Key Concepts

The central concept of the OLYMPUS framework is the distributed virtual IdP (vIdP), which replaces the traditional IdP.

A traditional IdP is given a username and password (or a similar type of credential) and produces an access token. The access token may then be used by third parties, i.e. service providers, to verify the identity of the user.

In the OLYMPUS framework, the traditional IdP is replaced by a vIdP consisting of two or more OLYMPUS partial IdPs (pIdPs). By distributing the IdP functionality across the vIdP, the OLYMPUS framework offers distributed password verification (where a single pIdP never learns the user's password) and distributed signatures (where all pIdPs must cooperate in order to produce a valid access token). These features force an attacker to compromise _all_ pIdPs in the vIdP setup in order to impersonate users or learn their passwords, improving security compared to a traditional IdP.
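To make the "all pIdPs must cooperate" property concrete, here is an added toy model (not OLYMPUS code, and not the OLYMPUS protocol) of the distributed-signature side only. It assumes a vIdP of n pIdPs that each hold their own key and contribute a partial MAC over the token payload, and a service provider that accepts a token only when every pIdP's contribution verifies. The class names, the HMAC-based token format and the fact that the service provider holds the pIdP keys are all assumptions made for illustration; a real deployment would use public-key verification, and the distributed password verification is not modelled here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration of an n-of-n virtual IdP. Names, token layout and
# key handling are assumptions for this example, not the OLYMPUS protocol.


class PartialIdP:
    """One pIdP: holds its own signing key and contributes one partial MAC."""

    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)  # never shared with other pIdPs

    def partial_mac(self, payload: dict) -> str:
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()


class VirtualIdP:
    """The vIdP: the set of pIdPs. A token carries a MAC from every one of them."""

    def __init__(self, pidps):
        self.pidps = list(pidps)

    def issue_token(self, username: str) -> dict:
        payload = {"sub": username}
        return {
            "payload": payload,
            "macs": {p.name: p.partial_mac(payload) for p in self.pidps},
        }


class ServiceProvider:
    """Relying party: accepts a token only if every pIdP's MAC verifies."""

    def __init__(self, pidps):
        # Assumption of this toy model: the service provider holds each pIdP's
        # MAC key. A real system would hold public verification keys instead.
        self.keys = {p.name: p.key for p in pidps}

    def verify(self, token: dict) -> bool:
        msg = json.dumps(token["payload"], sort_keys=True).encode()
        macs = token.get("macs", {})
        # Every configured pIdP must have contributed; nothing extra, nothing missing.
        if set(macs) != set(self.keys):
            return False
        return all(
            hmac.compare_digest(
                hmac.new(self.keys[name], msg, hashlib.sha256).hexdigest(), macs[name]
            )
            for name in self.keys
        )


def token_from_subset(pidps, cooperating, username: str) -> dict:
    """Build a token using only the pIdPs in `cooperating`.

    Models the page's claim: whoever controls fewer than all pIdPs can only
    fill the remaining slots with values that will not verify.
    """
    payload = {"sub": username}
    macs = {}
    for p in pidps:
        if p.name in cooperating:
            macs[p.name] = p.partial_mac(payload)
        else:
            macs[p.name] = secrets.token_hex(32)  # not computable without the key
    return {"payload": payload, "macs": macs}


def demo(n_pidps: int = 3):
    """Returns (all cooperate, all but one cooperate, subset == all) verification results."""
    pidps = [PartialIdP(f"pIdP{i}") for i in range(n_pidps)]
    vidp = VirtualIdP(pidps)
    sp = ServiceProvider(pidps)
    honest = sp.verify(vidp.issue_token("alice"))
    all_but_one = sp.verify(
        token_from_subset(pidps, {p.name for p in pidps[:-1]}, "alice")
    )
    every_one = sp.verify(token_from_subset(pidps, {p.name for p in pidps}, "alice"))
    return honest, all_but_one, every_one


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The service provider's `verify` shows the check a relying party would want: it rejects a token as soon as any single pIdP's contribution is absent or wrong, so a compromise of n-1 pIdPs does not yield a usable access token. In the real framework the joint signature is a single value rather than a bundle of per-pIdP MACs, but the n-of-n acceptance rule is the same.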

Furthermore, the OLYMPUS project is currently investigating how user attributes could be split across the vIdP, such that no single pIdP knows more about the user than the username.

These new features do, however, add to the complexity of the overall federated identity setup. While it is a goal for OLYMPUS to ensure compatibility with existing IdM technologies such as OpenID Connect and SAML, the distributed protocols for password verification and signatures require a dedicated client application rather than native browser support.

In addition to the vIdP concept, the OLYMPUS framework operates with a couple of other important concepts, described in the following sections: