Identity Federations: A New Perspective for Bangladesh

Md. Sadek Ferdous, School of Computing Science, University of Glasgow, Glasgow, Scotland. E-mail: m.ferdous.1@research.gla.ac.uk
Mohammad Jabed Morshed Chowdhury, Chief Technical Officer, Centre For Technology Development, Dhaka, Bangladesh. E-mail: jabedmorshed@gmail.com
Md. Moniruzzaman, Department of Computer Science, University of Calgary, Canada. E-mail: mmoniruz@ucalgary.ca
Farida Chowdhury, Department of Computing Science and Mathematics, University of Stirling, Scotland. E-mail: fch@cs.stir.ac.uk
Abstract. With a view to provide more effective, enhanced and accessible services to their citizens, Governments around the globe have started different web services under the initiative of e-Government. Many such services extensively utilise the Federated Identity framework due to its huge number of benefits. This paper analyses how different e-initiatives in Bangladesh can take advantage of this technology by illustrating use-cases in two different domains. As the online service and the e-Governance paradigm in Bangladesh are relatively new and evolving rapidly, we believe that this is the high time to consider the benefits this technology can bring for the Government as well as the citizen.
Keywords: Identity federation, authentication, security
I. INTRODUCTION
Currently there are literally thousands of websites around the world providing a plethora of different services via the Internet. Originally, the protocols for digital communication were mainly designed to exchange information efficiently and reliably; the web and web-based services were not foreseen in their current form. At that budding stage, the identities of communicating parties could be assumed, and there was no need to verify them formally. This led to the omission of an Identity Layer which could be used for formal verification of identity [1]. As the web and web-based services started to evolve, verification of identity became a crucial part, as Service Providers (SP, in short; the administrative body that offers and provides a service) need to identify users in order to provide correct services, and only to authorised users. To adjust to the situation, the process of authentication was subsequently added to verify the correctness of claimed identities. The authentication process requires users to register to generate or retrieve the required identities, which are usually accompanied by a security token known as the credential. As the number of web services as well as the user base expanded rapidly, more and more identities and credentials were issued, and soon their management became challenging, both for service providers and for users. Identity Management (IdM, in short) was introduced by the industry to facilitate online management of user identities, which resulted in various different identity management systems.
Initially, these systems were not interoperable, meaning that identity authentication performed in one system was not recognised by others. However, as the landscape for the web and web-based services started to change, novel business scenarios (e.g. B2B or Business to Business) started to emerge which required collaboration between business partners. To facilitate such collaboration, a novel form of Identity Management, called Identity Federation (also known as Federated Identities or Federation of Identities), was introduced which enabled organisations to provide services across their own borders by transferring authenticated identities among their trusted partners and collaborators. This paper aims to bring this exciting technology to the attention of the different stakeholders involved in providing web-enabled services in Bangladesh by first providing a soft introduction to the technology and then illustrating how it can be fitted into the web-service landscape in Bangladesh.
With that said, the rest of the paper is organised as follows. Section 2 outlines the background concepts related to Identity Management and Identity Federation along with its many advantages. Section 3 then discusses a few use-cases in two different domains, the Government and Higher Educational Institutes, to highlight the prospects of Identity Federation in Bangladesh. We discuss the security and privacy issues in federated services in Section 4, describe a few related works in Section 5, outline a few technical challenges of implementing this technology in Bangladesh in Section 6 and conclude in Section 7.
II. PRELIMINARIES
Identity Management: Formally, Identity Management consists of technologies and policies for representing and recognising entities using digital identifiers within a specific context [2], [3]. Microsoft’s .NET Passport [4], Liberty Alliance’s Architecture [5], Shibboleth [6], OpenID [7], Microsoft’s CardSpace [8], Eclipse’s Higgins [9], SourceID [10], DotGNU Virtual Identities [11], etc. are examples of different Identity Management systems.
Service Provider: A service provider (SP, in short) usually provides services to clients or to other service providers. Examples include mobile phone operators, different web service providers, etc. [12]. In its simplest form, a service provider may also include an identity provider (see below).
In proceedings of the International Conference on Informatics, Electronics & Vision (ICIEV), 2012
Identity Provider: An identity provider (IdP, in short) provides digital identities to entities to enable them to receive services from a service provider. In its general form, it includes a credential provider.
Client/User: A client/user receives services from a service provider. To receive the service, the client usually needs to supply a digital identifier and a related credential to be authenticated as a valid user of that service.
Identity Domain: An identity domain is the virtual boundary, context or environment in which a digital identifier is valid, that is, in which it can be used to uniquely identify an entity.
Single Sign On (SSO): Single Sign On is the capability that allows users to log in to one system and then access other related but autonomous systems without further log-ins. A good example is the Google Single Sign On service, which allows users to log in to a Google service, e.g., Gmail, and then access other Google services such as Calendar, Documents, YouTube, Blogs and so on.
Identity Federation: A federation with respect to Identity Management is a business model in which a group of two or more trusted partners legally bind themselves with a business and technical contract. It allows a user to access restricted resources seamlessly and securely from other partners. The system that manages Identity Federation is commonly known as a Federated Identity Management (FIM) System. Using a FIM System, users can authenticate themselves in one identity domain and receive personalised services across multiple domains without any further authentication [13]. A federation can be formed within a single identity domain that consists of only one IdP and more than one SP, with each SP being a separate autonomous organisation. It can also be formed among several identity domains where each domain may consist of several IdPs and SPs. The issue of trust is a fundamental concept in FIM, as different autonomous bodies need to trust each other inside the federation and thus form the so-called Circle of Trust (CoT).
FIM offers a good number of benefits to both organisations and their users [13], [14]. It provides the advantage of separation of duties between the SP and IdP, scalability for SPs, revenue generation for the IdP through its authentication services to the SPs, a standards-based approach with improved security and privacy, and easy integration of new stakeholders by expanding the circle of trust. For users, it offers SSO with security and privacy, alleviating the need to remember many user-ids and passwords for accessing different services.
III. BANGLADESH PERSPECTIVES
Bangladesh is still in its infancy in providing web-based services to its citizens in comparison to the developed countries. The diversity and the huge range of web-based services one experiences in the developed countries are just not present yet. This is also reflected in many web traffic reports. According to these reports, the top visited websites in Bangladesh include the online versions of the popular daily newspapers, several Bengali blogging websites, Bengali magazines, Bangladeshi job portals, etc. [15], [16]. The Bangladeshi Government, under the e-Government initiative, is committed to establishing a solid e-infrastructure throughout the country so that its citizens can get necessary services through websites from their homes. Currently, the focal point of such services is the National Web Portal of Bangladesh [17], which lists a wide range of e-initiatives from the Government of Bangladesh. Unfortunately, none of them are among the top visited websites according to the web traffic reports [15], [16]. The reason could be that those services are still not mature enough to attract people’s attention and therefore they do not feel the necessity to visit them. There is no doubt that more people will use these services if their range and quality increase. The same can be said regarding the quality of the web services found in the higher educational institutes in Bangladesh. There are currently 30 public universities, 54 private universities, two international and two special universities functional as of July 2011 [18].
Many of these websites are below average in terms of quality and hardly provide any useful services other than some basic information or an email facility for faculty members and, very rarely, for students. However, they are evolving fast and most of them may reach a reasonable standard very soon. As both the e-Government initiatives and the web services in the Higher Education sector are evolving, we would like to take the opportunity to investigate how identity federation can be used to improve the underlying infrastructure as well as to offer better services. We outline the advantages in the following case studies.
A. Case Study 1: e-Governance in Bangladesh
In today’s world, Governments and business organisations around the world heavily use the Internet to increase their efficiency. In such online environments, it is essential to share sensitive personal and business information securely among different government offices as well as with citizens and different business partners. An FIM infrastructure can be the ideal choice to share such information securely across organisational boundaries, which would reduce administrative and infrastructure cost while increasing efficiency with enhanced security. In the following, we explain how the Bangladeshi government can use Federated IdM to get these advantages [13].
Government to citizen: Central to any IdM system is the identity that determines who a person is online, and a Government is the first authority to create an official identity for a citizen in the form of a birth certificate. Then the government keeps providing different identity documents such as the National ID card, Passport, Driving License, Tax Identification Number, Marriage certificate, Death certificate, and so on. All these ID documents are provided by different governmental organisations. Traditional non-federated e-services would require a citizen to visit different websites to receive the respective services and to manage different credentials, which would soon become a problem for a citizen. Moreover, many such services would warrant enhanced security and privacy. As mentioned earlier, the Govt. of Bangladesh has undertaken many e-initiatives to provide better services to its citizens as well as to reduce the difficulties many people face in availing these services in the current setting. Unfortunately, the need for security and privacy in these initiatives is simply overlooked in many cases. One of the prime examples is the result publishing website of the Intermediate and Secondary Education Boards, Bangladesh (http://www.educationboardresults.gov.bd/), which is actively used to publish the results of different public examinations such as JSC, SSC, HSC, Alim, Dakhil, etc. This is an excellent service that allows students to receive their exam results as soon as they are published, which significantly reduces the complexities and troubles one previously had to go through to collect his/her results. However, the main focus of this website is just to publish the result, ignoring the need for security and privacy. To illustrate the devastating and negative impacts such shortcomings could have, let us consider the following two scenarios:
i) The service interface is very simple: anyone can view the result of anyone else by entering the correct Roll number and selecting other appropriate parameters such as the name, Year and Board of the exam. This information is submitted to the server which, presumably, queries the database using the submitted parameters and, upon finding the required information, sends the result, which is then displayed in the browser. However, the website and the service do not use any transport layer security such as SSL (Secure Socket Layer) or TLS (Transport Layer Security) and thus fail to satisfy two (Confidentiality and Integrity) out of the three (Availability being the third) key components of Information Security [19]. Lack of Confidentiality will allow any attacker to look at the information while it is en route from the server to the client, and lack of Integrity will allow any attacker to alter the contents while they are en route such that a falsified result may appear in the client browser, e.g. the result of a student will show Pass where he/she has actually failed, and vice versa. Such an attack cannot, however, change any result stored in the database, and submitting the query from another network will show the correct result. Nevertheless, such a scenario could be particularly dangerous as well as intimidating considering the impact it can have on the victim. We analyse these issues in detail in Section 4.
ii) Another issue is privacy. The service being very open will allow anyone to view anyone else’s result. After submitting a random value as a Roll number, we have been able to retrieve someone’s results fairly easily. The result also includes information such as Date of Birth and Exam Result, which is quite private in nature yet open to the public. This sort of information should only be accessible to authorised personnel. This clearly can invade someone’s privacy, even if he or she may not be aware of the situation. We analyse the privacy issues in detail in Section 4.
Such security and privacy shortcomings can largely be taken care of, and other complexities reduced significantly, using a federated approach. This is outlined in the following use-cases.
i) Assume that the Government of Bangladesh has established Federated Identity services for its citizens, linking different governmental services together. The focal point of such services is the National Personal Portal of a citizen. The infrastructure could be based on SAML (Security Assertion Markup Language, a protocol to enable Identity Federation) using SAML-compliant IdP and SP implementations such as Shibboleth, SimpleSAMLphp, ZXID, OpenSSO, Lasso, etc. [20]. Because of its PHP interface, let us assume that the SPs are using SimpleSAMLphp to provide SAML-enabled services. Use-cases based on other SAML implementations can easily be accommodated into our use-cases without any change, or with very few changes, in the following steps.
ii) Mr. Rahim is a citizen of Bangladesh. He has been provided with a National ID card. For the sake of this example, we assume the ID no. on the card acts as the user-id for any citizen. Also for brevity, we assume a password based credential; however, it can be anything such as a smart card, hardware token, digital certificate, etc. for enhanced security. He needs to avail some governmental services and so he visits the National Personal Portal.
iii) Before he can access any service, he needs to authenticate himself. The SAML interface of the portal checks if there is a security context signifying that Mr. Rahim is already authenticated. Assuming not, the portal redirects the user to the SSO service of the central Identity Provider.
iv) The SSO service checks if there is any security context meaning the user is already authenticated. Assuming no previous authentication, it displays the authentication page to the user.
v) Mr. Rahim types in his ID no. and the related password and hits the enter key. Being part of the SAML federation, all communications are secured with industry standard security such as Web PKI using the HTTPS protocol, which ensures the submitted user-id and credential will not be transferred in plain text.
vi) The SSO service at the IdP validates the authentication and, if successful, redirects him to the assertion consumer service at the National Portal with a security context embedded inside the SAML assertion.
vii) The National Portal displays the Homepage to Mr. Rahim.
viii) Mr. Rahim has moved house since the last time he visited the portal. Therefore, he wants to change his registered address. He chooses the National Population Registry link. Being a different service provider, he is forwarded to the Registry service.
ix) The scenario of step iii takes place.
x) The SSO service at the IdP finds that the user is already authenticated, so there is no need for authentication, and it redirects the user to the assertion consumer service at the Registry service with a security context embedded inside the SAML assertion.
xi) Upon receiving a successful security context, the Registry service displays the page where he can change his address and save it.
xii) Upon completing the task, he is redirected back to the National Portal. Now he wants to file his annual income tax return and so chooses the tax return link.
xiii) This takes him to the National Revenue service and the previously mentioned flows take place.
xiv) Finishing all his tasks, Mr. Rahim logs out from the National Portal. He is very pleased with the federated services as he does not need to visit different websites and log in several times with different credentials. It has made his life simple.
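The flow in steps iii to xiv, as an added example that is not from the paper or from any of the SAML implementations it names: a stdlib-only Python model of one central IdP and three SPs (the National Portal, the Population Registry and the Revenue service) in which the browser redirects are plain method calls. The XML signature on a real SAML assertion is stood in for by an HMAC over the assertion fields, and the entity IDs, signing key and citizen record are constructed.

```python
import hashlib, hmac, json, secrets, time
from dataclasses import dataclass, field, replace

@dataclass
class Assertion:            # the fields of a SAML assertion that the SP must validate
    issuer: str             # IdP entity ID
    subject: str            # NameID; here the citizen's National ID number
    audience: str           # entity ID of the SP this assertion is restricted to
    in_response_to: str     # ID of the AuthnRequest it answers
    not_on_or_after: float  # expiry as Unix time
    signature: str = ""

    def payload(self):      # canonical bytes covered by the signature
        return json.dumps([self.issuer, self.subject, self.audience, self.in_response_to, self.not_on_or_after]).encode()

@dataclass
class Browser:              # cookie jar: one IdP session cookie plus one per SP
    idp_cookie: str = ""
    sp_cookies: dict = field(default_factory=dict)

class IdentityProvider:
    def __init__(self, entity_id, users, signing_key):
        self.entity_id = entity_id
        self.users = users        # user-id -> password (constructed; a real IdP stores hashes)
        self.key = signing_key    # stands in for the IdP's XML-DSig signing key
        self.sessions = {}        # IdP cookie -> authenticated subject

    def sso(self, browser, sp_entity_id, request_id, login=None):
        """Steps iv-vi: reuse the IdP session or authenticate, then issue a signed assertion."""
        subject = self.sessions.get(browser.idp_cookie)
        if subject is None:
            if login is None:
                return None       # a real IdP renders the login page here
            user_id, password = login
            if not hmac.compare_digest(self.users.get(user_id, ""), password):
                return None
            subject = user_id
            browser.idp_cookie = secrets.token_hex(16)
            self.sessions[browser.idp_cookie] = subject
        a = Assertion(self.entity_id, subject, sp_entity_id, request_id, time.time() + 300)
        a.signature = hmac.new(self.key, a.payload(), hashlib.sha256).hexdigest()
        return a

class ServiceProvider:
    def __init__(self, entity_id, idp, idp_key):
        self.entity_id, self.idp = entity_id, idp
        self.idp_key = idp_key    # a real SP uses the IdP certificate from federation metadata
        self.sessions = {}        # SP cookie -> subject: the SP's "security context"
        self.pending = set()      # AuthnRequest IDs issued but not yet answered

    def access(self, browser, login=None):
        """Step iii: return the subject of an existing security context, or start SSO."""
        subject = self.sessions.get(browser.sp_cookies.get(self.entity_id))
        if subject is not None:
            return subject
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        assertion = self.idp.sso(browser, self.entity_id, request_id, login)
        return None if assertion is None else self.consume(browser, assertion)

    def consume(self, browser, a):
        """Assertion consumer service: every check must pass before a session exists."""
        expected = hmac.new(self.idp_key, a.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.signature):
            return None           # forged or altered in transit
        if a.issuer != self.idp.entity_id or a.audience != self.entity_id:
            return None           # issued by someone else or for another SP
        if a.in_response_to not in self.pending or time.time() >= a.not_on_or_after:
            return None           # unsolicited, replayed or expired
        self.pending.discard(a.in_response_to)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = a.subject
        browser.sp_cookies[self.entity_id] = cookie
        return a.subject

CITIZEN = ("1987123456789", "correct horse battery")    # constructed sample credential

def build_federation():
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider("https://idp.example.gov.bd", {CITIZEN[0]: CITIZEN[1]}, key)
    return idp, {n: ServiceProvider(f"https://{n}.example.gov.bd", idp, key)
                 for n in ("portal", "registry", "revenue")}

def walkthrough():
    """Mr. Rahim logs in once at the portal; registry and revenue reuse the IdP session."""
    idp, sps = build_federation()
    rahim = Browser()
    first = sps["portal"].access(rahim)                  # no session anywhere: login page
    portal = sps["portal"].access(rahim, login=CITIZEN)  # steps v-vii
    registry = sps["registry"].access(rahim)             # steps viii-xi: no password asked
    revenue = sps["revenue"].access(rahim)               # steps xii-xiii
    return first, portal, registry, revenue, len(idp.sessions)

def rejected_assertions():
    """A registry assertion presented to the revenue SP, and one with an altered subject."""
    idp, sps = build_federation()
    b = Browser()
    a = idp.sso(b, sps["registry"].entity_id, "req-1", login=CITIZEN)
    altered = replace(a, subject="0000000000000")        # signature no longer matches
    return sps["revenue"].consume(b, a) is None and sps["registry"].consume(b, altered) is None
```

`walkthrough()` returns None for the first, unauthenticated portal visit and the same subject for the three SPs while the IdP holds a single session; `rejected_assertions()` shows the audience and signature checks refusing misdirected and modified assertions.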
Intra-Government use-case: The previous use-case can be used to exemplify an Intra-Government use-case. Different vital information sometimes needs to be shared across several organisational boundaries inside the Government, for example among different ministries. As before, traditional identity systems would require one to have accounts at different organisations to access resources located in different autonomous organisations. Following the scenarios from the previous use-case, a federated approach would be simple and easy to use yet secure and well organised. We do not provide a separate use-case for these scenarios in order to keep the length of the paper reasonable.
Government to business: Likewise, the Government has to offer different services to business organisations, and they in return need to provide different information at different times. Company registration, licence maintenance, VAT declarations: all these services require a business enterprise to contact different Government organisations. Like before, a federated approach could be ideal for such scenarios and we omit the use-cases for these scenarios to shorten the length of the paper.
B. Case Study 2: Higher Educational Institutes in Bangladesh
e-Services in the Higher Education sector are extremely important. They allow users (students, teachers, researchers and administrative authorities) to access the respective services from anywhere via the Internet. For students, an example of such services could be the respective Student Management System that allows them to update and maintain their student data as well as access the library to order new resources and renew borrowed ones. For teachers, such a service could allow them to administer course-related data, and similar examples could be given for other stakeholders. Administratively, such institutions consist of different departments, each being autonomous yet collaborative in different contexts. As mentioned earlier, Identity Federation offers a lot of advantages in such scenarios. Not to mention, much of the information passing between these bodies is highly sensitive, thereby requiring a system with enhanced security. We present two use-cases to illustrate the advantages in Intra-University and Inter-University settings.
Intra-University:
i) Rahim is a student of the ABC University, which has enabled federated services among its different administrative and academic organisations.
ii) Rahim wants to accomplish a few tasks from his home. The focal point of the services offered to the students is the Student Portal System. Rahim visits the Student Portal System.
iii) Like before, the Student Portal System checks if he already has a session. If yes, it skips steps iv and v.
iv) Rahim is redirected to the central University IdP where he has to authenticate himself.
v) Upon successful authentication, he is again redirected to the portal with his identity information.
vi) Having authenticated himself, he lands on the homepage of the portal.
vii) There are links for different services and he, at first, wishes to check his email and so clicks the link for email.
viii) He is forwarded to the email service which redirects him to the IdP again (assuming there is no previous session with the email service).
ix) The IdP finds that the user is already authenticated and so redirects him again to the email service with the identity information.
x) He can now read, send or do whatever is related to the email service.
xi) Once he completes using the email service, he wants to visit the library service to renew his book loan.
xii) He clicks the library link and the usual flows take place.
xiii) After completing the task at the library website, Rahim wants to order his transcripts and so he clicks the Transcript link that takes him to the Examination Control Office, which is responsible for providing this service, and again the usual flows take place.
xiv) Once he is done, he logs out.
A federated approach has saved time and hassle for him by allowing him to avail different services by logging in just once. In a traditional setting, he would have to log in at least four different places.
Inter-University: Collaboration among different universities is a key feature of western universities. During collaborations, researchers need to share different resources among themselves securely. Federations can be used to securely share such resources across the universities, allowing researchers from one university to access resources located at another university using the credential of the first university. Not only for a joint research programme, federations can be used by any related individual of a university to access resources at other universities with minimum effort.
IV. SECURITY & PRIVACY ISSUES
Major concerns in federated services are the different security and privacy issues. Security requirements refer to the mechanisms that are utilised to establish and retain the security of the user during the lifetime of the relationship between a user and the corresponding SP. Privacy requirements refer to the conditions that an organisation must follow to protect and preserve confidential user data from unauthorised access. In traditional web-based services where each SP has its own identity and security domain, the security requirements for that respective service are regulated by that SP. For example, the SP alone determines whether it needs a specific security infrastructure (e.g. Web PKI) for its services. Similarly, privacy is of little concern in such settings as the privacy requirements are governed solely by that respective organisation and any breach of user privacy is more likely to be confined within it. However, when different identity and security domains are involved and user data are to cross those domains, it is very important to establish a common yet strong security and privacy model across all domains to ensure that a relatively weaker model in any one domain cannot undermine the security and privacy in the other domains. Generally, federated systems are based on a relatively strong security model. Unfortunately, the privacy model is relatively weak and tends to vary from one service to another, as different services have different privacy requirements. In this section we analyse different security and privacy issues in SAML-based federated systems.
A. Security Requirements
The core requirements that guarantee the security of any transmitted user data in an information system are Confidentiality, Integrity, Authenticity, Non-repudiation and Availability [19]. Confidentiality ensures that the user data is disclosed only to the intended and authorised party. Integrity guards against malicious and intentional modification of the user data during transmission. Authenticity ensures that the parties involved in a transaction can prove they are who they claim to be and that the data was generated by the original source. Non-repudiation guarantees that once a party commits to a transaction, it cannot later deny it. SAML utilises PKI with the SSL/TLS protocol and digital certificates to ensure Confidentiality, Integrity, Authenticity and Non-repudiation, where each assertion in SAML is encrypted and digitally signed to meet these requirements. To enable this, each service provider has to deploy Web PKI using digital certificates to be a part of the SAML federation. The fifth security requirement, Availability, is to ensure that an entity can provide services when required. However, ensuring the service availability of each entity (SP and IdP) in the federation is a business decision regulated by each organisation. That is why there is no concrete requirement specified in SAML to ensure such a level of availability. There are many methods to ensure availability based on reliability theory and each organisation has to choose its own to reflect its business policy.
B. Privacy Requirements
Privacy is a complex issue that changes over time and tends to vary considerably from one country to another. However, the core requirements here are to consider the usage of Anonymous/Pseudonymous Identifiers during a transaction and to control identity linkability across different organisations. In federated settings, users provide their identifiers to the IdP and the IdP generates/releases an anonymous (or a pseudonymous) identifier inside the assertion for the SP. The ideal way to preserve user privacy is to deploy a per-site pseudonymous identifier so that the IdP generates a different pseudonymous identifier for each specific SP. In the context of this paper, while providing Government-to-citizen services, it may not be very relevant or even necessary to use pseudonymous identifiers to access the services. However, in Government-to-business cases, user privacy must be preserved in those organisations, as there is no guarantee that a group of organisations will not act maliciously. SAML supports the generation and release of per-site pseudonymous identifiers.
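Per-SP pseudonymous identifiers as just described, as an added example that is not the paper's code and is not tied to any particular SAML implementation: the IdP derives a persistent NameID for each (user, SP) pair with HMAC-SHA256 under a secret it never shares, and the demo contrasts this with releasing the National ID itself to every SP. The entity IDs, secret and citizen IDs are constructed; the two NameID format URIs are the ones defined by SAML 2.0.

```python
import base64
import hashlib
import hmac
import secrets

# NameID formats defined by SAML 2.0 Core.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class PseudonymService:
    """IdP-side NameID generation. The derivation secret never leaves the IdP,
    so no SP can compute, reverse or cross-check another SP's identifiers."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._table = {}      # (sp_entity_id, pseudonym) -> real user-id, held only at the IdP

    def name_id(self, user_id: str, sp_entity_id: str, fmt: str = PERSISTENT) -> str:
        if fmt == TRANSIENT:
            return secrets.token_urlsafe(16)     # fresh per login: the SP cannot build a profile
        # Persistent: stable for the (user, SP) pair, different for every SP.
        msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        pseudonym = base64.urlsafe_b64encode(digest[:20]).decode().rstrip("=")
        self._table[(sp_entity_id, pseudonym)] = user_id
        return pseudonym

    def resolve(self, sp_entity_id: str, pseudonym: str):
        """Only the IdP can map a pseudonym back to the citizen, e.g. for an audit."""
        return self._table.get((sp_entity_id, pseudonym))


def linkable_users(ids_a: set, ids_b: set) -> int:
    """How many identifiers two colluding SPs can match by comparing their lists."""
    return len(ids_a & ids_b)


def demo():
    idp = PseudonymService(b"constructed-idp-pseudonym-secret")
    citizens = ["1987123456789", "1990987654321"]           # constructed National IDs
    companies = "https://companies.example.gov.bd"           # two Government-to-business SPs
    vat = "https://vat.example.gov.bd"
    # Government-to-citizen style: the National ID itself is released to every SP.
    linkable_raw = linkable_users(set(citizens), set(citizens))
    # Per-SP persistent pseudonyms: each SP gets a stable but SP-specific identifier.
    companies_ids = {idp.name_id(c, companies) for c in citizens}
    vat_ids = {idp.name_id(c, vat) for c in citizens}
    return {
        "stable_per_sp": idp.name_id(citizens[0], vat) in vat_ids,
        "linkable_with_national_id": linkable_raw,
        "linkable_with_pseudonyms": linkable_users(companies_ids, vat_ids),
        "idp_can_resolve": idp.resolve(vat, next(iter(vat_ids))) in citizens,
    }
```

With the National ID released directly, the two SPs can match both citizens; with per-SP pseudonyms they match none, while the IdP alone can still resolve a pseudonym.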
V. RELATED WORK
There are many ever-growing examples of Identity Federation, both in the Government sector and in the higher education sector, around the world. Some countries have federated web services like DigiD in the Netherlands [21] and E-government in New Zealand under the e-GIF Standard [22], while others have a central SSO-enabled portal such as the Government Gateway in the UK [23], the Danish IT Citizen Portal [24], GovHK and MyGovHK in Hong Kong [25], My eID in Belgium [26], MyPage in Norway [27], Bürgerkarte in Austria [28], etc. There are ample examples of federation in the education sector such as the UK Access Management Federation for Education and Research [29], SWITCH in Switzerland [30], Feide in Norway [31], CARSI in China [32], CAFe in Brazil [33], InCommon in the USA [34], etc. And these numbers are growing very rapidly.
Sadly, e-Services are still at their budding stage in Bangladesh. We are just seeing several initiatives in the Government to implement different services via the Web. Identity federation can greatly improve these services. To the best of our knowledge, we did not find any proposal or implementation regarding identity federation for e-Services in Bangladesh.
VI. DISCUSSIONS
A list of recommendations regarding e-Government in Bangladesh can be found in [35], [36]. We list a few of them below to exemplify the ways identity federations can be used to achieve and utilise them.
i) e-Government should be better integrated with civil service reform: To achieve this goal, it is essential to ensure that civil service authorities are accountable, open and responsive, and consequently that each public service reaches the doorstep of every citizen. These criteria can only be met with e-Initiatives via the Internet. A Personal Portal could be used to combine every single public service and act as a single focal point to offer all services. Identity Federation is the key to accomplishing such scenarios efficiently and securely.
ii) Infrastructure and Connectivity: It has been suggested to provide Broadband Internet access to Govt. offices down to Upazilla level, expand shared access in LGIs, post offices and schools, and build a National data centre and National ID platform for e-services. Broadband access at the Upazilla level can ensure the required underlying infrastructure and federation can utilise it to provide shared access at the root level via web-enabled services. The National data centre can be the central database and act as the central Identity Provider for the federation. The National ID can be used as the core user-id with a suitable credential. A standard Web Public Key Infrastructure (PKI) needs to be integrated with these services to ensure security and privacy.
iii) Better coordination of e-Government strategy and planning: One of the core advantages of federation is better coordination among disparate organisations; therefore, federations can be used as a tool to achieve this.
iv) Security of authentication in e-Services can be improved with federated services. As this is a single point of authentication, it will be relatively easier for the Government to ensure state of the art security measures for this infrastructure. At the same time, the Government should be very careful, otherwise it will be a single point of failure.
v) This will pave the way to achieve interoperability between different e-Initiatives of the Government.
vi) This will also ease the life of the Government web service developers and maintenance staff. As developers will be provided with standard authentication mechanisms, they do not have to bother about authentication.
vii) As the federation standard uses standard procedures, it will help to foster the standardisation of other e-Service interfaces.
VII. CONCLUSIONS
In this paper we have briefly analysed the advantages of identity federation and how it can be used to simplify many aspects of e-Services for every party involved. Security and privacy are deeply integrated into the federation standard, which comes as an added benefit. Many countries around the world are adopting federated standards for their rich list of benefits. The Government of Bangladesh can get these benefits by adopting identity federation. However, considering the current level of e-Services, building a federation within Government organisations is a mammoth task. It requires insightful vision, rigorous planning, sufficient funds and, above all, the willingness to achieve them. On the other hand, the complexity and scale are much smaller for Higher Education institutes. Most universities are yet to build their own infrastructures for e-Services. The University Grants Commission can lay down a combined plan that the universities will utilise to build their infrastructures with the possibility of expansion to federations. As the e-Service landscape of Bangladesh is just forming, we believe that this is the best time to envision the crucial role identity federations can play in e-Services and then plan and act accordingly.