DocumentCode :
2050700
Title :
Whom to Trust? Generating WS-Security Policies Based on Assurance Information
Author :
Thomas, Ivonne ; Warschofsky, Robert ; Meinel, Christoph
Author_Institution :
Hasso-Plattner-Inst., Potsdam, Germany
fYear :
2011
fDate :
14-16 Sept. 2011
Firstpage :
65
Lastpage :
72
Abstract :
As input for authorization decisions as well as to offer personalized services, service providers often require information about their users' identity attributes. In open identity management systems, these identity attributes are not necessarily managed by the service providers themselves, but by independent identity providers. Users might be required to aggregate identity attributes from multiple identity providers in order to meet a service's needs. On the other hand, service providers might also have certain requirements concerning their confidence in these attributes and face the problem of choosing one among multiple identity providers that can possibly assert the same attributes, but with different trust qualities. In this paper, we present an architecture to generate service policies using assurance information about available identity providers. Our logic-based attribute assurance library, called Identity Trust, allows the configuration of a knowledge base reflecting a service provider's knowledge about remote identity providers. Service providers can state their trust requirements concerning technical and organizational details of identity providers and their ability to assert identity attributes. A reasoning engine finds suitable (combinations of) identity providers, which serve as input for our policy framework that generates corresponding policies using the WS-Security policy format.
Keywords :
authorisation; service-oriented architecture; WS security policies; assurance information; assurance library; authorization decisions; identity management systems; personalized services; service providers; service-oriented architecture; trust qualities; Authentication; Context; Educational institutions; Knowledge based systems; Libraries; Silver; Identity Federation; Identity and Attribute Assurance; Trust;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Web Services (ECOWS), 2011 Ninth IEEE European Conference on
Conference_Location :
Lugano
Print_ISBN :
978-1-4577-1532-7
Type :
conf
DOI :
10.1109/ECOWS.2011.29
Filename :
6061078