1 Identity Management: A Technical Perspective
Richard Cissée, DAI-Labor; Technische Universität Berlin
Richard.Cissee@DAI-Labor.de, www.DAI-Labor.de

2 Overview (Richard Cissée, 02.12.2003)
Main building blocks of Identity Management Systems:
- AAA components
  - Authentication: validating the identity of users
  - Authorization: granting access rights to users for specific services
  - Accounting: monitoring resource usage
- User Management components
  - Management of identities and personal information (Single Sign-On mechanisms)

3 Introduction: Multi-Agent System Technology
Software agents are characterized by:
- Autonomy/proactiveness: an agent acts (on behalf of a user, as part of a multi-agent system, etc.) by trying to reach given goals
- Ability to communicate with other agents, e.g. by offering and using services
- Mobility: agents may migrate between different host platforms, depending on their current tasks
- Intelligence: an agent encapsulates knowledge, such as personal information
Multi-Agent System Technology is especially suitable for distributed, heterogeneous, dynamic systems.

4 AAA: Authentication
Authentication methods are means to establish identity via:
- something the user is: biometrics
- something the user knows: passwords/PINs (*)
- something the user has: hardware tokens (e.g. smart cards) / software tokens (digital certificates) (*)
- or combinations thereof
In the token case, authentication is possible without identification: the verifier checks possession of the token without having to learn who holds it.
Some methods (*) are usable by agents, others by human users only.

5 Authentication in Agent-Based IM Systems
- Each user is represented by a user agent
- Authentication as a two-step procedure:
  - Human user to user agent via conventional methods (optional)
  - User agent to target application/service (mainly via certificates)
- Potential risks of malicious agents compromising the security of the system have to be addressed
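The two-step procedure of slides 4 and 5, written out as an added example (this is not code from the presentation or from DAI-Labor): the human unlocks the user agent with a password (something the user knows), and the unlocked agent then answers a service's one-time challenge with a key registered for it (something the agent has). The certificate step is simplified to an HMAC challenge-response over a pre-registered symmetric key, which is an assumption of this example, as are the agent id "agent-42", the PBKDF2 work factor and all credentials.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def enroll_password(password):
    """Step 1 enrolment: the agent stores a salt and a PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Step 1 check: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Service:
    """Target service: holds each registered agent's key and issues one-time challenges."""

    def __init__(self):
        self.agent_keys = {}      # agent id -> registered key (assumed stand-in for a certificate)
        self.outstanding = set()  # nonces issued but not yet redeemed

    def register(self, agent_id, key):
        self.agent_keys[agent_id] = key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, agent_id, nonce, response):
        # Unknown agent or unknown/replayed nonce: reject before touching any key.
        if agent_id not in self.agent_keys or nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # single use, even if the response turns out wrong
        expected = hmac.new(self.agent_keys[agent_id], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class UserAgent:
    """User agent: unlocked by the human's password, then answers challenges with its key."""

    def __init__(self, agent_id, key, salt, pw_digest):
        self.agent_id, self.key = agent_id, key
        self.salt, self.pw_digest = salt, pw_digest
        self.unlocked = False

    def login(self, password):
        self.unlocked = verify_password(password, self.salt, self.pw_digest)
        return self.unlocked

    def respond(self, nonce):
        if not self.unlocked:
            raise PermissionError("human-to-agent step not completed")
        return hmac.new(self.key, nonce, "sha256").digest()


def run_flow(password_entered, enrolled_password="correct horse battery"):
    """Drive both steps; returns (human_ok, service_ok, replay_accepted)."""
    salt, digest = enroll_password(enrolled_password)
    key = secrets.token_bytes(32)  # constructed agent key for this run
    agent = UserAgent("agent-42", key, salt, digest)
    service = Service()
    service.register("agent-42", key)

    human_ok = agent.login(password_entered)
    if not human_ok:
        return False, False, False
    nonce = service.challenge()
    response = agent.respond(nonce)
    service_ok = service.verify("agent-42", nonce, response)
    replay_accepted = service.verify("agent-42", nonce, response)  # same nonce presented again
    return human_ok, service_ok, replay_accepted


if __name__ == "__main__":
    print(run_flow("correct horse battery"))  # (True, True, False)
    print(run_flow("wrong password"))         # (False, False, False)
```

The nonce is discarded before the response is checked, so a captured response can never be replayed, and the agent refuses to answer a challenge until the human step has succeeded, which is what stops a stolen but locked agent from acting on the user's behalf.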

6 AAA: Authorization
- Access Control Lists authorize users to access specific services
  - large number of relationships
  - updating information is error-prone (e.g. removing users)
- Role-Based Access Control mechanisms authorize user roles to access specific services
  - each user identity is assigned one or several roles
  - roles are granted privileges
  - separation of duties: a user may not participate via more than one role in a transaction
  - reduced number of relationships
  - improved accuracy of access control information
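The ACL versus RBAC comparison above, as an added example that is not part of the presentation: offboarding a user under ACLs means editing every service's list, under RBAC it means deleting one assignment; and the separation-of-duties rule is enforced dynamically, so a user who legitimately holds two roles still cannot act in both within one transaction. The services, roles and users (clerk, manager, alice, bob, submit_order, approve_order, view_reports) are constructed for this example.

```python
class AclAuthorizer:
    """Access control lists: one (user, service) entry per granted access."""

    def __init__(self):
        self.acl = {}  # service -> set of user ids

    def grant(self, service, user):
        self.acl.setdefault(service, set()).add(user)

    def allowed(self, user, service):
        return user in self.acl.get(service, set())

    def offboard(self, user):
        """Removing a user means editing every service's list; returns how many were touched.
        Any list that is missed leaves stale access behind."""
        touched = 0
        for users in self.acl.values():
            if user in users:
                users.discard(user)
                touched += 1
        return touched


class RbacAuthorizer:
    """Role-based access control: users hold roles, roles hold privileges."""

    def __init__(self):
        self.role_privs = {}  # role -> set of services the role may use
        self.user_roles = {}  # user -> set of roles

    def define_role(self, role, *services):
        self.role_privs[role] = set(services)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, service):
        return any(service in self.role_privs[r] for r in self.user_roles.get(user, ()))

    def offboard(self, user):
        """One assignment record to delete, however many services exist."""
        return 1 if self.user_roles.pop(user, None) is not None else 0


class Transaction:
    """Dynamic separation of duties: within one transaction a user may act in one role only."""

    def __init__(self, rbac):
        self.rbac = rbac
        self.acted_as = {}  # user -> role used so far in this transaction

    def act(self, user, role, service):
        if role not in self.rbac.user_roles.get(user, ()):
            return False  # role not held
        if service not in self.rbac.role_privs.get(role, ()):
            return False  # role lacks the privilege
        prior = self.acted_as.get(user)
        if prior is not None and prior != role:
            return False  # same person trying to switch roles mid-transaction
        self.acted_as[user] = role
        return True


def purchase_order_demo():
    """Constructed scenario: clerks submit orders, managers approve them."""
    services = ["submit_order", "approve_order", "view_reports"]

    acl = AclAuthorizer()
    for s in services:
        acl.grant(s, "alice")
    acl.grant("approve_order", "bob")

    rbac = RbacAuthorizer()
    rbac.define_role("clerk", "submit_order", "view_reports")
    rbac.define_role("manager", "approve_order", "view_reports")
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "manager")  # alice legitimately holds both roles
    rbac.assign("bob", "manager")

    tx = Transaction(rbac)
    return {
        "alice_submits_as_clerk": tx.act("alice", "clerk", "submit_order"),
        "alice_views_as_clerk": tx.act("alice", "clerk", "view_reports"),
        "alice_approves_as_manager": tx.act("alice", "manager", "approve_order"),  # blocked by SoD
        "bob_approves_as_manager": tx.act("bob", "manager", "approve_order"),
        "rbac_allows_alice_approve": rbac.allowed("alice", "approve_order"),  # statically yes
        "acl_lists_touched_on_offboard": acl.offboard("alice"),
        "rbac_records_touched_on_offboard": rbac.offboard("alice"),
        "alice_after_offboard": acl.allowed("alice", "submit_order") or rbac.allowed("alice", "submit_order"),
    }
```

Note the difference between the static question (does alice hold a role that may approve?) and the transactional one (may alice approve this order after submitting it?): the first is true, the second is refused, which is exactly the separation-of-duties point the slide makes.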

7 Authorization in Agent-Based IM Systems
- Role-Based Access Control is suitable because of the underlying role concept in multi-agent systems
- User agents are assigned roles by adding components/knowledge to the agent, or by updating the agent role assignment information
- Agents may negotiate role assignments
- In the case of trusted agents, authorization without management of assignment information is feasible

8 AAA: Accounting
- Mechanisms for monitoring the usage of specific resources, sub-services, etc.
- Accounting information is required
  - to determine whether Authentication/Authorization information has to be modified
  - to update additional user information (personalization)
  - to support session management (especially in the context of mobile services)
- Further purposes (billing, system configuration) are outside the main focus of Identity Management

9 Management of Identities and Personal Information
- Main goal: interoperability of identity management information
  - synchronization of distributed information
  - benefit for users: simplified sign-on to different services/applications
- Emerging XML standards, e.g. Security Assertion Markup Language (SAML) for Authentication and Authorization
- Different approaches: centralized, federated and agent-based management of identity information

10 Centralized Single Sign-On (1/2)

11 Centralized Single Sign-On (2/2)
- Central authentication server (example: Passport)
- User signs on to the authentication server and, if successful, is automatically signed on to further participating services/applications
- Problems:
  - Trust: the user has to trust the authentication server
  - Security: the authentication server is a single point of failure and a central point of attack
  - Privacy: personal information is collected in addition to authentication information

12 Federated Simplified Sign-On (1/2)

13 Federated Simplified Sign-On (2/2)
- Example: Liberty Alliance specification
- User signs on to different services/applications and may opt in to federate the respective accounts. With each sign-on the user is seamlessly signed on to further services/applications within a group of participants ('Circle of Trust')
- Problems:
  - Trust
  - Privacy: personal information is collected in addition to authentication information

14 Agent-Based Single Sign-On (1/2)

15 Agent-Based Single Sign-On (2/2)
- User logs in to a personal user agent
- The user agent manages the account information required for different services/applications as well as additional personal information
- The user agent resides on a platform controlled by the user (online, on a mobile device, or on special hardware)
- No central authentication server and no exchange of information between participating services/applications required
- Increased privacy, security and trust
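The centralized and federated sign-on slides (11 and 13) differ in what the participating services learn about the user, and the security problem of the central server is the key it signs with. The following added example (not code from the presentation, and not the Passport or Liberty Alliance wire formats) models both with one identity provider that issues signed assertions: in centralized mode every service receives the same global username, in federated mode each service receives a stable pairwise pseudonym it cannot match against another service's pseudonym for the same user. The token layout (base64url JSON body plus hex HMAC-SHA256), the service names "shop" and "mail", the user "alice" and her credential are all assumptions of this example.

```python
import base64
import hmac
import json
import secrets
import time


def make_token(payload, key):
    """Signed assertion: base64url(JSON payload) + "." + hex(HMAC-SHA256 over that body)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), "sha256").hexdigest()
    return body + "." + sig


class IdentityProvider:
    """Central authentication server (centralized) or identity provider (federated)."""

    def __init__(self, mode):
        if mode not in ("centralized", "federated"):
            raise ValueError(mode)
        self.mode = mode
        self.sign_key = secrets.token_bytes(32)       # trusted by every participating service
        self.pseudonym_key = secrets.token_bytes(32)  # never leaves the provider
        self.credentials = {}  # username -> password; kept in clear only to keep the example short

    def subject_for(self, user, service):
        if self.mode == "centralized":
            return user  # one global identifier: every service sees the same name
        # Federated: a stable pairwise pseudonym per (user, service). Other services
        # cannot derive it or match it against their own pseudonym for the same user.
        mac = hmac.new(self.pseudonym_key, (user + "|" + service).encode(), "sha256")
        return mac.hexdigest()[:16]

    def sign_on(self, user, password, service):
        stored = self.credentials.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        payload = {"sub": self.subject_for(user, service), "aud": service, "exp": time.time() + 300}
        return make_token(payload, self.sign_key)


class ServiceProvider:
    """A participating service: verifies the provider's signature, audience and expiry."""

    def __init__(self, name, provider_key):
        self.name = name
        self.provider_key = provider_key

    def accept(self, token):
        body, _, sig = token.partition(".")
        expected = hmac.new(self.provider_key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # not signed by the provider
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload.get("aud") != self.name or payload.get("exp", 0) < time.time():
            return None  # meant for another service, or expired
        return payload["sub"]


def run(mode):
    """Sign alice on to two services and report what each of them learns."""
    idp = IdentityProvider(mode)
    idp.credentials["alice"] = "s3cret"  # constructed credential
    shop = ServiceProvider("shop", idp.sign_key)
    mail = ServiceProvider("mail", idp.sign_key)

    tok_shop = idp.sign_on("alice", "s3cret", "shop")
    tok_mail = idp.sign_on("alice", "s3cret", "mail")
    sub_shop = shop.accept(tok_shop)
    sub_mail = mail.accept(tok_mail)
    sub_shop_again = shop.accept(idp.sign_on("alice", "s3cret", "shop"))

    # Single point of attack: whoever holds the provider's signing key can mint an
    # assertion for any user that every participating service will accept.
    forged = make_token({"sub": "alice", "aud": "mail", "exp": time.time() + 300}, idp.sign_key)

    return {
        "bad_password_rejected": idp.sign_on("alice", "wrong", "shop") is None,
        "same_service_stable": sub_shop == sub_shop_again,
        "services_can_link_user": sub_shop == sub_mail,
        "token_for_shop_rejected_at_mail": mail.accept(tok_shop) is None,
        "forged_with_leaked_key_accepted": mail.accept(forged) is not None,
    }


if __name__ == "__main__":
    print("centralized:", run("centralized"))
    print("federated:  ", run("federated"))
```

The audience check is what keeps a token captured at one service from being replayed at another in either mode; the pseudonym is what keeps the two services from correlating their records unless the user federates the accounts. The forged-token entry is the same in both modes, which is the single-point-of-attack argument against any design in which one signing key is trusted everywhere; the agent-based design of slide 15 removes that shared key by keeping each service's credentials with the user.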

16 Conclusion
- Multi-Agent System Technology as a possible solution for different aspects of Identity Management Systems
- Open issues:
  - Integration of existing and agent-based approaches
  - Consequences of introducing agents as additional entities, with their own identities?

