Achieving Privacy in a Federated Identity Management System
Source: Sun Microsystems
Federated identity management allows a user to efficiently authenticate and use identity information from data distributed across multiple domains. The sharing of data across domains blurs security boundaries and potentially creates privacy risks. The paper examines privacy risks and fundamental privacy protections of federated identity-management systems. The protections include minimal disclosure and providing PII only on a "Need-to-know" basis. The paper then looks at the Liberty Alliance system and analyzes previous privacy critiques of that system. The paper shows how law and policy provide privacy protections in federated identity-management systems, and that privacy threats are best handled using a combination of technology and law/policy tools.