Providing efficient SSO to cloud service access in AAA-based identity federations

• Defines a way to provide efficient SSO by extending the GSS-EAP mechanism.
• Implements the proposed solution demonstrating its feasibility.
• Provides a performance analysis comparing it with the standard GSS-EAP mechanism.

The inclusion of cloud services within existing identity federations has gained interest in the last years, as a way to simplify the access to them, reducing the user management costs, and increasing the utilization of the cloud resources. Whereas several federation technologies have been developed along the years for the Web world (e.g. SAML, Oauth, OpenID), non-web application services have been largely forgotten. The ABFAB IETF WG was created to define an architecture and a set of technologies for providing identity federation to non-Web application services, such as the cloud. ABFAB provides a way to use the existing EAP/AAA infrastructure to perform federated access control to any kind of application service, thanks to the definition of a new GSS-API mechanism called GSS-EAP. However, the ABFAB architecture does not define an efficient way of providing SSO. This paper defines a way to include such an SSO support into ABFAB, by introducing the required extensions to make use of the EAP Re-authentication Protocol (ERP), the IETF standard for providing fast re-authentication in EAP. Moreover, to demonstrate the feasibility of the proposed extensions, we have implemented a proof-of-concept based on Moonshot, the open-source implementation of ABFAB, and OpenStack as an example of cloud service. Finally, using this prototype we have completed a performance analysis that compares our proposal with the standard ABFAB operation. This analysis confirms the substantial reduction in terms of computational time and network traffic that can be achieved using ERP for providing efficient SSO to cloud service access in ABFAB-based identity federations.