
2007-02: Diameter WebAuth: An AAA-based Identity Management Framework for Web Applications


Semiramis Research and Service Unit (SeReS Unit)

Diameter WebAuth: An AAA-based Identity Management Framework for Web Applications
Author: Niklas Neumann, Universität Göttingen


Abstract:
Every day countless users access various personal and personalized information on the Internet, especially the World Wide Web. In order to provide each user proper access, web applications need to be able to establish the user's identity. Identity management is a concept to unify and facilitate such user identification. The objective of this thesis is to introduce and explore identity management in web applications. It focuses on the application and transfer of existing approaches from the networking field into the realm of web applications.

After a short introduction of the topic and the basic concepts, the second chapter of the thesis analyzes and evaluates existing approaches to identity management. It covers three web-based approaches: OpenID, the Liberty Alliance project and Microsoft CardSpace. As representatives of network-based authorization and authentication protocols, the Kerberos protocol and the Diameter protocol are considered. A comparison of those different approaches shows that all of them, despite different focuses, provide basic identity management functions. While the web-based approaches are rather recent, the network-based approaches are well established and proven. The thesis assumes that if Kerberos or Diameter can be adapted to a web-based environment, they would be valid options as the basis for an identity management system for web applications. Diameter seems to be the more suitable choice for such an adaptation since it does not require support in the end-user client.

As a result of the findings in the previous chapter, the next chapter develops a new proposal for network-based identity management in web applications. It is called Diameter WebAuth and is implemented as a Diameter application. Diameter WebAuth includes commands to authenticate and authorize users, charge them, and query additional identity information about them. As web-based authentication mechanisms the specification includes HTTP basic and digest authentication. A Diameter WebAuth client can be seamlessly integrated into a Diameter credit-control infrastructure or use a Diameter WebAuth server for basic credit-control operations. Furthermore, the identity information commands are suitable to support arbitrary identity information schemes. Specific privacy and security considerations are also made.
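The abstract names HTTP basic and digest authentication as the web-based mechanisms the specification covers. The following added example (not code from the thesis or its framework) shows the server-side verification a web application performs for HTTP Digest authentication as defined in RFC 2617, before any outcome would be handed on to a Diameter client. All names, the credential store, the `testrealm@host.com` realm and the sample Authorization header are constructed for this illustration; the header and its `response` value are the worked example from RFC 2617 section 3.5. The credential store keeps H(A1) rather than the cleartext password, which is the storage form Digest permits.

```python
import hashlib
import hmac
import re
import secrets

# Constructed values for this example (not from the thesis).
REALM = "testrealm@host.com"


def h(data: str) -> str:
    """MD5 hex digest as used by RFC 2617 Digest authentication."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password); this is what the server stores."""
    return h(f"{username}:{realm}:{password}")


# Constructed credential store: username -> H(A1). No cleartext password is kept.
CREDENTIAL_STORE = {"Mufasa": ha1("Mufasa", REALM, "Circle Of Life")}

# Matches key="quoted value" or key=token inside the Authorization header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header: str) -> dict:
    """Split an 'Authorization: Digest ...' value into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or token for key, quoted, token in _PARAM_RE.findall(params)}


def expected_response(ha1_hex: str, method: str, p: dict) -> str:
    """Compute the response the client must have sent (qop=auth or no qop)."""
    ha2 = h(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return h(f"{ha1_hex}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return h(f"{ha1_hex}:{p['nonce']}:{ha2}")


def new_nonce() -> str:
    """Fresh server nonce for a WWW-Authenticate challenge (tracked per session)."""
    return secrets.token_hex(16)


def verify_digest(header: str, method: str, expected_nonce: str) -> bool:
    """Return True only if the header proves knowledge of the stored H(A1).

    The nonce must be the one this server issued for the request, the realm
    must match, and the comparison is constant-time. qop=auth-int is rejected
    because this example does not hash the request body.
    """
    p = parse_digest_header(header)
    if not {"username", "realm", "nonce", "uri", "response"} <= p.keys():
        return False
    if p["realm"] != REALM or p["nonce"] != expected_nonce:
        return False
    if p.get("qop") not in (None, "auth"):
        return False
    if p.get("qop") == "auth" and not {"nc", "cnonce"} <= p.keys():
        return False
    stored = CREDENTIAL_STORE.get(p["username"])
    if stored is None:
        return False
    return hmac.compare_digest(expected_response(stored, method, p), p["response"])


def build_digest_header(username, password, realm, method, uri, nonce, cnonce,
                        nc="00000001") -> str:
    """Client side: produce the Authorization header for a given challenge."""
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = expected_response(ha1(username, realm, password), method, p)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


# RFC 2617 section 3.5 worked example, embedded here as the sample request.
RFC2617_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_AUTHORIZATION = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

if __name__ == "__main__":
    print("RFC 2617 sample accepted:", verify_digest(SAMPLE_AUTHORIZATION, "GET", RFC2617_NONCE))
    print("Stale nonce rejected:", not verify_digest(SAMPLE_AUTHORIZATION, "GET", new_nonce()))
```

A production deployment additionally has to remember issued nonces and enforce that the `nc` counter only increases, otherwise a captured header can be replayed within the nonce's lifetime; that bookkeeping is omitted here to keep the hashing and comparison logic visible.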

Following the design of the proposal, a Diameter WebAuth framework was implemented as a proof-of-concept and to showcase the approach. A Diameter WebAuth server, a Diameter WebAuth client and a web application are implemented to substantiate the proposal. There is also a small test suite available to test and verify the implementation.

Subsequently, the next chapter evaluates the work done previously in the thesis: the implementation of the Diameter WebAuth application is verified using a dedicated test suite, and the design of the Diameter WebAuth framework is validated on the basis of specified use cases using the MyBlog web application. It is shown how a web application can use Diameter WebAuth to authenticate and authorize its users. Furthermore, the credit-control facilities are demonstrated by means of a merchandise sale included in the MyBlog application. Throughout the application, identity information is used to personalize the content. Finally, the Diameter WebAuth framework is compared to other approaches for identity management in web applications. It is concluded that Diameter WebAuth is comparable in features to other approaches to identity management. In addition, the proposal includes end-user authentication specifications and accounting facilities. In contrast to approaches like OpenID or the Liberty Alliance project, Diameter WebAuth can therefore be employed in authentication backend systems as well.

The thesis concludes that the proposed Diameter WebAuth is an AAA-based identity management framework that has been developed under the same requirements that are made of web-based solutions. It closes the gap between network authentication and application authentication by effectively bringing network-based access control concepts to the application layer. WebAuth is based on the well-established and mature Diameter protocol. It therefore benefits from the spread of Diameter deployments and the general experience with the protocol in terms of deployability, implementability and maintainability.

Full thesis: niklas_neumann.pdf

©Semiramis Research and Service Unit