In a federated identity management scenario, the identity provider (IdP) brokers identity attributes between users and service providers (SPs). These attributes are not encrypted end-to-end during the exchange, which allows the IdP to learn their content. This lack of confidentiality violates the user’s right to privacy. Proxy Re-Encryption (PRE) can be used to provide end-to-end confidentiality for the user’s identity attributes, but this technology is currently not supported by Identity and Access Management (IAM) protocols such as OpenID Connect or SAML 2.0.
This report presents our enhancement of current IAM systems with PRE and assesses its potential. The goal of the enhancement is to enable end-to-end encryption for the user’s identity attributes in a way that an IdP can still broker between users and SPs, but without learning the content of attributes. At the same time, the enhancement is designed to be non-invasive, such that it can be applied to the existing IAM landscape with minimal integration effort, and user-centric, such that users stay in control of their data.
In this report, we offer the following contributions: First, we evaluate a set of open source implementations of OpenID Connect and SAML 2.0 and find a suitable candidate for the enhancement. Preferred properties are a clear and concise project structure, extensibility and few external dependencies. Then, we propose a design in collaboration with CREDENTIAL’s D4.3. This design closes the gaps that arise from deploying PRE during the identity attribute exchange in IAM protocols. We implement the proposed design as a proof of concept within two IAM systems, namely MITREid Connect and Shibboleth. This report explains in detail how we extended both the IdP and SP web apps of the selected IAM systems, such that they can deal with the encryption, re-encryption, and decryption of identity attributes. For both IAM systems, we show that we can provide end-to-end encryption for attributes with a small number of minor changes to the original code base. Finally, we analyze our enhancement and discuss its potential. The insights and experiences from enhancing these systems with PRE will aid the development of the CREDENTIAL wallet.
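The brokered exchange the abstract describes, with the user encrypting an attribute, the IdP re-encrypting it without learning its content, and the SP decrypting it, as an added example that is not code from the report or the CREDENTIAL project. It uses the textbook BBS98 ElGamal-based PRE scheme over a toy group (p = 2**31 - 1, generator 7) and a SHAKE-256 keystream for the attribute bytes; the report's actual construction follows D4.3 and is not given in this abstract, and BBS98's re-encryption key is derived from both parties' secrets, a property a real deployment would have to avoid.

```python
# Added example (not the CREDENTIAL report's code): the brokered attribute flow
# from the abstract, using the textbook BBS98 ElGamal-style PRE over Z_p^* and a
# SHAKE-256 keystream for the attribute bytes. Toy group: p = 2**31 - 1 with
# primitive root 7 (far too small for real use; it only illustrates the flow).
import hashlib
import math
import secrets

P = 2**31 - 1          # Mersenne prime; 7 is a primitive root, so G generates Z_p^*
G = 7
ORDER = P - 1          # exponents live in Z_(p-1); secrets must be coprime to it

def _rand_exp(coprime=False):
    while True:
        x = secrets.randbelow(ORDER - 1) + 1
        if not coprime or math.gcd(x, ORDER) == 1:
            return x

def keygen():
    """Key pair; the secret is kept invertible mod ORDER so 1/sk exists."""
    sk = _rand_exp(coprime=True)
    return sk, pow(G, sk, P)

def rekey(sk_user, sk_sp):
    """BBS98 re-encryption key rk = sk_sp / sk_user (needs both secrets)."""
    return sk_sp * pow(sk_user, -1, ORDER) % ORDER

def _xor(data, key_elem):
    pad = hashlib.shake_256(key_elem.to_bytes(4, "big")).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

def encrypt(pk, attribute):
    """User side: hide a fresh payload key K in (K*g^r, pk^r); wrap the bytes with K."""
    key_elem = pow(G, _rand_exp(), P)
    r = _rand_exp()
    return key_elem * pow(G, r, P) % P, pow(pk, r, P), _xor(attribute, key_elem)

def reencrypt(rk, ct):
    """IdP side: (g^(a r))^(b/a) = g^(b r). The IdP never sees K or the attribute."""
    c1, c2, body = ct
    return c1, pow(c2, rk, P), body

def decrypt(sk, ct):
    """User (before) or SP (after re-encryption): g^r = c2^(1/sk), K = c1 / g^r."""
    c1, c2, body = ct
    g_r = pow(c2, pow(sk, -1, ORDER), P)
    return _xor(body, c1 * pow(g_r, -1, P) % P)
```

Only the second ciphertext component changes at the IdP; the wrapped attribute bytes pass through untouched, which is what keeps the exchange end-to-end confidential.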
*This deliverable will be made available after acceptance by the European Commission in late 2018.