1. Technical Field
The present invention relates to identity verification and more particularly to systems and methods for selecting an identity management provider in accordance with policy constraints using an interactive interface.
2. Description of the Related Art
Identity management systems are used to store digital information on subjects. Such systems describe each subject via a set of (identity) attributes such as, e.g., given name, first name, nationality, address, date of birth etc., but also other credentials of the user such as access rights or job qualification. When requiring access to a given service (provided by a relying party as a web service or a web site's page), identity information is extracted from the identity management's identity provider(s), signed (and thus certified) by the identity provider(s), and presented to the relying party which either accepts or rejects the credentials presented in the form of some security token.
Access to the trusted identity provider (also referred to as a secure token service, since it generates the secure access token) is granted upon presentation of some authentication token such as, e.g., a user credential and password, an X.509 certificate-based authenticator, or a Kerberos ticket.
In a simplistic scheme, the relying party can require which set of identity attributes should be provided and certified by the identity provider. For example, the Microsoft® Information Card system (a.k.a., CardSpace) knows a limited set of identity attributes for which the trusted identity provider supplies the value(s), creates an authenticated credential (in the form of, e.g., a SAML token) containing these values and forwards these to the relying party.
An end user selects the identity provider to generate the security token by choosing from a set of digital cards presented by an identity management user interface. The selected card identifies the identity provider and only cards for identity providers able to supply the required identity attributes can be selected by the user.
A Microsoft® Information Card system uses a simple scheme to express which attributes must be supplied and certified by the identity provider: it uses a set of well-known identity attributes for which the values are extracted from the identity provider and certified by using a cryptographic signing scheme. The advantage of such a system is that the end-user has a simple paradigm (i.e., card selection) to indirectly select an identity provider. Furthermore, the maintenance of the attribute values required by the relying party and stored by the identity provider is delegated to the identity provider. Thus, data maintenance requirements become simplified. Each information card may also restrict the set of identity attributes to a subset of all available identity attributes and thus control the release of personal information to the relying party. Finally, the same identity provider can be used for multiple relying parties, thus providing a single sign on to multiple relying parties.
The above model can be extended by federating the identity providers. For example, a set of identity attributes can be provided by one or multiple federated identity (id) providers. Identity mixer technology extends this paradigm by using a more complex policy language. That is, the relying party can formulate access requirements not only as a set of certified attribute values, but as conditional predicates on a set of attributes.
One embodiment of the present invention may include a mechanism to automatically generate mappings from policy claim attributes onto identity provider attributes using a set of computable, semantics preserving transformations. At the user level, however, the user should be presented with the set of cards which eventually satisfy the policy claims of the relying party. For each card, the system indicates which attributes are supplied by the identity provider associated with the card. The present embodiments provide an easy-to-use, expressive, and sufficiently powerful user interface for the selection of cards.
A system and method for verifying an attribute includes providing a compound policy by a relying party. The compound policy has one or more claims and/or sub-claims expressing conditions on attributes and constants. Identity providers are associated with aspects of the compound policy by mapping attributes of the compound policy with attributes of the identity providers. A selection of at least one identity provider that satisfies the compound policy is enabled. At least one attribute of the user is verified by at least one identity provider in accordance with the selection.
A system for verifying an attribute includes an identity selector configured on a computer device having a display. The identity selector includes a graphical user interface configured to display a compound policy from a relying party, the compound policy having one or more claims and sub-claims, the graphical user interface including a plurality of regions, each region being designated to represent identity providers which satisfy claims of the compound policy and represent the identity providers in the graphical user interface by placing a representation of the identity provider in the regions where the claims of the compound policy are satisfied. A mapper is configured to associate identity providers with aspects of the compound policy to map attributes of the compound policy with attributes of the identity providers to provide the representation of the identity providers in the regions of the graphical user interface. A selection mechanism is configured to permit a selection of the at least one identity provider that satisfies the compound policy.
These and other features and advantages will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.
The disclosure will provide details in the following description of preferred embodiments with reference to the following figures wherein:
In accordance with the present principles, a user is presented with a relying party's policy. The policy includes a set of claims and each claim can be comprised of one or multiple sub-claims. Claims and sub-claims can be displayed as a rendering of an AND-OR (conjunctive normal form (CNF)) statement on the claim and sub-claim attributes and constants. The user uses an interactive interface, such as a mouse or other tracking device, to select the “OR” sub-claims which are to be considered (at least one OR term of each claim must be enabled for the AND-OR statement to be solvable).
Depending on the set of selected OR sub-claims, the set of cards which can be used to satisfy the policy is displayed. This can be represented as a one-dimensional list of card combinations. An alternative is to stack the possible combinations into a deck of cards through which the user can page. In either case, the solution set of cards is controlled by the enabled/disabled set of OR sub-claims. When hovering with the cursor over a card representation in the above set of cards, a pop-up element indicates which identity attributes are used to satisfy the policy claim(s). (The set of available attributes is queried from the identity provider.) Thus, the end user is enabled to see which information items are used by the identity provider to assert the claims required by the relying party's policy.
Embodiments of the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment including both hardware and software elements. In a preferred embodiment, the present invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that may include, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.
A data processing system suitable for storing and/or executing program code may include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code to reduce the number of times code is retrieved from bulk storage during execution. Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers.
Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters.
Referring now to the drawings in which like numerals represent the same or similar elements and initially to
The relying party 50 emits an access policy 54 in the form of a conjunctive normal form “AND-OR” expression. Each term is of the form “attribute relational-operator constant” or “attribute relational-operator attribute” where an attribute is a policy language defined attribute value, such as first name, given name, age, etc. The constant value is a constant from the corresponding attribute domain, e.g. number, date, or string literals. Relational operators may include, e.g., “=”, “>”, “>=”, “!=” etc.
An AND-OR expression (conjunctive normal form) can be formulated to express complex conditions on the set of user attributes, such as (“Country of residence==Switzerland” and “age>30”) or, as another example, ((salary>100,000) or (employer==IBM)) and (gender==male). These attributes are called policy attributes, as they are the attributes used in the access policies supplied from the relying party 50.
It is now possible to extend the information card paradigm by selecting a set of cards, each of which relates to an identity provider which supplies a subset of the overall required attributes. A cryptographic proof system can be used to build up combined certificates by using multiple identity providers. Multiple combinations of cards may be used to satisfy the policy claims. The identity providers provide proof that the policy claims are satisfied by the identity's actual attributes. Depending on the cryptographic approach used, this can be achieved via a zero-knowledge proof in which the actual value of the attribute is not divulged, or via a more traditional cryptographically secured assertion on the value of the identity attributes (in which case the attribute is visible to the relying party).
For example, a claim 1 may be satisfied by an identity provider related to cards A and B, and a claim 2 can be satisfied by an identity provider of cards C, D, and A. To satisfy both claims, we can either use cards {A}, {A, C}, {A, D} or {B, A}, {B, C} and {B, D}. The exact matching depends on which attributes can be supplied by which identity providers that are related to the diverse cards. An attribute presented in a policy claim need not correspond 1-to-1 to an identity provider attribute. For example, consider the required claim “age>33”. In general, identity providers supply date-of-birth. Thus, the required claims must be translated from policy attribute space into identity provider attribute space, for example by stating “current year−year(date-of-birth)>33”.
The policy claims are forwarded by the relying party 50 to an identity selector application 24 running on the user's computing equipment, which may be embodied by a fixed or mobile computer, a personal digital assistant (PDA), a cell phone or other computing device with sufficiently powerful graphical user interface (GUI) features. Features of selector 24 include a screen of sufficient size and a pointing device (e.g., mouse, scroll-ball, touch-screen, etc.).
A mapper 28 is employed to map policy attributes of the policy 54 with identity attributes 42 of one or more identity providers 40. The mapping associates the attributes such that the policy rendered by the identity selector can be employed to determine which identity provider satisfies the claims and conditions of the policy 54. The user 20 may employ the selector 24 to graphically select alternatives (“OR” alternatives).
The mapper 28 automatically generates mappings from policy claim attributes onto identity provider attributes using, e.g., a set of computable, semantics preserving transformations. At the user level, however, the user is presented with the set of cards which eventually satisfy the policy claims of the relying party. For each card, the system indicates which attributes are supplied by the identity provider associated with the card. The present embodiments provide an easy-to-use, expressive, and sufficiently powerful user interface for the selection of cards.
Referring to
An identity selector (not shown) establishes a relationship between the attributes present in the policy claims 102, 104, 106 and attributes provided by a potential set of identity providers. A mapping is thus created from policy attributes to identity provider attributes. Such mapping can be a one-to-one correspondence or take the form of some computable function which is equivalent to the policy claim expression. For example, if the policy claim requires “age>33” and identity providers only provide an attribute “date-of-birth”, it is possible to rewrite the policy claim expression to “(current year−year(date-of-birth))>33”. A set of known such transformations can be built into the identity selector based on a set of well known identity provider and policy claims attributes. A more flexible rewriting scheme is contemplated based on the use of ontologies establishing semantic equivalencies between attributes in the relying party claims and the identity provider space.
For the selected set of OR sub-claims 108, a set of cards for each sub-claim is displayed. This can be done as a flat list of card-sets, as a stack of card-sets or as some other arrangement indicating the cards associated with each sub-claim. When the set of selected “OR” sub-claims 108 is modified by the user via a pointing device, the displayed set of cards is updated interactively. For example, in
Referring to
With reference to
Referring to
In block 204, identity providers or verifiers are associated with aspects of the compound policy by mapping attributes of the compound policy with attributes of the identity providers. In one embodiment, the graphical user interface includes a plurality of regions, and each region is designated to represent identity providers which satisfy claims and/or sub-claims of the compound policy. The identity providers are represented in the graphical user interface by, e.g., cards. The representations (e.g., cards) of the identity providers are placed in the regions where the claims/sub-claims of the compound policy are satisfied.
In block 206, a selection of at least one identity provider that satisfies the compound policy is enabled. This may include providing a pointing mechanism with which a user selects, in the graphical user interface, the identity providers that should be employed to verify an identity or attribute of the user to a relying party. In block 208, the compound policy may include alternative conditions (“OR”s). These alternative conditions provide opportunities for user selections among the alternatives. Such a selection from among the alternative conditions causes the representations of the identity providers to be altered in accordance with the new conditions of the compound policy in block 210. This may include the appearance or disappearance of cards or stacks of cards representing the identity providers in the GUI.
In block 212, verification of at least an attribute of the user by the at least one identity provider in accordance with the selection is performed. This process may include requesting verification of the at least one attribute of the user from the at least one identity provider in block 214, verifying the at least one attribute of the user in block 216, and providing proof of the verification to the relying party in block 218. The proof preferably includes a zero-knowledge proof in which an actual value of an attribute is not divulged.
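The following is an added example (not code from the patent or any product it names) that works through the CNF policy, attribute mapping and card-combination enumeration described above, and the narrowing of the card set when the user disables OR sub-claims (blocks 204-210). The cards, attribute values, the "current year" and the rewrite table are constructed sample data.

```python
from datetime import date
from itertools import product

# A term is (policy_attribute, operator, constant); a claim is a list of OR-ed
# terms; the policy is the AND of its claims (conjunctive normal form).
POLICY = [
    [("age", ">", 33)],                                    # claim 1
    [("salary", ">", 100000), ("employer", "==", "IBM")],  # claim 2, two OR sub-claims
]
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
# Each card stands for one identity provider and the attributes it can certify
# (constructed sample data). Providers supply date-of-birth, never "age".
CARDS = {
    "A": {"date-of-birth": date(1970, 5, 1), "employer": "IBM"},
    "B": {"date-of-birth": date(1960, 2, 9)},
    "C": {"salary": 120000},
    "D": {"employer": "IBM", "salary": 90000},
}
TODAY = date(2010, 1, 1)  # constructed "current year" for the age rewrite
ALL_TERMS = {t for claim in POLICY for t in claim}
# Mapper: semantics-preserving rewrite from policy-attribute space into
# provider-attribute space, e.g. "age>33" -> "current year - year(dob) > 33".
MAPPINGS = {"age": ("date-of-birth", lambda dob, today: today.year - dob.year)}

def term_holds(term, attrs, today):
    """Evaluate one term against a provider's attributes after mapping; None if the provider lacks the attribute."""
    name, op, const = term
    if name in MAPPINGS:
        src, rewrite = MAPPINGS[name]
        if src not in attrs:
            return None
        value = rewrite(attrs[src], today)
    elif name in attrs:
        value = attrs[name]
    else:
        return None
    return OPS[op](value, const)

def cards_for_claim(claim, enabled, today):
    """Cards whose provider proves at least one *enabled* OR sub-claim of the claim."""
    return sorted(c for c, attrs in CARDS.items()
                  if any(term_holds(t, attrs, today) for t in claim if t in enabled))

def card_combinations(policy, enabled, today):
    """Card sets covering every claim: the list or deck the identity selector displays."""
    per_claim = [cards_for_claim(cl, enabled, today) for cl in policy]
    if any(not cs for cs in per_claim):
        return []  # a claim has no enabled, satisfiable sub-claim: policy unsolvable
    return sorted(sorted(s) for s in {frozenset(pick) for pick in product(*per_claim)})

def attributes_used(card, policy, enabled, today):
    """Provider attributes a card contributes (what the hover pop-up lists)."""
    used = {MAPPINGS.get(t[0], (t[0],))[0] for cl in policy for t in cl
            if t in enabled and term_holds(t, CARDS[card], today)}
    return sorted(used)
```

With every sub-claim enabled the combinations are exactly the {A}, {A, C}, {A, D}, {A, B}, {B, C}, {B, D} of the example above; disabling the "employer==IBM" sub-claim leaves only {A, C} and {B, C}.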
Having described preferred embodiments of a system and method for interactive selection of identity information satisfying policy constraints (which are intended to be illustrative and not limiting), it is noted that modifications and variations can be made by persons skilled in the art in light of the above teachings. It is therefore to be understood that changes may be made in the particular embodiments disclosed which are within the scope and spirit of the invention as outlined by the appended claims. Having thus described aspects of the invention, with the details and particularity required by the patent laws, what is claimed and desired protected by Letters Patent is set forth in the appended claims.