The National Cybersecurity Center of Excellence (NCCoE) at NIST has released a Building Block White Paper "Privacy-Enhanced Identity Brokers"

"An Identity Broker can provide business value to both RPs and IdPs since each RP and IdP only needs to integrate with the identity broker once. The value to the RP is quite simple: connect once (to the identity broker) and accept many types of credentials. Yet the identity broker may raise risks to individual privacy; the broker, if deployed incorrectly, is in a significant position of power, as it creates the potential to track or profile an individual’s transactions. In addition, it could gain insight into user data it does not need in order to perform the operations desired by IdPs and RPs.

Privacy Enhancing Technologies (PETs) are tools, applications, or automated mechanisms which—when built into software or hardware—reduce or eliminate adverse effects on individuals when their personal information is being collected and/or processed. PETs implemented by identity brokers can reduce the risk of superfluous exposure of individuals’ information to participant organizations that have no operational need for the information, as well as shrink the attack surface for unauthorized access.

This document describes the technical challenges unique to integrating Privacy Enhancing Technologies with Identity Brokers. It suggests scenarios suited for exploring the tradeoffs of mitigating or accepting specific privacy risks. Ultimately, this project will result in a publicly available NIST Cybersecurity Practice Guide—a description of the practical steps needed to implement a reference architecture that addresses existing challenges in the current identity broker marketplace."

The complete document can be found at: https://nccoe.nist.gov/sites/default/files/nccoe/Privacy_Enhanced_Identity_Brokers_Building_Block_WP.pdf
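To make the "superfluous exposure" point above concrete, here is a small added example (my own illustration, not code from the NCCoE white paper or any reference architecture) of two PETs a broker can apply before forwarding an IdP assertion to an RP: attribute minimization against the RP's declared operational need, and a pairwise pseudonymous subject identifier so two RPs cannot correlate the same user through the broker-issued identifier. All names, URLs, attributes and the broker key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data (not from the white paper): one IdP assertion and a
# registry in which each RP declares the attributes it operationally needs.
IDP_ASSERTION = {
    "issuer": "https://idp.example.org",
    "subject": "alice@idp.example.org",
    "attributes": {
        "given_name": "Alice",
        "family_name": "Smith",
        "email": "alice@example.org",
        "date_of_birth": "1990-05-17",
        "home_address": "1 Main St",
        "assurance_level": "IAL2",
    },
}

RP_REGISTRY = {
    "https://benefits.example.gov": {
        "required_attributes": ["given_name", "family_name", "date_of_birth"],
    },
    "https://forum.example.com": {"required_attributes": ["email"]},
    # Declares an attribute the IdP never asserts, to show the failure path.
    "https://payroll.example.com": {"required_attributes": ["email", "ssn"]},
}

# Hypothetical broker-held secret; in practice this lives in an HSM/KMS.
BROKER_PAIRWISE_KEY = b"constructed-example-key-do-not-reuse"


def pairwise_pseudonym(idp_subject: str, rp_id: str,
                       key: bytes = BROKER_PAIRWISE_KEY) -> str:
    """Identifier that is stable for one (user, RP) pair but unlinkable across
    RPs by anyone who does not hold the broker key (HMAC-SHA256, hex)."""
    msg = f"{idp_subject}\x00{rp_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def broker_assertion(assertion: dict, rp_id: str,
                     registry: dict = RP_REGISTRY) -> dict:
    """Build the assertion the broker forwards to rp_id.

    Only attributes the RP registered as required are copied through; the
    IdP's subject identifier is replaced by a per-RP pseudonym. Unregistered
    RPs (KeyError) and unsatisfiable requirements (ValueError) are refused
    rather than forwarded with whatever happens to be available.
    """
    rp = registry[rp_id]
    required = rp["required_attributes"]
    available = assertion["attributes"]
    missing = [name for name in required if name not in available]
    if missing:
        raise ValueError(f"IdP assertion lacks required attributes: {missing}")
    minimized = {name: available[name] for name in required}
    return {
        "audience": rp_id,
        "subject": pairwise_pseudonym(assertion["subject"], rp_id),
        "attributes": minimized,
        "original_issuer": assertion["issuer"],
    }


if __name__ == "__main__":
    for rp in ("https://benefits.example.gov", "https://forum.example.com"):
        print(rp, broker_assertion(IDP_ASSERTION, rp))
```

Note what this does and does not mitigate: the RPs receive only what they declared a need for, and neither RP can join its records to the other's on the subject identifier. The broker itself, however, still sees the full IdP assertion and holds the key that links every pseudonym back to the IdP subject, which is exactly the "position of power" the white paper warns about; limiting the broker's own view requires further measures (for example, attributes encrypted by the IdP for the RP so the broker only routes them), which this example does not attempt.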

