Privacy Protected Authentication and Authorisation

Combined Session
Thursday, May 12, 2011 16:30—17:30
Location: Alpsee

CardSpace in the Cloud describes a web-based federated identity management system which is based on the user-centric approach of the Information Card model, but has been significantly enhanced to remove many of the problems inherent in Microsoft’s original design. The new design is an alternative to U-Prove and Idemix credentials, and uses existing SAML 2 federations and assertions. Our model supports privacy protection of the user attributes, user mobility and the aggregation of multiple claims from different identity providers (IdPs), whilst requiring the user to authenticate via just one of his IdPs. Furthermore, no constraints are placed on the authentication mechanism that is used by this IdP. The level of assurance (LoA) of the authenticating IdP is built into the design.

All this is achieved by introducing a new component, the Linking Identity Selector, which can run anywhere in the cloud and allows the user to select multiple cards at service provision time. Users can then use the combined set of credentials to access a wider range of web-based resources. We describe a use case which allows the user to present a credit card, a self-asserted card, a hotel loyalty card and a frequent flyer card in order to make an online hotel booking, using voice biometrics for authentication.

Ronny Bjones
Microsoft
Ronny Bjones is currently working for Microsoft Corporate as senior architect in the identity & security division. Ronny joined Microsoft in 2002 to contribute to trustworthy computing. Later...
Dr. David Chadwick
University of Kent / Verifiable Credentials Ltd.
Prof David Chadwick has been working in identity management for over 20 years and has written over 100 papers on the topic. He was the chief architect and designer of the PERMIS open source...
Dr. Gregory Neven
IBM Research - Zurich
Gregory Neven is a research scientist at IBM Research - Zurich in Switzerland. His main research topics are provably secure cryptography and privacy policy languages, in which fields he has...