Architectures for identity management

Identity management (IDM) is a pillar upon which all security goals are usually founded. Recent years have witnessed the emergence of a large number of new technologies for IDM systems such as Kerberos, Microsoft Passport, Shibboleth and Liberty Alliance. On the one hand, these systems offer organizations and service providers features which widely open new opportunities for doing business and facilitating work internally within organizations. On the other, they present new threats because of the additional risks arising from implicit trust to third parties. Hence, all these gains may have to be carefully balanced with the non-transparent risks to information privacy and integrity arising from implicit chains of trusts inherent in IDM systems. This paper presents a sample of two abstract, concise and generic architectures upon which some of the emerging IDM systems are based. On one hand, these architectures allow us to understand the features provided in each system and, therefore, being able to compare, contrast and evaluate these systems. On the other hand, since the trust relationship in these architectures are make explicit, this work provides the foundation for future investigation and analysis of security risks emerging from the trust relationships inherent in each of these architectures.