The Trusted Attribute Aggregation Service (TAAS) - Providing an Attribute Aggregation Layer for Federated Identity Management

We describe a web-based federated identity management system loosely based on the user-centric Windows CardSpace model. Unlike CardSpace, which relies on a fat desktop client (the identity selector) in which the user can select only a single card per session, our model uses a standard web browser with a simple plugin that connects to a trusted attribute aggregation web service (TAAS). TAAS supports the aggregation of attributes from multiple identity providers (IdPs) and allows the user to select multiple single-attribute "cards" in a session, which more accurately reflects real life, in which users may present several plastic cards and self-asserted attributes in a single session. Privacy protection, user consent, and ease of use are critical success factors. Consequently, TAAS does not know who the user is, the user consents by selecting the attributes she wants to release, and she only needs to authenticate to a single IdP even though attributes may be aggregated from multiple IdPs. The system does not limit the authentication mechanisms that can be used, and it protects the user from phishing attacks by malicious SPs.
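The following toy model illustrates the aggregation-and-consent flow the abstract describes: the user authenticates to one IdP, TAAS collects single-attribute cards from several IdPs (and self-asserted ones), and only the attributes the user selects reach the SP under an SP-specific pseudonym. This is an added example, not code from the paper or the TAAS implementation; it assumes, as a simplification, that each IdP signs cards with an HMAC key shared with TAAS, that cards are bound to an opaque pseudonym held by the user's plugin rather than a real identifier, and the names `issue_card`, `verify_card`, `TAAS` and `demo` are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed IdP signing keys shared with TAAS (assumption: HMAC stands in
# for the real signature scheme; keys are random on every run).
IDP_KEYS = {
    "university": secrets.token_bytes(32),
    "bank": secrets.token_bytes(32),
    "self": secrets.token_bytes(32),  # self-asserted cards, signed by the user's plugin
}


def _canon(payload):
    """Canonical JSON encoding so signatures are stable across dict ordering."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_card(idp, pseudonym, attr, value):
    """An IdP (or the user's plugin, for self-asserted data) issues one
    single-attribute card bound to the user's opaque pseudonym."""
    payload = {"idp": idp, "sub": pseudonym, "attr": attr, "value": value}
    sig = hmac.new(IDP_KEYS[idp], _canon(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_card(card):
    """Check the issuer's signature; True only for an untampered card from a known IdP."""
    key = IDP_KEYS.get(card["payload"].get("idp"))
    if key is None:
        return False
    expected = hmac.new(key, _canon(card["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(card.get("sig", "")))


class TAAS:
    """Session-scoped aggregation. TAAS stores only the opaque pseudonym the
    user authenticated with, never a real-world identifier."""

    def __init__(self):
        self.sessions = {}

    def start_session(self, auth_card):
        """The user authenticates to a single IdP; that IdP's card fixes the
        pseudonym every other card in the session must be bound to."""
        if not verify_card(auth_card):
            raise ValueError("authentication card rejected")
        token = secrets.token_hex(16)
        self.sessions[token] = {"sub": auth_card["payload"]["sub"], "cards": []}
        return token

    def aggregate(self, token, cards):
        """Accept cards from any number of IdPs, keeping only those that are
        validly signed and bound to this session's pseudonym. Returns the
        (idp, attribute) pairs the user can now choose from."""
        sess = self.sessions[token]
        accepted = [c for c in cards if verify_card(c) and c["payload"]["sub"] == sess["sub"]]
        sess["cards"].extend(accepted)
        return [(c["payload"]["idp"], c["payload"]["attr"]) for c in sess["cards"]]

    def release(self, token, selected, sp_id):
        """User consent is the subset of (idp, attr) pairs she selected. The SP
        receives only those values plus an SP-specific pseudonym, so two SPs
        cannot correlate the same user through TAAS."""
        sess = self.sessions[token]
        wanted = set(selected)
        chosen = {
            (c["payload"]["idp"], c["payload"]["attr"]): c["payload"]["value"]
            for c in sess["cards"]
            if (c["payload"]["idp"], c["payload"]["attr"]) in wanted
        }
        sp_subject = hashlib.sha256(sess["sub"].encode() + b"|" + sp_id.encode()).hexdigest()
        return {"sp_subject": sp_subject, "attributes": chosen}


def demo():
    """Worked run: authenticate to the university, aggregate a bank card and a
    self-asserted card (plus two bad cards that must be dropped), then release
    two of the three attributes to one SP and one attribute to another."""
    pseudonym = secrets.token_hex(8)  # opaque handle held by the user's plugin
    taas = TAAS()
    auth = issue_card("university", pseudonym, "student_status", "enrolled")
    token = taas.start_session(auth)
    others = [
        issue_card("bank", pseudonym, "credit_ok", True),
        issue_card("self", pseudonym, "shipping_address", "12 Example St"),
        issue_card("bank", "someone-else", "credit_ok", True),  # bound to another user
        {"payload": {"idp": "bank", "sub": pseudonym, "attr": "credit_ok", "value": True},
         "sig": "00"},  # forged signature
    ]
    available = taas.aggregate(token, [auth] + others)
    to_shop = taas.release(token, [("university", "student_status"), ("bank", "credit_ok")], "shop.example")
    to_other = taas.release(token, [("university", "student_status")], "other.example")
    return available, to_shop, to_other


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the linkage lives: every card is bound to a pseudonym the user controls, the single authentication proves possession of that pseudonym for the session, and the SP-specific subject derived in `release` means neither TAAS nor cooperating SPs get a stable cross-site identifier unless the user deliberately releases an identifying attribute.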