Trust Requirements in Identity Federation Topologies

Kylau, Uwe; Thomas, Ivonne; Menzel, Michael; Meinel, Christoph in Proceedings of the 23rd International Conference on Advanced Information Networking and Applications (AINA 2009) Seite 137-145 . Bradford, UK , IEEE Computer Society , 2009 .

Federated Identity Management describes a model to enable users to use their digital identities in collaborating companies regardless of organizational borders. The essential pre-requisite to share the user authentication across different security domains is the establishment of trust between the collaborating partners. Usually, this is done by setting up complex contracts, that describe common policies, obligations and procedures to be followed by each collaboration member. The result is a federation, or Circle of Trust, in which each member is willing to trust on assertions made by someone else. Naturally, federations are no isolated structures and members of one federation might also be part of another one - a constellation possible with current federation technologies. However, whether and how the trust relationships of federations can be used to allow access even across multiple federations is a question which has not been answered yet. In this paper, we investigate trust requirements for identity federation topologies. Starting from the classical structure of a Circle of Trust, we go beyond this and identify more complex patterns such as overlapping federations. For each pattern, we identify risks for identity and service providers as well as the necessary trust requirements that must be met to allow such constellations.
