
Student: Hsiang-Meng Chang (張翔猛)
Thesis title: Considering Efficiency and System Diversity in Federated Identity and Access Management Systems (考量效率與系統差異之聯合身分及存取管理機制)
Advisor: Shi-Cho Cha (查士朝)
Committee members: Nai-Wei Lo (羅乃維), Wei-Chung Teng (鄧惟中)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar)
Language: English
Pages: 73
Chinese keywords: 身份管理, 強一致性, 存取控制, 單一登入 (Identity Management, Strong Consistency, Access Control, Single Sign-On)
English keywords: Identity Management, Strong Consistency, Access Control, SSO

Chinese abstract (translated to English):

With the rapid development of information technology, organizations use more and more information systems and services. However, the inconvenience of repeated log-ins, the burden of managing multiple sets of accounts and passwords, and the associated security risks grow with the number of information systems. Single Sign-On and Federated Identity and Access Management systems were therefore proposed to solve these problems. A single sign-on system lets a user log in once and then access multiple systems within the organization. In cross-organizational environments, federated identity and access management systems provide similar functionality. In addition, federated identity and access management systems also emphasize their authentication and authorization mechanisms: a system administrator can manage access rights across different systems through a single interface.

When deciding user privileges, current federated identity and access management systems emphasize efficiency and may sacrifice data consistency. For example, an intuitive way to decide user privileges in such a system is to ask the Identity Provider directly for the user's attributes. When a Service Provider needs to decide a user's privileges, it requests the user's attributes from the Identity Provider, and the Identity Provider returns the user's attribute data. When data consistency is taken into account, the Service Provider must query the Identity Provider for the relevant user attributes every time it needs to decide the user's privileges. This approach does not seem very efficient.

Another class of approaches uses Attribute Certificates. The Identity Provider stores the user's attributes in the user's certificate; when the Service Provider receives the certificate, it can decide privileges directly from the attributes stored in the attribute certificate, which reduces the cost of repeatedly querying the Identity Provider for attribute data. However, to ensure that a certificate is current, the Service Provider must in turn check the status of the attribute certificate through mechanisms such as a Certificate Revocation List or the Online Certificate Status Protocol. Especially when user attribute data changes frequently, the frequent certificate status checks and certificate re-issuance likewise lead to poor system efficiency.

Beyond the efficiency issues above, current federated identity and access management systems also ignore system diversity. Because a federated identity and access management system will be applied on top of different systems and applications, user access patterns will be diverse and variable. Therefore, the single strategy traditionally used to achieve data consistency will be insufficient.

For the reasons above, we propose SAFIAM (Self-Adaptive framework for Federated Identity and Access Management systems). To maintain efficiency and data consistency at the same time, SAFIAM distributes privilege data across the Service Providers and uses an efficient method to achieve strong consistency among these privilege data. In addition, considering the diversity of access patterns, SAFIAM monitors user access patterns and automatically selects the most efficient consistency strategy.


Abstract (English):

With the rapid development of information technology, organizations utilize more and more information services. However, the inconvenience of repeated log-ins and the cost of managing services also increase with the growth of information services. Therefore, Single Sign-On (SSO) was proposed to enable users to access multiple services with a single identity. Moreover, Federated Identity and Access Management (FIAM) systems extend SSO to provide fine-grained access control and a cross-organizational solution.

Current FIAM systems emphasize performance when deciding user privileges. However, these solutions may sacrifice data consistency for performance. For example, an intuitive solution for deciding privileges in FIAM systems is to ask Identity Providers (IdPs) for the related attributes. When Service Providers (SPs) wish to decide privileges, they send attribute requests to IdPs. When the IdPs receive the requests, they respond with the attributes wrapped in secure packages. When data consistency is considered, the SPs must request the attributes each time they wish to decide user privileges. This solution may not be very efficient.

Another solution is based on Attribute Certificates (ACs). The IdPs embed the attributes in the users' certificates. When the SPs receive the certificates from users, they can decide the privileges according to the attributes embedded in the certificates. This solution reduces the cost of repeated inquiries about attributes. However, to ensure the certificates are up to date, the SPs must query the status of the ACs through a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). Frequent status inquiries about certificates and certificate reissuance may also lead to inefficiency.

In addition to the above issues, current FIAM solutions may not consider a specific property of FIAM systems: system diversity. Since FIAM may be applied to different systems and applications, the access patterns may be varied and changeable. Therefore, the traditional way to achieve data consistency may not be enough.

For the above reasons, we propose the Self-Adaptive framework for Federated Identity and Access Management systems (SAFIAM). To take both efficiency and data consistency into consideration, SAFIAM distributes privilege data to SPs and preserves their data consistency in an efficient way. Moreover, to account for the variety of access patterns, SAFIAM monitors the access patterns and chooses the most efficient strategy to achieve data consistency.

Table of contents:

Abstract (p. I)
中文摘要 (Chinese abstract) (p. III)
Acknowledgement (p. V)
1 Introduction (p. 1)
1.1 Motivation (p. 1)
1.2 Contributions (p. 4)
1.3 Roadmap (p. 5)
2 Literature Review (p. 6)
2.1 From SSO, FIM, to FIAM (p. 6)
2.1.1 Major Standards (p. 8)
2.1.2 Major Systems (p. 12)
2.2 Attributes Certificates and Certificate Revocation List (p. 17)
2.3 Achieve Strong Consistency in Distributed Systems (p. 18)
3 Problem Definition (p. 20)
3.1 Example Scenario (p. 20)
3.2 Role Definition (p. 23)
3.3 Functional Requirements (p. 24)
4 SAFIAM (p. 28)
4.1 Framework Overview (p. 28)
4.2 Attributes Coherence Strategies (p. 30)
4.2.1 Notations (p. 30)
4.2.2 Strategy Overview (p. 31)
4.2.3 Cost Analysis (p. 34)
4.3 Strategy Decision (p. 37)
5 Simulation (p. 43)
5.1 Assumptions (p. 44)
5.2 Simulation Procedure (p. 46)
5.3 Simulation Results (p. 49)
5.3.1 Simulation 1 (p. 49)
5.3.2 Simulation 2 (p. 54)
5.3.3 Simulation 3 (p. 56)
5.3.4 Simulation 4 (p. 60)
5.4 Discussions (p. 65)
6 Conclusions and Future Work (p. 67)
Bibliography (p. 69)
