Using SAML for Attribution, Delegation and Least Privilege

• Main Authors: Coimbatore S. Chandersekaran, William R. Simpson
• Format: Article
• Language: English
• Published: International Institute of Informatics and Cybernetics 2011-02-01
• Series: Journal of Systemics, Cybernetics and Informatics
• Subjects: Information Sharing; Enterprise; Information Security; Attribution; delegation; Least Privilege
• Online Access: http://www.iiisci.org/Journal/CV$/sci/pdfs/NK193KX.pdf

Delegation, Attribution and Least Privilege are an implicit part of information sharing. In operating systems like Windows there is no security enforcement for code running in kernel mode and therefore such code always runs with maximum privileges. The principle of least privilege therefore demands the use of a user mode solutions when given the choice between a kernel mode and user mode solution if the two solutions provide the same results. Discussions in this paper will be restricted to OSI model levels five and above. This paper describes the SAML delegation framework in the context of a large enclave-based architecture currently being implemented by the US Air Force. Benefits of the framework include increased flexibility to handle a number of different delegation business scenarios, decreased complexity of the solution, and greater accountability with only a modest amount of additional infrastructure required.