Enhancing Consumer Privacy in the Liberty Alliance Identity Federation and Web Services Frameworks

  • Mansour Alsaleh
  • Carlisle Adams
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4258)


Internet usage has been growing significantly, and the issue of online privacy has become a correspondingly greater concern. Several recent surveys show that users’ concern about the privacy of their personal information reduces their use of electronic businesses and Internet services; furthermore, many users choose to provide false data in order to protect their real identities. Identity federation aims to assemble an identity virtually from a user’s personal information stored across several distinct identity management systems. Liberty Alliance is one of the most recognized projects in developing an open standard for federated network identity. While one of the key objectives of the Liberty Alliance is to enable consumers to protect the privacy and security of their network identity information, this paper identifies and analyzes possible privacy breaches within the Liberty identity Federation Framework and Liberty identity Web Services Framework. Proposals for improvement in both these frameworks are discussed.


Service Provider Privacy Concern Sales Employee Policy Decision Point Privacy Preference 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aarts, R., Björksten, M., Deadman, S., Duserick, B., Karhuluoma, N., et al.: Liberty architecture framework for supporting Privacy Preference Expression Languages (PPELs). Version 1.0, Liberty Alliance Project (November 2003), Available from: http://www.projectliberty.org/about/whitepapers.php
  2. 2.
    Ahn, G.-J., Lam, J.: Managing privacy preferences for federated identity management. In: Proceedings of the 2005 workshop on Digital identity management, Fairfax, VA, USA, November 2005, ACM Press, New York (2005)Google Scholar
  3. 3.
    Ahn, G.-J., Shin, D., Hong, S.-P.: Information Assurance in Federated Identity Management: Experimentations and Issues. In: Zhou, X., Su, S., Papazoglou, M.P., Orlowska, M.E., Jeffery, K.G. (eds.) WISE 2004. LNCS, vol. 3306, pp. 78–89. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Bhargav-Spantzel, A., Squicciarini, A.C., Bertino, E.: Establishing and protecting digital identity in federation systems. In: Proceedings of the 2005 workshop on Digital identity management, Fairfax, VA, USA, November 2005, ACM Press, New York (2005)Google Scholar
  5. 5.
    Brown, K.: Security Briefs: Step-by-Step Guide to InfoCard. MSDN Magazine, Microsoft (April 2006) (accessed April 25, 2006), Available from: http://msdn.microsoft.com/msdnmag/issues/06/05/SecurityBriefs/default.aspx
  6. 6.
    BusinessWeek online. “Business Week/Harris Poll: A Growing Threat”. (March 2000) (accessed January 16, 2006), Available from: http://businessweek.com/2000/00_12/b3673010.htm
  7. 7.
    Ellison, G., Madsen, P.: Liberty ID-WSF Security Mechanisms, version 2.0-03, Liberty Alliance Project, Available from: http://www.projectliberty.org/resources/specifications.php
  8. 8.
    Fox, S.: Trust and Privacy Online: Why Americans Want to Rewrite the Rules. Pew Internet & American Life Project (August 2000) (accessed February 17, 2006), Available from: http://www.pewinternet.org/pdfs/PIP_Trust_Privacy_Report.pdf
  9. 9.
    Gartner Group. Industry watchdog Gartner Group (2003), Available from: (accessed October 21, 2005), http://www.gartner.com
  10. 10.
    Groß, T.: Security analysis of the SAML Single Sign-on Browser/Artifact profile. In: Proceedings of the 19th Annual Computer Security Applications Conference, December 2003, IEEE, Los Alamitos (2003)Google Scholar
  11. 11.
    Hommel, W.: Using XACML for Privacy Control in SAML-Based Identity Federations. In: Dittmann, J., Katzenbeisser, S., Uhl, A. (eds.) CMS 2005. LNCS, vol. 3677, pp. 160–169. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Johnston, S.J.: Pondering Passport: Do You Trust Microsoft With Your Data? PCWorld. com (September 2001) (accessed January 10, 2006), Available from: http://pcworld.about.com/news/Sep242001id63244.htm
  13. 13.
    Kellomäki, S., Lockhart, R.: Liberty ID-SIS Personal Profile Service Specification. Version 1.1, Liberty Alliance Project (2003), Available from: http://www.projectliberty.org/resources/specifications.php
  14. 14.
    Landau, S.: Liberty ID-WSF Security & Privacy Overview. Version 1.0, Liberty Alliance Project (2003), Available from: http://www.projectliberty.org/resources/specifications.php
  15. 15.
    Liberty Alliance Project (accessed October 2005), Available from: http://www.projectliberty.org/
  16. 16.
    Liberty Alliance Project. Liberty Alliance Whitepaper: Identity Theft Primer (December 2005) (accessed January 2006), Available from: http://www.projectliberty.org/resources/id_Theft_Primer_Final.pdf
  17. 17.
    Madsen, P., Takahashi, Y.K.K.: Federated identity management for protecting users from ID theft. In: Proceedings of the 2005 workshop on Digital identity management, Fairfax, VA, USA, November 2005, ACM Press, New York (2005)Google Scholar
  18. 18.
    OASIS Security Services (SAML) TC. Security Assertion Markup Language (SAML). OASIS Standards (accessed December 2005), Available from: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
  19. 19.
    Pfitzmann, B.: Privacy in Enterprise Identity Federation - Policies for Liberty Single Signon. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 189–204. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Pfitzmann, B., Waidner, M.: Federated Identity-Management Protocols — Where User Authentication Protocols Go. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 153–174. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  21. 21.
    Pfitzmann, B., Waidner, M.: Privacy in browser-based attribute exchange. In: Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, Washington, ACM Press, New York (2002)Google Scholar
  22. 22.
    SourceID. Digital Identity Basics (accessed December 2005), Available from: http://www.sourceid.org/content/primer
  23. 23.
    Taylor, K., Murty, J.: Implementing role based access control for federated information systems on the web. In: Proceedings of the Australasian information security workshop conference on ACSW frontiers, Adelaide, Australia, 2003, vol. 21, ACM Press, New York (2003)Google Scholar
  24. 24.
    Varney, C., Hartson, H.: Privacy and Security Best Practices. Version 2.0, Liberty Alliance Project (November 2003), Available from: http://www.projectliberty.org/resources/specifications.php
  25. 25.
    Varney, C., Sheckler, V.: Deployment Guidelines for Policy Decision Makers. Version 2.9, Liberty Alliance Project (September 2005), Available from: http://www.projectliberty.org/about/whitepapers.php.
  26. 26.
    Wason, T.: Liberty ID-FF Architecture Overview. Version: 1.2-errata-v1.0, Liberty Alliance Project (2004), Available from: http://www.projectliberty.org/resources/specifications.php

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mansour Alsaleh
    • 1
  • Carlisle Adams
    • 1
  1. 1.School of Information Technology and Engineering (SITE)University of Ottawa 

Personalised recommendations