If identity is defined as a set of attributes that uniquely describe an individual, identity resolution is the confirmation that an identity has been resolved to a unique individual within a particular context. In a federation environment, identity resolution is a means to an end; namely user enrollment. This blog post looks at identity resolution in two separate contexts, at the identity proofing component and at the RP.
My earlier blog post on Identity Establishment, Verification and Validation provided a description of those terms. Given that, some things to keep in mind:
- Verification and validation are two separate functions. Validation is typically performed as a subset of verification.
- Verification and validation could be done by different providers but are typically done by a single “identity proofing component” (e.g. CSP or IM)
- An identity proofing component must be able to resolve to a unique individual, within its context, before performing a verification and/or validation function
- A RP is responsible for resolving an identity to a unique individual within its context
- The context of the identity proofing component could be the entire population of the U.S, while the context of the RP is the set of identity records it holds
This leads to the following question. Given the different contexts, is the set of attributes required by the RP for identity resolution the same as the set of attributes used by the identity proofing component when it does identity resolution?
Some initial thoughts that may lead to an answer:
- If the attributes are self-asserted to the RP by the individual, and it passes them to the identity proofing component, there has to be prior agreement that the information passed is enough for the identity proofing component to do the resolution, verification and validation
- If the identity proofing component performs the resolution, verification and validation first, it determines the mechanisms and sources used, and the verified attributes sent to the RP could be a subset of what the identity proofing component holds
- Identity Establishment, Verification and Validation
- If You Don't Plan For User Enrollment Now, You'll Hate Federation Later. Redux.
- Here Be Dragons - Social Security Number and Federation User Enrollment
- IDMGOV INFO: FICAM TFS TEM on Identity Resolution Needs for Online Service Delivery
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.