π€ AI Summary
In zero-trust architectures, fragmented identities across human users, workloads, and automated systems hinder unified access control. Method: This paper introduces the Identity Control Plane (ICP)βthe first cross-domain identity governance framework integrating SPIFFE identity primitives, OIDC/SAML-based federated authentication, and scoped transactional tokens. It designs a composable, standards-compliant ABAC enforcement layer aligned with IETF WIMSE and OAuth specifications; integrates OPA/Cedar policy engines; and establishes FedRAMP/SLSA compliance mapping mechanisms. Contributions: (1) Unified multi-source identity modeling with fine-grained, dynamic authorization; (2) Transaction-token-driven real-time credential lifecycle management; and (3) A complete theoretical architecture, component specifications, performance modeling, comparative analysis against mainstream zero-trust models, and a production-ready, compliance-validated deployment pathway.
π Abstract
This paper introduces the Identity Control Plane (ICP), an architectural framework for enforcing identity-aware Zero Trust access across human users, workloads, and automation systems. The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens. We propose a composable enforcement layer using ABAC policy engines (e.g., OPA, Cedar), aligned with IETF WIMSE drafts and OAuth transaction tokens. The paper includes architectural components, integration patterns, use cases, a comparative analysis with current models, and theorized performance metrics. A FedRAMP and SLSA compliance mapping is also presented. This is a theoretical infrastructure architecture paper intended for security researchers and platform architects. No prior version of this work has been published.