Approaches for Optimizing the Performance of a Mobile SAML-based Emergency Response System
Thang Tran and Christian Wietfeld
Communication Networks Institute (CNI), Faculty of Electrical Engineering and Information Technology, Dortmund University of Technology, Germany
Email: {Thang.Tran, Christian.Wietfeld}@tu-dortmund.de
Abstract—Fast access to essential and up-to-date information from anywhere at any time is crucial for the success of fire mission planning and is still a challenge if requirements such as high performance, security and simplicity have to be met concurrently. However, secure access to the distributed information of public authorities, such as building plans or medical patient data, is currently mostly available only via traditional, time-consuming postal mail. To address this problem a mobile integrated solution is developed which allows secure and holistic access to relevant information. The solution is based on the Security Assertion Markup Language (SAML) architecture, which specifies an XML based standard for exchanging authentication and authorization data. Unfortunately, the performance of this approach is not sufficient for time-critical mobile applications because of the SAML specific communication procedures. Thus, this paper presents two approaches for boosting the performance and shows the results of the performance evaluation required for their validation. Moreover, an analytic model is introduced for identifying the SAML specific processing time.

Keywords-Federated Identity Protocols, Security Assertion Markup Language, Emergency Response, Mobile Application, Proxy, Single Sign-On

978-1-4244-5564-5/09/$26.00 ©2009 IEEE
148
Authorized licensed use limited to: IEEE Xplore. Downloaded on May 01,2010 at 01:59:25 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

A. Use Case and Problems

For large organizations, mobile simultaneous access to distributed public authority information systems is still a challenge if requirements such as high performance, security, reliability and simplicity have to be met concurrently [1]. These requirements have been addressed in the German research project Mobile Information System for Process Optimization in Fire Brigades and Public Authorities (Mobis Pro) in cooperation with one of the largest fire brigades, in Dortmund, Germany, with 1,300 fire fighters and 30,000 rescue operations per year. In large rescue operations all participating rescue forces need detailed, up-to-date information about the situation at the scene of the emergency, for example
• object, building and site plans
• address lists from registration offices
• list and location of hydrants
• plans of (gas) pipelines
• list of dangerous substances
• video sequences (made by drones or fire fighters) or manufacturer information about a car's body (car accidents)

Today fire brigades have access to information summary sheets of the most important buildings and objects in their area of responsibility, which are available in the fire-fighting vehicle. However, this leaves the rescue workers with insufficient information during rescue operations. The time required to receive essential and up-to-date information in the field of fire defense is crucial. Therefore, a Role Based Single Sign-On (RB-SSO) system [2] has been developed for the fire fighters that allows an efficient and precise information query of the distributed information providers of public authorities. Consequently, the fire fighters save time and can hence keep track of their main activity (rescuing people). However, the performance analysis has shown that our first approach to a SAML-based RB-SSO system currently requires further improvements of the communication procedures to obtain better performance and scalability [2].

B. Technical Challenge and Approach

Figure 1 shows the architecture and services of the RB-SSO system. It should be noted that in this section only the services required for understanding this work are introduced. Further details about the architecture and services of the RB-SSO system are given in [2]. The first challenge is the realization of a secure system for enabling interoperability of diverse information systems and databases (e.g. registry office, building authority); the second challenge is that the system has to achieve high performance. The RB-SSO is based on a Federated Identity Model [3][4], used for authentication and authorization, and demonstrates an approach to enable the communication between heterogeneous information systems. Additionally, RB-SSO offers a technique called Single Sign-On (SSO) where the user only needs to be authenticated once to get access to all authorized information providers or services. Currently, three popular models exist for implementing federated identity: SAML [5], OpenID [6] and Microsoft CardSpace [7]. Our system is based on SAML, which is the most mature and comprehensive technology, with standardizations in 2002 (SAML 1.1) and 2005 (SAML 2.0) [8]. Example fields of application of SAML are the transmission and management of health documentation [9], e-government [10], e-commerce [11] and e-learning in education [12]. To reduce the administrative overhead, the user access rights within the IT-Federation are controlled by a Role Based Access Control (RBAC) model [13].

Relevant information about the incident scene is located on distributed information systems, which makes it very inconvenient and annoying to search them repeatedly and manually. For that reason an intelligent search service is offered by the RB-SSO system for efficient searching in all connected information systems of public authorities within the IT-Federation (see Fig. 1: Fast Search Service). The major contributions of this paper are the new technical approaches, considering time-critical mobile applications in fire defense, for enhancing the performance of a SAML-based emergency response system, whereby this system minimizes the current lack of detailed, up-to-date information about the incident scene. Moreover, this work gives a recommendation for the choice of specific SAML profiles in the case of time-critical mobile applications or related deployment scenarios. The paper is structured as follows: Section 2 describes a specific deployment scenario where a fire fighter uses a mobile application for information retrieval about the incident scene. It should be noted that the performance analysis is based on this scenario. Then we illustrate two different approaches for optimizing the performance of a mobile SAML-based RB-SSO system and explain the communication processes in section 3. In order to validate these approaches, prototype solutions are implemented, whereby the results of the performance analysis are introduced in section 4, followed by a conclusion in section 5.

II. THE LONG-TERM VISION: SECURE AND FAST INFORMATION PROVISIONING FOR EFFICIENT EMERGENCY RESPONSE PLANNING

Fire fighters do not have much time at the incident scene; therefore fast and efficient information retrieval has a significant influence on the success of fire brigades at rescue missions. Consequently, the SAML-based RB-SSO system represents the first technical approach to support emergency response planning. A simple sample scenario is now illustrated for better understanding: it starts with an incoming call at the primary control unit of the fire department, where the location name (e.g. street name and number) is disclosed. In the next step a specific number of fire fighters are sent out to the incident scene (e.g. a burning chemical plant) as a result of this alarm. During the drive to the incident scene, one of the fire fighters (e.g. the incident commander) starts a mobile application running on a laptop. Before the intelligent search service of the RB-SSO system (see Fig. 1: Fast Search Service) can be used, the incident commander has to be authenticated. After successful authentication, the incident commander enters the street name and number into the search field in order to receive information which is important for successfully planning the fire mission. Depending on the role based authorization process and the search strategy using ontology [14], the incident commander receives the filtered and prepared information on the mobile client at the scene via a wireless communication system (e.g. UMTS, WiMAX, WLAN). Figure 2 depicts the specific deployment scenario using the RB-SSO system for information retrieval.

Figure 1. Role based Single Sign-On Software Architecture
[figure not reproduced; labelled components: IT-Federation with MobisPro Services and Identity Provider (Role Administration Service, User Management Service, Role Based User Interface, Fast Search Service, Logging Service, Authentication Service, Shibboleth SSO Management with Attribute Authority Service, Attribute Release Policies and SSO Handle Service, Directory Service with User Data, Role Names and Rights), Mobile Node, Public Authorities (Shibboleth Service Protection, Java Servlet Container, Assertion Consumer Service, Attribute Requester, Attribute Acceptance Policies, C-Module); wired and wireless connections; novel contributions highlighted]

Figure 2. Scenario: Fire mission with secure cross-organizational information access by using a mobile client
[figure not reproduced; labelled elements: Fire Department, Registry Office, Building Authority and Public Authority within the IT-Federation, IP network, wireless link (e.g. UMTS, WiMAX), Place of Action / Incident Scene with Fire Fighter, Laptop and Fire Engine, Intelligent Search Service]
III. SAML BASED APPROACHES

In order to improve the performance of mobile applications, this section describes two approaches, whereby the communication processes with their necessary entities are briefly described. A short introduction to the Security Assertion Markup Language (SAML) is given before these approaches are presented.

A. Brief description of SAML

The OASIS Security Assertion Markup Language (SAML) standard specifies an XML based framework for describing and exchanging security information between trusted partners (e.g. public authorities) in a closed IT-Federation [5]. For a SAML environment the following components are defined: Assertions, Protocols, Bindings and Profiles. SAML Assertions are XML based messages which contain statements (e.g. authentication method, time of authentication, attributes such as access rights) about a principal (e.g. a fire fighter). SAML specifies a number of request/response protocols, like the Assertion Query and Request Protocol, for defining how to request assertions. The way in which SAML protocol messages are transmitted over underlying transport protocols is detailed by SAML Bindings. An example is the SAML SOAP Binding, which specifies how SAML protocol messages are transmitted within SOAP messages over HTTP. Depending on the usage scenario, SAML Profiles specify how assertions, protocols and bindings are combined. For instance, the Web Browser SSO Profile defines the combination of specific components for achieving single sign-on with standard web browsers. In our fire-specific scenario the initial RB-SSO system is based on the previously mentioned profile and consists of four main entities:
• The User is a person (e.g. fire fighter) who has a certain identity for interacting with a web-based application.
• The User-Agent (UA) is a web browser or an application running on a laptop used by the user.
• The Service Provider (SP) represents a protected web-based application/service and delivers non-authenticated users to a trusted third party (Identity Provider) for authentication; thus the SP is also referred to as the Relying Party. In our scenario the SPs represent the public authorities (e.g. building authority, registry office).
• The Identity Provider (IDP) represents a server which authenticates users and manages user data and their access rights. Furthermore, the IDP sends access rights (attributes) to the SP that requests the attributes via a secure channel.

Figure 3 depicts the IT-Federation with the entities which are implemented for the performance evaluation and validation. The initial RB-SSO system is based on the Web Browser SSO Profile with Redirect/Post-Binding and represents the basis for the following approaches.
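As an added illustration of the assertion elements just described (the authentication statement, the attribute statement carrying the access rights, and the conditions an Assertion Consumer Service checks), the following reader is example code and not part of the paper or its RB-SSO prototype. The sample assertion, the entity identifiers, the attribute names and the validity window are constructed; the `role` attribute stands for the RBAC attribute the service providers decide on.

```python
"""Minimal SAML 2.0 assertion reader and condition checker.

Added example, not code from the paper or its RB-SSO prototype. It reads the
statements a SAML assertion carries (authentication statement, attribute
statement, conditions) and applies the checks an Assertion Consumer Service
makes before trusting them. The sample assertion, entity names and attribute
names are constructed. XML Signature verification is left to a dedicated
XML-DSig library and must pass before any value read here is acted on.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET   # use defusedxml in production (entity expansion)

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IDP of a trusted public authority vouching for a
# fire fighter, carrying the role attribute the SPs use for their RBAC decision.
SAMPLE_ASSERTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2009-06-01T10:00:00Z">
  <saml:Issuer>https://idp.public-authority.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>ff-4711</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-06-01T09:59:00Z" NotOnOrAfter="2009-06-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://search.fire-department.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-06-01T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>incident_commander</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="organisation"><saml:AttributeValue>fire_department</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2009-06-01T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_bytes):
    """Extract what an ACS needs from the assertion; this is parsing, not a trust decision."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element")
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": saml_time(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": saml_time(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "audiences": [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": saml_time(authn.get("AuthnInstant")) if authn is not None else None,
        "authn_context": root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": attrs,
    }


def check_assertion(a, trusted_issuers, own_entity_id, now, max_authn_age=timedelta(hours=8)):
    """Return the reasons an ACS must reject the assertion; an empty list means acceptable.

    Signature verification is assumed to have succeeded already (not shown here).
    """
    problems = []
    if a["issuer"] not in trusted_issuers:
        problems.append("issuer is not a trusted party of the federation")
    if a["not_before"] is not None and now < a["not_before"]:
        problems.append("assertion not yet valid")
    if a["not_on_or_after"] is not None and now >= a["not_on_or_after"]:
        problems.append("assertion expired")
    if a["audiences"] and own_entity_id not in a["audiences"]:
        problems.append("assertion addressed to a different service provider")
    if a["authn_instant"] is None:
        problems.append("no authentication statement")
    elif now - a["authn_instant"] > max_authn_age:
        problems.append("authentication too old for this service")
    if not a["attributes"].get("role"):
        problems.append("no role attribute for the RBAC decision")
    return problems


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    print(a["subject"], a["attributes"])
    print(check_assertion(a, {a["issuer"]}, "https://search.fire-department.example/sp",
                          saml_time("2009-06-01T10:01:00Z")))
```

The audience check is what ties an assertion to one relying party: an assertion issued for the search service must not be accepted by the building authority's ACS even though both trust the same IDP. The `NotOnOrAfter` window is also what makes the short-lived artifact references of the Redirect/Artifact-Binding (Section III-B) safe to hand to the UA.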
Figure 3. IT-Federation with SAML-Entities
[figure not reproduced; labelled entities: Fire Fighter (User), Mobile Client (User Agent), wireless link (e.g. UMTS, WiMAX) to the IP network, Fire Department with Intelligent Search Service (Service Provider), Building Authority (Service Provider), Registry Office (Service Provider), Trustable Public Authority (Identity Provider)]
B. Redirect/Post- and Redirect/Artifact-Bindings

The Web Browser SSO Profile can be combined with Redirect/Post- and Redirect/Artifact-Binding. Figure 4 illustrates the sequentially numbered communication processes of the RB-SSO system using the Redirect/Post-Binding. All connections are secured by SAML recommended security mechanisms (e.g. Transport Layer Security (TLS) [15], Public Key Infrastructure (PKI) [16]). Besides these mechanisms, further security methods have to be considered in order to fulfil the security requirements (e.g. availability, reliability, audit) depending on the application and deployment scenario. The first step starts with a user that tries to access the Search Service for the first time but does not have a valid logon session (e.g. security context) (message 1). Consequently, the SP forwards the user to the SSO-Service of the IDP via HTTP-Redirect for authentication (messages 2 & 3), whereby the UA processes the redirect response and creates an HTTP GET request to the SSO-Service. The HTTP header includes the URI of the SSO-Service at the IDP and an AuthnRequest message which contains the requested authentication policy requirements. If the user does not meet the requested authentication policy requirements, the SSO-Service interacts with the UA to challenge the user to offer valid credentials (messages 4 & 5). The RB-SSO system currently applies user/password authentication, but smart card authentication is intended. In the case of valid credentials the SSO-Service creates a SAML assertion containing the user's security context and attributes (e.g. access rights). The SAML assertion, digitally signed using XML Signature, is then placed within a SAML response message and transmitted transparently using a POST binding to the UA, which issues an HTTP POST request to forward the SAML assertion to the Assertion Consumer Service (ACS) of the corresponding SP. In order to detect and protect against attacks such as a man-in-the-middle attack, SAML specifies and recommends that the relying party (SP) and the asserting party (IDP) should have a pre-existing trust relationship which is based on a Public Key Infrastructure. Due to the valid assertion and attributes the ACS allows access and releases the search service to the UA. The user is now authorized (messages 6 & 7). In the case of a fire mission, the fire fighter (user) receives an HTML based form from the search service and enters the street name and number of the incident scene. This form is sent back to the search service (messages 8 & 9). In the next step the search service initiates the search requests at the corresponding information systems (public authorities). The ACS of the building authority and registry office receive, in addition to the search parameters (street name and number), the valid SAML assertion of the user as proof of authentication and authorization. The SAML assertion of the user is sent by the search service using POST binding (message 10), whereby the communication between the search service and the information systems of the public authorities is secured by TLS with mutual authentication. Based on the attributes and search parameters the SPs determine which data is sent back to the search service (messages 11 & 12). Depending on the role based authorization process and search strategy at the search service, the user receives the filtered and prepared information on the UA at the scene (message 13).

The Web Browser SSO Profile with Redirect/Artifact-Binding can be used instead of Redirect/Post-Binding. The overall communication process with Redirect/Artifact-Binding requires two more processes compared with Redirect/Post-Binding. However, the use of Redirect/Post-Binding transmits whole SAML assertions to the UA and therefore a major data volume in our scenario, which has a detrimental effect on performance if wireless connections with low data rate are used at the incident scene. We assume that the use of artifacts improves the performance of our RB-SSO system, since the SSO service of the IDP only creates an artifact containing a reference to the storage location of the SAML assertion and thus lowers the load on the wireless communication path to the UA. Figure 5 demonstrates the overall communication processes if RB-SSO uses Redirect/Artifact-Binding, which requires two additional processes. It also shows that the IDP needs an Artifact Resolution Service (ARS) for resolving artifacts. After successful authentication, the SSO-Service generates a SAML response message containing an artifact of a SAML assertion instead of the whole SAML assertion. Using Redirect/Artifact-Binding allows sending the SAML response message to the UA, which then forwards the message to the ACS (see Fig. 5: messages 4, 5, 6 & 7). In order to request the whole SAML assertion, the ACS of the SPs uses the synchronous SOAP binding to transmit a SAML ArtifactResolve message including the artifact to the IDP's ARS endpoint (see Fig. 5: messages 8 & 9). In our case, the ACS and ARS are always connected via a wired connection with high data rate.

Figure 4. Communication Procedures of Web Browser SSO Profile with Redirect/Post-Bindings
[sequence diagram not reproduced; participants: User-Agent (Web Browser), Service Provider (Search Service) with Assertion Consumer Service (ACS) and Search Service, Identity Provider (Trustable Public Authority) with Single Sign-On Service, Service Provider (Building Authority, Registry Office); messages: access service, HTTP-Redirect to IDP SSO, authentication (challenge for credentials, user login), send assertion to ACS, authorization, send HTML based form, send search parameters, send assertion to ACS of public authority, authorization, send search results, send filtered search result]

Figure 5. Communication Procedures of Web Browser SSO Profile with Redirect/Artifact-Bindings
[sequence diagram not reproduced; as Figure 4, with the Identity Provider additionally providing an Artifact Resolution Service; the additional processes compared to Redirect/Post-Binding are: send artifact to ACS (instead of the assertion), resolve artifact, release service]

C. RB-SSO-Proxy Approach

Both SAML bindings mentioned previously apply HTTP-Redirect in certain steps of the communication processes.
HTTP-Redirect is a method where a service forwards the UA to another service. In the RB-SSO system procedures this method is used specifically in authentication: at the beginning the SP recognizes that the UA does not have a valid logon session and then redirects the UA to the IDP for authentication. After successful authentication the IDP redirects the UA back to the corresponding SP. These processes always pass transparently through the user device, which usually has limited resources, and thus adversely affect the performance of the communication processes within the RB-SSO system, especially when used in conjunction with a wireless communication channel with a lower data rate. In order to minimize the drawback of HTTP-Redirect, there are some related approaches such as the Enhanced Client or Proxy (ECP) profile of SAML [5]. However, this profile refers to WAP gateways and no performance evaluation exists. Another alternative approach is the virtual authentication proxy, which enables communication with multiple IDPs during the authentication process [18], but has not resulted in a complete implementation yet.

To lower the load on the wireless communication channel between the mobile client (UA) and the RB-SSO system as much as possible, an RB-SSO-specific proxy managed by the trusted point IDP has been developed. Since the proxy acts for the UA in the authentication and information retrieval processes, the security concepts of the system have to be carefully considered. For instance, TLS based mutual authentication between UA and proxy using certificates can secure authenticity, integrity and confidentiality. Moreover, the usage of a virtual private network can increase the security level of the RB-SSO system due to the sensitive data in the public authorities. Furthermore, a logging service is required which traces the authentication and authorization procedures and the user transactions on the appropriate information systems, in order to guarantee data privacy and security [17]. In need of lawful proof, this service is indispensable. The whole communication process between UA, Proxy, SP and IDP is described in Figure 6, whereby each process with HTTP-Redirect is intercepted by the proxy. In this case, the total procedures consist mostly of server-to-server interactions, which therefore minimize mobile communication to the UA. The proxy only handles information from the HTTP header. Depending on the cookie which is saved in the Set-Cookie field of the HTTP header, the proxy knows the kind of SAML process. The cookie shibstate characterizes a response message of the SP in order to redirect the user to the SSO-Service for authentication. For the credential challenge the SSO-Service sends the HTML based entry form together with the cookie idp authn lc to the proxy, which forwards the form to the user. After successful authentication the proxy transmits the received SAML assertion and the HTML code of the released search service to the UA, whereby this session is identified by the cookie JSESSIONID and is only valid for a certain amount of time.

Figure 6. Communication Procedures with RB-SSO Proxy
[sequence diagram not reproduced; participants: User-Agent (Web Browser), RB-SSO Proxy (new entity), Service Provider (Search Service) with Assertion Consumer Service and Search Service, Identity Provider (Trustable Public Authority) with Single Sign-On Service, Service Provider (Building Authority, Registry Office); messages: access service, redirect to IDP SSO (intercepted by the proxy), authentication (challenge for credentials, user login), send assertion to ACS, authorization, send HTML based form, send search parameters, send assertion to ACS of public authority, authorization, send search results, send filtered search results]

IV. PERFORMANCE ANALYSIS

This section describes the test setup and results. The performance evaluation is based on the average response time, which covers the processing time for information retrieval including the authentication and authorization procedures.

A. Test Setup

In order to validate the proposed approaches a test bed has been set up as a standalone system, which has no internet access during the performance measurements, as depicted in Figure 7. All entities used (e.g. servers, laptop) are connected to a WLAN router, with no other active WLAN routers in our lab during the measurements. In the test bed we chose 54 Mbit/s WLAN as the mobile communication channel and, as reference, 100 Mbit/s Ethernet (see Fig. 7: Blackbox). In this test setup the identity provider, RB-SSO Proxy, search service, building authority and registry office represent the IT-Federation (see Fig. 7). The RB-SSO Proxy and identity provider are installed on the same server. To determine the performance of the authentication and authorization procedures, the average response time is measured by using JMeter [19] running on a laptop as a traffic emulator, which emulates the number of users with parallel and identical invocations (information retrieval). Table I gives an overview of the specification of each entity. The simulation process works as follows: it starts with one client and then the number of clients is increased in steps of 2 up to 20 clients. Each of the clients performs parallel and identical invocations. Each step is repeated fifteen times (15 samples). It should be mentioned that before a user can perform information retrieval they have to be successfully authenticated at the IDP. The focus of the performance analysis is the measurement of the average response time of the SAML procedures, where the response delay is caused by hardware, software and the amount of data as well.
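The message sequences of Figures 4, 5 and 6 (Sections III-B and III-C) differ mainly in what crosses the wireless link to the UA. The following is an added model of those three procedures, not code from the paper or its prototype: the message sizes, the entity names, the stand-in assertion and the artifact store with its lifetime are assumptions, chosen only so that the wireless and wired loads of the procedures can be tallied side by side.

```python
"""Message-flow model of the RB-SSO procedures of Figures 4, 5 and 6.

Added example, not code from the paper or its prototype. It replays the
numbered exchanges with Redirect/Post, with Redirect/Artifact and with the
RB-SSO proxy standing in for the UA, and tallies what crosses the wireless
link to the User-Agent against the wired server-to-server links. Sizes are
assumed round figures; the artifact store models the single-use, short-lived
reference an Artifact Resolution Service hands out instead of the assertion.
"""
import secrets

# Assumed payload sizes in bytes (constructed for the comparison only).
SIZE_HTTP = 400        # redirect, GET, login post, search parameters
SIZE_FORM = 1500       # HTML based form (credential challenge or search form)
SIZE_ASSERTION = 4000  # signed SAML assertion inside a SAML Response
SIZE_ARTIFACT = 60     # base64 SAML artifact, travels inside a small message
SIZE_RESULT = 3000     # (filtered) search result
ASSERTION = "signed-assertion-for-ff-4711"   # constructed stand-in for the XML


class ArtifactResolutionService:
    """IDP-side store: an artifact resolves exactly once and only while fresh."""

    def __init__(self, ttl_seconds=120):
        self.ttl, self.store = ttl_seconds, {}

    def issue(self, assertion, now):
        handle = secrets.token_urlsafe(32)        # unguessable reference, not the data
        self.store[handle] = (assertion, now)
        return handle

    def resolve(self, handle, now):
        assertion, issued = self.store.pop(handle, (None, None))   # pop: single use
        return assertion if assertion is not None and now - issued <= self.ttl else None


def deliver_assertion(client, binding, ars, now=0):
    """How the assertion reaches the SP's ACS: two legs via the client (Post), or two
    small legs via the client plus a wired resolve round trip (Artifact)."""
    if binding == "post":
        legs = [("IDP", client, "SAML Response with assertion", SIZE_ASSERTION),
                (client, "SP", "assertion to ACS", SIZE_ASSERTION)]
        return legs, ASSERTION, SIZE_ASSERTION
    handle, small = ars.issue(ASSERTION, now), SIZE_HTTP + SIZE_ARTIFACT
    legs = [("IDP", client, "SAML Response with artifact", small),
            (client, "SP", "artifact to ACS", small),
            ("SP", "IDP", "ArtifactResolve (SOAP, wired)", small),
            ("IDP", "SP", "ArtifactResponse with assertion", SIZE_ASSERTION)]
    return legs, ars.resolve(handle, now), small


def search_phase(client):
    """Search at the SP and query of the public authorities (messages 8-13 of Figure 4)."""
    return [("SP", client, "HTML based form", SIZE_FORM),
            (client, "SP", "search parameters", SIZE_HTTP),
            ("SP", "PA", "assertion + parameters to ACS of public authority", SIZE_ASSERTION),
            ("PA", "SP", "search results (building authority)", SIZE_RESULT),
            ("PA", "SP", "search results (registry office)", SIZE_RESULT),
            ("SP", client, "filtered search result", SIZE_RESULT)]


def browser_flow(binding, ars=None):
    """Figure 4 (binding="post") or Figure 5 ("artifact"): the UA carries every redirect."""
    log = [("UA", "SP", "access service", SIZE_HTTP),
           ("SP", "UA", "HTTP-Redirect to IDP SSO", SIZE_HTTP),
           ("UA", "IDP", "GET SSO-Service + AuthnRequest", SIZE_HTTP),
           ("IDP", "UA", "challenge for credentials", SIZE_FORM),
           ("UA", "IDP", "user login", SIZE_HTTP)]
    legs, delivered, _ = deliver_assertion("UA", binding, ars or ArtifactResolutionService())
    return log + legs + search_phase("UA"), delivered


def proxy_flow(binding, ars=None):
    """Figure 6: the proxy acts for the UA toward SP and IDP, so no HTTP-Redirect and no
    SAML Response crosses the wireless link; the UA sees only the credential form,
    the released service and the search exchange."""
    log = [("UA", "Proxy", "access service", SIZE_HTTP),
           ("Proxy", "SP", "access service", SIZE_HTTP),
           ("SP", "Proxy", "HTTP-Redirect to IDP SSO (cookie shibstate)", SIZE_HTTP),
           ("Proxy", "IDP", "GET SSO-Service + AuthnRequest", SIZE_HTTP),
           ("IDP", "Proxy", "challenge for credentials (cookie idp authn lc)", SIZE_FORM),
           ("Proxy", "UA", "challenge for credentials", SIZE_FORM),
           ("UA", "Proxy", "user login", SIZE_HTTP),
           ("Proxy", "IDP", "user login", SIZE_HTTP)]
    legs, delivered, size = deliver_assertion("Proxy", binding, ars or ArtifactResolutionService())
    log += legs + [("SP", "Proxy", "released search service (cookie JSESSIONID)", SIZE_FORM),
                   ("Proxy", "UA", "SAML Response + HTML of released service", size + SIZE_FORM),
                   ("UA", "Proxy", "search parameters", SIZE_HTTP)]
    # the proxy relays the search exchange; the legs to the public authorities are unchanged
    log += [m for m in search_phase("Proxy") if m[2] != "HTML based form"]
    return log + [("Proxy", "UA", "filtered search result", SIZE_RESULT)], delivered


def link_load(log):
    """Split the exchange into wireless legs (any hop touching the UA) and wired legs."""
    wireless = [m for m in log if "UA" in m[:2]]
    wired = [m for m in log if "UA" not in m[:2]]
    return {"messages": len(log),
            "wireless_messages": len(wireless), "wireless_bytes": sum(m[3] for m in wireless),
            "wired_messages": len(wired), "wired_bytes": sum(m[3] for m in wired)}
```

Calling `link_load(browser_flow("post")[0])`, `link_load(browser_flow("artifact")[0])`, `link_load(proxy_flow("post")[0])` and `link_load(proxy_flow("artifact")[0])` reproduces the paper's qualitative picture: Redirect/Artifact adds two wired messages but removes the assertion from the wireless link, and the proxy cuts the wireless exchanges from ten to six by absorbing both redirects. The second resolve of the same artifact returns `None`, which is the property that makes the reference safe to pass through the UA.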
Figure 7. Test bed for measurement of response time for information retrieval
[figure not reproduced; elements: Incident Scene with Firefighter and Traffic Emulator, Blackbox (100 Mbit/s Ethernet / 54 Mbit/s WLAN), IT-Federation with Identity Provider, RB-SSO Proxy, Search Service, Registry Office and Building Authority]

Figure 8. Average response time in authorization process using Redirect/Post- and Redirect/Artifact-Binding via 54 Mbit/s WLAN
[figure not reproduced; log-scale average response time (ms, 10 to 10000) against the number of parallel and identical invocations (number of clients, 1 to 20); series: Authorization (Search Service) with Redirect/Post, Authorization (Building Authority/Registry Office) with Redirect/Post, Authorization (Search Service) with Redirect/Artifact, Authorization (Building Authority/Registry Office) with Redirect/Artifact]
Table I
SPECIFICATIONS OF TESTBED
Network Entity             Specifications
Identity Provider/Proxy    Intel Core2Duo (2.66 GHz), 2 GB RAM
Service Provider           Intel Core2Duo (2.66 GHz), 2 GB RAM
Laptop (JMeter)            Intel Core2Duo (1.66 GHz), 1 GB RAM
WLAN Router                Cisco WRT54GL, 54 Mbit/s
Ethernet                   100 Mbit/s

B. Performance of Redirect/Post and Redirect/Artifact

In [2] the performance analysis showed that the authorization procedures need a lot of time in comparison to other processes due to the SAML specific communication sequences and the resulting overhead. Hence, a closer look is taken at the average response time of authorization from the user's point of view. Figure 8 illustrates the average response time of authorization at the SPs (search service, building authority, registry office) in terms of the number of simultaneous clients via WLAN, whereby the measurements are based on the communication processes described in Figures 4 and 5. The average response times of authorization at the building authority and registry office are similar. It is shown that the response time of authorization using Redirect/Artifact-Binding is much lower than with Redirect/Post-Binding. The performance improvement using Redirect/Artifact becomes more clearly visible with an increasing number of simultaneous clients, as shown in Figure 9. In this case, the average response times of Redirect/Post and Redirect/Artifact with 20 clients are 3084 ms and 1586 ms, respectively. That means using Artifact-Binding performs about 48 % better than Post-Binding. In comparison between both bindings, on the one hand the processing time of authorization with Redirect/Artifact is similar via Ethernet and via WLAN (see Fig. 9). On the other hand the authorization process with Redirect/Post is faster via Ethernet than using WLAN. The reason for that behavior of Redirect/Artifact is the direct communication between IDP and SP during the authorization process for the transmission of the SAML assertion, whereas with Redirect/Post the IDP always sends the whole SAML assertion over the UA to the SP (see Fig. 4). The UA is always connected over a given mobile communication channel (e.g. WLAN), which therefore influences the performance of the RB-SSO system when using Redirect/Post. These results indicate that Redirect/Artifact-Binding performs better overall, since the load on the mobile communication channel is lowered due to the specific procedures of this binding. This is particularly advantageous for communication channels with low data rate.

Figure 9. Average response time in authorization process via 100 Mbit/s Ethernet and 54 Mbit/s WLAN
[figure not reproduced; average response time (ms, 0 to 1200) against the number of clients; series: Authorization (Building Authority, Registry Office) via 100 Mbit/s Ethernet and via 54 Mbit/s WLAN]

C. Performance of RB-SSO-Proxy
d dŽƚĂůǀĞ ĞƌĂŐĞZĞƐƐƉŽŶƐĞdŝŝŵĞ;ŵƐͿ
The overall response time using RB-SSO-Proxy with both bindings is compared to the measurement results from the proxy less approach (see Fig. 10), whereby the total response time consists of processing time of the authentication and authorization. The measurements are based on the communication procedures shown in Figure 6. In order to determine the total response time, the simulation process of each client starts with an authentication followed by the authorization process for accessing the search service. In the next step the traffic emulator sends the search parameters to the search service, which initiates the information query at public authorities (building authority, registry office). The time for transmission of search results to the UA is not measured, since it is not part of SAML procedures. ϱϬϬ ϰϱϬ ϰϬϬ ϯϱϬ
tŝƚŚŽƵƚWƌŽdžLJ
Figure 11.
Schematic illustration of analytic model
#Clients = x indicates the number of clients executing identical invocations in parallel to the RB-SSO system. ttotal represents the total processing time including authentication, authorization and other processes. A function tlink (x) is defined to characterize the mobile communication channel depending on the number of requesting clients. Incoming requests from clients are normally put in the queue of a server before requests are processed. The queuing of requests delays the process time and is specified by x·tdelay . Moreover, the parameters tIDP and tSP represent the average processing period of requests at the IDP and SP, whereby the overall time depends on e.g. authentication and authorization procedures. Other processing times of servers such as decoding and encoding of messages, processing time within Hardware are assigned to tOther . Depending on these parameters we get the following analytic model:
tŝƚŚWƌŽdžLJ
ϯϵ͕ϱϯй /ŵƉƌŽǀĞŵĞŶƚ
ϭϱϬ ϭϬϬ ϱϬ Ϭ ZĞĚŝƌĞĐƚͬWŽƐƚͲŝŶĚŝŶŐƐ Ő
&RQVWDQW3URFHVV 7LPH
ϯϬϬ ϮϬϬ
5LVLQJ7LPH'HOD\
ϭϭ͕ϳϱ й /ŵƉƌŽǀĞŵĞŶƚ
ϮϱϬ
/LQN&KDUDFWHULVWLF
ttotal = tlink (x) + (x · tdelay ) + tIdP + tSP + tOther (1)
ZĞĚŝƌĞĐƚͬƌƚŝĨĂĐƚͲŝŶĚŝŶŐƐ Ő
It has to be noted that the parameters are experimentally obtained values from individual tests with different bindings. The constant process time tIDP + tSP + tOther is based on the assumption that an one-time authentication and authorization procedure of one client requires a roughly constant duration. The queuing of messages is started at the beginning of a critical number of client requests regardless of the number of threads running on the server and therefore formally described by x · tdelay , which has an additive influence on the constant process time due to the sequential work flow of the server. The connection between UA and server (e.g. IDP, SP) can be affected by the latency and other characteristics of communication channels, which are reflected in the function tlink (x). Table II shows the values, where: (2) tISO = tIDP + tSP + tOther
Figure 10. Performance comparison between RB-SSO system with and without Proxy via 54 Mbit/s WLAN.
The results show that the RB-SSO system with both bindings delivers better response times when using this proxy. Here, the combination of Redirect/Post-Binding with proxy achieves a performance improvement of 11.75 %. Unlike to Redirect/Artifact-Binding with proxy there is a gain of 39.53 % and performs better, even if the RB-SSOProxy is used. These facts are explained by the avoidance of HTTP-Redirect by means of proxy, as the redirects are directly forwarded to the proxy instead of to the UA. It should be noted that even a simulation with only one client is sufficient to show the improvement of this approach. D. Analytic Model for Total Response Time The total response time for information retrieval about the incident scene from RB-SSO system is composed of individual times. Figure 11 illustrates the schematic structure of the analytical model to determine the total response time, whereby the model consists of the following parameters:
$t_{CD} = x \cdot t_{delay}$   (3)
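As an added worked example (Python, not code from the paper or the Mobis Pro project), the model of equation 1 with its component terms of equations 2 and 3 is evaluated with the parameter values of Table II. The (binding, channel) keys, the helper names and the two extra helpers that report which term dominates at a given load and at which client count the channel term first exceeds the constant SAML processing time are this example's own conventions and go beyond the paper's curves; the 20 ms entry of the t_CD row in Table II is read here as the per-client t_delay of equation 3. The break-even helper is the practitioner's view of the availability requirement: once the channel term dominates, the mobile link at the incident scene, not the IDP or SP, bounds the response time.

```python
"""Worked evaluation of the analytic total-response-time model (eq. 1-3, Table II).

Added example, not the paper's code. The (binding, channel) keys and helper
names are the example's own; the numeric parameters are those of Table II.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModelParams:
    """Parameters of one binding/channel combination, all in milliseconds."""
    t_iso: float    # t_ISO = t_IDP + t_SP + t_Other (eq. 2), constant SAML processing time
    t_delay: float  # per-client queuing delay; t_CD = x * t_delay (eq. 3)
    link_a: float   # quadratic coefficient of the channel term t_link(x) = a*x^2 + b
    link_b: float   # constant offset of t_link(x)


# Values from Table II; the (binding, channel) keys are this example's naming.
# Table II lists 20 ms in the t_CD row, interpreted here as t_delay per client.
PARAMS = {
    ("post", "ethernet"): ModelParams(t_iso=200, t_delay=20, link_a=2, link_b=0),
    ("post", "wlan"): ModelParams(t_iso=200, t_delay=20, link_a=6, link_b=240),
    ("artifact", "ethernet"): ModelParams(t_iso=70, t_delay=20, link_a=1, link_b=0),
    ("artifact", "wlan"): ModelParams(t_iso=70, t_delay=20, link_a=3, link_b=130),
}


def t_link(p: ModelParams, x: int) -> float:
    """Channel term t_link(x) for x parallel clients."""
    return p.link_a * x ** 2 + p.link_b


def t_cd(p: ModelParams, x: int) -> float:
    """Queuing term t_CD = x * t_delay (eq. 3)."""
    return x * p.t_delay


def t_total(binding: str, channel: str, x: int) -> float:
    """Total SAML response time for x parallel identical invocations (eq. 1)."""
    if x < 1:
        raise ValueError("x is a number of clients and must be at least 1")
    p = PARAMS[(binding, channel)]
    return p.t_iso + t_cd(p, x) + t_link(p, x)


def term_breakdown(binding: str, channel: str, x: int) -> dict:
    """Split t_total into its three components to see which one dominates."""
    p = PARAMS[(binding, channel)]
    return {"t_iso": p.t_iso, "t_cd": t_cd(p, x), "t_link": t_link(p, x)}


def dominant_term(binding: str, channel: str, x: int) -> str:
    """Name of the largest component of t_total at load x."""
    parts = term_breakdown(binding, channel, x)
    return max(parts, key=parts.get)


def clients_until_link_dominates(binding: str, channel: str, limit: int = 1000) -> int:
    """Smallest x at which t_link(x) exceeds the constant processing time t_ISO.

    Beyond this point the communication channel, not the IDP/SP processing,
    bounds the response time (example helper, not part of the paper's model).
    """
    p = PARAMS[(binding, channel)]
    for x in range(1, limit + 1):
        if t_link(p, x) > p.t_iso:
            return x
    raise RuntimeError("link term never dominates within limit")


def artifact_gain(channel: str, x: int) -> float:
    """Relative reduction of t_total when moving from Post to Artifact binding."""
    post = t_total("post", channel, x)
    art = t_total("artifact", channel, x)
    return (post - art) / post


if __name__ == "__main__":
    header = "  ".join(f"{b}/{c}" for (b, c) in PARAMS)
    print("x   " + header)
    for x in (1, 5, 10, 20):
        row = "  ".join(f"{t_total(b, c, x):>{len(b) + len(c) + 1}.0f}" for (b, c) in PARAMS)
        print(f"{x:<3d} {row}   dominant (post/wlan): {dominant_term('post', 'wlan', x)}")
```

Running the block prints t_total for 1, 5, 10 and 20 clients per binding and channel; the Post/WLAN column is dominated by the channel term from a single client on, while Post/Ethernet only becomes channel-bound at 11 clients.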
Table II. Parameters of the analytic model in [ms]. x represents the number of clients executing identical and parallel invocations.

Values in [ms]    Redirect/POST    Redirect/POST    Redirect/Artifact    Redirect/Artifact
                  (Ethernet)       (WLAN)           (Ethernet)           (WLAN)
t_CD              20               20               20                   20
t_ISO             200              200              70                   70
t_link(x)         2x^2             (6x^2) + 240     x^2                  (3x^2) + 130

Figure 12 shows the curve of the real measurements in comparison to the curve of the analytical model for Redirect/Post-Binding. Each measured value contains the sequential processing time of authentication, authorization at the search service, information query of the search service, and authorization at the building authority and the registry office. The time for the download of the data is not included in $t_{total}$, since it is not part of the SAML procedures. The analytic model for the Web Browser SSO Profile with Redirect/Post via Ethernet and WLAN is given by:

$t_{total,eth} = 200 + (x \cdot 20) + (2x^2)$   (4)

$t_{total,wlan} = 200 + (x \cdot 20) + ((6x^2) + 240)$   (5)

Figure 12. Comparison between curves of real system and analytic model (Profile with Post-Method). [Plot: Total Average Response Time (ms) on a logarithmic axis versus Number of parallel and identical invocations (Number of Clients), up to 20 clients; curves: Redirect/Post via 100 Mbit/s Ethernet, Redirect/Post via 54 Mbit/s WLAN, Analytic Model of Redirect/Post via 100 Mbit/s Ethernet, Analytic Model of Redirect/Post via 54 Mbit/s WLAN.]

For the Web Browser Profile with Redirect/Artifact the following analytical model is used:

$t_{total,eth} = 70 + (x \cdot 20) + (x^2)$   (6)

$t_{total,wlan} = 70 + (x \cdot 20) + ((3x^2) + 130)$   (7)

This model is plotted together with the curve of the real measurements in Figure 13.

Figure 13. Comparison between curves of real system and analytic model (Profile with Artifact-Method). [Plot: Total Average Response Time (ms) on a logarithmic axis versus Number of parallel and identical invocations (Number of Clients), up to 20 clients; curves: Redirect/Artifact via 100 Mbit/s Ethernet, Redirect/Artifact via 54 Mbit/s WLAN, Analytic Model of Redirect/Artifact via 100 Mbit/s Ethernet, Analytic Model of Redirect/Artifact via 54 Mbit/s WLAN.]

To sum up, both analytical models of Redirect/Post and Redirect/Artifact closely resemble the corresponding curves of the real measurements. The analytical model identifies and describes the essential processes of the RB-SSO system which have an impact on the total response time. For example, the analytical model makes clear that the total response time increases because of the rising number of client requests and the use of a mobile communication channel with low performance characteristics (see e.g. equation 5: $t_{link}(x) = ((6x^2) + 240)$).

V. CONCLUSION AND FUTURE WORK

In this paper, we proposed two different SAML-based approaches for the realization of our RB-SSO system to obtain better performance and scalability. These approaches should lower the load on the mobile communication channel between the incident scene and the emergency response system. In order to validate the approaches we developed prototypes on which we performed a performance analysis. The results show that using the Web Browser SSO Profile with Redirect/Artifact-Binding in combination with our RB-SSOProxy improves the performance by up to 39.53 %. The next steps should include evaluating the reliability of our proposed approaches with artifacts and the specific proxy solution for a large number of users (availability requirement). Furthermore, a prioritization concept has to be developed to minimize the load on the mobile communication channel at the incident scene during data downloads. In order to access relevant information anytime and anywhere, mobility support using the NEMO Protocol has to be integrated into our system. At present we are in the process of integrating our RB-SSO system into the vertical handover communication testbed and analyzing the effect of vertical handovers on the average response time, survivability and reliability of the system in case of communication disruption.
ACKNOWLEDGMENT

The authors would like to thank Ms. Funda Yilmaz for her work concerning the implementation and the recording of the measurement readings. Our work has been conducted within the Mobis Pro project (Mobile Information System for Process Optimization in Fire Brigades and Public Authorities), which is part of the SimoBIT program and funded by the German Federal Ministry of Economics and Technology (01MB07042).