Federation and Promotion of Heterogeneous Domains and Services

Service Oriented Architecture (SOA) implemented with web services technologies, provides standardised solutions to share services between various security domains. But access control to services is defined for each domain, and therefore the federation of security domains brings some flexibility to users of the services. To facilitate the authentication of users, a solution is a federated access control that relies on the identity federation, which allows users to authenticate once in one domain and to access the services of others according to its authorisation attributes. Since the access control requirements of services are specified using domain-specific authorisation attributes, the secure sharing of services in the federation becomes a real challenge. On the one hand, domains cannot abandon their access control models in favour of a global one; on the other hand, the redefinition of the access control requirements of services compromises the existing service consumers. In this paper, we propose the promotion of services as a method that consists in publishing the services of domains at the federation level by redefining their access control requirements with the federation’s authorisation attributes. Our promotion method relies on mappings between federation’s authorisation attributes and those of domains to preserve existing service consumers and to support domain autonomy. We formally describe interaction and access to promoted services using operational semantics.