Patterns of Federated Identity Management Systems as Architectural Reconfigurations Research supported by the British-Italian Partnership Programme – British Council PP09/29. Electronic Communications of the EASST Volume 31 (2010) Proceedings of the Second International Workshop on Visual Formalisms for Patterns (VFfP 2010) Patterns of Federated Identity Management Systems as Architectural Reconfigurations1 Hyder Ali Nizamani and Emilio Tuosto 14 pages Guest Editors: Paolo Bottoni, Esther Guerra, Juan de Lara Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 1 Research supported by the British-Italian Partnership Programme – British Council PP09/29. http://www.easst.org/eceasst/ ECEASST Patterns of Federated Identity Management Systems as Architectural Reconfigurations† Hyder Ali Nizamani1 and Emilio Tuosto2 1 han3@le.ac.uk, 2 et52@mcs.le.ac.uk Department of Computer Science University of Leicester, UK Abstract: This paper proposes a formal model of Federated Identity Management systems (FIMs) in terms of architectural design rewriting. FIMs allow cross-domain user authentication to enable access control across the organisations under the con- cept known as Circle of Trust (CoT). Patterns of FIMs emerged as recurring CoT scenarios due to the fact that each of the pattern has different security and trust requirements. This paper proposes a formal model for FIMs to characterise their patterns as architectural styles. More precisely, an architectural style is given to precisely pinpoint all possible legal configurations of the CoT in terms of the pat- terns. The proposed model is specified through style-consistent (graphical) designs in terms of architectural design rewriting (ADR). Keywords: Modelling, Federation, Identity Management, Circle of Trust, Patterns, Architectural Style, Reconfigurations. 1 Introduction We give a definition of patterns emerging for federated identity management systems (FIMs) in a formal model of graph transformation. In particular, we show how patterns can be formally specified as architectural styles along with a representation of FIMs in a formal framework can suitably express transformations of their patterns. The fundamental goal of FIMs is to share identity related information for cross-domain user authentication through some protocols and standards [15, 13, 11]. Typically, federations are created and managed by establishing legal (i.e., business, administrative, etc.) relationships by a set of contracts that specifies obligations and rights together with the policies each organisation has to follow [12]. These federated organisations form a Circle of Trust (CoT) that can be defined as a group of Service Providers (SPs) and Identity Providers (IDPs). Roughly upon requests to the services, the SP uses identity related information to enforce access control. Nowadays, FIMs implementations may be found in various domains (i.e., finance, education, healthcare, etc.) and such systems are considered relatively static due to the nature of the CoT. However, a dynamic approach may be realised that enables organisations leaving or joining the CoTs to take some economic benefits in today’s emerging dynamic and scalable systems (e.g., Clouds and Web 2.0). In this way, one can take advantages of service-oriented computing (SoC) that can provide not only functional but some non-functional requirements (i.e., security) as † Research supported by the British-Italian Partnership Programme – British Council PP09/29. 1 / 14 Volume 31 (2010) mailto:han3@le.ac.uk mailto:et52@mcs.le.ac.uk Patterns of FIMs as Architectural Reconfigurations services. For instance, FIMs can be used to deal with access control in a cloud. Consequently, architectural modeling of these systems becomes necessary; for instance, in current distributed systems the possibility to tackle (dynamic) changes is paramount. Remarkably, this reflects at the architectural level and requires what is known as architectural reconfiguration. Architectural styles may provide a suitable mechanism for guiding the reconfigurations in a way that any change in the architecture does not violate the style. At the best of our knowledge, only informal FIMs models have been given; in [12, 7] some interesting FIMs patterns are presented in terms of security and trust requirements. This paper focuses on modeling architectural aspects of FIMs that are validated against the patterns given in [12] and introduces an architectural style for the purpose. Architectural aspects of FIMs are formalised using Architectural Design Rewriting (ADR) that is a graphical formal- ism introduced in [4, 5] to formally specify architectural aspects of systems. The architectural styles corresponding to the patterns in [12] are formally characterised by a type graph and a few ADR productions. The type graph specifies the architectural elements of FIMs by describing components (edges) and their legal interconnections (nodes) while ADR productions formalise refinement. In fact, a selected FIMs pattern is generated by some design productions that guar- antee a valid CoT by construction; for instance, as shown later, the constraint that a legal CoT configuration must have at least one IDP and one SP is formalised by suitable productions. In other words, architectural styles can model well-formedness conditions of FIMs as well as the patterns induced by the security and trust requirements studied in [4, 5]. The main motivations for using ADR are (i) that it is a mathematically precise framework, (ii) that ADR allows style-based design and, more importantly, (iii) that ADR features style- preserving reconfigurations of software architectures. Noteworthy, style-preserving reconfigura- tions are not naturally supported by other architectural description languages (cf. [6]). In ADR instead, style-preserving reconfigurations can be enforced by imposing simple conditions on the format of reconfiguration rules. More precisely, an ADR reconfiguration rule has the form r : t → t′ (1) where t and t′ are typed terms of an algebra induced by the graph rewriting mechanisms of ADR (i.e., productions); an ADR reconfiguration system is a set of rules where t and t′ have the same type for each rule (1). Remarkably, style-preserving reconfigurations are paramount for FIMs as violations of well-formedness may hinder their correctness (security and trust requirements). Structure of the paper § 2 briefly describes the concept of FIMs, some of their patterns, and basic definitions of ADR. The ADR model of FIMs is in § 3. Architectural configurations of the selected FIM patterns are in § 4 and their reconfigurations are addressed in § 5. Related work is given in § 6. Finally, the summary and the future research directions are briefly described in § 7. 2 Background This section gives an overview of FIMs and the basic definitions of ADR. Proc. VFfP 2010 2 / 14 ECEASST 2.1 Federated Identity Management FIMs forms an interesting class of distributed systems that allow group of organisations to “fed- erate” to share services (or resources). Typically, sharing distributed resources requires an access control system to authenticate users. FIMs make users’ authentication information available in a global context so that organisations can be part of different federations and have more business relationships with different group of organisations. The roles involved in FIMs are • users (whose identity is to be federated), • identity providers (IDP), and • service providers (SP) where IDP vouch authentication statements for users (e.g., by issuing certificate) and SP dispense services. Example 1 A university can be part of a federation of digital libraries, in which case the uni- versity is the IDP, each library is an SP, and students and staff are users. � The notion of Circle of Trust (CoT) is key to FIMs and permits to establish complex contracts that describe common policies and obligations. In [1], a CoT is defined as a framework that specifies a common set of cooperation policies together with collaboration interfaces within a certain group of organisations having trusted relationships. Users provide verified identities in order to access resources shared by member organisations of the CoT. FIMs allow users from different organisations to be authenticated when accessing remote resources in their CoT [16]. In FIMs, a CoT can be described as a federation of identity and service provider organisations. FIMs are becoming ubiquitous and can be found in many different application contexts, in- cluding eCommerce, education, eHealth, eGovernment. Example 2 (cf. [10]) A financial institution needs its users (employees, customers, etc.) to access services offered by a third party provider. The financial institution is the IDP managing the authentication information of its users to the third party SP. The financial institution (IDP) authenticates its users to grant them access to SP’s resources. � In FIMs, an SP relies on the authentication information sent by the IDP when users request access to services so to support Single Sign-on (SSO), namely allowing users to authenticate only at their IDP without re-authenticating themselves to access services offered by SPs in the CoT. In [7], architectural (and behavioural) aspects of FIMs are informally represented as a pattern for a CoT where a single IDP is federated to multiple SPs. Other patterns are informally described in [12]: (i) Bilateral Federation, (ii) Multiple IDPs Federation, (iii) Multiple SPs Federation, and (iv) Arbitrary Federation. The differences among those patterns are described in [12] in connection with trust relationships; each pattern has implication on trust management and what security threats the corresponding FIMs are exposed to (e.g., privacy of user identities, business data, access control, authentication). More precisely, patterns (i-iv) are ordered according to the 3 / 14 Volume 31 (2010) Patterns of FIMs as Architectural Reconfigurations security threats they are subject to, pattern (i) being the “most robust”. We now briefly comment on the security threats hindering each pattern (see [12] for details). In (i), a single IDP is federated to a single SP and they agree to deal with the private data according to common policies. Since the access to services is mediated by the IDP, the latter is aware of users’ activities (e.g., how often users communicate with the SP). The IDP may exploit this kind of information to acquire knowledge on users’ behaviour and this is regarded as a threat to users’ privacy. Also, SP receives information related to users’ identity from the IDP hence the SP might disclose (i.e., to other SPs) such information without the consent of the IDP or the user. In (ii), a single SP is federated to multiple IDPs; users may be registered at several IDPs and they notify the SP about which IDPs will be used for authentication. The additional threat with respect to pattern (i) is that some or all IDPs might decide to cross-check the information about the accesses to the SP. In (iii), a single IDP is federated to multiple SPs; a typical situation in this case is that delega- tion of user authentication is necessary. For instance, a service in the federation may be delegated (by an IDP or by another SP) to provide users’ credentials if it needs to invoke other services in the federation. The additional threats with respect to pattern (ii) include unauthorised delegation of authentication and “collusion” of SPs to accumulate identity information. The first threat may happen when users invoke a complex service that needs to make further invocations to other SPs in the federation. The second threat is quite serious as it would allow SPs to correlate their information and accumulate data on users. Pattern (iv) is the most vulnerable as it allows the free combination of patterns (i-iii) and is exposed to all their threats. 2.2 Architectural Design Rewriting The Architectural Design Rewriting (ADR) approach [4, 5] permits to design hierarchical and reconfigurable software architectures. The main features of ADR include a rule-based approach, hierarchical design, and an algebraic presentation. We borrow the main definitions of ADR from [4] (where more details can be found). Software architectures are modeled in ADR as hypergraphs whose edges represent compo- nents and nodes (vertices) represent interconnections between the components. Definition 1 ([4]) A (hyper)graph is a tuple G = 〈V,E,t〉 where V is the set of nodes, E is the set of edges and t : E →V∗ is the tentacle function. Example 3 An ADR graph on the sets {},•} (of nodes) and {N,T} (of edges) can be graphi- cally represented as } Noo • Too (2) The tentacle function is represented by the lines connecting edges ordered clockwise starting from the arrow-headed tentacle; the tentacle function of (2) maps N to [},},•] and T to [•]. � The vocabulary of an architecture is given by a distinguished graph, the type graph, over which graphs are typed; edges are partitioned in terminal (not refinable) and non-terminal ones (refinable). In Example 3 the doubly-lined box N is non-terminal while T is a terminal. Proc. VFfP 2010 4 / 14 ECEASST Definition 2 ([4]) A graph G is typed over a graph H when G is homomorphic to H, namely when there are fV : VG →VH and fE : EG → EH preserving the tentacle functions, i.e. f∗V ◦tG = tH ◦ fE , where f∗V is the homomorphic extension of fV to V ∗ G. Architectures are modeled using designs which represent architectural components with their interconnections. Architectures can be composed using design productions. Definition 3 ([4]) A design is a graph with interface, i.e. a triple d = 〈Ld,Rd,id〉, where Ld is a (typed) graph consisting only of a nonterminal and by distinct nodes attached to its tentacles; Rd is a (typed) graph without nonterminal edges; and id : VLd →VRd is a total function. A (design) production p is a tuple 〈Lp, Rp,ip,l〉 where Lp is a (typed) graph consisting only of a nonterminal labeled by say Ap and by distinct nodes attached to its tentacles; Rp is a (typed) graph with both terminal and non-terminal edges; ip : VLp → VRp is a type preserving function; and l is a bijection mapping the non-terminal edges of Rp on an initial segment [1,2,...,np] of positive numbers. Given a production p as above, call Lp the left-hand-side (LHS) of p and Rp the right-hand-side (RHS) of p. Productions allow top-down design by refinement, bottom-up typing of the actual architecture and well-formed composition of the architectures. The set of design productions together with the type graph represent the architectural style. Example 4 Productions have a convenient graphical representation which we illustrate with an example. The graphs G1 and G2 below can be typed over the graph (2) in the obvious way graph G1 } c1 C0oo }c2 • p1 graph G2 } a C1 oo II II } b C2oo uu uu } c • d Ignoring the labelling function, the production with LHS G1 and RHS G2 (together with the homomorphisms) can be drawn as C0 :N } c1 } a C1 :N oo b } C2 :Noo c} c2 } d • p1• (3) where the outermost dotted box corresponds to G1, the inner graph is G2 (with the explicit typing given by the homomorphism), and the dotted lines map the nodes of G1 to those of G2. � If non-terminal edges are considered as ’types’ (of architectures), ADR productions have a convenient “functional” reading illustrated continuing Example 4. Example 5 Production (3) can be thought of as a function p : N ×N → N taking two archi- tectures of ’type’ N and returning a new architecture of type N so that productions become constructors of a sorted algebra of architectures whose terms yield configurations. For instance, if x and y are architecture of type N, the term p(p(x,y),x) is an architecture of type N. � 5 / 14 Volume 31 (2010) Patterns of FIMs as Architectural Reconfigurations In ADR, the design rules can be given an algebraic formulation where a term describes a par- ticular style-proof (as p(p(x,y),x) in Example 5). Style-preserving reconfigurations are operated at the level of style-proofs by exploiting term rewriting over style-proof terms. A graph transfor- mation rule can be represented as a rewrite rule L −→ R; if L and R are terms of the same type the rule is style-preserving [5]. Let us define a reconfiguration rule to add components (at abstract level) to the architectures of type N given by the production in Example 5 and a production q : N → N that takes a config- uration of type N and returns another configuration of type N. To illustrate this, assume x and y are architectures of type N and consider the reconfiguration rule add(y) : q(x)−→ p(q(x),y) where a sub-term q(x) of type N on the LHS of the rule is replaced by term p(q(x),y) of the same type on the RHS. Now, we demonstrate how to apply such a rule to reconfigure an architecture of type N. For instance, the reconfiguration p(q(x1),y1)−→ p(p(q(x1),y2),y1) is obtained by applying the rule add to the subterm q(x1) on the LHS so to yield the term on the RHS where y2 is attached in the new configuration by means of the constructor p. 3 Modeling FIM systems in ADR We define FIMs architectures in terms of ADR productions on the type graph depicted in (4) which yields the vocabulary for the architectural elements of FIMs CoT �� • } federation chain } P0 // P1 // IPs �� SPs oo IDP oo SP oo ◦ federation access F OO ◦ • provider access (4) The graph (4) yields the types of components and nodes represent the kind of ports used to connect them. More precisely, federation chain nodes } are used to form chains of edges of type F or CoT; federation access nodes ◦ connect IDP and SP providers with a federation F; provider access nodes • connect providers. Formally, the type graph (4) and is defined as VH ={},◦,•} EH ={CoT,F,P0,P1,IPs,SPs,IDP,SP} tH :   CoT 7−→ [},},•] F 7−→ [},},◦] P0,P1,IPs,SPs,IDP,SP 7−→ [◦,•] The non-terminal edges in (4) can be refined into complex graphs using the corresponding design productions (described later) that define legal configurations of FIMs. The non-terminal edge CoT will be refined into providers (i.e., IDP and SP) connected to each other and to their Proc. VFfP 2010 6 / 14 ECEASST chain : CoT×CoT → CoT ct0 :CoT } c1 } a C1 :CoT oo b } C2 :CoToo d} c2 } c • p1• (a) CoT Chain fed : P1 ×P0 → CoT ct0 :CoT c1 } a } f :F oo b } c2 } c ◦ pi :P0oo d• p1• ps :P1 ggOOOO ttt (b) CoT in a federation Figure 1: A CoT and a chain of CoT federation in FIMs. These providers can be obtained by refining non-terminal edges; for exam- ple, by refining non-terminal edges of type P0 and IPs configurations with identity providers can be obtained, while configurations with service providers are obtained by refining non-terminal edges of type P1 and SPs. The terminal edges F, IDP, and SP are the types for a federation, an identity provider, and a service provider respectively. Figure 1 shows productions chain and fed that refine non-terminal edge CoT into a federa- tion of providers and chain of CoTs. Notice that LHS and RHS of productions are typed over the graph (4). Production chain catenates CoTs C1 and C2 by connecting them on node b as illustrated in Figure 1(a). Also, node c is used to connect C1 and C2 to providers and exported together with a and d to possibly extend the chain. Production fed generates configurations of CoT by connecting several providers (obtained by refining pi and ps) to each other and to a fed- eration f as illustrated in Figure 1(b). Providers pi and ps interact with federation f through node c of type ◦; nodes c1 and c2 allow f to connect to other CoT and node p1 to connect to other providers. Observe that c1, c2, and p1 are the nodes of the LHS of fed corresponding to the nodes of the RHS as specified by the dotted lines and ’exported’ in the interface of fed; also, p1 allows providers generated by ps and pi to connect to providers in other CoTs. Figure 2 shows the productions to generate configurations of identity providers for P0 in pro- duction fed. Production pips generates a configuration consisting of an IPs and an IDP. Pro- duction ips generates configuration with many IPs (obtained by refining ip1 and ip2). Finally, productions ip and noip yield non refinable configurations; ip generates a single identity provider i while noip generates an empty configuration. The productions for generating service providers are similar to those in Figure 2 and they are reported in Appendix A. We illustrate how the legal configurations of FIMs in (5) can be derived using the productions given above, by refining G1 into G2 G1 = } C1 :CoToo } • G2 = } f :Foo DDD D } ps :P1 �� i:IDP // ◦ • (5) 7 / 14 Volume 31 (2010) Patterns of FIMs as Architectural Reconfigurations pips : IPs → P0 ips : IPs×IPs → IPs ip :→ IPs noip :→ IPs p 0 :P 0 ◦ f 1 ◦ a p i :I P s oo b • p 1 • i: ID P ff N N N N u u u ip :I P s ◦ f 1 ◦ a ip 1 :I P s oo b • p 1 • ip 2 :I P s ffM M M M u u u ip s: IP s ◦ f 1 ◦ a i: ID P oo b • p 1 • ip s: IP s ◦ f 1 ◦ a b • p 1 • Figure 2: The Productions for Identity Providers (G1 and G2 are typed over (4) in the obvious way). The initial sequence of reductions is G1 fed→ } f :Foo } ◦ pi :P0oo • ps :P1 bbFFFF {{{{ pips → } f :Foo } ◦ i:IDPoo • pi :IPs bb ps :P1 \\ JJJJ noip → } f :Foo DDD D } ps :P1 �� i:IDP // ◦ • Namely, in the first step, fed is applied to generate the federation f ; then the edge pi is refined by applying pips yielding a provider pi of type IPs and a provider i of type IDP. Finally, config- uration G2 is obtained by applying noip which cancels the non-terminal pi. Any configuration x refining P1 yields a term-like representation of G2 as fed(pips(noip),x) which highlights the hierarchical structure of the FIMs configuration G2. In this way, the FIMs patterns can be gener- ated and are illustrated in the next section. 4 Architectural configurations of the FIM patterns We show how to generate the architectural configurations of the FIM patterns described in § 2.1. It is worth remarking that a configuration in ADR is generated by applying productions. More- over, ADR configurations can be given a representation as a term of a suitable algebra. Such terms formalise FIMs patterns whose configuration is specified in the graphs corresponding to terms. To illustrate this, we apply the productions for FIMs and the approach given in § 3 to some simple examples. Let us begin with the pattern (i). The configuration with a single IDP and a single SP is gener- ated by applying production fed first then followed by a refinement of the non-terminal edges P0 and P1 (introduced by fed). In the second step indeed, productions pips generates the configura- tion for P0 consisting of a terminal IDP and a non-terminal IPs (and, similarly, productions psps generates the configuration for P1 that consists of a terminal SP and a non-terminal SPs). Observe that the obtained graph contains non-terminal edges IPs and SPs (introduced by applying pips and psps, respectively); these (spurious) non-terminal edges are cancelled using the productions noip and nosp. As a result, we obtain the configuration of the pattern (i) which is graphically Proc. VFfP 2010 8 / 14 ECEASST c1 } :F oo c2 } ◦ f1 :IDP <