Identity federation is a powerful scheme that links accounts of users maintained distinctly by different business partners. The concept of network identity is a driver for accelerating automation of Web Services on the Internet for users on their behalf while protecting privacy of their personally identifiable information. Although users of Web Services essentially delegate some or all privileges to an entity to perform actions, current identity based systems do not take into sufficient consideration delegation between entities hosting Web Services from a viewpoint of identity and privacy. This paper introduces a delegation model for federated identity management systems and proposes a delegation framework to provide solutions for access control in the context of delegation. The framework has a function of transferring user's privileges across the entities encoded in delegation assertion extending SAML (Security Assertion Markup Language). The framework enables users to manage their own privileges, and service providers to control access of entities based on delegated privileges by the users with assistance of a delegation authority that authorizes delegation of a delegating entity and an authentication authority that authenticates a user and manages user's name identifiers.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Martín Abadi , Michael Burrows , Butler Lampson , Gordon Plotkin, A calculus for access control in distributed systems, ACM Transactions on Programming Languages and Systems (TOPLAS), v.15 n.4, p.706-734, Sept. 1993  [doi>10.1145/155183.155225]
	2	M. Ahsant, J. Basney, and O. Mulmo." "Grid Delegation Protocol".In Proceedings of the Workshop on Grid Security Practice and Experience July 2004.
	3	Olav Bandmann , Babak Sadighi Firozabadi , Mads Dam, Constrained Delegation, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.131, May 12-15, 2002
	4	BEA, IBM, Microsoft, RSA Security, and VeriSign. "Web Services Federation Language (WS-Federation)". Version 1.0, July 2003.
	5	Óscar Cánovas , Antonio F. Gómez, Delegation in Distributed Systems: Challenges and Open Issues, Proceedings of the 14th International Workshop on Database and Expert Systems Applications, p.499, September 01-05, 2003
	6	David W. Chadwick , Alexander Otenko, The PERMIS X.509 role based privilege management infrastructure, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507732]
	7	Feng Xu , Guoyuan Lin , Hao Huang , Li Xie, Role-Based Access Control System for Web Services, Proceedings of the The Fourth International Conference on Computer and Information Technology (CIT'04), p.357-362, September 14-16, 2004
	8	IBM, Microsoft, Actional, BEA, Computer Associates, Layer 7, Oblix, OpenNetwork, Ping Identity, Reactivity, and Verisign. "Web Services Trust Language (WS-Trust)", February 2005.
	9	SangYeob Na , SuhHyun Cheon, Role delegation in role-based access control, Proceedings of the fifth ACM workshop on Role-based access control, p.39-44, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344300]
	10	G. Navarro, B. Fironzabadi, E. Rissanen, and J. Borrell. "Constrained Delegation in XML-based Access Control and Digital Rights Management Standards". In Proceedings of Communication, Network, and Information Security (CNIS '03)2003.
	11	OASIS. "Web Services Security: SOAP Message Security 1.0". OASIS Standard, March 2004.
	12	OASIS. "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)V2.0". OASIS Standard, March 2005.
	13	OECD. "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data", 2004.http://www.oecd.org/document/18/0,2340, en_2649 201185_1815186_1_1_1_1,00.html
	14	OPA. "Guidelines for Online Privacy Policies". http://www.privacyalliance.org/resources/ppguidelines.shtml
	15	Liberty Alliance Project. "Liberty ID-FF Protocols and Schema Specification".Version 1.2, November 2003.http://www.projectliberty.org/specs
	16	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
	17	D. Shin, G. Ahn, and P. Shenoy. "Ensuring Information Assurance in Federated Identity Management". In Proceedings of IEEE Internatinal Performance Computing and Communications Conference (IPCCC '04)April 2004.
	18	The Globus Security Team. "Globus Toolkit Version 4 Grid Security Infrastructure:A Standards Perspective". Version 2, December 2004.
	19	W3C. "Web Services Description Language (WSDL) 1.1". W3C Note, March 2001. http://www.w3.org/TR/wsdl
	20	W3C. "The Platform for Privacy Preferences 1.0 (P3P1.0)Specification". W3C Recommendation, April 2002.http://www.w3.org/TR/P3P/
	21	W3C. "SOAP Version 1.2 Part 0:Primer". W3C Recommendation, June 2003. http://www.w3.org/TR/soap12-part0/
	22	Jun Wang , David Del Vecchio , Marty Humphrey, Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services, Proceedings of the IEEE International Conference on Web Services (ICWS'05), p.67-74, July 11-15, 2005  [doi>10.1109/ICWS.2005.59]
	23	V. Welch, I. Faster, C. Kesselman, O. Mulmo, L. Pearlman, S. Tuecke, J. Gawor, S. Meder, and F. Siebenlist. "X.509 Proxy Certificates for Dynamic Delegation". 3rd Annual PKI R&D Workshop 2004.
	24	Longhua Zhang , Gail-Joon Ahn , Bei-Tseng Chu, A rule-based framework for role based delegation, Proceedings of the sixth ACM symposium on Access control models and technologies, p.153-162, May 2001, Chantilly, Virginia, United States  [doi>10.1145/373256.373289]