
Identity Management – Part 2 – Federation


This is part 2 of the series of posts I am planning to write on Identity Management. If you wish, you can read Identity Management – Part 1 – The Basics, which gives a brief introduction to identity management. One of the major parts of identity management is simplifying how a user logs in to a system, and thus how to achieve single sign-on (SSO) on the web. At the enterprise level it is generally easy to achieve single sign-on, as there is only a single identity provider. But when you want to achieve single sign-on between multiple organizations, it gets complicated. In this post we will go through “What is federation and federated identity?” and “What are the various ways by which we achieve SSO?”

In the previous post we discussed identity as an entity which uniquely identifies an object or user. This identity is generally valid and trusted only within a domain, just as your company ID card or college ID card is valid only within your workplace or school.

So, when a system assembles an identity from information collected from one or more security domains, and that identity is used across security domains, the assembled identity becomes a federated identity. The ultimate goal of identity federation is to enable users of one domain to securely and seamlessly access data or systems of another domain, without the need for completely redundant user administration. The setup and standards which enable federated identity are called federation. There are multiple scenarios in identity federation which are of significance, such as cross-domain authentication (web-based single sign-on), cross-domain user account provisioning (managing a user in your domain based on a federated identity), and cross-domain user entitlement and attribute management. We will take a small peek at the various ways by which we can achieve web-based single sign-on:

  1. SAML
  2. OpenID Protocol

What is SAML?

SAML stands for Security Assertion Markup Language. It is an XML-based standard used for exchanging authentication and authorization data between two security domains. SAML defines assertions, protocols, bindings and profiles. Assertions carry the main information in a SAML response. The SAML protocols denote the set of rules by which the service consumer and the identity provider communicate. A SAML binding is a mapping from protocol messages to communication formats such as SOAP. A SAML profile describes how SAML supports a particular use case. Together, the guidelines defined by SAML form an abstract framework, referred to as the SAML framework.

SAML’s Web SSO profile describes how to set up single sign-on using SAML assertions, which we will go through in the next part.

What is the OpenID protocol?

It is an open, decentralized protocol/standard used for authenticating users, allowing a user to use a single identity across various services and domains. The OpenID protocol uses plain HTTP requests and responses and is a concrete implementation. It also defines what the user experience should be. In my personal opinion the OpenID protocol is the simplest protocol for single sign-on, but at the same time it is also restricted. We will see more about the OpenID protocol in subsequent posts.

One point to note is that in both cases the real authentication is left to the identity provider. The identity provider can use Active Directory, a smart card or biometrics to authenticate the user. These standards define how this identity is shared across two domains, and hence there needs to be a trust relationship between the identity provider, the consumer and the various systems which form the federation.
