The 23rd National Information Security Conference (CISC 2013), Cryptology and Information Security Conference 2013

SAML-Based Access Control with Location Attributes System

Wei-Shen Lai (1), Chen-Yu Lee (2), Po-Hsin Chu (3)

(1) Department of Information Management, Chien Kuo Technology University
(2), (3) Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan
[email protected] [email protected]

Abstract

There are many web services on the Internet. In the usual case, a user has to be authenticated and authorized by a server before the server provides its services. A system may have many levels of authority for its accounts, so a scheme is needed to manage the authorities of accounts for management purposes. In this paper, we propose a method that solves this problem with the Security Assertion Markup Language (SAML), an XML-based open standard announced and supported by the W3C alliance. Using SAML, an account can be given different authorities that are decided by attributes derived from the user's location (or other related information). Building a loosely coupled system also brings the benefit of SAML single sign-on.

Keywords: Location-based access control, Security Assertion Markup Language, Single sign-on

1. Introduction

The Internet offers many kinds of web services, and managing the access rights of accounts in web services is an important issue. SAML (Security Assertion Markup Language) is a standard XML-based framework for communicating user authentication and attribute information. It allows service entities to define their own assertions (which include identity and attributes) for other entities. In this paper, we apply standard SAML to build a location-based access control (LBAC) system in which SAML assertions transfer the messages between different services. The paper is organized as follows. Related work is introduced in section 2. Our scheme is proposed in section 3 and the system architecture is described in section 4. In section 5 we apply our scheme to location-based access control in a medical information management system. Finally, we conclude.

2. Related Works

2.1 Single Sign On (SSO)

Single sign-on (SSO) is a method of access control that enables a user to gain the rights to access resources from multiple service providers with only one authentication. SSO defines two roles: the Identity Provider and the Service Provider. The former manages the accounts and authentication of users; the latter provides services to the authenticated users.

2.2 Security Assertion Markup Language

The Security Assertion Markup Language (SAML) is proposed by OASIS and exchanges XML-based authorization and authentication messages. SAML assertions carry, in XML statements, information about a principal that an asserting party claims to be true. SAML defines several kinds of security assertion: (1) authentication assertions, (2) attribute assertions, (3) decision assertions and (4) authorization assertions. SAML's identity federation mechanism provides account linking between two sites with privacy protection; it uses pseudonyms. The pseudonyms, generated by the Identity Provider for communication between sites, link the user's identities at the different sites. The sites communicate by passing the pseudonyms, with attached digital signatures that prove the messages were sent by the Identity Provider. Figure 1 shows the workflow of the SAML protocol.

Figure 1 The workflow of SAML protocol.

3. Proposed Scheme

Access control of accounts is an important issue in web service system design. In some situations it is necessary to limit the rights of accounts according to management policies. This paper proposes an access control scheme that decides the access rights of accounts based on specific factors, such as geographical location. We take the SAML mechanism as the core of our system, with advantages such as single sign-on. The access rights of user accounts are decided by the service provider according to assertions that include the pseudonym, the location attributes of the user, the assertion's validity period and a digital signature. Depending on the implementation, the location attribute could be GPS coordinates, signals from sensors or an IP address.

3.1 Event Manager

The Event Manager is a service provider as well as an identity provider. It receives events from the Event Trigger whenever an event occurs and generates a pseudonym, which it stores in its database. It handles all requests from users and responds to users when events occur. When the Event Manager receives the Event Occur message from the Event Trigger, the Event Identity Provider inside the Event Manager generates a pseudonym for the event and stores it in the corresponding entry of the database selected by the parameters sent by the Event Trigger. When the user receives the event and requests the resource, the Event Manager redirects the user to the Service Provider with a SAML assertion.

3.2 Event Trigger

The Event Trigger could be a human in the home network, or a program that receives parameters from sensors to trigger the event. The task of the Event Trigger is to parse the parameters from the environment we want to monitor and to decide whether the event should be triggered. If it should, the Event Trigger sends a message to the Event Manager for further processing.

Figure 2 System architecture

3.3 Service Provider

The Service Provider receives from the Event Manager the assertion that includes the pseudonym and attributes (such as location) of the user. The Service Provider is responsible for deciding whether the user has the right to access the resources. If the access check fails, the user is redirected back to the Event Manager.

4. System architecture

Figure 2 shows the system architecture. The architecture contains different areas. The area in which the Event Manager is located is called the Home Network; the others we call Distinct Networks. Users from the home network do not need a pseudonym to access the Service Provider, since they are in the same area. Users from other networks need a pseudonym in order to access the resources they require from the service providers.

4.1 Interaction between user and system

Figure 3 is the flow chart of the interaction between users, the Event Manager and the Service Provider. Before accessing the service provider, the user logs in at the Event Manager. Polling starts when the user has logged in to the Event Manager successfully. When an event occurs, the Event Manager redirects the user to the service provider site with a SAML assertion, and the service provider decides the user's access rights according to the assertion provided by the Event Manager. The decision flow at the Service Provider site is as follows.

The flow starts when the Event Trigger activates the event. The Event Trigger sends a message to the Event Manager when the event occurs. When the Event Manager receives the event, the Event Identity Provider generates a pseudonym and saves it to the database in the Event Manager. The pseudonym is used to link the event with the user information. At the same time, the Event Manager sends a SAML assertion, which contains the pseudonym, the trigger time and other information, to the Service Provider. The Service Provider receives this information and decides, from the information provided in the assertion, whether the assertion is valid. If it is valid, the service provider adds the pseudonym to the corresponding service information.

A user who logs in with the same account from different locations will get different results. In the home network, the user has the right to access the service provided by the service provider without providing a pseudonym. In a distinct network, the access right is limited by the pseudonym, according to the location attribute provided by the Event Manager. A user from a distinct network can only use the service that corresponds to the pseudonym.


on account management, and there is nothing different from the user's point of view. In this paper we use SAML assertions to carry the messages. The benefit of using SAML in this system is that, with the SAML standard, it is easy to transfer messages between different sites and easy to recognize them through the digital signature in the assertion. Another benefit of this system is message integration between two or more organizations. It is easy to build the communication owing to the prevalence of SAML, which is based on the XML standard.

We treat the location information (which could be a signal from a wireless sensor or GPS) as a parameter in this paper. This information is provided by the user's environment and must not be modifiable by users. In practice, it could be realized by placing sensors in the hospital buildings. If the user's location is around the hospital and the handset device receives the signal from the sensors, the user is recognized as a user from the home network.

Figure 3 Interaction steps between SP and Event Manager

5. Location-based access control on medical information management system

A medical information management system stores the anamnesis (case history) of patients and should accept queries and modifications from the corresponding doctors. To protect the privacy of patients, it is necessary to control the access of the users (doctors). When the doctor is in the hospital, full access rights to read the anamnesis of the patients are necessary. When the doctor leaves the hospital, we limit the doctor's right to access the patient's anamnesis for privacy protection. But a doctor must be able to read a patient's case history when an emergency occurs, even if the doctor is not in the hospital. For this reason, when an emergency occurs, the Event Trigger (a nurse, in this case) generates an event, and the doctor can access the specific patient's anamnesis through the pseudonym given by the Event Manager, even while not in the hospital.

5.1 System implementation

Our system is implemented on Apache Tomcat with MySQL 5.0. Users access the system through browsers. It uses the IP address as the attribute value of the location information. If the user connects to the system from an internal IP address, the user is in the home network; otherwise, if the user connects from another IP address, the user is connecting from a distinct network. The main function of the Event Trigger is to trigger an event by selecting the doctor and patient. After entering the correct account and password of the Event Trigger, the event with the selected doctor name and patient name is sent to the Event Manager.
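The Event Manager and Service Provider exchange of sections 3 and 4, with the IP address as the location attribute as in section 5.1, as an added Python example that is not the authors' implementation. The shared key, the 10.0.0.0/8 home network, the demo clock and the "resource" attribute are constructed assumptions, and an HMAC over the assertion bytes stands in for the XML-DSig signature a real SAML deployment would verify.

```python
import hmac, hashlib, secrets, ipaddress, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SHARED_KEY = b"constructed-demo-key"               # assumed Event Manager/SP secret
HOME_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed hospital (home) range
DEMO_NOW = datetime(2013, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
def q(tag): return f"{{{SAML}}}{tag}"             # namespace-qualified SAML tag

class EventManager:
    """Identity-provider side: a fresh pseudonym links each event to its user."""
    def __init__(self):
        self.events = {}         # pseudonym -> (doctor, patient record)

    def trigger(self, doctor, patient):
        pseudonym = secrets.token_hex(16)
        self.events[pseudonym] = (doctor, patient)
        return pseudonym

    def issue_assertion(self, pseudonym, client_ip, now, lifetime_min=10):
        """Assertion carrying pseudonym, validity window, location and resource."""
        _, patient = self.events[pseudonym]
        a = ET.Element(q("Assertion"))
        ET.SubElement(a, q("NameID")).text = pseudonym
        ET.SubElement(a, q("Conditions"), NotBefore=now.isoformat(),
                      NotOnOrAfter=(now + timedelta(minutes=lifetime_min)).isoformat())
        stmt = ET.SubElement(a, q("AttributeStatement"))
        for name, value in (("location", client_ip), ("resource", patient)):
            att = ET.SubElement(stmt, q("Attribute"), Name=name)
            ET.SubElement(att, q("AttributeValue")).text = value
        body = ET.tostring(a)
        # HMAC stands in for the XML-DSig signature a real SAML deployment uses.
        return body, hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

def sp_decide(body, sig, now):
    """Service-provider decision: (granted, resources the user may read)."""
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, []                       # not issued by the Event Manager
    a, ns = ET.fromstring(body), {"s": SAML}
    cond = a.find("s:Conditions", ns)
    if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
            < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        return False, []                       # outside the assertion's lifetime
    attrs = {e.get("Name"): e.find("s:AttributeValue", ns).text
             for e in a.iterfind(".//s:Attribute", ns)}
    if ipaddress.ip_address(attrs["location"]) in HOME_NETWORK:
        return True, ["*"]                     # home network: full access
    return True, [attrs["resource"]]           # distinct network: that event's record only
```

A home-network user is granted everything, a user from a distinct network only the record bound to the event's pseudonym, and an expired or unsigned assertion is refused.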

6. Conclusion

Access control is an important issue in a web service system. Location-based access control provides the system designer a flexible mechanism
