Policy Languages for Digital Identity Management in Federation Systems

Elisa Bertino, Abhilasha Bhargav-Spantzel, Anna Cinzia Squicciarini
CERIAS and Computer Science Department, Purdue University, West Lafayette, IN
(bertino,bhargav,squiccia)@cs.purdue.edu

Abstract— The goal of service provider federations is to support a controlled method by which distributed organizations can provide services to qualified individuals and manage their identity attributes at an inter-organizational level. In order to make access control decisions, the history of activities should be accounted for; it is therefore necessary to record information on interactions among the federation entities. To achieve these goals we propose a comprehensive assertion language able to describe both static and dynamic properties of the federation system. The assertions are a powerful means to describe the behavior of the entities interacting in the federation, and to define both policies controlling access to services and privacy policies. We also propose a log-based approach for capturing the history of activities within the federation, implemented as a set of tables stored in databases at the various organizations in the federation. We illustrate how, by using different types of queries on such tables, security properties of the federation can be verified.

I. INTRODUCTION

Today a global information infrastructure connects remote parties worldwide through the use of large-scale networks, relying on application-level protocols and services such as recent web service technology. Execution of activities in various domains, such as shopping, entertainment, business and scientific collaboration, and at various levels within those contexts, is increasingly based on the use of remote resources and services. The interaction between different remotely located parties may be (and sometimes should be) based on little knowledge about each other.
To support these rich experiences and collaborations, more convenient IT (Information Technology) infrastructures and systems are needed. We expect, for example, that personal preferences and profiles of users be readily available when shopping over the Web, without requiring the users to repeatedly enter them. In such a scenario, digital identity management (IdM) technology is fundamental in customizing user experience, protecting privacy, underpinning accountability in business transactions, and complying with regulatory controls. Digital identity can be defined as the digital representation of the information known about a specific individual or organization. As such it encompasses not only login names (often referred to as nyms), but also much additional information about users, referred to as identity attributes.

An emerging approach to identity management issues such as interoperability across different domains is based on the notion of federations [8], [12]. The goal of federations is to provide users with protected environments in which to federate identities through the proper management of identity attributes. Federations are usually composed of two main kinds of entities: identity providers (IdPs), managing identities of individuals, and service providers (SPs), offering services to registered individuals or users. IdPs and SPs can actually be implemented by the same servers. Federations provide a controlled method by which federation members can provide more integrated and complete services to a qualified group of individuals within certain sets of business transactions. By controlling the scope of access to participating sites, and by enabling secure cross-domain transmission of users' personal information, federations can make the perpetration of identity frauds more difficult and reduce both their frequency and their potential impact. Federations require a number of different policies to be properly set and updated over time.
In particular, the relevant policies are the security and privacy policies; they are crucial in order to assure that identity information is strongly protected across federations. A possible categorization of these policies is as follows.

Resource Authorization Policies: A resource authorization policy defines the conditions that a subject needs to satisfy in order to be authorized for the resource the policy is specified for. Resource authorization policies are actually similar to access control policies. However, we employ this terminology to stress the fact that such policies can be applied to obtain authorization for any form of resource. A resource can in fact be either a service offered by an SP or, more generally, any object to which access has to be controlled. In our framework, resource authorization policies are specified through the use of assertions, which typically require attributes and/or certificates proving identities and/or properties of the requesting users. Resource authorization policies can also be prioritized. For example, some preliminary authorization policies of a given SP may check, before making any other checks, whether the user has a valid single sign-on identifier(1) (SSO id) for the federation. From the user's perspective, he/she could first validate the service provider's federation certificate. The validation of the web SP certificates by the client is important in order to prevent phishing attacks [3]. Complex resource authorization policies are required for fine-grained access to a party's resources. Services are the main kind of resource provided by the federation. For each service there could be different authorization policies under which a subject qualifies for the service. The service that a subject receives may depend on the identity information the subject is willing to disclose to the SP.
For example, if the requester supplies the SP with information about his/her name, address and credit card number, the full version of the service may be provided, whereas when the requester only gives information about his/her name and address, a trial version of the service is given for a limited time of 30 days. For other types of resources, like attributes and certificates, similar policies can be defined and used during the negotiations. For example before giving the attribute credit

(1) Single Sign-On is a mechanism whereby a single action of a user can permit an authorized user to access all computers and systems where they have access permission (authentication), without the need to enter multiple logon ids/operator ids and/or passwords.