Article ID: 460156
Journal: Journal of Network and Computer Applications
Published Year: 2009
Pages: 16 Pages
File Type: PDF
Abstract

Over the last decade, several international initiatives have tried to provide different solutions to a common issue: resource sharing among several institutions. Some have been designed mainly for Web resources or computing resources, like Grid Computing environments, or even for network access for roaming users. A common aspect of most of those approaches is the management of identities, that is, the representation of the information related to specific individuals or other entities and its use for authentication and authorization purposes. However, since the different solutions are focused on different application scenarios (Web, Grid, and network), it has been really difficult to create a unified (cross-layer) point of view for identity management and, therefore, mechanisms like Single Sign On (SSO) across different layers are considered to be a main gap in current efforts. In this article, we present an architecture based on an existing solution for roaming in educational environments (eduroam). The architecture is able to provide what has been called a unified SSO mechanism, that is, once users have been authenticated during network access, they are able to obtain protected resources at higher layers (like Web resources) without further re-authentication. Additionally, we include a performance analysis to illustrate the feasibility of this architecture, which has been tested in a real production environment like eduroam.

Related Topics
Physical Sciences and Engineering > Computer Science > Computer Networks and Communications