  • DocumentCode
    2149104
  • Title

    User-Controlled Automated Identity Delegation

  • Author

    Hoellrigl, Thorsten ; Kühner, Holger ; Dinger, Jochen ; Hartenstein, Hannes

  • Author_Institution
    Steinbuch Centre for Comput. (SCC), Karlsruhe Inst. of Technol. (KIT), Karlsruhe, Germany
  • fYear
    2010
  • fDate
    25-29 Oct. 2010
  • Firstpage
    230
  • Lastpage
    233
  • Abstract
    The growing number of IT services in distributed systems increases the need to allow users to keep track of which personal data is retained by which service. User-centric federated identity management (FIM) tackles this goal by enabling users to approve each data dissemination between the providers of identity-related information, so-called identity providers (IdPs), and the consumers of this information, the service providers. To prevent a single IdP from gaining a comprehensive set of user information, user-centric FIM motivates the use of multiple IdPs even though this distribution of responsibilities might result in information redundancy and therefore raises consistency issues. User-centric FIM systems do not cope with information consistency sufficiently, mainly because these systems require that each dissemination of user attributes is manually approved by the user. We propose an approach, named User-Controlled Automated Identity Delegation, that allows a controlled data dissemination based on an automated user approval by introducing an additional party called Identity Delegate. The Identity Delegate is designed in consideration of the following central ideas: (i) user centricity - all data dissemination is still under user control, (ii) privacy - the delegate cannot read or gather personal data, (iii) efficiency - the effort to integrate and operate the delegate within an existing FIM system is kept low. We cover the experience made with an implementation based on Windows CardSpace.
  • Keywords
    data privacy; distributed processing; information dissemination; information services; user centred design; IT services; data dissemination control; data privacy; distributed system; identity providers; identity related information; information consistency; information redundancy; user centric federated identity management; user controlled automated identity delegation; Authorization; Cryptography; Joining processes; Manuals; Privacy; Prototypes
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Network and Service Management (CNSM), 2010 International Conference on
  • Conference_Location
    Niagara Falls, ON
  • Print_ISBN
    978-1-4244-8910-7
  • Electronic_ISBN
    978-1-4244-8908-4
  • Type

    conf

  • DOI
    10.1109/CNSM.2010.5691295
  • Filename
    5691295