Authorize-then-Authenticate: Supporting Authorization Decisions Prior to Authentication in an Electronic Identity Infrastructure / Berbecaru, Diana; Lioy, Antonio; Cameroni, Cesare. - 868:(2020), pp. 313-322. (Paper presented at the International Symposium on Intelligent and Distributed Computing (IDC 2019), held in Saint-Petersburg (RUS) on 7-9 Oct. 2019) [10.1007/978-3-030-32258-8_37].

Authorize-then-Authenticate: Supporting Authorization Decisions Prior to Authentication in an Electronic Identity Infrastructure

Diana Berbecaru; Antonio Lioy; Cesare Cameroni
2020

Abstract

Federated electronic identity systems are increasingly used in commercial and public services to let users share their identity across providers. We discuss authorization (prior to authentication) issues in the eIDAS federated European electronic identity infrastructure. In this scenario, each European country runs a national eIDAS node, which transfers personal attributes upon successful authentication of a person in his home country. Service Providers in foreign countries use these attributes to take (local) authorization decisions for the requested service. Our work addresses those scenarios where authorization is required prior to authentication (authorise-then-authenticate), that is when a service provider has to implement access control decisions before the person has been authenticated. This scenario applies for example in a user-centric network access service. We propose two models to perform authorise-then-authenticate in eIDAS, one working at application level and one at transport level, and we sketch a possible implementation scenario.
978-3-030-32257-1
978-3-030-32258-8
Files in this record:

File: Berbecaru2020_Chapter_Authorize-then-AuthenticateSup.pdf
Access: restricted
Type: 2a Post-print publisher's version / Version of Record
License: Not public - private/restricted access
Size: 813.38 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/2761352