A Model for Privacy-enhanced Federated Identity Management

Notice: This research summary and analysis were automatically generated using AI technology. For authoritative detail, refer to the original arXiv paper.

Identity federations operating in a business or consumer context need to prevent the collection of user data across trust service providers for legal and business reasons. Legal reasons are given by data protection legislation. Other reasons include business owners becoming increasingly aware of confidentiality risks that go beyond traditional information security, e.g., the number of authentications to an EDI service might provide insights into the volume of invoices, from which one could derive insider information. This paper proposes extended technical controls supporting three privacy requirements: a) Limited Linkability: Two service providers cannot link data related to a user without the help of a third party, using neither an identifier nor other identifying attributes like email addresses or payment data; b) Limited Observability: An identity provider cannot trace which services a user is using without the help of a third party; c) Non-Disclosure: Attributes provided to the service provider by an attribute provider are not disclosed to the identity provider or an intermediate service broker. Using a hub-and-spoke federation style following the privacy-by-design principle, this reference architecture addresses the privacy controls mentioned above.


💡 Research Summary

The paper addresses a privacy gap in federated identity management (FIM) systems used by businesses and consumer services. Common FIM deployments based on SAML 2.0 or OpenID Connect have a central identity provider (IdP) release the same subject identifier, or identifying attributes such as an e-mail address, to every service provider (SP), which lets SPs correlate data about one user across services. (SAML persistent NameIDs and OIDC pairwise subject identifiers can vary the identifier per SP, but they do not stop the IdP from observing which SPs a user visits, nor do they hide attribute values from the IdP.) Beyond conflicting with data‑protection regulation (e.g., GDPR, CCPA), this design creates business‑level confidentiality risks: the frequency of authentications to an EDI platform, for instance, can reveal invoice volumes and give competitors insider insight.

To mitigate these risks, the authors define three privacy requirements:

  1. Limited Linkability – Two SPs must not be able to associate data about the same user without the assistance of a third party.
  2. Limited Observability – The IdP must not be able to determine which services a user is accessing without a third‑party mediator.
  3. Non‑Disclosure – Attributes supplied by an attribute provider (AP) to an SP must remain hidden from the IdP and any intermediate broker.

The proposed solution adopts a hub‑and‑spoke federation model, inserting a Service Broker (SB) as a privacy‑enhancing hub between the IdP and the SPs. The SB implements a set of technical controls that collectively satisfy the three requirements.

Pairwise Pseudonyms – Instead of a global subject identifier, the IdP generates a distinct, keyed‑hash pseudonym for each SP. The pseudonym is derived with a secret shared only between the IdP and the SB, so no two SPs can recognize the same user without the SB’s mediation; the secret also prevents an SP from recovering a low‑entropy identifier (such as an e‑mail address) by guessing inputs to an unkeyed hash.

Privacy‑Focused Token Structure – The token the IdP hands to the SB carries no audience or other SP identifier, only the authentication timestamp and validity period, so the IdP cannot learn which SP the user is contacting; the SB then issues a lightweight “privacy token” under its own signature for the target SP. That SP‑facing token must still be audience‑restricted to the SP and carry the pairwise subject, otherwise a token obtained at one SP could be replayed at another.
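The following is an added example, not code from the paper, showing the two controls above end to end: an HMAC‑based pairwise pseudonym keyed with the IdP/SB secret, the SB re‑linking a pseudonym (the “third party” step), and an SP‑facing token that binds the pseudonym to an explicit audience and expiry. The key values, SP names and user identifiers are constructed for the demo, and the HMAC over the token body stands in for the SB’s asymmetric signature described in the paper; a real deployment would use a JWS or SAML signature so SPs hold only the SB’s public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets (assumption, not from the paper). In a deployment they
# live in an HSM or secret store and are rotated by the SB's key management.
PSEUDONYM_KEY = b"idp-sb-shared-pseudonym-key-demo"  # shared by IdP and SB only
TOKEN_KEY = b"sb-token-key-demo"  # SB token key; HMAC stands in for a signature here


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_pseudonym(user_id: str, sp_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """SP-specific subject via HMAC-SHA256 over (user, SP).

    The key is what makes this unlinkable: with an unkeyed hash an SP could
    brute-force low-entropy identifiers such as e-mail addresses.
    """
    mac = hmac.new(key, f"{user_id}\x00{sp_id}".encode(), hashlib.sha256).digest()
    return _b64(mac[:16])


def broker_link(pseudonym: str, sp_id: str, known_users, key: bytes = PSEUDONYM_KEY):
    """Only a key holder (the SB) can map a pseudonym back to a user, and only by
    recomputing it over users it already knows; SPs cannot do this."""
    for user_id in known_users:
        if hmac.compare_digest(pairwise_pseudonym(user_id, sp_id, key), pseudonym):
            return user_id
    return None


def issue_sp_token(user_id: str, sp_id: str, now: int, ttl: int = 300) -> str:
    """SB issues the SP-facing token: pairwise subject, explicit audience, short life."""
    claims = {"sub": pairwise_pseudonym(user_id, sp_id), "aud": sp_id,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_sp_token(token: str, my_sp_id: str, now: int) -> dict:
    """SP-side checks: integrity first, then audience, then expiry."""
    body, _, tag = token.partition(".")
    expected = _b64(hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature invalid")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != my_sp_id:
        raise ValueError("token not issued for this SP")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: alice authenticates to sp-a; sp-b tries to reuse the token."""
    alice = "alice@example.org"
    at_a = pairwise_pseudonym(alice, "sp-a")
    at_b = pairwise_pseudonym(alice, "sp-b")
    token_for_a = issue_sp_token(alice, "sp-a", now)
    accepted = verify_sp_token(token_for_a, "sp-a", now + 10)["sub"] == at_a
    try:
        verify_sp_token(token_for_a, "sp-b", now + 10)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "pseudonyms_differ": at_a != at_b,
        "sb_can_relink": broker_link(at_b, "sp-b", [alice, "bob@example.org"]) == alice,
        "sp_a_accepts": accepted,
        "sp_b_rejects_replay": replay_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in verify_sp_token matters: audience and expiry are only meaningful on a token whose integrity has been established, so the signature is checked before any claim is read.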

Encrypted Attribute Tokens (EATs) – When an AP needs to deliver user attributes (e.g., email, role, department) to an SP, it encrypts the attribute set with the SP’s public key. The SB merely forwards the ciphertext; it never possesses the private key needed for decryption, thereby satisfying the non‑disclosure requirement.
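As an added example (not the paper's code), the exchange below plays the three roles of the EAT flow: the AP seals an attribute set to the SP's public key, the SB relays the opaque envelope, and only the SP can open it. It uses only the Python standard library: a Diffie‑Hellman hybrid scheme over the RFC 3526 group 14 parameters (transcribed here; verify against the RFC before any real use), HKDF‑style key derivation and an HMAC‑based keystream with encrypt‑then‑MAC. A production implementation would use JWE (e.g. ECDH‑ES with A256GCM) rather than this hand‑rolled cipher; the attribute values, role names and key handling are constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# RFC 3526 group 14 (2048-bit MODP), g = 2. Transcribed; verify against the RFC.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
LABEL = b"eat-v1"  # constructed context label for key derivation


def keygen(rng=os.urandom):
    """Static key pair for an SP (or ephemeral for the AP). 256-bit exponent is
    assumed sufficient for this group; the public value is g^x mod p."""
    priv = 2 + int.from_bytes(rng(32), "big")
    return priv, pow(G, priv, P)


def _kdf(shared: int):
    """HKDF-like extract-then-expand: 32-byte encryption key and 32-byte MAC key."""
    prk = hmac.new(b"eat-salt", shared.to_bytes(256, "big"), hashlib.sha256).digest()
    enc_key = hmac.new(prk, LABEL + b"\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, enc_key + LABEL + b"\x02", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (demo stand-in for AES-GCM)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal_attributes(attrs: dict, sp_pub: int, rng=os.urandom) -> dict:
    """AP side: ephemeral DH against the SP's public key, then encrypt-then-MAC."""
    eph_priv, eph_pub = keygen(rng)
    enc_key, mac_key = _kdf(pow(sp_pub, eph_priv, P))
    nonce = rng(16)
    pt = json.dumps(attrs, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    epk = eph_pub.to_bytes(256, "big")
    tag = hmac.new(mac_key, epk + nonce + ct, hashlib.sha256).digest()
    return {"epk": epk.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def broker_forward(eat: dict) -> dict:
    """SB side: relays the envelope unchanged. It holds no SP private key, so the
    only thing it can observe is the size and timing of the ciphertext."""
    return {k: eat[k] for k in ("epk", "nonce", "ct", "tag")}


def open_attributes(eat: dict, sp_priv: int) -> dict:
    """SP side: reject out-of-range ephemeral keys, verify the tag, then decrypt."""
    epk = bytes.fromhex(eat["epk"])
    eph_pub = int.from_bytes(epk, "big")
    if not 1 < eph_pub < P - 1:
        raise ValueError("ephemeral public key out of range")
    enc_key, mac_key = _kdf(pow(eph_pub, sp_priv, P))
    nonce, ct = bytes.fromhex(eat["nonce"]), bytes.fromhex(eat["ct"])
    expected = hmac.new(mac_key, epk + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(eat["tag"])):
        raise ValueError("EAT integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def demo():
    """Constructed flow: AP -> SB -> SP, with the SB also trying its own key."""
    sp_priv, sp_pub = keygen()
    sb_priv, _ = keygen()
    attrs = {"email": "alice@example.org", "role": "accounts-payable", "department": "finance"}
    relayed = broker_forward(seal_attributes(attrs, sp_pub))
    try:
        open_attributes(relayed, sb_priv)
        sb_can_read = True
    except ValueError:
        sb_can_read = False
    return open_attributes(relayed, sp_priv), sb_can_read


if __name__ == "__main__":
    print(demo())
```

The range check on the ephemeral public key is the part most often forgotten in hand‑written DH code: values such as 0, 1 or p‑1 would force a predictable shared secret, so the SP refuses them before doing any key derivation.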

Explicit Consent Management – Users interact with a consent UI hosted by the SB, granting or denying attribute release on a per‑attribute basis. Each consent decision is recorded in an append‑only, blockchain‑style ledger, providing auditability and supporting regulatory compliance.

Key Management and Trust Chain – The SB maintains a PKI that stores public keys for all SPs and APs. Key rotation, revocation, and distribution are automated, reducing operational risk and ensuring long‑term security.

The authors map these controls onto existing SAML and OIDC flows, then implement a prototype to evaluate performance and security. In benchmark tests, the privacy‑enhanced flow incurs an average authentication latency increase of about 12 % compared to the baseline, and CPU utilization rises modestly due to the additional signing and encryption steps. Despite this overhead, overall throughput remains above 95 % of the original system, showing that the privacy controls can be added without a prohibitive performance cost.

Security analysis confirms that linkability is limited as required: SP‑specific pseudonyms prevent cross‑service correlation unless the SB cooperates. Observability is limited because the IdP only sees a token that contains no SP identifier. Non‑disclosure is enforced by end‑to‑end encryption of attribute payloads to the SP’s key, so neither the IdP nor the SB can read the attribute values.

From a legal perspective, the architecture aligns with GDPR’s principles of data minimisation, purpose limitation, and privacy‑by‑design. It also reduces the exposure of business‑critical metadata, addressing concerns that go beyond traditional confidentiality threats. The paper suggests future work in multi‑broker trust propagation, lightweight cryptography for mobile clients, and scaling the blockchain‑based consent ledger. In summary, the proposed hub‑and‑spoke model with a dedicated Service Broker offers a practical, standards‑compatible pathway to privacy‑enhanced federated identity management, balancing regulatory compliance, business confidentiality, and operational efficiency.

