Skip to main content
SpringerLink
Log in

Proven and Modern Approaches to Identity Management

  • Chapter
  • First Online:
Advances in Cybersecurity Management

Abstract

People around the world stay in contact with their families, friends, and colleagues by exchanging text and multimedia data online. This would not be possible without digital identities, which in turn necessitates Identity and Access Management (I&AM). Each natural person, legal entity, and device can have several digital identities with different associated information, such as the credentials used for authentication. During the past 15 years, Federated Identity Management (FIM) has gained traction as it enables the use of one organization’s identities to access other organizations’ services, e.g. in business-to-business cooperation. It turned out to be a double-edged sword, as it improves the user experience and reduces the attack vector of password reuse on the one hand, but it comes with data quality issues and a larger impact of compromised accounts on the other hand. More recently, the privacy-by-design approach of user-centric identity management, which puts each user in full control over its digital identity data, finds a new home in Self-Sovereign Identity (SSI) management based on distributed ledger technology, also known as blockchain. This chapter gives an insight into the exciting world of digital human identities, time-tested as well as recent approaches to their professional management from a security perspective, and discusses closely related governance and compliance topics such as data protection and levels of assurance.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 99.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Lee, S. (2003). An introduction to identity management.

    Google Scholar 

  2. Identity Defined Security Alliance. (2020). Identity security: A work in progress. Retrieved June 8, 2021, from https://www.idsalliance.org/identity-security-a-work-in-progress/

    Google Scholar 

  3. Haber, M. J., & Rolls, D. (2020). Identity attack vectors. New York: Apress.

    Book  Google Scholar 

  4. FIDO Alliance. (2020). FIDO alliance - open authentication standards more secure than passwords. Retrieved June 8, 2021, from https://fidoalliance.org

    Google Scholar 

  5. Srinivas, S., Balfanz, D., Tiffany, E., & Czeskis, A. (2017). Universal 2nd factor (U2F) overview - proposed standard 11. FIDO Specification, FIDO Alliance.

    Google Scholar 

  6. Machani, S., Philpott, R., Srinivas, S., Kemp, J., & Hodges, J. (2017). FIDO UAF architecture overview - proposed standard 02. FIDO Specification, FIDO Alliance.

    Google Scholar 

  7. FIDO Alliance. (2020). newblock FIDO2: WebAuthn & CTAP. Retrieved June 8, 2021, from https://fidoalliance.org/fido2/

  8. Balfanz, D., Czeskis, A., Hodges, J., Jones, J. C., Jones, M. B., Kumar, A., et al. (2019). Web authentication: An API for accessing public key credentials - level 1. W3C Specification, W3C.

    Google Scholar 

  9. Brand, C., Czeskis, A., Ehrensvärd, J., Jones, M. B., Kumar, A., Liao, A., et al. (2019). Client to authenticator protocol (CTAP) - Proposed standard. FIDO Specification, FIDO Alliance.

    Google Scholar 

  10. GÉANT. (2020). eduGAIN membership status. Retrieved June 8, 2021, from https://technical.edugain.org/status.php

  11. Engelbertz, N., Erinola, N., Herring, D., Somorovsky, J., Mladenov, V., & Schwenk, J. (2018). Security analysis of eIDAS - the cross-country authentication scheme in Europe. In Proceedings of the 12th USENIX Conference on Offensive Technologies, WOOT’18 (p. 15). Berkeley: USENIX Association.

    Google Scholar 

  12. Joinup. (2020). SSI eIDAS bridge. Retrieved June 8, 2021, from https://joinup.ec.europa.eu/collection/ssi-eidas-bridge

  13. Odette. (2009). ODETTE SESAM specification for building up federated single-sign-on (SSO) scenarios between companies in the automotive sector – Draft of 15.07.2009. Technical report, Odette.

    Google Scholar 

  14. Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). NIST special publication 800-63-3 – digital identity guideline. Technical report, National Institute of Standards and Technology, U.S. Department of Commerce.

    Google Scholar 

  15. Kantara Initiative. (2020). Identity assurance framework. Retrieved June 8, 2021, from https://kantarainitiative.org/identity-assurance-framework/

    Google Scholar 

  16. IAWG. (2020). Kantara identity assurance framework: KIAF-1050 – glossary and overview. Kantara Specification, Kantara Initiative.

    Google Scholar 

  17. Richer, J., & Johansson, L. (2018). Vectors of trust, internet requests for comments, RFC 8485., RFC Editor.

    Google Scholar 

  18. Johansson, L. (2012). An IANA registry for level of assurance (LoA) profiles. RFC 6711, RFC Editor.

    Google Scholar 

  19. ISO/IEC. (2013). ISO/IEC 29115:2013 – entity authentication assurance framework. Technical report, ISO/IEC.

    Google Scholar 

  20. Berbecaru, D., Lioy, A., & Cameroni, C. (2019). Electronic identification for universities: Building cross-border services based on the eIDAS infrastructure. Information, 10(6). https://www.mdpi.com/2078-2489/10/6/210. https://doi.org/10.3390/info10060210

  21. CEF Digital. (2019). eIDAS eID profile. Retrieved June 8, 2021, from https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS+eID+Profile/

    Google Scholar 

  22. Pöhn, D., & Hommel, W. (2020). An overview of limitations and approaches in identity management. In Proceedings of the 15th International Conference on Availability, Reliability and Security, ARES’20. New York: Association for Computing Machinery.

    Google Scholar 

  23. Ragouzis, N., Hughes, J., Philpott, R., & Maler, E. (2008). Security assertion markup language (SAML) V2.0 technical overview. Technical report, OASIS.

    Google Scholar 

  24. Cantor, S., Kemp, J., Philpott, R., & Maler, E. (2005). Assertions and protocols for the OASIS security assertion markup language (SAML) V2.0. Technical report, OASIS.

    Google Scholar 

  25. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., & Maler, E. (2005). Bindings for the OASIS security assertion markup language (SAML) V2.0. Technical report, OASIS.

    Google Scholar 

  26. Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, P., Philpott, R., et al. (2005). Profiles for the OASIS security assertion markup language (SAML) V2.0. Technical report, OASIS.

    Google Scholar 

  27. Cantor, S., Moreh, J., Philpott, R., & Maler, E. (2005). Metadata for the OASIS security assertion markup language (SAML) V2.0. Technical report, OASIS.

    Google Scholar 

  28. Kemp, J., Cantor, S., Mishra, P., Philpott, R., & Maler, E. (2005). Authentication context for the OASIS security assertion markup language (SAML) V2.0. Technical report, OASIS.

    Google Scholar 

  29. Shibboleth. (2015). Shibboleth. Retrieved June 8, 2021, from http://shibboleth.net/

  30. UNINETT. (2020). SimpleSAMLphp. Retrieved June 8, 2021, from http://simplesamlphp.org/

    Google Scholar 

  31. Hedberg, R. (2011). Configuration of pySAML2 entities. Documentation, Roland Hedberg.

    Google Scholar 

  32. Microsoft. (2017). Understanding Key AD FS Concepts. Retrieved June 8, 2021, from https://docs.microsoft.com/de-de/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts

  33. Hirsch, F., Philpott, R., & Maler, E. (2005). Security and privacy considerations for the OASIS security assertion markup language (SAML) V2.0. Technical report, OASIS.

    Google Scholar 

  34. Klingenstein, N., Hardjono, T., Bob Morgan, R. L., Madsen, P., & Cantor, S. (2010). SAML V2.0 identity assurance profiles version 1.0. Technical report, OASIS.

    Google Scholar 

  35. Hardt, D. (2012). The oauth 2.0 authorization framework. RFC 6749, RFC Editor.

    Google Scholar 

  36. Jones, M. B., & Hardt, D. (2012). The oauth 2.0 authorization framework: Bearer token usage. RFC 6750, RFC Editor.

    Google Scholar 

  37. OAuth. (2020). Code – OAuth. Retrieved June 8, 2021, from https://oauth.net/code/

  38. rcFederation. (2020). SAML, WS-Federation and OAuth tracer. Retrieved June 8, 2021, from https://www.rcfed.com/Browser/Tracer

  39. Parecki, A. (2018). IndieAuth. Specification, W3C.

    Google Scholar 

  40. Lodderstedt, T., McGloin, M., & Hunt, P. (2013). OAuth 2.0 threat model and security considerations. RFC 6819, RFC Editor.

    Google Scholar 

  41. Lodderstedt, T., Bradley, J., Labunets, A., & Fett, D. (2020). OAuth 2.0 security best current practice. Internet-Draft draft-ietf-oauth-security-topics-16, IETF Secretariat. http://www.ietf.org/internet-drafts/draft-ietf-oauth-security-topics-16.txt

  42. Fett, D., Küsters, R., & Schmitz, G. (2016). A comprehensive formal security analysis of OAuth 2.0. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS’16 (pp. 1204–1215). New York: Association for Computing Machinery.

    Google Scholar 

  43. Fett, D. (2020). Mix-up, revisited. Retrieved June 8, 2021, from https://danielfett.de/2020/05/04/mix-up-revisited/

    Google Scholar 

  44. Hammer, E. (2012). OAuth 2.0 and the road to hell. Retrieved June 8, 2021, from https://web.archive.org/web/20130116102852/http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

  45. Hardt, D., Parecki, A., & Lodderstedt, T. (2020). The oauth 2.1 authorization framework. Internet-Draft draft-ietf-oauth-v2-1-00, IETF Secretariat. http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-1-00.txt.

  46. Richer, J. (2020). Grant negotiation and authorization protocol. Internet-Draft draft-ietf-gnap-core-protocol-00, IETF Secretariat. http://www.ietf.org/internet-drafts/draft-ietf-gnap-core-protocol-00.txt.

  47. Richer, J. (2020). Grant negotiation and authorization protocol. Internet-Draft draft-richer-transactional-authz-14, IETF Secretariat. http://www.ietf.org/internet-drafts/draft-richer-transactional-authz-14.txt.

  48. Hardt, D. (2020). The grant negotiation and authorization protocol. Internet-Draft draft-hardt-xauth-protocol-14, IETF Secretariat. http://www.ietf.org/internet-drafts/draft-hardt-xauth-protocol-14.txt.

  49. Sakimura, N., Bradley, J., Jones, M. B., de Medeiros, B., & Mortimore, C. (2014). OpenID connect core 1.0. Technical report, OpenID Foundation.

    Google Scholar 

  50. de Medeiros, B., Scurtescu, M., Tarjan, P., & Jones, M. (2014). OAuth 2.0 multiple response type encoding practices. OpenID Specification.

    Google Scholar 

  51. Sakimura, N., Bradley, J., Jones, M. B., & Jay, E. (2014). OpenID connect discovery 1.0. OpenID Specification.

    Google Scholar 

  52. Jones, P. E., Salgueiro, G., Jones, M. B., & Smarr, J. (2013). Webfinger. RFC 7033, RFC Editor.

    Google Scholar 

  53. Hedberg, R., Jones, M. B., Solberg, A., Gulliksson, S., & Bradley, J. (2020). OpenID connect federation 1.0 - draft 12. Openid specification.

    Google Scholar 

  54. Mladenov, V., & Mainka, C. (2017). OpenID connect – security considerations. Technical report, Ruhr Universität Bochum.

    Google Scholar 

  55. Mainka, C., Mladenov, V., Schwenk, J., & Wich, T. (2017). SoK: Single sign-on security — An evaluation of OpenID connect. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P) (pp. 251–266).

    Google Scholar 

  56. Hedberg, R. (2020). otest. Retrieved June 8, 2021, from https://github.com/rohe/otest

  57. Hedberg, R. (2014). SAML2test. Retrieved June 8, 2021, from https://github.com/rohe/saml2test

    Google Scholar 

  58. Kobayashi, F., & Talburt, J. R. (2014). Decoupling identity resolution from the maintenance of identity information. In 2014 11th International Conference on Information Technology: New Generations (pp. 349–354).

    Google Scholar 

  59. Machulak, M. P., Maler, E. L., Catalano, D., & van Moorsel, A. (2010). User-managed access to web resources. In Proceedings of the 6th ACM Workshop on Digital Identity Management, DIM 10 (pp. 35–44). New York: Association for Computing Machinery.

    Chapter  Google Scholar 

  60. Maler, E. (2015). Extending the power of consent with user-managed access: A standard architecture for asynchronous, centralizable, internet-scalable consent. In 2015 IEEE Security and Privacy Workshops (pp. 175–179).

    Google Scholar 

  61. Maler, E., Machulak, M., & Richer, J. (2018). User-managed access (UMA) 2.0 grant for OAuth 2.0 authorization. Kantara Specification.

    Google Scholar 

  62. Schwartz, M. (2013). Recipe for a reverse proxy using SAML and UMA. Retrieved June 8, 2021, from https://www.gluu.org/blog/recipe-for-a-reverse-proxy-using-saml-and-uma/

    Google Scholar 

  63. Cruz-Piris, L., Rivera, D., Marsa-Maestre, I., De la Hoz, E., & Velasco, J. R. (2018). Access control mechanism for IoT environments based on modelling communication procedures as resources. Sensors, 18(3), 917.

    Article  Google Scholar 

  64. Maler, E., Machulak, M., & Richer, J. (2017). Federated authorization for user-managed access (UMA 2.0). Kantara Specification.

    Google Scholar 

  65. Kantara Initiative. (2020). UMA telecon 2020-05-14. Retrieved June 8, 2021, from https://kantarainitiative.org/confluence/display/uma/UMA+telecon+2020-05-14

    Google Scholar 

  66. Toth, K., & Anderson-Priddy, A. (2019). Self-sovereign digital identity: A paradigm shift for identity. IEEE Security Privacy, 17(3), 17–27.

    Article  Google Scholar 

  67. Laborde, R., Oglaza, A., Wazan, S., Barrere, F., Benzekri, A., Chadwick, D. W. et al. (2020). A user-centric identity management framework based on the W3C verifiable credentials and the FIDO universal authentication framework. In 2020 IEEE 17th Annual Consumer Communications Networking Conference (CCNC) (pp. 1–8).

    Google Scholar 

  68. Friebe, S., Sobik, I., & Zitterbart, M. (2018). DecentID: Decentralized and privacy-preserving identity storage system using smart contracts. In 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing And Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE) (pp. 37–42).

    Google Scholar 

  69. Schanzenbach, M., & Banse, C. (2016). Managing and presenting user attributes over a decentralized secure name system. In Data Privacy Management and Security Assurance. 11th International Workshop, DPM 2016 and 5th International Workshop, QASA 2016 (pp. 213–220). Heraklion, Crete: European Symposium on Research in Computer Security.

    Google Scholar 

  70. Kraft, D. (2016). Namecoin + OpenID = NameID!. Retrieved June 8, 2021, from https://nameid.org

    Google Scholar 

  71. Schanzenbach, M., Bramm, G., & Schütte, J. (2018). reclaimID: Secure, self-sovereign identities using name systems and attribute-based encryption. In 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science And Engineering (TrustCom/BigDataSE) (pp. 946–957).

    Google Scholar 

  72. Tobin, A., & Reed, D. (2017). The inevitable rise of self-sovereign identity. Retrieved June 8, 2021, from https://sovrin.org/wp-content/uploads/2018/03/The-Inevitable-Rise-of-Self-Sovereign-Identity.pdf

    Google Scholar 

  73. Sovrin. (2020). Sovrin steward validator preparation guide. Retrieved June 8, 2021, from https://docs.google.com/document/d/18MNB7nEKerlcyZKof5AvGMy0 GP9T82c4SWaxZkPzya4/edit

  74. Grabatin, M., Hommel, W., & Steinke, M. (2019). Policy-based network and security management in federated service infrastructures with permissioned blockchains. In S. M. Thampi, S. Madria, G. Wang, D. B. Rawat, & J. M. Alcaraz Calero (Eds.), Security in Computing and Communications (pp. 145–156). Singapore: Springer.

    Chapter  Google Scholar 

  75. Identity Foundation. (2020). Self-issued OpenID connect provider DID profile v0.1. Identity Foundation Specification.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Universität der Bundeswehr München, Research Institute CODE, Munich, Germany

    Daniela Pöhn & Wolfgang Hommel

Authors
  1. Daniela Pöhn
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wolfgang Hommel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniela Pöhn .

Editor information

Editors and Affiliations

  1. University of Detroit Mercy, Detroit, MI, USA

    Kevin Daimi

  2. Ulster University, Newtownabbey, UK

    Cathryn Peoples

Rights and permissions

Reprints and permissions

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Pöhn, D., Hommel, W. (2021). Proven and Modern Approaches to Identity Management. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-71381-2_19

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-71380-5

  • Online ISBN: 978-3-030-71381-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation