Security Analysis of Web-based Identity Federation

While security of cross-domain single sign-on is a thoroughly researched subject, the closely related web identity federation has not been recognized as a distinct problem requiring analysis in its own right. In this paper, we describe a generic approach for analyzing security of web protocols through a framework for reasoning about user actions. We then use this framework to analyze security of important web identity federation protocols. We show that a secure single sign-on protocol does not necessarily ensure safety of linking identities across domains. Our analysis discovers limitations in current web identity management standards that can allow an attacker to create fraudulent identity associations across domains. We propose changes to the workflow and suggest measures for ensuring integrity of cross-domain associations in standard based implementations. Keywords-Security Protocols; Identity Management; Federated Identity; Web Security.