, and G. Ripa, ‘‘An approach to
[6] J. Reschke, The ‘Basic’ HTTP Authentication Scheme, document identity management for service centric systems,’’ in Proc. ServiceWave.
RFC 7617, Internet Requests for Comments, Sep. 2015. Cham, Switzerland: Springer, 2008, pp. 254–265.
[7] S. M. Bellovin and M. Merritt, ‘‘Limitations of the Kerberos authentica- [31] A. Jøsang and S. Pope, ‘‘User centric identity management,’’ in Proc.
tion system,’’ ACM SIGCOMM Comput. Commun. Rev., vol. 20, no. 5, AusCERT Asia Pacific Inf. Technol. Secur. Conf., 2005, p. 77.
pp. 119–132, 1990. [32] T. El Maliki and J.-M. Seigneur, ‘‘A survey of user-centric identity
[8] R. M. Needham and M. D. Schroeder, ‘‘Using encryption for authen- management technologies,’’ in Proc. Int. Conf. Emerg. Secur. Inf., Syst.,
tication in large networks of computers,’’ Commun. ACM, vol. 21, Technol. (SECUREWARE), Oct. 2007, pp. 12–17.
no. 12, pp. 993–999, Dec. 1978. [Online]. Available: http://doi.acm. [33] A. Pérez-Méndez, F. Pereñíguez-García, R. Marín-López,
org/10.1145/359657.359659 G. López-Millán, and J. Howlett, ‘‘Identity federations beyond the Web:
A survey,’’ IEEE Commun. Surveys Tuts., vol. 16, no. 4, pp. 2125–2141,
[9] J. Clark and J. L. Jacob, ‘‘A survey of authentication protocol literature:
4th Quart., 2014.
Version 1.0,’’ Univ. York, York, U.K., Tech. Rep., Dec. 1997.
[34] D. W. Chadwick, ‘‘Federated identity management,’’ in Foundations of
[10] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and Security Analysis and Design V. Cham, Switzerland: Springer, 2009,
W. Polk, Internet X.509 Public Key Infrastructure Certificate and Cer- pp. 96–120.
tificate Revocation List (CRL) Profile, document RFC 5280, Internet [35] S. S. Y. Shim, G. Bhalla, and V. Pendyala, ‘‘Federated identity manage-
Requests for Comments, RFC Editor, May 2008. [Online]. Available: ment,’’ Computer, vol. 38, no. 12, pp. 120–122, Dec. 2005.
http://www.rfc-editor.org/rfc/rfc5280.txt
[36] R. Herbe, SAML Metadata Guidance Version 1.0, document, OASIS
[11] R. L. Rivest, A. Shamir, and L. Adleman, ‘‘A method for obtain- Security Services (SAML) TC, Working Draft, 2014.
ing digital signatures and public-key cryptosystems,’’ Commun. ACM, [37] J. Torres, M. Nogueira, and G. Pujolle, ‘‘A survey on identity management
vol. 21, no. 2, pp. 120–126, Feb. 1978. [Online]. Available: http://doi.acm. for the future network,’’ IEEE Commun. Surveys Tuts., vol. 15, no. 2,
org/10.1145/359340.359342 pp. 787–802, 2nd Quart., 2013.
[12] E. B. Barker, ‘‘Digital signature standard (DSS),’’ Federal Inf. Pro- [38] M. Goodner, M. Hondo, A. Nadalin, M. McIntosh, and D. Schmidt,
cess. Standard, Gaithersburg, MD, USA, Tech. Rep. NIST 4-186, ‘‘Understanding ws-federation,’’ Microsoft IBM, Armonk, NY, USA,
2013. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST. Tech. Rep. 8-2007, 2007.
FIPS.186-4.pdf [39] M. P. Machulak, E. L. Maler, D. Catalano, and A. van Moorsel,
[13] S. Chokhani, W. Ford, R. Sabett, C. Merrill, and S. Wu, Internet X.509 ‘‘User-managed access to Web resources,’’ in Proc. 6th ACM Workshop
Public Key Infrastructure Certificate Policy and Certification Practices Digit. Identity Manage. (DIM), 2010, pp. 35–44. [Online]. Available:
Framework, document RFC 3647, Internet Requests for Comments, RFC http://doi.acm.org/10.1145/1866855.1866865
Editor, Nov. 2003. [40] H. Takabi, J. B. D. Joshi, and G.-J. Ahn, ‘‘Security and privacy challenges
[14] W. Diffie and M. E. Hellman, ‘‘New directions in cryptography,’’ IEEE in cloud computing environments,’’ IEEE Secur. Privacy, vol. 8, no. 6,
Trans. Inf. Theory, vol. 22, no. 6, pp. 644–654, Nov. 1976. pp. 24–31, Nov. 2010.
[41] R. T. Fielding et al., Hypertext Transfer Protocol, document RFC 2616, [67] A. Pérez, G. López, Ó. Cánovas, and A. F. Gómez-Skarmeta, ‘‘Formal
Internet Requests for Comments, RFC Editor, Jun. 1999. [Online]. Avail- description of the SWIFT identity management framework,’’ Future
able: http://www.rfc-editor.org/rfc/rfc2616.txt Gener. Comput. Syst., vol. 27, no. 8, pp. 1113–1123, 2011.
[42] E. Rescorla, HTTP Over TLS, document RFC 2818, Internet Requests [68] S. Simpson and T. Grossß, ‘‘A survey of security analysis in federated
for Comments, RFC Editor, May 2000. [Online]. Available: http://www. identity management,’’ in Privacy and Identity Management. Facing
rfc-editor.org/rfc/rfc2818.txt up to Next Steps. Cham, Switzerland: Springer, 2016, pp. 231–247,
[43] T. Dierks and E. Rescorla, The Transport Layer Security (TLS) doi: 10.1007/978-3-319-55783-0_16.
Protocol Version 1.2, document RFC 5246, Internet Requests for [69] A. Jøsang, ‘‘Identity management and trusted interaction in Inter-
Comments, RFC Editor, Aug. 2008. [Online]. Available: http://www. net and mobile computing,’’ IET Inf. Secur., vol. 8, pp. 67–79,
rfc-editor.org/rfc/rfc5246.txt Mar. 2014. [Online]. Available: http://digital-library.theiet.org/content/
[44] M. Goodner and T. Nadalin, Web Services Federation Language journals/10.1049/iet-ifs.2012.0133
(WS-Federation) Version 1.2, OASIS Standard, May 2009. [70] J. Werner, C. M. Westphall, and C. B. Westphall, ‘‘Cloud
[45] M. Goodner, M. Hondo, A. Nadalin, M. McIntosh, and D. Schmidt, identity management: A survey on privacy strategies,’’ Comput.
‘‘Understanding WS-federation,’’ Microsoft IBM, Armonk, NY, USA, Netw., vol. 122, pp. 29–42, Jul. 2017. [Online]. Available:
Tech. Rep. 8-2007, 2007. http://www.sciencedirect.com/science/article/pii/S1389128617301664
[46] S. Cantor, I. J. Kemp, N. R. Philpott, and E. Maler, Assertions and [71] J. Vollbrecht et al., AAA Authorization Framework, document RFC 2904,
Protocols for the OASIS Security Assertion Markup Language, OASIS Internet Requests for Comments, RFC Editor, Aug. 2000. [Online]. Avail-
Standard, Mar. 2005. able: http://www.rfc-editor.org/rfc/rfc2904.txt
[47] M. Gudgin et al., ‘‘Simple object access protocol (SOAP) 1.2,’’ in Proc. [72] C. Rigney, S. Willens, A. Rubens, and W. Simpson, Remote Authenti-
World Wide Web Consortium, 2003, pp. 1–26. cation Dial in User Service (RADIUS), document RFC 2865, Internet
[48] H. R. N. Carroline Ramli and F. Nielson, ‘‘The logic of XACML,’’ Sci. Requests for Comments, RFC Editor, Jun. 2000. [Online]. Available:
Comput. Program., vol. 83, no. 1, pp. 80–105, Apr. 2014. http://www.rfc-editor.org/rfc/rfc2865.txt
[49] D. Hardt, The Oauth 2.0 Authorization Framework, document RFC 6749, [73] C. Rigney, RADIUS Accounting, document RFC 2866, Internet
Internet Requests for Comments, RFC Editor, Oct. 2012. [Online]. Avail- Requests for Comments, RFC Editor, Jun. 2000. [Online]. Available:
able: http://www.rfc-editor.org/rfc/rfc6749.txt http://www.rfc-editor.org/rfc/rfc2866.txt
[50] N. Sakimura, J. Bradley, M. Jones, B. de Medeiros, and C. Mortimore, [74] V. Fajardo, J. Arkko, J. Loughney, and G. Zorn, Diameter Base Protocol,
‘‘OpenID connect core 1.0 incorporating errata set 1,’’ OpenID Found., document RFC 6733, Internet Requests for Comments, RFC Editor,
San Ramon, CA, USA, 2014. Oct. 2012. [Online]. Available: http://www.rfc-editor.org/rfc/rfc6733.txt
[51] T. Bray, The JavaScript Object Notation (JSON) Data Interchange For- [75] B. Aboba and A. Palekar, IEEE 802.1x and Radius Security, document
mat, document RFC 7159, Internet Requests for Comments, RFC Editor, IEEE 802-11-01, 2001, pp. 1–46.
Mar. 2014. [Online]. Available: http://www.rfc-editor.org/rfc/rfc7159.txt [76] J. Edney and W. A. Arbaugh, Real 802.11 Security: Wi-Fi Protected
[52] OpenID Connect Federation. Accessed: Jan. 21, 2018. [Online]. Avail- Access and 802.11i. Reading, MA, USA: Addison-Wesley, 2003.
able: http://openid.net/specs/openid-connect-federation-1_0.html [77] D. S. P. Calhoun, G. Zorn, and D. Mitton, Diameter Network Access
[53] The Liberty Alliance. Accessed: Dec. 15, 2017. [Online]. Available: http:// Server Application, document RFC 40005, The Internet Society, 2005.
www.projectliberty.org/ [Online]. Available: https://tools.ietf.org/html/rfc4005
[54] Liberty Alliance ID-FF 1.2 Specifications. Accessed: Dec. 15, 2017. [78] A. Hosia, ‘‘Comparison between RADIUS and diameter,’’ in Proc. Sem-
[Online]. Available: http://www.projectliberty.org/resource_center/ inar InternetWorking, 2003, pp. 1–15.
specifications/liberty_alliance_id_ff_1_2_specifications/ [79] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz,
[55] Kantara. (2018). Kantara Initiative. [Online]. Available: https:// Extensible authentication protocol (EAP), document RFC 3748, Internet
kantarainitiative.org/ Requests for Comments, RFC Editor, Jun. 2004. [Online]. Available:
[56] E. Maler, D. Catalano, M. Machulak, and T. Hardjono, ‘‘User-managed http://www.rfc-editor.org/rfc/rfc3748.txt
access (UMA) profile of OAuth 2.0,’’ Internet Eng. Task Force, Fremont, [80] K. Zeilenga, Lightweight Directory Access Protocol (LDAP): Technical
CA, USA, Tech. Rep., 2015. Specification Road Map, document RFC 4510, Internet Requests for
[57] P. Hunt, K. Grizzle, M. Ansari, E. Wahlstroem, and C. Mortimore, System Comments, RFC Editor, Jun. 2006. [Online]. Available: http://www.rfc-
for Cross-domain Identity Management: Protocol, document RFC 7644, editor.org/rfc/rfc4510.txt
Internet Requests for Comments, RFC Editor, Sep. 2015. [81] J. Sermersheim, Lightweight Directory Access Protocol (LDAP): The
[58] M. Miculan and C. Urban, ‘‘Formal analysis of Facebook Connect single Protocol, document RFC 4511, Internet Requests for Comments,
sign-on authentication protocol,’’ in Proc. Student Res. Forum, 37th Int. RFC Editor, Jun. 2006. [Online]. Available: http://www.rfc-editor.
Conf. Current Trends Theory Pract. Comput. Sci. (SOFSEM), vol. 11, org/rfc/rfc4511.txt
2011, pp. 22–28. [82] C. Neuman, T. Yu, S. Hartman, and K. Raeburn, The Kerberos Network
[59] Google. (2018). Google Identity Platform. [Online]. Available: Authentication Service (V5), document RFC 4120, Internet Requests for
https://developers.google.com/identity/ Comments, RFC Editor, Jul. 2005. [Online]. Available: http://www.rfc-
[60] Eclipse Higgins. Accessed: Jan. 4, 2018. [Online]. Available: editor.org/rfc/rfc4120.txt
https://projects.eclipse.org/projects/technology.higgins [83] B. C. Neuman and T. Ts’o, ‘‘Kerberos: An authentication service for
[61] W. Mostowski and P. Vullers, ‘‘Efficient U-Prove implementation for computer networks,’’ IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38,
anonymous credentials on smart cards,’’ in Security and Privacy in Com- Sep. 1994.
munication Networks (Lecture Notes of the Institute for Computer Sci- [84] S. Hartman, K. Raeburn, and L. Zhu, Kerberos Principal Name Canon-
ences, Social Informatics and Telecommunications Engineering). Cham, icalization and Cross-Realm Referrals, document RFC 6806, Internet
Switzerland: Springer, 2012, pp. 243–260. Requests for Comments, RFC Editor, Nov. 2012.
[62] VOOT Protocol, Accessed: Nov. 30, 2017. [Online]. Available: https:// [85] I. Cervesato, A. D. Jaggard, A. Scedrov, and C. Walstad, ‘‘Specifying
openvoot.org/ Kerberos 5 cross-realm authentication,’’ in Proc. Workshop Issues Theory
[63] M. Kremers. (2014). VOOT Specifications. Accessed: Jan. 4, 2018. Secur., 2005, pp. 12–26.
[Online]. Available: https://wiki.geant.org/display/gn3pjra3/VOOT+ [86] S. Sakane, M. Ishiyama, and S. Zrelli, Problem Statement on the Cross-
specifications Realm Operation of Kerberos, document RFC 5868, 2010.
[64] R. Castro-Rojo and D. R. López, ‘‘The PAPI system: Point of access to [87] J. Linn, Generic Security Service Application Program Interface Version
providers of information,’’ Comput. Netw., vol. 37, no. 6, pp. 703–710, 2, Update 1, document RFC 2743, Internet Requests for Comments, RFC
2001. Editor, Jan. 2000.
[65] CAS Project. CAS Protocol. Accessed: Jan. 3, 2018. [Online]. Available: [88] T. Bialaski and M. Haines, LDAP in the Solaris Operating Environment:
https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html Deploying Secure Directory Services. Upper Saddle River, NJ, USA:
[66] J. Camenisch and E. van Herreweghen, ‘‘Design and implementation Prentice-Hall, 2003.
of the idemix anonymous credential system,’’ in Proc. 9th ACM Conf. [89] A. Melnikov and K. Zeilenga, Simple Authentication and Security Layer
Comput. Commun. Secur. (CCS), 2002, pp. 21–30. [Online]. Available: (SASL), document RFC 4422, Internet Requests for Comments, RFC
http://doi.acm.org/10.1145/586110.586114 Editor, Jun. 2006.
[90] S. Josefsson and N. Williams, Using Generic Security Service Application [118] Lasso. Accessed: Dec. 4, 2017. [Online]. Available:
Program Interface (GSS-API) Mechanisms in Simple Authentication and http://lasso.entrouvert.org/
Security Layer (SASL): The GS2 Mechanism Family, document RFC [119] LemonLDAP NG. Accessed: Jan. 10, 2018. [Online]. Available:
5801, Internet Requests for Comments, RFC Editor, Jul. 2010. https://lemonldap-ng.org/
[91] E. Lear, H. Tschofenig, H. Mauldin, and S. Josefsson, A Simple Authen- [120] Higher Education External Attribute Authorities (HEXAA).
tication and Security Layer (SASL) and Generic Security Service Appli- Accessed: Sep. 2017. [Online]. Available: https://geant3plus.
cation Program Interface (GSS-API) Mechanism for OpenID, document archive.geant.net/opencall/Authentication/Pages/HEXAA.aspx
RFC 6616, Internet Requests for Comments, RFC Editor, May 2012. [121] Comanage. Accessed: Dec. 5, 2017. [Online]. Available: https://www.
[92] S. Winter and J. Salowey, Update to the Extensible Authentication Proto- internet2.edu/products-services/trust-identity/comanage/
col (EAP) Applicability Statement for Application Bridging for Federated [122] Grouper. Accessed: Dec. 5, 2017. [Online]. Available: https://www.
Access Beyond Web (ABFAB), document RFC 7057, Internet Requests for internet2.edu/products-services/trust-identity/grouper/
Comments, RFC Editor, Dec. 2013. [123] Perun. Accessed: Mar. 2018. [Online]. Available: https://perun-aai.org/
[93] R. Marín-López, F. Pereñìguez, G. López, and A. Pérez-Méndez, ‘‘Pro- [124] Apache Syncope. Accessed: Feb. 28, 2018. [Online]. Available:
viding EAP-based Kerberos pre-authentication and advanced authoriza- https://syncope.apache.org/
tion for network federations,’’ Comput. Standards Interfaces, vol. 33, [125] Evolveum. midPoint: The Identity Governance and Administration
no. 5, pp. 494–504, 2011. [Online]. Available: http://www.sciencedirect. Tool. Accessed: Apr. 27, 2018. [Online]. Available: https://
com/science/article/pii/S092054891100016X evolveum.com/midpoint/
[94] R. L. Morgan, S. Cantor, S. Carmody, W. Hoehn, and K. Klingenstein, [126] T. Ferrill, ‘‘Okta identity management,’’ PC Mag., May 2017. [Online].
‘‘Federated security: The Shibboleth approach,’’ Educause Quart., Available: https://www.pcmag.com/article2/0,2817,2491438,00.asp
vol. 27, no. 4, pp. 12–17, 2004. [Online]. Available: https://www. [127] OKTA Multi-Factor Authentication. Accessed: Dec. 14, 2017. [Online].
learntechlib.org/p/103716 Available: https://www.okta.com/products/it/
[95] Shibboleth WiKi. Accessed: Mar. 2018. [Online]. Available: [128] OneLogin. OneLogin Web Access Management (WAM). Accessed:
https://wiki.shibboleth.net/confluence/display/SHIB2/Home Sep. 2017. [Online]. Available: https://www.onelogin.com/product/
[96] Unity. Accessed: Nov. 29, 2017. [Online]. Available: http://www. web-access-management
unity-idm.eu/ [129] Auth0. Accessed: Mar. 9, 2018. [Online]. Available: https://auth0.com/
[97] Aarc WiKi: Unity. Accessed: 2016. [Online]. Available: [130] RSA Link. RSA SecurID Access Overview. Accessed: Apr. 2018.
https://wiki.geant.org/display/AARC/UNITY [Online]. Available: https://community.rsa.com/docs/DOC-54266
[98] SimpleSAMLphp. Accessed: Nov. 29, 2017. [Online]. Available: [131] Microsoft. Azure Active Directory. Accessed: Jan. 6, 2018. [Online].
https://simplesamlphp.org/ Available: https://azure.microsoft.com/en-us/services/active-directory/
[99] P. Aubry, V. Mathieu, and J. Marchal, ‘‘Open-source single sign-on with [132] Salesforce. Salesforce Identity Management Solution. Accessed:
CAS (central authentication service),’’ Actes EUNIS, pp. 1318–1882, Jan. 5, 2018. [Online]. Available: https://www.salesforce.com/
2004. products/platform/products/identity/
[100] Central Authentication Service (CAS). Accessed: Dec. 2017. [Online]. [133] MD Network. Active Directory Federation Services.
Available: https://www.apereo.org/projects/cas Accessed: Jan. 6, 2018. [Online]. Available: https://msdn.microsoft.com/
[101] Apereo CAS—Enterprise Single Sign on for all Earthlings and Beyond. en-us/library/bb897402.aspx
Accessed: Jan. 8, 2018. [Online]. Available: https://apereo.github.io/cas/ [134] EduGAIN Overview. Accessed: Jan. 5, 2018. [Online]. Available:
[102] Forgerock Identity Platform. Access Management (Based on the Ope- https://www.geant.org/Services/Trust_identity_and_security/
nam Open Source Project). Accessed: Jan. 6, 2018. [Online]. Available: eduGAIN/Pages/About-eduGAIN.aspx
https://www.forgerock.com/platform/access-management/ [135] Kanatra Initiative. (2018). SAML V2.0 Interoperability Deployment
[103] mod_auth_Mellon Respository. Accessed: Feb. 2018. [Online]. Avail- Profile V1.0 (Draft). [Online]. Available: https://kantarainitiative.
able: https://github.com/UNINETT/mod_auth_mellon github.io/SAMLprofiles/saml2int.html
[104] Globus Web Site. Accessed: Nov. 29, 2017. [Online]. Available: [136] InCommon Identity Management Federation. Accessed: Jan. 5, 2018.
http://toolkit.globus.org/toolkit/ [Online]. Available: https://www.incommon.org/
[105] I. Foster, ‘‘Globus toolkit version 4: Software for service-oriented sys- [137] CLARIN Federated Identity. Accessed: Jan. 5, 2018. [Online]. Available:
tems,’’ in Network and Parallel Computing. Berlin, Germany: Springer, https://www.clarin.eu/content/federated-identity
2005, pp. 2–13, doi: 10.1007/11577188_2. [138] DARIAH Authentication Authorization Infrastructure. Accessed:
[106] J. Basney, M. Humphrey, and V. Welch, ‘‘The MyProxy online credential Jan. 5, 2018. [Online]. Available: https://wiki.de.dariah.eu/
repository,’’ Softw., Pract. Exper., vol. 35, no. 9, pp. 801–816, 2005. display/publicde/DARIAH+AAI+Documentation
[107] W. Allcock et al., ‘‘The Globus striped GridFTP framework and [139] ELIXIR Authentication and Authorisation Services. Accessed:
server,’’ in Proc. ACM/IEEE Conf. Supercomput. (SC), Nov. 2005, p. 54, Jan. 5, 2018. [Online]. Available: https://www.elixir-europe.org/news/
doi: 10.1109/SC.2005.72. developing-elixir-authentication-and-authorisation-services
[108] J. Bresnahan, M. Link, G. Khanna, Z. Imani, R. Kettimuthu, and I. Foster, [140] (2018). REFEDS. [Online]. Available: https://refeds.org/federations
‘‘Globus GridFTP: What’s new in 2007,’’ in Proc. 1st Int. Conf. Netw. [141] National Institute of Informatics. Academic Access Management Feder-
Grid Appl. (ICST), 2007, p. 19. ation in Japan (GakuNin). Accessed: Jan. 27, 2018. [Online]. Available:
[109] V. Welch et al., ‘‘Security for grid services,’’ in Proc. 12th IEEE Int. Symp. https://www.gakunin.jp/en-fed/
High Perform. Distrib. Comput., Jun. 2003, pp. 48–57. [142] Australian Access Federation (AAF). Accessed: Jan. 25, 2018. [Online].
[110] T. Barton et al., ‘‘Identity federation and attribute-based authorization Available: https://aaf.edu.au/
through the Globus toolkit, shibboleth, gridshib, and myproxy,’’ in Proc. [143] CANARIE Network Research Education Network. Canadian Access
5th Annu. PKI R&D Workshop, vol. 4, 2006, pp. 1–30. Federation (CAF). Accessed: Jan. 20, 2018. [Online]. Available:
[111] Moonshot. Accessed: 2016. [Online]. Available: https://www. https://www.canarie.ca/identity/caf/
jisc.ac.uk/rd/projects/moonshot [144] C. Perez. (2007). PAPI EE. Adapting PAPI to Shibboleth. [Online]. Avail-
[112] J. Howlett, S. Hartman, H. Tschofenig, and J. Schaad, Application Bridg- able: http://papi.rediris.es/rep/PAPIShib.pdf
ing for Federated Access Beyond Web (ABFAB) Architecture, document [145] L. Catuogno and C. Galdi, ‘‘Achieving interoperability between federated
RFC 7831, Internet Requests for Comments, RFC Editor, May 2016. identity management systems: A case of study,’’ J. High Speed Netw.,
[113] Moonshot WiKi. Accessed: Jan. 9, 2018. [Online]. Available: vol. 20, no. 4, pp. 209–221, 2014.
https://wiki.moonshot.ja.net/ [146] Rediris. (2011). ShibbolethFilter: An Implementation That Allows
[114] Virtual Organization Membership Service (VOMS). [Online]. Available: PAPI-Based Federations to Interact With Shibboleth-Based Resources.
http://italiangrid.github.io/voms/index.html [Online]. Available: http://papi.rediris.es/java/
[115] Aarc Wiki: VOMS. Accessed: Jun. 2017. [Online]. Available: [147] E. M. Torroglosa-García and A. F. Skarmeta-Gómez, ‘‘Towards inter-
https://wiki.geant.org/display/AARC/VOMS operabilty in identity federation systems,’’ J. Wireless Mobile Netw.,
[116] Local Credential Mapping Service (LCMAPS). Accessed: 2015. [Online]. Ubiquitous Comput., Dependable Appl., vol. 8, no. 2, pp. 1–25, 2017.
Available: https://www.nikhef.nl/grid/lcaslcmaps/lcmaps [148] S. Andraj and L. Hammerle. (2017). Identity Federation Archi-
[117] Argus Documentation. [Online]. Available: http://argus- tectures. [Online]. Available: https://wiki.geant.org/display/eduGAIN/
documentation.readthedocs.io Federation+Architectures