This document proposes a scheme called purpose-aware attribute-based encryption for preserving user privacy in federated identity management systems. A trusted identity provider encrypts user data under a disclosure policy that states the purposes for which the data may be used, the time window in which it is valid, and the service-provider domains that may decrypt it. Each service provider is issued separate time tokens and purpose tokens; only a combination of tokens that satisfies the policy's purpose and time constraints yields the decryption key, so a provider holding the ciphertext but lacking a matching token (for example, an insider reusing data for a purpose the user never consented to, or anyone after the validity window has passed) cannot recover the data. The result is fine-grained, policy-driven access control over user data that remains privacy-preserving in a distributed, multi-provider environment.
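The following is an added example, written for this page rather than taken from the paper, that models the enforcement idea above with standard-library primitives: an identity provider holds a master secret, derives a domain-bound purpose token per purpose and a domain-bound time token per day, and wraps a fresh data key once for every (purpose, day) pair the disclosure policy allows. A service provider recovers the data key only when it holds both a matching purpose token and a matching time token for its own domain. The token derivation, the HMAC-based keystream cipher, the daily time granularity and all names (`IdentityProvider`, `ServiceProvider`, `Policy`, `shop.example`, `ads.example`) are assumptions of this model, not the paper's attribute-based encryption construction; a real deployment would use a proper AEAD and the scheme's own key issuance.

```python
"""Toy model of purpose- and time-bound disclosure (added example, not the
paper's scheme).  Tokens are PRF outputs keyed by the IdP master secret;
the data key is wrapped once per allowed (purpose, day) slot.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

DAY = 86400  # assumed time granularity: one time token per calendar day


def prf(key: bytes, *parts: str) -> bytes:
    """HMAC-SHA256 over length-prefixed labels; used as PRF and KDF."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        b = p.encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for an AEAD: HMAC-derived keystream XORed with the data."""
    out = b""
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return xor(data, out)


@dataclass
class Policy:
    purposes: set          # purposes the user consented to
    not_before: int        # validity window, epoch seconds
    not_after: int
    domain: str            # service-provider domain allowed to decrypt

    def days(self):
        return range(self.not_before // DAY, self.not_after // DAY + 1)


class IdentityProvider:
    def __init__(self):
        self.msk = os.urandom(32)  # master secret, never leaves the IdP

    def purpose_token(self, domain: str, purpose: str) -> bytes:
        return prf(self.msk, "purpose", domain, purpose)

    def time_token(self, domain: str, day: int) -> bytes:
        return prf(self.msk, "time", domain, str(day))

    def encrypt(self, user_data: dict, policy: Policy) -> dict:
        dek, nonce = os.urandom(32), os.urandom(16)
        body = keystream_xor(prf(dek, "enc"), nonce, json.dumps(user_data).encode())
        tag = hmac.new(prf(dek, "mac"), nonce + body, hashlib.sha256).digest()
        wrapped = {}
        for purpose in policy.purposes:          # one slot per allowed (purpose, day)
            for day in policy.days():
                wk = prf(self.purpose_token(policy.domain, purpose)
                         + self.time_token(policy.domain, day), "wrap")
                # slot id is derived from the wrap key, so only a holder of
                # both tokens can even locate its slot
                wrapped[prf(wk, "slot").hex()] = xor(dek, wk).hex()
        return {"nonce": nonce.hex(), "body": body.hex(),
                "tag": tag.hex(), "wrapped": wrapped}


class ServiceProvider:
    def __init__(self, domain: str, purpose_tokens: dict, time_tokens: dict):
        self.domain, self.purpose_tokens, self.time_tokens = domain, purpose_tokens, time_tokens

    def decrypt(self, blob: dict, purpose: str, now: int):
        """Return the record if policy allows (purpose, now) for this SP, else None."""
        tp, tt = self.purpose_tokens.get(purpose), self.time_tokens.get(now // DAY)
        if tp is None or tt is None:
            return None                              # missing purpose or time token
        wk = prf(tp + tt, "wrap")
        slot = blob["wrapped"].get(prf(wk, "slot").hex())
        if slot is None:
            return None                              # policy excludes this (purpose, day)
        dek = xor(bytes.fromhex(slot), wk)
        nonce, body = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["body"])
        tag = hmac.new(prf(dek, "mac"), nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(blob["tag"])):
            return None                              # wrong key or tampered ciphertext
        return json.loads(keystream_xor(prf(dek, "enc"), nonce, body))


def demo() -> dict:
    """Constructed scenario: consent to shipping+billing for 3 days at shop.example."""
    idp = IdentityProvider()
    t0 = 1704067200  # 2024-01-01T00:00:00Z, constructed
    policy = Policy({"shipping", "billing"}, t0, t0 + 2 * DAY, "shop.example")
    blob = idp.encrypt({"name": "A. User", "address": "1 Main St"}, policy)
    day = t0 // DAY + 1
    shop = ServiceProvider("shop.example",
                           {p: idp.purpose_token("shop.example", p) for p in ("shipping", "marketing")},
                           {d: idp.time_token("shop.example", d) for d in (day, day + 5)})
    ads = ServiceProvider("ads.example",
                          {"shipping": idp.purpose_token("ads.example", "shipping")},
                          {day: idp.time_token("ads.example", day)})
    tampered = dict(blob, body=blob["body"][:-2] + format(int(blob["body"][-2:], 16) ^ 1, "02x"))
    return {
        "shipping_in_window": shop.decrypt(blob, "shipping", day * DAY + 3600),
        "marketing_excluded": shop.decrypt(blob, "marketing", day * DAY),   # token held, not in policy
        "shipping_expired": shop.decrypt(blob, "shipping", (day + 5) * DAY),  # token held, outside window
        "billing_no_token": shop.decrypt(blob, "billing", day * DAY),       # in policy, token never issued
        "other_domain": ads.decrypt(blob, "shipping", day * DAY),           # tokens bound to domain
        "tampered": shop.decrypt(tampered, "shipping", day * DAY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} -> {v}")
```

Two points the model makes visible: a purpose token on its own (the `marketing` case) or a time token on its own (the `shipping_expired` case) is useless, so a leaked token does not widen disclosure beyond what the policy already allowed; and because tokens are bound to a domain, the same purpose name at a different provider derives a different key. The cost is one wrapped key per allowed (purpose, day) pair, which is why a real scheme uses attribute-based encryption instead of enumerating slots.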