Anil John
Making Digital Services Secure and Trustworthy

Anil John

Context and Identity Resolution

 Tweet  Share  Comment  Print  Email

If identity is defined as a set of attributes that uniquely describe an individual, identity resolution is the confirmation that an identity has been resolved to a unique individual within a particular context. In a federation environment, identity resolution is a means to an end; namely user enrollment. This blog post looks at identity resolution in two separate contexts, at the identity proofing component and at the RP.

My earlier blog post on Identity Establishment, Verification and Validation provided a description of those terms. Given that, some things to keep in mind:

  • Verification and validation are two separate functions. Validation is typically performed as a subset of verification.
  • Verification and validation could be done by different providers but are typically done by a single “identity proofing component” (e.g. CSP or IM)
  • An identity proofing component must be able to resolve to a unique individual, within its context, before performing a verification and/or validation function
  • A RP is responsible for resolving an identity to a unique individual within its context
  • The context of the identity proofing component could be the entire population of the U.S, while the context of the RP is the set of identity records it holds

This leads to the following question. Given the different contexts, is the set of attributes required by the RP for identity resolution the same as the set of attributes used by the identity proofing component when it does identity resolution?

Some initial thoughts that may lead to an answer:

  • If the attributes are self-asserted to the RP by the individual, and it passes them to the identity proofing component, there has to be prior agreement that the information passed is enough for the identity proofing component to do the resolution, verification and validation
  • If the identity proofing component performs the resolution, verification and validation first, it determines the mechanisms and sources used, and the verified attributes sent to the RP could be a subset of what the identity proofing component holds


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog ( The opinions expressed here are my own and do not represent my employer’s view in any way.

By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a Public Interest Technologist. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone