User-centric SAML?

2010/03/11

Let me first introduce user-centric identity (people who know this can skip to the second paragraph). Not so long ago OpenID en InfoCard where introduced as user centric identity standards, contrary to ‘old fashioned’ identity provider centric standard like SAML. Without going into details, user centricity boils down to providing user controlled privacy, i.e., providing informed consent. And I of course do not mean some legal disclaimer that you have to agree to as a user to be able to use some service. The idea to provide actual information on what information would be shared between an identity provider and a relying party, and asking the user for consent before sharing this. InfoCard inherently provides this, and does this with a piece of software on the client. OpenID provides this though a webpage.

We did a project for SURFnet, the Dutch NREN, to study if and if so how we could make their SURFfederatie (identity federation for higher education and research) provide user controlled privacy. The SURFfederation support different protocols, but is mainly SAML WebSSO based. We analyzed different options, focusing on providing user controlled privacy through InfoCards and doing this through SAML. The latter option is less used, but there are precedents, like uApprove (for Shibboleth) and the Consent module for SimpleSAMLphp. Ignoring lots of details, SAML WebSSO works roughly the same as OpenID (by redirecting the browser from relying party to the identity provider, and back), and user controlled privacy can be implemented in a similar fashion for SAML WebSSO as for OpenID.

The choice between InfoCards and what I’ll call user-centric SAML is not a trivial one, both have advantages and disadvantages. And besides, it was not clear if the users (students and employees of universities etc) even want to be bothered with user controlled privacy. We figured that the best way forward researcher user centricity was to simple ask users what they want. We considered doing this through some large-scale survey, but decided that a small-scale but in-depth user study would provide more useful results. My colleague Ruud Janssen, an experienced user researcher, did this user study. Using mockups he asked users if they wanted control, and if so, if they prefer user-centric SAML or InfoCards. Although the number were too small to be statistically significant, there was a surprisingly clear consensus on what the users preferred: user controlled privacy through user-centric SAML. This thus also is what we recommended to SURFnet.

Although I expected that they would like the card-like user interface that InfoCard offers, the user we interviewed did not. We think this is mostly because they were unfamiliar with it, and therefore did not really trust it.

The research outcomes were written down in two reports: the first report discusses the state-of-the-art, design guidelines for user-centric SAML and architectural analysis on using InfoCard vs user-centric SAML. The second report contains the outcomes of the user study. My apologies to non-Dutch speakers: both reports are in Dutch, as requested by our client.

We are continuing the research on user controlled privacy this year, focusing on the user interaction (prototyping, further user studies) and the architectural consequences of user-centric SAML for the SURFfederatie.

1 Comment | Uncategorized | Tagged: , , , , , | Permalink
Posted by Maarten Wegdam

paper on ePassports and InfoCard

2009/09/26
passport

passport

We’ve been working on ePassports for a while now, using the chips embedded in passports for online authentication. For a couple of years now passports have an embedded chip with information on the passport holder (social security number, name, birth date etc), standardized by the International Civil Aviation Organization. This chip is primarily used to facilitate automated inspection at border control, but can potentially be used for online authentication as well. Without going into technical details here, this means that a ePassport can be considered a state-of-the-art smartcard (contrary to apparantly Canadian driver licences)  that is issued via a trusted process, and which can be used to authenticate for e-government as well as for non-government services.

Our work basically had two dimensions:

  1. Figure out what the consequences of using ePassports for online authentication were – this boils down to the privacy sensitive information on the holder that is stored in the chip. Details vary per country, but since the ePassport was not designed with online usage in mind, you basically have to share all the data, which includes things like social security numbers. This is a major concern, which basically means you have to have a very-trusted-third-party to filter out attributes (minimal disclosure).
  2. How to use this in combination with Information Cards – We did an experiment where a InfoCard-based identity provider would use the ePassport to authenticate the user, as well as pass the government-certified attributes to relying parties. Of course: with user consent!  The good news is it works, the bad is that IMHO it’s a bit complicated to explain to the average user, especially to create the InfoCard.

Last week my colleague Dirk-Jan van Dijk (who did most of the development) presented a paper on the SecureComm conference on our ePassport & Infocard work. Since SecureComm has post-proceedings, I cannot link to the final version of the paper just yet, but just send me an email to get a final-except-maybe-layout-stuff version.

The lead for this work is with my colleague and ePassport guru Martijn Oostdijk. Martijn will give a presentation on our work on at RSA Conference Europe 2009 (next month). Martijn also made a nice overview of articles in the Dutch press on our work, including an English translation of an article in the business newspaper Financieel Dagblad. This work was partly sponsored by the NLnet Foundation, the software is open source.

UPDATE on 26 october 2009:  The paper can now be downloaded from http://dx.doi.org/10.1007/978-3-642-05284-2_17, or from my homepage at the University of Twente.

Leave a Comment » | Uncategorized | Tagged: , , , | Permalink
Posted by Maarten Wegdam