DVID: Adding Delegated Authentication to SPIFFE Trusted Domains

One of the challenges of cloud computing is ensuring secure access to data and resources. Identity Management Systems (IMS), which enable organizations to handle user identities, authentication, and authorization, are commonly employed for tackling this issue. Whilst OAuth 2.0, SAML, and OpenID Connect are typically used in web applications, the Secure Production Identity Framework for Everyone (SPIFFE) is today among one of the many open source IMS for cloud environments. The reason is that SPIFFE provides a secure and standardized attestation framework for authenticating cloud workloads from the moment they are instantiated. Our work extends SPIFFE's capabilities, allowing the identification not only of the workload making a request, but also of the user behind that request. For this purpose, we design a new credential called Delegated Assertion SVID (DVID), describe a proof-of-concept implementation, and benchmark some baseline scenarios. (AU)