DocumentCode
561237
Title
Automated trust negotiation in identity federations using OWL-based abduction of missing credentials
Author
Kuba, Martin
Author_Institution
Inst. of Comput. Sci., Masaryk Univ., Brno, Czech Republic
fYear
2011
fDate
11-14 Dec. 2011
Firstpage
164
Lastpage
169
Abstract
Creating ontologies and creating access control policies have one thing in common: a lot of work is spent on producing precise definitions such as "who is a full-time student" and answering difficult questions such as "Are unpaid teachers employees?". Thus ontologies written in OWL and SWRL are a good match for access control policies. However, research in this area has always assumed that the semantic information about a user is readily available. Such an assumption can be satisfied only in a centralized system, not in the decentralized systems enabled by the recent formation of identity federations, in which organizations can authenticate users from other organizations and make authorization decisions about access to their resources based on user information provided by those other organizations. For security and privacy reasons, not all available information about a user can be released to everyone; it may be released only on a strictly need-to-know basis. In today's federated systems, the user information is selected and released all at once at the moment of user authentication, but this may be inadequate if the user information is to be processed by rich ontology-based access control policies. This paper proposes a novel method for releasing semantic information between organizations in an identity federation, based on automated trust negotiation between the releasing Identity Provider and the consuming Service Provider. In the negotiation, the Service Provider gradually asks for more and more information about the user until an authorization decision can be made. The paper also proposes an algorithm for detecting which information needed for a decision is missing in an OWL 2 ontology.
Keywords
authorisation; knowledge representation languages; ontologies (artificial intelligence); trusted computing; OWL-based abduction; access control policies; authorization; automated trust negotiation; centralized systems; decentralized system; identity federation; missing credentials; ontologies; semantic information; user authentication; Authorization; OWL; Ontologies; Organizations; Semantics; Standards organizations;
fLanguage
English
Publisher
ieee
Conference_Titel
Internet Technology and Secured Transactions (ICITST), 2011 International Conference for
Conference_Location
Abu Dhabi
Print_ISBN
978-1-4577-0884-8
Type
conf
Filename
6148374