Getting a grip on federated identity

The growth of partnerships into e-business networks is one of the most significant trends in the evolution of Internet commerce. Some of the most successful global businesses have achieved a high level of coordination between their own IT systems and those of their customers, suppliers and partners.

In business-to-consumer environments, where end users communicate with one company that presents products or services from multiple partners simultaneously, access to shared resources must be secure and structured to meet the requirements of each partner in the business relationship while also meeting the end users' needs.

In application-to-application or business-to-business environments, where Web services are increasingly used, remote or partner access to corporate data and applications must be achieved securely and seamlessly.

Identity federation is the secure propagation of identities across autonomous domains or multiple enterprises. It's predicated on the use of security objects or "tokens" to represent entities. An entity can be a business, a user or a system, such as a program or a hardware device.

Effective identity federation benefits both users and enterprises. It provides the end user with a seamless, cross-domain Internet experience through single sign-on, and it allows the company to present resources to a larger class of users not directly administered by the enterprise.

Several standards address various aspects of identity federation, such as single sign-on, trust and attribute sharing. Some of those standards combine to provide the basis for an identity federation framework, but there are still overlaps and competition among emerging specifications, which can make purchasing decisions challenging.

Federation requirements

It's virtually impossible to rely on a universal point of control for identity information. In other words, no single security administrator has the responsibility to authenticate all users and manage their accounts. In some cases, companies have multiple identity repositories for their applications, thus creating a corporate infrastructure fragmented in silos of activities. In addition, when companies do business with one another, they need to exchange information about their respective users in a trusted way.

Identity federation can be relative to a single company -- users of that company securely access the company's resources based on their identity information. Or identity federation can span several companies, a network of federations as it were, whereby trust must be established between the multiple companies doing business together.

Companies involved in identity federation establish trusted relationships allowing their users access to resources hosted by business partners. In this case, companies issue security tickets to their users that can be processed by relying parties.

Identity federation provides a foundation for validating users or services from various organizations that are part of a network of business partners. In this way, users or services can seamlessly access resources provided by those trusted partners.

The requirements for identity federation are as follows:

  • Define a framework built on industry standards (data format, message structure) that's independent of specific implementations (client type or server type) and network protocols.
  • Provide the ability for business partners to exchange information about their users in a secure way.
  • Protect the privacy of users within a federation, i.e., keep user identity information secret and conform to international privacy regulations.
  • Allow each company in a federation to manage the identities of its own users without relying on a centralized third party.
  • Provide standard security information descriptions or use current standard security tokens.
  • Provide a standard protocol to exchange security tokens among federation participants.
  • Provide a way to establish trust among federation participants.

Basic concepts

Federating users and/or services into trusted relationships starts from basic processes designed to identify a user or a service (authentication) and to grant access rights to an authenticated user or service (authorization). In addition, successful and unsuccessful authentication and authorization activities must be recorded in a way that can be easily analyzed or audited by systems administrators or security experts.
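The token exchange sketched in the preceding sections (a company issues a security token to its user, a relying party in a partner domain processes it, and every authentication and authorization decision is recorded for audit) is shown below as an added, self-contained example that is not part of the original article or of any of the standards it lists. It assumes a constructed trust relationship between two fictitious domains (idp.partner-a.example and rp.partner-b.example) based on a shared HMAC secret agreed out of band, and uses a compact JSON token instead of a SAML assertion or WS-Security token; the checks the relying party performs (trusted issuer, signature, intended audience, validity window, then local authorization policy) are the same ones a SAML- or Kerberos-based deployment has to make.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample trust store: the relying party (RP) knows one shared secret
# per partner identity provider (IdP), agreed out of band. This stands in for the
# X.509 signing certificates a real SAML or WS-Security deployment would exchange.
TRUSTED_ISSUERS = {
    "idp.partner-a.example": b"constructed-shared-secret-for-partner-a",
}

# Local authorization policy: the partner-asserted attribute each resource requires.
RESOURCE_POLICY = {
    "/orders": {"role": "purchasing"},
    "/admin": {"role": "rp-administrator"},
}

AUDIT_LOG = []  # in-memory audit trail; a real system forwards this to a log sink


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, secret, subject, audience, attributes, ttl=300, now=None):
    """IdP side: after authenticating the user locally (not shown), mint a token
    naming the issuer, the subject, the intended audience and a short validity window."""
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "attrs": attributes}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def validate_token(token, expected_audience, now=None):
    """RP side: the checks a relying party must perform before believing a partner's
    assertion. Returns the claims, or raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
        claims = json.loads(payload)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except ValueError:  # covers a bad split, bad base64 and bad JSON alike
        raise ValueError("malformed token")
    secret = TRUSTED_ISSUERS.get(claims.get("iss"))
    if secret is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("expired or not yet valid")
    return claims


def access_resource(token, resource, my_domain, now=None):
    """Authentication (validate_token), authorization (attributes against local policy)
    and audit (one record whether the request succeeds or fails). Returns the record."""
    record = {"resource": resource, "domain": my_domain, "allowed": False}
    try:
        claims = validate_token(token, my_domain, now)
        record.update(issuer=claims["iss"], subject=claims["sub"])
        attrs = claims.get("attrs") if isinstance(claims.get("attrs"), dict) else {}
        required = RESOURCE_POLICY.get(resource, {})
        missing = [k for k, v in required.items() if attrs.get(k) != v]
        if missing:
            record["reason"] = f"authorization failed: missing {missing}"
        else:
            record["allowed"] = True
    except ValueError as err:
        record["reason"] = f"authentication failed: {err}"
    AUDIT_LOG.append(record)
    return record


if __name__ == "__main__":
    # Constructed walk-through: partner A's IdP issues a token for its user; RP B consumes it.
    tok = issue_token("idp.partner-a.example", TRUSTED_ISSUERS["idp.partner-a.example"],
                      "alice@partner-a.example", "rp.partner-b.example", {"role": "purchasing"})
    print(access_resource(tok, "/orders", "rp.partner-b.example"))
    print(access_resource(tok, "/admin", "rp.partner-b.example"))
    for entry in AUDIT_LOG:
        print("AUDIT", entry)
```

The relying party never authenticates the user itself; it only decides whether to trust the issuer, which is the point of federation, and the audience check is what keeps a token minted for one partner from being replayed against another. Note that the authorization decision stays local: the partner asserts attributes, but the policy mapping them to resources belongs to the relying party.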

Federation standards

There is no single industry standard meeting all of the federation requirements. As mentioned earlier, federation involves the description of identities (i.e., security tokens), protocols to exchange security tokens, the preservation of privacy and the establishment of trust.

The main standards and industry initiatives involved in identity federation and trust are:

  • Passport: Microsoft Corp.'s centralized authentication service. A user can create a Passport at www.passport.com. A Passport includes credentials (e-mail address and password), profile data (birth date, address, etc.) and optional wallet information (e.g., credit card number). A user can subscribe to any site that's Passport-enabled.
  • Kerberos: A cross-platform authentication and single sign-on system. The current release is Kerberos 5, implemented on various Unix platforms, Apple Computer Inc.'s Mac OS X and Microsoft Windows. (Kerberos is the default protocol used by Microsoft to authenticate users on a Windows 2000-2003 network.)
  • Security Assertion Markup Language (SAML): An open, application-level standard framework for sharing security information on the Internet through XML documents.
  • Liberty Alliance: An industry organization started in September 2001 to create a set of specifications for identity federation in network environments. The Liberty Alliance includes more than 150 member companies worldwide.
  • Web Services Security Specification (WS-Security): Originally developed by IBM, Microsoft and VeriSign Inc., WS-Security is a specification from the Organization for the Advancement of Structured Information Standards (OASIS) that specifies Simple Object Access Protocol security extensions providing data integrity and confidentiality. WS-Security supports various security tokens, such as SAML assertions, Kerberos tickets and X.509 certificates.
    • WS-Trust provides extensions to WS-Security that define security token interoperability through a request/response protocol.
    • WS-Policy is used with WS-Security to express the capabilities and requirements of entities used in Web services environments.
    • WS-Federation provides secure propagation of identity information relying on other Web services specifications such as WS-Security, WS-Trust and WS-Policy.

Conclusion

As identity and access management become the integration point for user and application administration across heterogeneous environments and architectures, emerging standards and industry initiatives will play a strong role in the development of the identity and access management market, including identity federation among corporations.

Today, SAML, the Liberty Alliance and WS-Security provide identity federation solutions for both Web applications and Web services that companies worldwide have successfully deployed.

Over the next few years, the various Web services specifications currently drafted by Microsoft, IBM and other companies will provide products for complex, large-scale identity federation deployments in service-oriented architectures.

Copyright © 2004 IDG Communications, Inc.