Abstract

Identity and access management is a core building block for the majority of web services. Cloud-based services, social networks, mobile apps, and also IoT-related services rely on identity management to provide a seamless and secure user experience. Transmitting and sharing sensitive information with other organizations always poses a security and privacy risk to all participating entities. One approach to this problem is federated identity management (FIM). FIM is used to authenticate and authorize users across multiple organizations and platforms in order to obtain access to resources and services. Its benefits include consistent data, a reduced amount of sensitive information that needs to be shared, and fewer passwords for the user to remember. Both predominant standards, Security Assertion Markup Language (SAML) 2.0 and the OAuth 2.0 authorization framework with its authentication layer OpenID Connect, have been in widespread practical use for at least a decade. However, these protocols were developed with different requirements in mind than those present today. This led to several extensions that address real-world problems, making it cumbersome to comply with every flavor. Likewise, Request for Comments (RFC) 8252 recommends that a native app delegate user authentication to the system browser rather than an embedded web view. Consequently, new protocols are currently being developed, for example within the Internet Engineering Task Force (IETF), the Kantara Initiative, and the OpenID Foundation, which (should) have three main goals in common:

• Reducing the complexity in contrast to SAML 2.0 and OAuth 2.0.
• Decreasing the number of extensions and varieties found in the wild. Both of these help developers to comply with the standards and, consequently, increase security.
• Including edge and future use cases, making the protocols even more useful.

This article gives insights into current developments and possible future paths.
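The native-app pattern that RFC 8252 recommends (authorization code flow handed to the system browser, protected by PKCE from RFC 7636, with the code returned over a loopback redirect) is shown below as an added Python example. It is not code from the article or from any of the standards bodies it names; the authorization endpoint, client ID and loopback port are constructed placeholders, and the callback request line is constructed to stand in for what the browser would deliver.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Constructed, hypothetical authorization server and client settings (not from
# the article). A real app would obtain these from OpenID Connect discovery.
AUTHORIZATION_ENDPOINT = "https://idp.example.org/authorize"
CLIENT_ID = "native-app-demo"
# RFC 8252 section 7.3: loopback redirect URI; the port is picked at runtime.
REDIRECT_URI = "http://127.0.0.1:49152/callback"


def code_challenge(code_verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge).

    The verifier never leaves the app; only its digest travels through the
    browser, so another app on the device that intercepts the authorization
    code cannot redeem it at the token endpoint.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge(verifier)


def build_authorization_url(state: str, challenge: str, scope: str = "openid profile") -> str:
    """Authorization request URL that the app opens in the system browser (RFC 8252)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(request_line: str, expected_state: str) -> str:
    """Extract the authorization code from the request the browser sends to the loopback listener.

    `request_line` is the HTTP request line, e.g. "GET /callback?code=...&state=... HTTP/1.1".
    Raises ValueError if the state does not match (CSRF / mix-up defence),
    the path is wrong, the server returned an error, or the code is absent.
    """
    method, target, _ = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method")
    parsed = urllib.parse.urlsplit(target)
    if parsed.path != urllib.parse.urlsplit(REDIRECT_URI).path:
        raise ValueError("unexpected redirect path")
    query = urllib.parse.parse_qs(parsed.query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    codes = query.get("code")
    if not codes or len(codes) != 1:
        raise ValueError("missing or duplicated code")
    return codes[0]


def token_request_body(code: str, code_verifier: str) -> dict:
    """Parameters of the back-channel token request; the verifier proves that
    the party redeeming the code is the one that started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def run_demo() -> dict:
    """Walk the whole flow offline with a constructed browser callback."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(state, challenge)
    # Constructed request line, as the system browser would deliver it to the loopback listener.
    callback = f"GET /callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state} HTTP/1.1"
    code = parse_callback(callback, state)
    return {"url": url, "code": code, "token_request": token_request_body(code, verifier)}


if __name__ == "__main__":
    print(run_demo())
```

The `state` check and the PKCE verifier are the two pieces that make the system-browser hand-off safe: the state ties the callback to the request this process issued, and the verifier ties code redemption to this process rather than to whoever observed the loopback redirect.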
