CERIAS Tech Report 2004-32 TOWARDS IMPROVED FEDERATED IDENTITY AND PRIVILEGE MANAGEMENT IN OPEN SYSTEMS
Abstract
Federated identity and privilege management are the cornerstones of access management on the Web. The increasing trend of business integration across enterprises and Web-based collaboration has led to tremendous growth of identity and privilege management research and products in the recent past. However, despite the existence of available mechanisms, there are drawbacks in almost all well-known schemes that make them inadequate for use in large-scale open systems. Additionally, the migration of these mechanisms to the Web environment is happening at a dissimilar pace, resulting in a wide gap in integrating privilege management with existing federated identity mechanisms to provide a comprehensive access management solution. In this paper, we discuss these issues in detail, namely the shortcomings of federated identity mechanisms and their integration with privilege management mechanisms. In response, we provide an integrated approach to Web-based access management that combines a decentralized federated identity mechanism with a privilege management framework. Our solution allows name-binding to be avoided; doing so is essential to scalability and privacy in open systems. The solution has been prototyped and preliminarily tested to determine its feasibility.

1. Introduction

The highly networked enterprise environment is characterized by strategic partnerships to seize better business opportunities on the Internet. The desire to capitalize on such opportunities has driven the demand for mechanisms that allow Web-based collaboration between enterprises. Access management for enterprise resources in such collaborative environments is absolutely critical for their security. The major industrial players in security also opine that "today's collaborative and interconnected e-business landscape requires a secure and effective way for enterprises to share trusted user identities"¹ and entitlements.
However, imprecise access management could adversely affect the level of uninterrupted interoperability needed to seamlessly integrate enterprise units and business processes. The ability to federate identity across organizations while maintaining access rights and privileges is thus a major challenge [1]. The solution is federated identity and privilege management, which now stands as the key to seamless and secure enterprise integration and collaboration on the Web. The federated identity and privilege management mechanisms of today are, however, not without their shortcomings, which need to be overcome in order to ensure that these mechanisms scale well. Among them are the use of (i) a centralized approach to providing federated identity, and (ii) identity- or capability-based credentials. The centralized approach to federated identity has been subject to much scrutiny in recent …
Similar sources
Towards Improved Federated Identity and Privilege Management in Open Systems
1. Motivation The ability to federate identity across organizations while maintaining access rights and privileges poses a major challenge [5]. The solution is federated identity and privilege management. However, almost all such well-known schemes have their drawbacks. Additionally, the development of Web-based federated identity solutions has advanced more rapidly as compared to the Web-based...
Enabling the Autonomic Management of Federated Identity Providers
The autonomic management of federated authorization infrastructures (federations) is seen as a means for improving the monitoring and use of a service provider’s resources. However, federations are comprised of independent management domains with varying scopes of control and data ownership. The focus of this paper is on the autonomic management of federated identity providers by service provid...
Federated trouble ticket system for service management support in loosely coupled multi-domain environments
Operating services in multi-domain environments is inherently more complex than in a single domain because of the existence of multiple managed domains with various operating procedures, devices and systems in use. This increased complexity on one side and the demand to provide efficient and reliable services in such an environment on the other impose the need to automate service operations proces...
Unified Authentication Scheme Based on IBE in Trusted Network
The existing unified authentication schemes are based on Public Key Infrastructure (PKI)/Privilege Management Infrastructure (PMI), WS-Security, Kerberos etc. But they can't support the developing Trusted Network Connect (TNC) environment. To solve the problem, a unified authentication scheme supporting multi-authentication modes based on Identity-Based Encryption (IBE) in trusted network named...
Semantic Interoperability of Authorizations
The shift from paper documents to their respective electronic formats is producing important advantages in the functioning of businesses and Public Administrations. However, this shift is often limited to the internal operation of each entity because of the lack of security in the electronic communication mechanisms. Traditionally, these entities have managed their Local Area Networks (LANs) or...
Publication date: 2004