A Multi-Layered Identity and Access Management Solution for Establishment of Scalable Federated Identity
Doctoral thesis
Date of Examination: 2023-11-29
Date of issue: 2023-12-22
Advisor: Prof. Dr. Ramin Yahyapour
Referee: Prof. Dr. Ramin Yahyapour
Referee: Prof. Dr. Jens Grabowski
This file will be freely accessible after 2024-11-28.
Abstract (English): Federated identity management (FIM) systems are defined as a group of organizations (entities) that have agreed to establish trust relationships and share identity information to enable seamless access to resources across organizational boundaries. In FIM, service providers (SPs) authorize user requests to access their services by assessing user information and assertions issued by external identity providers (IdPs). The methods used for authentication and identification, and the security measures applied to data transmission between SPs and IdPs, are examples of the assurance information that SPs rely on for authorization. In this context, the level of assurance (LoA) measures the level of confidence that can be placed in a user’s digital identity: it represents the degree to which the identity has been verified and the risk associated with it. Implementing LoA solutions in federated environments is often complex and challenging for SPs, since each organization maintains its own identity and access management (IAM) practice and authorization policies. International standardization bodies and federation operators have made various proposals for LoA solutions in the form of blueprints, assurance frameworks, or IAM modules for providing, evaluating, and exchanging user assurance information. However, there is no universal agreement on what these standards should be or how they should be implemented. SPs often find it challenging to adopt and implement the current solutions because of the high cost of deployment, their complexity, the limited authority SPs have to define customizable requirements, and the lack of compatibility between standards and frameworks in different administrative domains. This research proposes an assurance framework that can be added as a module to an organization’s IAM solution to address these LoA challenges. The framework aims to give service owners the flexibility to define their LoA requirements based on their service’s specific needs and risk assessments.
Using the proposed framework, service owners can also define custom mapping functions to remain compatible with other assurance solutions, for example by defining alternative identity assurance elements to be consulted when the assurance information about a request does not meet their requirements. In designing the LoA framework, we have incorporated the concept of account linkage to improve the evaluation by leveraging assurance information from multiple accounts owned by the same individual. In parallel to the proposed LoA solution, this research introduces a model that works as a recommender system to automate the process of linking user accounts within organizations that are part of one or more federated environments. The model was initially developed as a component of the proposed LoA solution, but because of the importance of the account-linking topic it has been refined into a stand-alone module that can integrate with any organizational IAM solution. Linking accounts within a federated domain improves the user experience by allowing users to access services through any of their accounts, such as Facebook and Google, and to better manage their resources and information. It can also reduce data duplication, since users often duplicate their data so that it is accessible through different accounts. The account-linking recommender system in this research was developed using a large dataset collected from over 50,000 users over a period of one year. The evaluation of the model’s proof-of-concept implementation confirmed its high performance and suitability for use in production environments.
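As an added illustration, not code from the thesis, the following Python sketch shows how a service-side LoA module of the kind described above could evaluate a service owner's own requirements against IdP assertions: a per-IdP mapping function translates a partner federation's assurance vocabulary into the service's levels, alternative assurance elements are consulted when the primary one is missing or too weak, and linked accounts each contribute their strongest value. All level names, element names, IdP names and asserted values are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Ordered assurance levels used by the service owner's policy (constructed vocabulary).
LEVELS = {"low": 1, "substantial": 2, "high": 3}

@dataclass
class Assertion:
    """Assurance elements an IdP asserts about one of the user's (linked) accounts."""
    idp: str
    elements: dict[str, str]

@dataclass
class ServicePolicy:
    """LoA requirements a service owner defines for one service."""
    required: dict[str, str]                                   # element -> minimum level
    mappers: dict[str, Callable[[str], str]] = field(default_factory=dict)  # per-IdP vocab map
    alternatives: dict[str, list[str]] = field(default_factory=dict)        # element -> fallbacks

    def level_of(self, assertion: Assertion, element: str) -> int:
        """Numeric level one assertion gives for an element, after mapping a foreign vocabulary."""
        raw = assertion.elements.get(element)
        if raw is None:
            return 0
        mapper = self.mappers.get(assertion.idp)
        return LEVELS.get(mapper(raw) if mapper else raw, 0)

    def strongest(self, element: str, assertions: list[Assertion]) -> int:
        """Account linkage: the strongest value across all linked accounts counts."""
        return max((self.level_of(a, element) for a in assertions), default=0)

    def evaluate(self, assertions: list[Assertion]) -> tuple[bool, list[str]]:
        """Return (authorized, unmet elements); alternatives are tried when the primary fails."""
        unmet = []
        for element, minimum in self.required.items():
            candidates = [element] + self.alternatives.get(element, [])
            if not any(self.strongest(c, assertions) >= LEVELS[minimum] for c in candidates):
                unmet.append(element)
        return not unmet, unmet

# Constructed sample: the home IdP speaks the policy vocabulary, a partner IdP uses its own labels.
PARTNER_PROOFING = {"ial-1": "low", "ial-2": "substantial", "ial-3": "high"}
POLICY = ServicePolicy(
    required={"identity_proofing": "substantial", "authn_strength": "high"},
    mappers={"partner-idp": lambda v: PARTNER_PROOFING.get(v, v)},
    alternatives={"authn_strength": ["mfa_verified"]},
)
HOME = Assertion("home-idp", {"identity_proofing": "low", "mfa_verified": "high"})
PARTNER = Assertion("partner-idp", {"identity_proofing": "ial-2"})

if __name__ == "__main__":
    print(POLICY.evaluate([HOME]))           # (False, ['identity_proofing'])
    print(POLICY.evaluate([HOME, PARTNER]))  # (True, [])
```

On its own the home account fails identity proofing; once the partner account is linked, its mapped proofing level satisfies the requirement while the home account's MFA element covers authentication strength through the alternative.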
Keywords: Level of Assurance; Accounts Linking; Federated Identity Management; Variational Autoencoder; Transformers