Web Service Security: Authentication and Authorization Technologies

Elena M. Torroglosa García (University of Murcia, Spain) and Gabriel López Millán (University of Murcia, Spain)
Copyright: © 2014 | Pages: 21
DOI: 10.4018/978-1-4666-4789-3.ch008


The high adoption in daily lives of services offered by the Web 2.0 has opened a wide field for the proliferation of new Web-based services and applications. Social networks, as the main exponent of this new generation of services, require security systems to ensure end user authentication and access control to shared information. Another feature that is becoming increasingly important in these scenarios is the delegation of controlled access between the different API (Application Programming Interfaces) to integrate services and information. The safe use of these Web services requires end user security credentials and different authentication and authorization technologies. This chapter provides an introduction to the most relevant protocols and standards in the area of Web service security, which are able to provide authentication and authorization mechanisms.
Chapter Preview

Today, end users make use of a wide variety of Internet services. Each one requires a registration process in order to define the end user's service profile. This implies the management of new usernames and passwords, and of a large amount of usually private information.

The Cambridge Dictionary (Cambridge University Press, 2012) defines identity as "who a person is, or the qualities of a person or group which make them different from others". In practice, anyone who wants to make use of an Internet service usually needs to share some private information with the service provider, whether out of real need (address and billing information) or as a requirement of the business model (for example, being asked for gender and age). These users need tools that make managing their multiple identities in the network easier. An identity management system ought to provide end users with these mechanisms, from the management of simple service accounts to value-added functions such as privacy protection, advanced access control or Single Sign-On (SSO).

When organizations wish to share their resources among their registered end users, the concept of identity federation appears. An identity federation defines how, by means of trust relationships, end users of any of the participating organizations are able to request access to the services offered by the others. Some identity management systems, such as Higgins (The Eclipse Foundation, 2012) and Shibboleth ("Shibboleth Project," 2012), provide end users with a uniform way of using their authentication credentials (typically username and password) across an identity federation.

When an end user wants to access a Web service, the service provider needs to confirm that she is a valid end user of its system (and usually to identify her as such). To carry out the authentication process, the service provider usually relies on an identity management system, which is responsible for retrieving the required end user information and verifying the authenticity of her identity. Examples of such authentication mechanisms are HTTP Basic and Digest (Franks et al., 1999), Forms Based (Oracle Group, 2010), digital certificates over TLS (Dierks, 2008), etc. If authentication succeeds, the identity management system issues an authentication proof, also called an authentication token, to the service provider. With this token, the service provider can be sure that the end user has been authenticated in the system and may access the protected resource. Another relevant concept is Single Sign-On (SSO) (Määttänen, 2002). SSO allows end users to access different service providers within an identity federation while authenticating only once, the first time they access a service during the session lifetime. This mechanism provides significant advantages, such as saving re-authentication time and improving the user experience.

The access control system of a service provider may require, besides end user authentication, an authorization process. Authorization uses additional information to decide whether or not the end user meets the requirements imposed by the service. By definition, authorization is the process that determines which of a service provider's resources the end user is permitted to access. Access control (Damiani, Vimercati, & Samarati, 2005), in turn, is the process of gathering that information and making decisions about service delivery. To do so, the service provider must contact the identity management system and request end user attributes. In this case, the amount of information obtained depends on the data the end user has added to her identity profile and on the attribute disclosure policies in force.

This section has introduced several types of entities. A service provider is an organization willing to offer Internet services, including Web, email, multimedia data, e-commerce or network access. Providers dealing with end user identity are known as identity providers, and can be classified according to the specific role they perform. For example, an authentication provider is responsible for demonstrating that an end user is really who she claims to be, offering an authentication token as proof of successful authentication. Similarly, the attribute provider is responsible for handling additional end user information (attributes).
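The flow described in the preceding paragraphs, as an added Python example that is not part of the chapter: an authentication provider issues a token bounded by the session lifetime, a service provider verifies it (the same token serving any provider in the federation, as in SSO), and the access control decision is made over the attributes the attribute provider discloses under the end user's policy. The shared HMAC key, the user data and the disclosure policy are constructed placeholders.

```python
import base64, hashlib, hmac, json
from typing import Callable, Optional

# Constructed federation-wide shared key (assumption): real deployments
# would use asymmetric signatures, but a MAC keeps the block self-contained.
FEDERATION_KEY = b"constructed-demo-key"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, issued_at: float, lifetime: int = 3600) -> str:
    """Authentication provider: emit an authentication proof (token) valid for the session lifetime."""
    claims = {"sub": user, "iat": issued_at, "exp": issued_at + lifetime}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64(mac)}"

def verify_token(token: str, now: float) -> Optional[dict]:
    """Service provider: accept the token only if the MAC is valid and the lifetime has not expired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None  # tampered body or forged signature
        claims = json.loads(unb64(body))
    except (ValueError, AttributeError):
        return None  # malformed token
    return claims if now < claims.get("exp", 0) else None

# Constructed attribute provider data and per-service disclosure policy:
# the end user releases only the listed attributes to each service.
ATTRIBUTES = {"alice": {"role": "staff", "age": 34, "email": "alice@example.org"}}
DISCLOSURE = {"alice": {"library": {"role", "age"}}}

def fetch_attributes(user: str, service: str) -> dict:
    """Attribute provider: return only what the disclosure policy allows for this service."""
    allowed = DISCLOSURE.get(user, {}).get(service, set())
    return {k: v for k, v in ATTRIBUTES.get(user, {}).items() if k in allowed}

def authorize(token: str, service: str, policy: Callable[[dict], bool], now: float) -> bool:
    """Access control: authenticate via the token, then apply the service policy to disclosed attributes."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return policy(fetch_attributes(claims["sub"], service))
```

A policy that needs an attribute the user has not released to that service (here, email) is denied even though authentication succeeded, which is the separation between authentication proof and attribute disclosure the text describes.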
