Federated electronic identity systems are increasingly used in commercial and public services to let users share their identity across providers. We discuss authorization (prior to authentication) issues in the eIDAS federated European electronic identity infrastructure. In this scenario, each European country runs a national eIDAS node, which transfers personal attributes upon successful authentication of a person in his home country. Service Providers in foreign countries use these attributes to take (local) authorization decisions for the requested service. Our work addresses those scenarios where authorization is required prior to authentication (authorise-then-authenticate), that is, when a service provider has to implement access control decisions before the person has been authenticated. This scenario applies, for example, in a user-centric network access service. We propose two models to perform authorise-then-authenticate in eIDAS, one working at application level and one at transport level, and we sketch a possible implementation scenario.
Authorize-then-Authenticate: Supporting Authorization Decisions Prior to Authentication in an Electronic Identity Infrastructure / Berbecaru, Diana; Lioy, Antonio; Cameroni, Cesare. - 868:(2020), pp. 313-322. (Paper presented at the International Symposium on Intelligent and Distributed Computing (IDC 2019), held in Saint-Petersburg (RUS), 7-9 Oct. 2019) [10.1007/978-3-030-32258-8_37].
Authorize-then-Authenticate: Supporting Authorization Decisions Prior to Authentication in an Electronic Identity Infrastructure
Diana Berbecaru; Antonio Lioy; Cesare Cameroni
2020
File | Size | Format
---|---|---
Berbecaru2020_Chapter_Authorize-then-AuthenticateSup.pdf (restricted access; type: 2a post-print, publisher version / Version of Record; licence: non-public, private/restricted access) | 813.38 kB | Adobe PDF
https://hdl.handle.net/11583/2761352