Affiliations: Dipartimento di Informatica, Università degli Studi di Salerno, Fisciano, Italy. E-mail: [email protected] | Dipartimento di Ingegneria Elettrica e Tecnologie dell'Informazione, Università degli Studi di Napoli “Federico II”, Napoli, Italy. E-mail: [email protected]
Note: [] Corresponding author: Luigi Catuogno, Dipartimento di Informatica, Università degli Studi di Salerno, I-84084 Fisciano (SA), Italy. E-mail: [email protected]
Abstract: User authentication schemes have been a key research topic in the field of data security for decades. Such schemes are evaluated according to at least two parameters: security and usability. Since a number of secure and usable authentication schemes are available, each institution can select the scheme that is considered to be most appropriate for its security policy. Such a per-site system selection has the following feature: each site has to authorize each user that tries to access its resources. In a world in which users mobility is growing, the feature we have just described forces a huge overhead; both from the site's viewpoint and the users' viewpoint, since each user needs to store different credentials for each site she accesses to. Federated authentication allows users to use their home authentication credentials for gaining access to other institutions services while moving among different institutions. Different federated authentication systems have been designed and implemented. Despite simplified users mobility, one key problem in this area is that, often, different authentication systems do not cooperate or provide a limited interoperability. In this paper we discuss the problem of achieving full interoperability among Federated Identity Management Systems and present, as proof-of-concept, a solution to allow full communication between two federated authentication systems, Shibboleth a de facto standard in this context, and PAPI (Point of Access to Providers of Information). Such a solution leverages an intermediate bridge which joins both federations and features protocols translation during cross-federation Authentication/Authorization (AA) sessions.
