Digital Identity Management in Cloud

Vladimir Vujin (University of Belgrade, Serbia), Konstantin Simić (University of Belgrade, Serbia) and Borko Kovačević (Microsoft, Serbia)
DOI: 10.4018/978-1-4666-5784-7.ch003

Abstract

Existing approaches for management of digital identities within e-learning ecosystems imply defining different access parameters for each service or application. However, this can reduce system security and lead to insufficient usage of the services by end-users. This chapter investigates various approaches for identity management, particularly in a cloud computing environment. Several complex issues are discussed, such as cross-domain authentication, provisioning, multi-tenancy, delegation, and security. The main goal of the research is to provide highly effective, scalable identity management for end-users in an educational private cloud. A federated identity concept was introduced as a solution that enables organizations to implement secure identity management and to share information on the identities of users in the cloud environment. As a proof of concept, the identity management system was implemented in the e-learning system of the Faculty of Organizational Sciences, University of Belgrade.

Introduction

The growing complexity of modern educational ecosystems requires new approaches to access control (Dong, Zheng, Yang, Haifei, & Qiao, 2009). Cloud computing environments are multi-domain environments in which each domain can have different security, privacy, and trust requirements and can employ different mechanisms, interfaces, and semantics. Such domains could represent individually enabled services or other infrastructural or application components (Takabi, Joshi, & Ahn, 2010). In order to provide a seamless user experience, technologies such as cloud-based services, the social Web, and rapidly expanding mobile platforms will depend on identity management.

Developing and operating applications in a cloud computing environment, whether private or public, requires defining and implementing an efficient strategy and tools for managing user identities. Identity Management (hereinafter: IDM) is a key issue for cloud privacy and security. IDM in an educational cloud is more complex than in traditional Web-based systems, since users hold multiple accounts with different educational services. The traditional model of application-centric access control, where each application keeps track of its own collection of users and manages them, is not acceptable in educational cloud-based architectures.

This chapter describes existing open standards such as SAML2, OpenID, OAuth for authentication and authorization, SCIM, and XACML. These standards aim to solve problems related to maintaining interoperability and enabling easy identity management in a cloud environment. Several complex questions, such as cross-domain authentication, provisioning, multi-tenancy, delegation, and security, are discussed as well.

The main goal of the research is to provide highly effective, scalable identity management for end-users in an educational private cloud. The research context of this chapter is the e-learning processes in the private cloud within the Laboratory for e-business at the Faculty of Organizational Sciences, University of Belgrade.

Key Terms in this Chapter

Identity as a Service (IDaaS): Refers to the management of identities in the cloud, apart from the applications and providers that use them, and represents an extremely broad term that covers software, platform, and infrastructure services in both the private and public cloud.

Identity Management (IDM): Describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.

System for Cross-Domain Identity Management (SCIM): Is a new standard that reduces the complexity of user management operations by providing a REST-based protocol for carrying out cross-domain identity management operations. SCIM enables provisioning and deprovisioning between identity providers and service providers. This keeps users in sync and reduces administrative burdens.
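The provisioning and deprovisioning loop that the SCIM definition above describes is shown below as an added example; it is not code from the chapter or from any SCIM implementation. The service provider side is an in-memory stand-in for a SCIM 2.0 `/Users` resource. The resource shape (the `urn:ietf:params:scim:schemas:core:2.0:User` schema URN, `userName`, `emails`, `active`) follows RFC 7643, while the directory format, the method names on the stand-in, and the reconciliation policy (deactivate rather than delete on offboarding) are assumptions made for the example.

```python
"""Added example: keeping a service provider's user set in sync with an
identity provider's directory through a SCIM-style /Users resource.

The ScimUsersEndpoint class is an in-memory stand-in for a real SCIM 2.0
service provider, so the example runs offline. The sync policy is an
assumption: missing users are provisioned, departed users are deactivated."""
import uuid
from typing import Dict, List

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema


class ScimUsersEndpoint:
    """Minimal stand-in for a service provider's /Users resource (assumption)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}  # SCIM id -> User resource

    def list_users(self) -> List[dict]:
        return list(self._users.values())

    def create(self, resource: dict) -> dict:
        # A real SP validates the schema and rejects duplicate userNames (HTTP 409).
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("missing core User schema")
        if any(u["userName"] == resource["userName"] for u in self._users.values()):
            raise ValueError("userName already exists")
        stored = dict(resource, id=str(uuid.uuid4()))
        self._users[stored["id"]] = stored
        return stored

    def replace(self, user_id: str, resource: dict) -> dict:
        # Equivalent of PUT /Users/{id}: the whole resource is replaced.
        stored = dict(resource, id=user_id)
        self._users[user_id] = stored
        return stored


def to_scim_user(username: str, email: str, active: bool) -> dict:
    """Build a core User resource from the attributes the directory holds."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": username,
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def reconcile(directory: Dict[str, str], sp: ScimUsersEndpoint) -> dict:
    """Bring the SP's users in line with the IDP directory and report what changed.

    directory maps userName -> email for every account that is currently valid
    at the identity provider (constructed input format).
    Policy (assumption): accounts absent from the directory are deactivated
    rather than deleted, so audit trails and resource ownership survive
    offboarding; accounts that reappear are reactivated instead of recreated.
    """
    existing = {u["userName"]: u for u in sp.list_users()}
    report = {"created": [], "reactivated": [], "deactivated": [], "unchanged": []}

    # Provisioning: everyone in the directory must exist and be active at the SP.
    for username, email in directory.items():
        current = existing.get(username)
        if current is None:
            sp.create(to_scim_user(username, email, active=True))
            report["created"].append(username)
        elif not current["active"]:
            sp.replace(current["id"], to_scim_user(username, email, active=True))
            report["reactivated"].append(username)
        else:
            report["unchanged"].append(username)

    # Deprovisioning: anyone at the SP who left the directory loses access.
    for username, current in existing.items():
        if username not in directory and current["active"]:
            sp.replace(current["id"], dict(current, active=False))
            report["deactivated"].append(username)
    return report


if __name__ == "__main__":
    sp = ScimUsersEndpoint()
    print(reconcile({"alice": "alice@example.edu", "bob": "bob@example.edu"}, sp))
    print(reconcile({"alice": "alice@example.edu"}, sp))  # bob is deactivated
```

Running `reconcile` on a schedule (or on every directory change event) is what keeps the two sides "in sync" in the sense of the definition: an account removed at the identity provider stops working at every service provider without an administrator touching each one.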

Single Sign-On (SSO): Is a process whereby credentials are entered only once and grant access to many separate systems without having to re-authenticate for the duration of the session.

IDentity Provider (IDP): Is the application that takes authentication information (commonly a username and password) and translates it into identity information (name, email, affiliations, etc.) which it provides to Service Providers based on defined policies.

Authorization: Is a process of granting or denying access rights for a resource to an authenticated end user.

Federated Identity Management (Identity Federation): Enables enterprises to exchange identity information securely across domains, providing browser-based single sign-on.

Service Provider (SP): Is the software that provides some access control and communicates with the IDentity Provider for identity information.

Authentication: Is a process of proving the identity of a previously registered end user.

Security Assertion Markup Language (SAML): Is an XML standard that allows secure Web domains to exchange user authentication and authorization data.
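The IDP, SP, SSO, authentication and authorization definitions above describe one exchange: the identity provider checks credentials and translates them into identity information, the service provider consumes that information and applies its own access policy. The following is an added example of that exchange, not code from the chapter or from any SAML library. The assertion format is an assumption made so the example runs offline: a JSON payload signed with HMAC-SHA256 under a key the two parties share, standing in for a SAML assertion with an XML signature. The entity identifiers, the user record, and the affiliation-based policy are constructed.

```python
"""Added example: a simplified federated single sign-on exchange between an
identity provider (IDP) and a service provider (SP).

Assumptions: the two parties share FEDERATION_KEY out of band; assertions are
JSON payloads signed with HMAC-SHA256 (a stand-in for SAML XML signatures);
the SP's policy grants actions by affiliation."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

FEDERATION_KEY = b"constructed-shared-key-for-this-example"  # assumption: pre-shared key
IDP_ENTITY_ID = "https://idp.example.edu"                    # constructed identifier
SP_ENTITY_ID = "https://elearning.example.edu/sp"            # constructed identifier


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Authenticates users and translates credentials into a signed identity assertion."""

    def __init__(self, key: bytes, entity_id: str) -> None:
        self._key, self.entity_id, self._users = key, entity_id, {}

    def register(self, username: str, password: str, email: str, affiliations) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                 "email": email, "affiliations": list(affiliations)}

    def issue_assertion(self, username: str, password: str, audience: str,
                        now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
            return None  # authentication failed: no assertion is issued
        now = time.time() if now is None else now
        payload = {"issuer": self.entity_id, "audience": audience, "subject": username,
                   "email": rec["email"], "affiliations": rec["affiliations"],
                   "issued_at": now, "expires_at": now + ttl, "id": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return f"{body}.{sig}"


class ServiceProvider:
    """Consumes assertions from a trusted IDP and enforces its own authorization policy."""

    # Assumption: which affiliation may perform which action at this SP.
    POLICY = {"staff": {"grades:read", "grades:write"}, "student": {"grades:read"}}

    def __init__(self, key: bytes, entity_id: str, trusted_issuer: str) -> None:
        self._key, self.entity_id, self._issuer = key, entity_id, trusted_issuer
        self._seen_ids = set()  # assertion ids already accepted, for replay detection

    def consume_assertion(self, token: str, now: Optional[float] = None) -> dict:
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")          # checked before any claim is trusted
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["issuer"] != self._issuer:
            raise ValueError("untrusted issuer")
        if claims["audience"] != self.entity_id:
            raise ValueError("assertion meant for another SP")
        if now >= claims["expires_at"]:
            raise ValueError("assertion expired")
        if claims["id"] in self._seen_ids:
            raise ValueError("assertion replayed")
        self._seen_ids.add(claims["id"])
        return {"subject": claims["subject"], "email": claims["email"],
                "affiliations": claims["affiliations"]}

    def authorize(self, identity: dict, action: str) -> bool:
        """Authorization is the SP's decision, separate from the IDP's authentication."""
        return any(action in self.POLICY.get(a, set()) for a in identity["affiliations"])


def rejection_reason(sp: ServiceProvider, token: str, now: float) -> Optional[str]:
    """Return why the SP rejects a token, or None if it is accepted."""
    try:
        sp.consume_assertion(token, now=now)
        return None
    except ValueError as err:
        return str(err)
```

The order of checks in `consume_assertion` is deliberate: the signature is verified before any claim is read, then issuer, audience, lifetime and replay are checked in turn, so a token intended for one service provider cannot be presented to another and an expired or reused token is refused even when its signature is valid. The `authorize` call shows the division of labour the key terms describe: the IDP proves who the user is, the SP decides what that user may do.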
