Federated identity management

In information technology, Federated Identity Management amounts to having a common set of policies, practices and protocols in place to manage the identity of, and trust in, IT users and devices across organizations.

Related to federated identity is Single sign-on (SSO), where a user's authentication process is used across multiple IT systems or even organizations. SSO is a subset of Federated Identity Management, as it relates only to authentication and is understood on the level of technical interoperability.

FIDM allows users to reuse electronic identities, saves administrators redundant work in maintaining user accounts and provides a consistent, trustworthy infrastructure component.

Background

Centralized identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same "domain of control". Increasingly, however, users are accessing external systems which are fundamentally outside of their domain of control, and external users are accessing internal systems. The increasingly common separation of user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain issues, have given rise to a new approach to identity management, known now as "federated identity management".

Federated Identity Management

FIDM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled or B2B (business-to-business) scenarios.

Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use cases. Typical use-cases involve things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.

Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to redundantly login through cross-domain single sign-on.

The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user, user-to-application as well as application-to-application use-case scenarios at both the browser tier and the web services or service-oriented architecture (SOA) tier. It can involve high-trust, high-security scenarios as well as low-trust, low-security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open Identity Assurance Framework. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company.

One thing that is consistent, however, is the fact that "federation" does describe methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability.

Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the OASIS Security Assertion Markup Language (SAML) specification, and some of which may involve open source technologies and/or other openly published specifications (e.g. Information Cards, OpenID, the Higgins trust framework or Novell's Bandit project).
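As an added illustration (not part of the original article), the checks a service provider in one security domain performs before trusting an assertion issued by another domain's identity provider, modelled on the SAML 2.0 conditions named above; the HMAC stands in for the XML Signature real SAML uses, and every issuer, key and value is constructed for the example.

```python
import hashlib, hmac
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed trust configuration of this service provider (SP): identity
# providers we federate with, keyed by issuer, plus our own entity ID.
TRUSTED_IDPS = {"https://idp.example.org": b"constructed-shared-secret"}
OUR_ENTITY_ID = "https://sp.example.com"

def sign(assertion_xml, key):
    """HMAC stand-in for the IdP's XML Signature over the assertion text."""
    return hmac.new(key, assertion_xml.encode(), hashlib.sha256).hexdigest()

def validate_assertion(assertion_xml, signature, now, audience=OUR_ENTITY_ID):
    """Return (subject, None) if all federation checks pass, else (None, reason)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = TRUSTED_IDPS.get(issuer)   # 1. only an IdP we have a trust agreement with
    if key is None:
        return None, f"untrusted issuer {issuer!r}"
    if not hmac.compare_digest(sign(assertion_xml, key), signature):
        return None, "bad signature"   # 2. integrity: that IdP really issued this
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return None, "outside validity window"   # 3. stale or replayed assertion
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return None, f"audience mismatch {audiences}"   # 4. issued for a different SP
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (subject, None) if subject else (None, "missing subject")

# Constructed sample assertion from the trusted IdP, valid for five minutes.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
    "<saml:Issuer>https://idp.example.org</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2024-05-01T12:00:00+00:00" NotOnOrAfter="2024-05-01T12:05:00+00:00">'
    "<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)
SAMPLE_SIGNATURE = sign(SAMPLE_ASSERTION, TRUSTED_IDPS["https://idp.example.org"])
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)     # inside the window
SAMPLE_LATER = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)  # after it expired
```

Calling validate_assertion(SAMPLE_ASSERTION, SAMPLE_SIGNATURE, SAMPLE_NOW) accepts the federated identity, while the same assertion presented later, to a different audience, or with its content altered is rejected with the reason.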

See also

  • Athens access and identity management
  • Atomic Authorization
  • Central Authentication Service
  • Digital identity
  • Federated content
  • Identity Metasystem
  • Information Card
  • Kantara Initiative
  • LDAP
  • Liberty Alliance
  • OpenID
  • Shibboleth
  • Windows CardSpace
  • WS-Federation
  • X.509
  • Windows Identity Foundation

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.