Trusted Attribute Aggregation Service (TAAS)

Introduction

Almost all users today have multiple identity and entitlement attributes issued by multiple attribute authorities (AAs). Traditionally, only the attributes held by a single AA could be presented at any one time. This means that service providers (SPs) and identity providers (IdPs) are often forced either to duplicate information and issue attributes for which they are not the authoritative source, or to weaken their authorisation policies accordingly. This duplication of user data across SPs and AAs gives attackers a greater array of targets and means that a larger set of user information is exposed if any one system is breached. The TAAS framework utilises standardised protocols and a browser plugin to allow users to link their accounts at multiple AAs and then request individual attributes as and when an SP requires them. Users only have to authenticate to a single IdP before choosing attributes from multiple IdPs in order to satisfy the SP's requirements. The attributes are then aggregated in a cryptographically secure manner and returned to the SP for verification and authorisation.
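To make the flow above concrete, here is an added Python sketch (not the TAAS project's own code) of the three roles: each AA issues a signed assertion containing only the attributes requested, TAAS aggregates those assertions across the user's linked accounts, and the SP verifies every signature and the subject linkage before it trusts the merged attribute set. The AA names, accounts, keys and the use of HMAC-SHA256 in place of the real signature scheme are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed demo data (assumption): the attributes each AA is authoritative
# for, and a per-AA key. HMAC-SHA256 stands in for the AA's signature; a real
# deployment signs standard assertions with the AA's private key.
AA_KEYS = {"university": b"univ-demo-key", "employer": b"employer-demo-key"}
AA_RECORDS = {
    "university": {"alice@univ": {"affiliation": "student", "degree": "BSc"}},
    "employer": {"a.smith@corp": {"role": "engineer", "clearance": "internal"}},
}
# Account linking: the user's TAAS identifier -> local account at each AA.
LINKS = {"taas-user-42": {"university": "alice@univ", "employer": "a.smith@corp"}}


def canonical(body):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def aa_issue(aa, local_id, wanted, taas_id):
    """AA returns a signed assertion holding only the requested attributes it has."""
    record = AA_RECORDS[aa].get(local_id, {})
    attrs = {k: record[k] for k in wanted if k in record}
    body = {"issuer": aa, "subject": taas_id, "attrs": attrs}
    sig = hmac.new(AA_KEYS[aa], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def taas_aggregate(taas_id, required):
    """TAAS asks every linked AA for just the attributes the SP requires."""
    return [aa_issue(aa, local_id, required, taas_id)
            for aa, local_id in LINKS[taas_id].items()]


def sp_verify(bundle, required, taas_id):
    """SP checks each signature and subject, then that its policy is satisfied.
    Returns the merged attributes, or None if anything fails verification."""
    merged = {}
    for assertion in bundle:
        body = assertion["body"]
        expect = hmac.new(AA_KEYS[body["issuer"]], canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, assertion["sig"]) or body["subject"] != taas_id:
            return None
        for name, value in body["attrs"].items():
            if name in merged:  # two AAs asserting the same attribute is ambiguous
                return None
            merged[name] = value
    return merged if all(name in merged for name in required) else None
```

Note that the SP never sees `degree` or `clearance`, since each AA only releases what was requested, and that any tampering with an assertion body after issuance makes `sp_verify` reject the whole bundle.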

TAAS is described in the paper:

David W. Chadwick, George Inman. "The Trusted Attribute Aggregation Service (TAAS) - Providing an attribute aggregation layer for federated identity management", in Proc. The Eighth International Conference on Availability, Reliability and Security (ARES 2013), Regensburg, Sept 2013

and the slides presented at the conference are here

Running the Demo

In order to run the TAAS demo, you will need to install the Firefox plugin below. Save the file, then, with Firefox running, simply click on the plugin and Firefox will install it automatically. (You may get an error message while running the demo saying that the plugin is not installed; this message can be safely ignored.)

Please note: TAAS Plugins prior to 0.9.3 are no longer compatible with the TAAS SP infrastructure and should be updated to the latest version available.

In order to run the demo, you will need to enter the URL of our TAAS service into the plugin when it asks you for this (this feature stops phishing attacks, since you decide where to go). Here is the address to enter:

Alternatively you can pre-bookmark the page as a TAAS bookmark in your browser, before starting the demo.

To run the demo, go to one of the following test SPs and, when asked to log in, use the following details:

Username: Guest
Password: password

These details work for all of the IdPs for all the demos, so you can choose any one to log in:

Downloading the source code

The source for the TAAS project can be downloaded from our SVN.

The source for the database service that provides account linking for TAAS can be found here.

Acknowledgement. This work was funded as part of the EC TAS3 project.