Federated Identity

From P2P Foundation
Jump to: navigation, search


From the Wikipedia:

"In information technology, federated identity has two general meanings:

  • The virtual reunion, or assembled identity, of a person's user information (or principal), stored across multiple distinct identity management systems. Data are joined together by use of the common token, usually the user name.
  • A user's authentication process across multiple IT systems or even organizations.

For example, a traveler could be a flight passenger as well as a hotel guest. If the airline and the hotel use a federated identity management system, this means that they have a contracted mutual trust in each other's authentication of the user. The traveler could identify him/herself once as a customer for booking the flight and this identity can be carried over to be used for the reservation of a hotel room.

Federated identity, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise controlled or B2B scenarios.

Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use cases. Typical use-cases involve things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.

Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to redundantly login through cross-domain single sign-on.

The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user, user-to-application as well as application-to-application use-case scenarios at both the browser tier as well as the web services or service-oriented architecture (SOA) tier. It can involve high-trust, high-security scenarios as well as low-trust, low security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open Identity Assurance Framework. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company.

One thing that is consistent, however, is the fact that "federation" does describe methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability.

Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the OASIS Security Assertion Markup Language (SAML) specification, and some of which may involve open source technologies and/or other openly published specifications (e.g. Information Cards, Open ID, the Higgins Trust Framework or Novell’s Bandit project)." (http://en.wikipedia.org/wiki/Federated_identity)