A Survey of Identity Management Technology
Yuan Cao
School of Computer Science, National University of
Defense Technology
Changsha, Hunan, China
E-mail: dolf.cao@gmail.com
Abstract—This paper presents a survey of identity
management from the perspectives of development stages and
functions variety of Identity Management. The definition and
core concepts of identity and identity management have been
discussed deeply. Identity Management models including
isolated model, centralized model, and federated model are
grouped by components varying and functions changing.
Based on the transformation of core design principles,
paradigms of identity management are classified into network
centric paradigm, service centric paradigm, and user centric
paradigm. Comparisons of these paradigms and models have
been presented. And we give a rough classification of current
systems to the corresponding paradigms and models.
Keywords-identity management; paradigms; models
I. INTRODUCTION
People’s daily life relies on the online services more and
more for the fast development of IT Technology. Credentials
of users must be provided to the service provider (SP) in
order to prove truthfulness of their identity while using
online services. Scarcity of transparency while exchanging
people’s identity information makes it hard for the people
participate in the protection process of their personal identity
and related information, and most of these protection works
have been done by the SP.
There are two major threatens in face of user’s identity:
˄1) Identity theft [1-3], attacks on identity make the theft
easier to gain profits from the stolen identity information;
Identity theft happens a lot especially when the
authentication methods are not safe and strong enough. In
February 2008, the Consumer Sentinel, a Federal Trade
Commission (TFC) complaint database gave a statistic of
identity theft events in 2007, Consumer Sentinel received
over 800,000 consumer fraud and identity theft
complaints[4]; (2) Identity disclosure[5, 6], many of user’s
extra information may be recorded by applications and
services without notifying users, this can cause serious
information abuse. Users can’t control the extra information,
knowing nothing about who can acquire the information, and
can’t assure how these indirect receivers will use the
information.
The identities of users provided by applications and
services mainly include username/password, certificates,
tokens, biometrics [7], devices, and so on [8]. These
identities have many problems in actual use: (1)
Discommodious to use. They’re hard to support features like
single sign on (SSO) and cross domain access, and
___________________________________
978-1-4244-6943-7/10/$26.00 ©2010 IEEE

Lin Yang
The Research Institute, China Electronic Equipments &
System Engineering Corporation
Beijing, China
E-mail: yanglin61s@yahoo.com.cn
synchronizations of users’ identities while do some
operations on users (such as add new user, modify user’s
information and delete an old user) is quite hard in many
different system. (2) Low security level, they’re easy to lost
and forget especially there are so many malicious software
like key logging, phishing and pharming (DNS Poisoning)
on the Internet; (3) Low authentication strength, these
identities can’t support strong and joint authentication; 4)
low relation and correlation between identities and user
privilege.
Two broad issues exist today with regards to identity on
the Internet: safety, including security and privacy, and
convenience. Problems that exist in today’s online identity
systems can fall into one or both of these categories.
Problems of identity [9] include unreliable identification of
subjects, account management, inconsistent user experience,
and lack of federation, security weakness, and vast
propagation of sensitive information.
People bring forward Identity Management (IdM) to
protect users’ identities. The goal of IdM is to give every
entity in a system an identity, which is closely interrelated to
the entity privilege and constraints, implement access control
to the system resource. IdM supports the following
requirements: 1) end-user requirement, including self service,
SSO, security and privacy, mobility; 2) network operator
requirement, including identity management server,
flexibility and good performance, support and management
of mobility, security; 3) SP requirement; 4) administrative
requirement; 5) legal requirement.
This paper is organized as follows: in Chapter 2 gives a
detail definition and core concepts of identity and IdM;
Chapter 3 discusses the models of IdM and Chapter 4 gives a
classification of IdM paradigms; Chapter 5 presents the
conclusion.
II. DEFINITION AND CORE CONCEPTS OF IDM
As we mention IdM, we must have clear understanding of
identity and concepts of IdM.
A. Identity
It’s hard to give a precise definition of identity; the
specific definition of identity should considering different
applied environments, semantic contexts and usages of
identity. Generally, an identity is the representation of an
entity in a particular context [10] and it consists of identifiers
and credentials (attributes of identifiers, like password, user
profiles) of the users. In a long time, people treat digital
identity the same as the identity in real life [11]: 1) who we
are, name, membership, birthday; 2) our hobbies, clothes,
activities, foods; 3) our reputation, honesty, crime and so on.
But the applications and services only focus on or care about
some attributes of a user which have high relevancy with
applications and services in practice, these attributes directly
influence whether the critical processes of applications and
services can be finished or not. It’s irrational and
unnecessary to make digital identity and identity in reality
equal.
Identity has been defined as ‘the distinct character or
personality of an individual. Consists of traits, attributes, and
preferences upon which one may receive personalized
services’ [11]. Kim Cameron defines identity as ‘digital
identity refers to the aspect of digital technology that is
concerned with the mediation of people's experience of their
own identity and the identity of other people and things’ [12].
In order to give a meticulous protection, identity was divided
into nyms identity and partial identity[3, 13], nyms identity
‘gives a user an identity under which to operate when
interacting with other parties’ while partial identity
‘encompass a set of properties, such as name, birth date,
credit-card-numbers, biometrics, transaction histories,
referred to as identity attributes or identifiers, which are
associated with individuals’. And this paper [3] also divides
identity to strong identity and weak identity, while strong
identity relates to ‘uniquely identify an individual in a
population’ and weak identity refers to some common
attributes of user. The uniqueness of an identity determines
the strength of the identity; many weak identities’
combinations can be treated as a strong identity.
Based on the understanding of these definitions, we
summarize the definition of identity as follow. Identity is the
representation, proofs and credentials of user entity which
should be provide to applications and services, it’s
corresponding to particular contexts and being used by
applications and services to distinguish users from each other
and provide different privileges to different users.
B. IdM
Dabrowski and Pacyna give a definition of IdM as the
system and framework used in computer or communication
systems to control identity [14]. IdM includes trust
relationship build on identity, verification of entity
authenticity, authorization of access control, secure transfer
of identity attributes, lifecycle management of identity,
administration of work flow while exchanging identity and
federation of identity between different domains and
dynamic trust delegations. Netha [15] defines IdM as ‘an
integrated system of business processes, policies and
technologies that enables organizations to facilitate and
control user access to online applications and resources -
while protecting confidential personal and business
information from unauthorized users’. And Lee defines IdM
as the resource access control and identity information
management implemented with new technology, the goal of
IdM is to cut off the cost of manage users and their identities,
attributes and access privilege to improve productivity and
security[16]. HP OpenView [17, 18] defines IdM as ‘the set
of principles, processes, tools, and social contracts

surrounding the creation, maintenance, and use of digital
identities for people, systems, devices and services. It
combines processes and technologies to secure and manage
access to an organization's resources and assets’. Li Jian
et[19] presents IdM as follows: in order to reduce the cost of
manage users’ identities and access privilege, for the purpose
of improve security and privacy, information sharing, work
efficiency, security performance, IdM is an infrastructure of
identity authentication and authorization management
developed from new technology.
IdM integrates many technologies used in user identity
management and resource access control; it includes the
whole process of user identity creation, maintenance,
deletion which is the lifecycle of identity, in this paper, we
define IdM as follows: IdM is the policies, rules, methods
and systems that implement identity authentication,
authorization management, access control, and operation
audit based on digital identity.
C. Core Concepts
1) User, SP and IdP
The core concept of IdM includes user, SP [20] and
identity provider (IdP).
User: User is the client of both SP and IdP. User must
have a legal identity if it wants to use services. User could be
a public organization, a human, a virtual entity like software,
and so on. The only unique identity represents the user.
SP: In IdM, service provider provide services to the user,
people can use any kind of services such as e-bank and
shopping provided by SP.
IdP: IdP is the core of IdM systems. IdP provide different
trust level to different type of user, for example, an ordinary
user and a manager in a same company should have quite
different trust level. IdP mainly has two functions, first it
should implement services for users like user registration,
verification reality of user identity and user identity storage.
Second, IdP must process requests from SP and users for
authentication.
2) IdP Types
Mostly, there are four kinds of IdP while classified by
functionality:
x Credential Identity Service. This type IdP uses
credentials as user identity for user authentication.
Credentials are the proof of user, the earliest and
most popular credential is certificate based on ITU-T
X.509.
x Identifier identity service. Identifier is the
representation of user, it could be a name, an email
account or ID-Card Number assigned with user.
Identifiers could be directly or indirectly assigned
with users, an example of indirect identifier is temp
identity of the user, while user need cross domain
access, IdP always generate this kind of identity and
allocate it to the user.
x Attribute Identity Service. Attribute is the
information which can be used to describe user
identity; it could be part of credential or process of
identifier assignment, such like name, address, and
contact information and so on. The IdP should
 provide the mechanism for user identity attribute with two or more paradigms, and one paradigm may have
verification, this requires the IdP must has interface more than one type of models too.
with government supervision department.
A. Isolated Model
x Pattern Identity Service. Pattern identity means the
IdP uses patterns, reputation, honor, trust records and In isolated model, SP plays the role of service provider
history access records to descript or identify user and identity provider which means all identity storage and
identity. Some kinds of special pattern identity user operations are done by the single server. The unique
service can be used to maintain computer security, identity allocation, deletion, modification, authentication and
for example, the characteristics of an attacker model authorization are implemented in the SP. Each user will have
can be used to identify the hacker attack. separate credentials such as identity associated passwords or
The differences between these four kinds of IdP identity biometrics. SP acts as identifier provider, credential provider
service is not obvious, a credential always has a and attribute provider. This model is illustrated in Fig. 1
corresponding identifier, and this will involve both credential below.
identity service and identifier identity service. Actually, what This model is quite simple, but it has many problems,
kind of identity service should be used and whether combine with the explosive growth of online services, users have to
two or more services together always depend on what trust manage more and more identities information. More and
level the IdM need. For example, for web access and other more credentials such as usernames and passwords should be
common services, identifier identity service is enough, but managed properly by users. Lost or simply fear lost of
for high level services like online banking services, the credentials specially forgotten passwords create a huge
appropriate credentials are also needed. obstacles to usage, bringing out that many services can’t be
fully functional. The cost of Password recovery will increase
III. MODELS OF IDM the cost of SP especially if services need high security level.
Reference [21] gives a classification of IdM models
which are centralized model and federated model. With the
centralized model ‘consolidates both authentication and
attributes in only one site’ and federated model keeps and
manages each user database in every SP. In [22], the models
of IdM were categorized into isolated, centralized, and
distributed. And IdM was classified into common SP model,
isolated SP model, and personal SP model based on the
storage place of identities and SP types in [23].
When consider classification of IdM models, we think
service composition, SP types, identity storage, IdP types,
user control over identity and privacy protection as criterions.
In this paper, IdM has been classified into three types of
model, isolated model, centralized model, and federation Figure 1. Isolated model
model.
While isolated model can only provide single service to B. Centralized Model
users, all identities are stored in one single SP and IdP, the
Centralized model is implemented in a C/S model, user
functions of SP and IdP are integrated together and no
identity storage and user authentication is both implemented
privacy protection and user control of identities; Centralized
in the same servers called IdP. Different from isolated model,
model is quite similar to the isolated model, the key
this model separates functions of SP and IdP. SPs don’t store
differences between centralized and isolated models are that
user identities locally; all identities are sent to the center IdP
centralized model separates functions of SP and IdP, they are
for storage and following authentication. All SPs use the
not integrated together. The identity and credential is also
global unique IdP. This model can be implemented in many
unique in the two models.
different ways. As mentioned in [23], it includes the
In the formal two models, identities are stored centralized,
common identifier model, the meta-identifier model, and the
in the SP or IdP. This brings out problems such as identity
SSO model. Fig. 2 shows the centralized model, all the
theft, privacy protection and single point of failure.
identities of every SP are stored in IdP, when the SP need to
Federated model allows every SP to store part of users’
authenticate an user, it will send the user information to the
identities, and it can provide single sign on and cross domain
IdP to finish the process.
access with combination of different services. IdP is still
There are many IdM systems implemented in centralized
centralized and only store part of identities, it mainly
model, such as PKI [24], Kerberos [25], CAS [26] and so on
implements identities mapping and access privilege
in the early stage of IdM.
delegation. But federated model still has many shortcomings
Centralized model is suitable for the requirements of
mainly user information disclosure and privacy protection.
managing a lot of users, but it has many disadvantages, store
There are no collisions between classifications of IdM
all identities in only one IdP mainly brings the problem of
models and paradigms, one model could be implemented


privacy protection. It can’t support user privilege delegation
and cross domain access well.
Figure 2. Centralized model
C. Federated Model
The centralized model requires all users in the same
domain, but users always need cross domain or network
access. The federated model integrates different domains
together and makes it as a global unique domain virtually.
Federation can be defined as the set of agreements,
standards and technologies that enable a group of SPs to
recognize user identities from other SPs with in a federated
trust domain [27]. Protocols include policy and technology
standards are established between SPs so that identities from
different identity domains can be recognized over all
domains. There is a mapping among different identifiers
owned by the same user in different domains, this mapping
makes that users from one domain can access services in
another domain securely and seamlessly, and no need for
other authentications. When a user is authenticated to one SP
using one of their identifiers, they are considered to have
been identified and authenticated with all the other service
providers as well. Users can still have separate identifiers for
different SPs. While users want to access all services in the
federated domain, a single identifier and credential is enough.
SSO in federated and centralized model is quite different;
federated model supports cross domain SSO while
centralized model only implements SSO in one domain.
The federated model is illustrated in Fig. 3. As we can
see, all user identifiers and credentials can play the role of
Global Virtual Identity; the whole IdM system is transparent
to the user and acts as a Global Virtual SP. Every SP can
store user identities locally and have its own identity
database; the IdP only has a limited identity database for the
purpose of federation.
Protocols, standards and systems for federated model
include the OASIS [28] Security Assertion Markup
Language (SAML) [29], WS-Federation [30], and the
Liberty Alliance framework [31]. Shibboleth [32] is an open
source project of the federated model.

Figure 3. Federated model
Many papers have discussed problems and challenges
that federated model faced. Reference [33] discuss
shortcomings of federated model which are limitations to
web services, persistent data storage, federation security and
privacy control, syntax and semantics of attributes. For the
first one – limitation to web services seems has been solved,
federated model now supports not only web services but also
some not fully web enabled services like file storage and so
on. As the appearance of cloud storage, persistent data
storage seems has been solved too. But federation security
and privacy control, semantics of attributes still are the
problems federated model faces today. Based on identity
lifecycle which includes identity issuance, identity usage,
identity modification, and identity revocation, Bertino
discusses shortcomings of federated model [34]. In the
identity issuance stage, whether the identity has been
correctly enrolled and stored in the IdP is not sure. Identity
usage always faces problems of misusage. It’s not that
flexible to update or modify user identities. Current federated
models lack effective mechanisms to keep consistency and
correctness of user information while revoke a user.
Balasubramaniam gives the challenges of current federated
IdM systems which are establishing trust between IdPs,
providing identity token translation services, synchronizing
identity information across IdPs, agreeing with federation
partners on data ownership issues, minimizing risk and
financial implications, ensuring compliance with regulatory
requirements, preventing privacy violations, agreeing on
governance policies and enforcement [35].
D. Summary
In this section, considering SP type, IdP type, service
composition, cross domain access, identity storage, user
control over identity and privacy protection aspects in IdM
models, we give a comparison of the formal three models
and it’s summarized in Table II.
As we can see in the table, isolated model only supports
integrated single SP while SP is IdP and single service; it
doesn’t support cross domain access and user control over
identity; Identities are stored on SP (IdP) and nearly has no
privacy protection. Centralized model supports multi SPs but
only single IdP, it supports multi services composition but
TABLE I.
Service
Model SP Type IdP Type
Composition
Single SP and Single IdP and
Isolated Sole service
IdP, SP is IdP SP, IdP is SP
Multi services but
Centralized Multi SPs Single IdP
in the same domain
Multi services form
Federated Multi SPs Multi IdPs
multi domains
IV. PARADIGMS OF IDM
Mullyniemi[36] gives a rough division of IdM systems
based on the intended domain and magnitude of the existing
IdM solutions. The division contains three subcategories:
federated IdM, small-scale IdM and proprietary IdM.
Although the division is very rough, it provides a very
good view of IdM systems. In this paper, according to the
development stages of IdM and transfer of IdM core subject,
we think there are three paradigms of IdM, mainly including
network centric paradigm, service centric paradigm and user
centric paradigm. These paradigms are not isolated with each
other; links among them are close although there are clear
boundaries among each other.
A. Network Centric Paradigm
Network centric paradigm occurs in the early
development stage of IdM technology. It has been widely
used and been proved to be effective in the early network
centric services and applications. In this paradigm, identity
creation, management and deletion have nothing to do with
the access or entitlements; the IdM System is established and
operated by a single entity for a fixed user and resource
community. It’s not service-related or user-related. An
example of network centric paradigm IdM is a Microsoft
Windows domain [37] governed by a set of predefined
administrators and domain controller (DC) servers.
In this paradigm, identity model can be derived from a
small set of axiomatic principles, such as ever identity in an
abstract namespace is unique and distinctive; every entity has
its corresponding identity. This paradigm doesn’t consider
the identity application scenarios, and doesn’t subject to the
restrictions of the applying scenarios. An entity may have
several identities; every identity may have several identifiers
or attributes.
Network centric paradigm has many limitations. It
doesn’t support attributes extension and federation, and the
semantics of the attributes haven’t been take into
consideration. People gradually give up the network-centric
IdM for these reasons in real applications and services.
limited to a single domain; cross domain access and user
control over identity have little support; it has some
mechanisms in privacy protection but not that strong.
Federated model supports multi SPs, multi IdPs and multi
services from different domains; It can provide fully support
of cross domain access and give users a lot of control on
their identities; identities in this model can be stored on both
SPs and IdPs and this model provide strong privacy
protection mechanisms.
COMPARISON OF IDM MODELS
User
Cross Domain Identity
Control over Privacy Protection
Access Storage
Identity
Few and very weak
No support On SP No control
protection
Limited support On IdP Few control Much but weak protection
Nearly fully On both SPs Much and strong
Much control
support and IdPs protection
B. Service Centric Paradigm
As more and more services are provided for users on the
Internet or locally available, sometimes SPs should have the
ability to dynamically determine which service users should
use especially when services are added to an IdM system
dynamically. It’s hard to implement this feature in network
centric paradigm IdM.
Service centric paradigm IdM is composed of services
from different providers across multiple domains; these
services are not necessarily under control of their providers.
This paradigm can achieve dynamic replacement of services.
Paper [38] gives a good example of calendar service, if users
need to access the calendar service on line, the actual
calendar being accessed (e.g., Google Calendar, Microsoft
Exchange) will depend on the preference of the specific user.
If a new calendar service enters into the market, service
centric paradigm IdM have to adapt this new service at
runtime. Moreover, this paradigm should provide a way for
the user to dynamically and explicitly delegate his access
rights to the new calendar service.
In service centric paradigm IdM, organizations will
evolve their systems to provide more and more services, so
IdM can offer a broader range of applications and becomes
more critical. The scope of IdM extends to all online
resources in an organization, including devices, network
equipments, servers, portals, content, applications and
products, user credentials, address directory, authorization,
and telephone numbers.
There are two challenges in implementing service centric
IdM paradigm mainly. First, it’s hard to achieve composition
of services from different SPs and domains, these services
may have quite different access control mechanisms and
trust levels; second, delegations of users’ access rights from
one service to another are not easy and users’ behaviors is
hard to track and control.
C. User Centric Paradigm
Service centric IdM paradigm can support functions like
SSO, access delegation and so on which can facilitate users

at a certain degree, but users are not the central of the
paradigm, they can’t take part in the protection of their
identities.
User centric IdM paradigm treats users as the central and
it’s the principle of design IdM. This paradigm shifts the
control of digital identities from SPs to the users by putting
the users into the middle of transactions between identity
providers and relying parties. By allowing users to control
their own identities, users can decide which identities are
needed to share with other trusted parties and under certain
circumstance.
This paradigm makes a satisfaction of users’ all
requirements; implements life cycle management of user
identities, privacy protection and identities disclosure.
There are many projects trying to implement user centric
paradigm: OpenID [39, 40], Windows CardSpace [41], and
Lightweight Identity (LID) [23], Simple Extensible Identity
Protocol (SXIP) [42], Higgins [43] and so on.
D. Summary
The network centric paradigm IdM has always been used
in the early stage of Internet applications and services, and
IdM is not the core but play a supplementary role in
applications and services. IdM issues are not been taking into
consideration in the design of applications and services
specially security aspects of IdM itself. By the network's
TABLE II.
Paradigm Centralized Trust Domain
Authentication
capacity constraints, people pay little attention to IdM and it
doesn’t exposed many problems in the initial stage of
network applications and services.
As the popularity of network applications and services,
more and more people use these services and problems such
as cross domain access, SSO and privacy protection were
exposed in the IdM, and so service centric IdM paradigm
was proposed based on network centric IdM paradigm in
order to solve these problems. This paradigm composes
some services and can provide better and unified user
experience and solves cross domain access problems. But
privacy protection and identity life cycle management
haven’t been well implemented. So user centric paradigm
comes out.
In fact, service centric paradigm has solved many
problems in IdM, but users still have little control on their
identities and user experience is not that good. The main
difference between user centric and service centric paradigm
is what the core of IdM is, user or service.
In this section, we give a comparison of these three
paradigms of IdM from three aspects: centralization, trust
domain and identity handling methods which includes
authentication method, identity number scale, identity
uniqueness, and credentials transmission. Table  gives the
comparison of these paradigms.
COMPARISON OF IDM PARADIGMS
Identity Handling
Identity Number Scale Identity Uniqueness Credentials Transmission

Few transmission, face

problems of credentials
Single Unique; a single
Network Centric Centralized Sole Small scale disclosure and privacy
Method identity
protection, and no
solution
Support of Many transmission, face
Centralized many problems of credentials
Unique; Main
combine with centralized disclosure and privacy
Service Centric Multiple Large scale identity and some
partly and few protection, but security
affiliated identities
distributed distributed than network centric
mehods paradigm
Lots of transmission, face
Support of
problems of credentials
Centralized centralized Unique; Main
disclosure and privacy
User Centric combine with Multiple and Large scale identity and some
protection, but security
distributed distributed affiliated identities
than service centric
mehods
paradigm
IdPs, identity storage methods, whether to support cross
V. CONCLUSION domain access or not, user control over identity, and
This paper briefly summarizes the development of IdM privacy protection.
technology; we first examine the definition and core IdM technology still faces many formidable challenges.
concepts of IdM, then three paradigms has been bring Obstacles to the development of IdM come from the
forward which are network centric paradigm, service original technology, systems, architecture and even in the
centric paradigm, and user centric paradigm based on the habit of users. Secure user information exchanging among
core design principles transmission of IdM and growing different SPs and IdPs is still a hot point of current
importance of IdM in services and applications. While research and has many difficulties in practice; privacy
considering different implementations of IdM, we protection is always a serious problem from the beginning
classified current IdM protocols, standards, and systems of IdM coming out and is quite hard to overcome.
into three models – isolated model, centralized model, and
federated model based on functions variety of SPs and


 REFERENCES
[1] E. Aaron, "Online Identity Theft: Phishing Technology,
Chokepoints and Countermeasures," http://www.antiphishing.org/
Phishing-dhs-report.pdf, 2005
[2] Daniel J. Solove, "Identity Theft, Privacy, and the Architecture of
Vulnerability," Hastings Law Journal, Vol 54, pp. 1227, 2003.
[3] B. Elisa, P. Federica, and S. Ning, "Keynote2: Digital Identity
Protection - Concepts and Issues," Proc. International Conference
on Availability, Reliability and Security (ARES 09.), Fukuoka,
Japan, 2009
[4] Consumer fraud and Identity Theft complaint Data, Federal Trade
Commission. http://www.ftc.gov/opa/2008/02/fraud.pdf, February
2008.
[5] D. Zhu, X. Li, and S. Wu, "Identity disclosure protection: A data
reconstruction approach for privacy-preserving data mining," J.
Decision Support Systems, vol. 48, pp. 133-140, December 2009.
[6] K. Bai, Y. Liu, and P. Liu.,"Prevent Identity Disclosure in Social
Network Data Study," unpublished, 2009.
[7] J.L.Wayman, "Biometrics in Identity Management Systems,"
Security & Privacy, IEEE, Vol 6, pp. 30-37, April 2008.
[8] T.A. Johansen, I. Jrstad, and D.V. Thanh, "Identity management in
mobile ubiquitous environments," Proc. 3rd International
Conference on Internet Monitoring and Protection (ICIMP 2008),
pp. 178-183, 2008.
[9] W. Tsui, "Digital Identity Management on the Internet,"
http://zoo.cs.yale.edu/classes/cs457/tsui_digital_identity_managem
ent.doc, unpublished, April 2006.
[10] A. Jøsang, M. AlZomai, and S. Suriadi, , "Usability and Privacy in
Identity Management Architectures," In Australasian Information
Security Workshop: Privacy Enhancing Technologies, Ballarat,
Australia. 2007.
[11] T. E. Maliki, J.Seigneur, "A Survey of User-centric Identity
Management Technologies," In International Conference on
Emerging Security Information, Systems and Technologies,
Valencia. 2007.
[12] K Cameron, "The Laws of Identity," http://ts-
si.org/files/TheLawsOfIdentity.pdf. 2005.
[13] E. Damiani, S.D. diVimercati, and P. Samarati, "Managing
multiple and dependable identities," Internet Computing, IEEE, vol
7, pp. 29-37, December 2003.
[14] M. Dabrowski, and P. Pacyna, "Generic and complete three-level
identity management model," In 2nd International Conference on
Emerging Security Information, Systems and Technologies, Cap
Esterel. 2008.
[15] National E-Health Transition Authority, http://www.nehta.gov.au/
[16] S.C. Lee,, "An Introduction to Identity Management,"
http://www.sans.org/reading_room/whitepapers/authentication/intr
oduction-identity-management_852. 2003.
[17] HP OpenView Identity Management solution Business blueprint,
http://h41087.www4.hp.com/solutions/entreprises/grandes_entrepr
ises/openview/pdf/im_bb.pdf
[18] HP OpenView Identity Management Solution Whitepaper,
http://www.cbinews.com/uploadfile/whitepaper/2007-01-
30/30160032.pdf
[19] J. Li, Chang, C.X. Shen, H. Zhen, Y.Z. He, and Y. Liu, "Survey of
research on identity management," Computer Engineering and
Design, vol 30, pp. 1365, 2009.
[20] H. Koshutanski, M. Ion, and L. Telesca,, "Distributed Identity
Management Model for Digital Ecosystems," Proc. The

International Conference on Emerging Security Information,
Systems, and Technologies (SecureWare 2007), Valencia, pp. 132-
138, 2007.
[21] T. Miyata,, Y. Koga,, P. Madsen,, and S. Adachi,, "A Survey on
Identity Management Protocols and Standards," IEICE -
Transactions on Information and Systems, vol E89-D, pp. 112-123,
January 2006
[22] G. Ahn,, and M. Ko,, "User-centric Privacy Management for
Federated Identity Management," in Collaborative Computing:
Networking, Applications and Worksharing (CollaborateCom
2007), pp. 187-195, New York, November 2007.
[23] A. Jøsang, and S. Pope, "User centric identity management," In
Australian Computer Emergency Response Team Conference,
Royal Pines Resort, Australia. 2005.
[24] PKI, http://archive.opengroup.org/public/tech/security/pki
[25] Kerberos, http://web.mit.edu/kerberos/
[26] CAS, http://www.jasig.org/cas
[27] Federated identity, http://en.wikipedia.org/wiki/Federated_identity
[28] OASIS, http://www.oasis-open.org
[29] SAML, http://www.oasis-open.org/committees/tc_home.php?wg_a
b brev= security
[30] WS-Federation,
http://www.ibm.com/developerworks/library/specification/ws-fed/
[31] Liberty Alliance, http://kantarainitiative.org/
[32] Shibboleth, http://shibboleth.internet2.edu/
[33] W. Hommel, and H. Reiser, "Federated Identity Management :
Shortcomings of existing standards," In 9th IFIP/IEEE
International Symposium on Integrated Network Management,
Nice, France. 2005.
[34] E. Bertino, F. Paci, and N. Shang, "Digital Identity Protection -
Concepts and Issues," In 4th International Conference on
Availability, Reliability and Security, Fukuoka, Japan. 2009.
[35] S. Balasubramaniam, G.A. Lewis, E. Morris, S. Simanta, and D.B.
Smith, "Identity Management and its Impact on Federation in a
System-of-Systems Context," Proc. IEEE International Systems
Conference, pp. 179-182, 2009.
[36] A. Myllyniemi, "Identity Management Systems: A Comparison of
Current Solutions," TKK T-110.5290 Seminar on Network
Security, December, 2006.
[37] Windows Server domain,
http://en.wikipedia.org/wiki/Windows_Server_domain
[38] L. Bussard, D.E. Nitto, A. Nano, O. Nano, and G. Ripa, "An
Approach to Identity Management for Service Centric Systems,"
Proc. 1st European Conference (ServiceWave 2008), Madrid,
Spain, pp. 254-265, 2008.
[39] OpenID, http://openid.net/
[40] D. Recordon, and D. Reed, "OpenID 2.0: a platform for user-
centric identity management," Conference on Computer and
Communications Security, Proc. 2nd ACM workshop on Digital
identity management , pp. 11-16, Alexandria, Virginia, USA, 2006.
[41] H. Jo, H. Lee, K. Chun, and H. Park, "Interoperability and
Anonymity for ID Management Systems," 11th International
Conference on Advanced Communication Technology (ICACT
2009), pp. 1257-1260, 2009.
[42] SXIP, http://www.sxip.com/
[43] Higgins, http://www.eclipse.org/higgins/