This paper proposes a hybrid approach that combines claim-based and network-based identity management. Partly by applying the principle of separation of concerns, the design attains better security and privacy properties. The trust that must be placed in individual actors is reduced overall, which at the same time lowers each actor's exposure and its value as a target of attack. The proposed architecture also facilitates interoperability and a plurality of credential technologies, authentication protocols and operators. In addition, the user has more control over their personal data than with current network-based identity management systems. A prototype demonstrates the feasibility of the proposed approach.