Zero Trust Federation: Sharing Context under User Control toward Zero Trust in Identity Federation
Koudai Hatakeyama, Daisuke Kotani, Yasuo Okabe

TL;DR
This paper introduces Zero Trust Federation (ZTF), a system that shares contextual information among entities to enable continuous, trust-based access control in identity federations, addressing limitations of RPs with sparse access data.
Contribution
It proposes a novel federation model that shares contexts via a dedicated entity and protocols, enhancing Zero Trust access control in federated environments.
Findings
Prototype implementation demonstrates feasibility.
Effective context sharing improves trust evaluation.
Applicable across multiple use-cases.
Abstract
To securely control access to systems, the concept of Zero Trust has been proposed. Access control based on the Zero Trust concept removes implicit trust and instead evaluates trustworthiness at every access request by using contexts. Contexts are information about the entity making an access request, such as the user and the device status. Consider the scenario of Zero Trust in an identity federation where the entity enforcing access control (the Relying Party; RP) does so based on the Zero Trust concept. RPs should continuously evaluate trustworthiness using contexts they collect themselves, but RPs that users rarely access cannot collect enough contexts on their own. Therefore, we propose a new federation called Zero Trust Federation (ZTF). In ZTF, contexts as well as identity are shared so that RPs can enforce access control based on the Zero Trust concept. Federated contexts are managed by a…
Taxonomy
Topics: Access Control and Trust · Privacy-Preserving Technologies in Data · Cloud Data Security Solutions
