Foreign conference paper, IEEE/IFIP Network Operations and Management Symposium

Reliability and Scalability Improvements to Identity Federations by managing SAML Metadata with Distributed Ledger Technology


Abstract

In identity federations, users assigned to identity providers (IDPs) can access applications operated by service providers (SPs) without SP-specific credentials for authentication and authorization. While OpenID Connect and SAML are the two most widely adopted federation standards, using them inherently results in a trade-off between data quality guarantees and scalability, given how they handle the Metadata about the involved IDPs and SPs. This paper presents a novel approach for federation membership and federation Metadata management based on Distributed Ledger Technology. It applies the core idea of Certificate Transparency, as known from Global-PKI certificate authorities for X.509v3 server certificates, to SAML federation Metadata; therefore, it achieves OpenID Connect's federation building flexibility without losing the significant advantages of traditional SAML federations. An implementation based on Hyperledger Fabric is used to evaluate typical use cases by measuring impacts on Metadata distribution latency and Metadata size, and to discuss the feasibility of the presented approach.