An approach to detect user behaviour anomalies within identity federations
Published in: | Computers & security 2021-09, Vol.108, p.102356, Article 102356 |
---|---|
Main authors: | , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | • This paper defines a workflow to improve the security levels of federated identity management solutions through user and entity behaviour analytics. • This workflow is implemented at the relying party, based on a session fingerprint that summarizes the behaviour of users. • A novel approach for detecting behaviour anomalies based on this kind of fingerprint is proposed. • An implementation of the proposed workflow has been validated in a real use case using OpenID Connect.
User and Entity Behaviour Analytics (UEBA) mechanisms rely on statistical techniques and Machine Learning to determine when a significant deviation from patterns or trends established as a standard for users and entities is occurring. These mechanisms are beneficial within cybersecurity contexts because they allow managers and administrators to have early alerts warning about potential security incidents. This paper proposes the utilisation of UEBA to improve the security of Federated Identity Management (FIM) solutions. The proposed UEBA workflow allows Relying Parties within identity federations to build a session fingerprint characterising each user’s behaviour from available information. Furthermore, it enables anomaly detection based on this fingerprint, integrating raised alerts within current identity management specifications. The proposed workflow is validated and evaluated in a real use case based on a web chat application using OpenID Connect for identity management. |
ISSN: | 0167-4048 1872-6208 |
DOI: | 10.1016/j.cose.2021.102356 |