The growth of partnerships into seamless e-business networks is one of the most significant trends in the evolution of Internet commerce. Some of the most successful global enterprises have achieved a very high level of coordination between their own information technology (IT) systems and those of their customers, suppliers and partners. This IT coordination is being used to differentiate solutions, reduce costs and improve speed and agility.
In business-to-consumer (B2C) scenarios where consumers communicate with an enterprise that presents products or services from multiple partners simultaneously, access to shared resources must be secure and structured to meet the requirements of each partner in the business relationship, while meeting the consumer's needs.
In application-to-application (A2A) or business-to-business (B2B) environments where Web services are increasingly used, remote or partner access to corporate data and applications must be achieved securely and seamlessly.
Effective identity federation benefits both users and enterprises. It provides end users with a seamless cross-domain experience through single sign-on (SSO), and it enables enterprises to expose resources to a larger class of users not directly administered by the enterprise.
CA's Universal Federation Architecture (UFA) is designed to provide identity federation within the company and across external partners for legacy, Web and service-oriented environments. CA's Universal Federation Architecture supports the leading federation standards using a highly manageable and scalable infrastructure. When used in conjunction with the other components of CA's Identity and Access Management (IAM) solution, it provides the most comprehensive IAM solution on the market.
While federation technology and markets are still in their early stages, CA envisions a day in the near future when federation and Web services are clearly seen as critical elements of enterprise IAM systems. CA is delivering on this vision today.
Document Purpose and Scope
The purpose of this white paper is to show how CA's IAM solution (specifically the eTrust SiteMinder and eTrust TransactionMinder components) provides a true Universal Federation Architecture.
The first part of this white paper presents "browser-based" identity federation, which is enabled by eTrust SiteMinder. The second part describes how eTrust TransactionMinder enables "document-based" identity federation security using Web services flows.
Terms and concepts not directly defined in the text are explained in a short glossary provided at the end of the document, together with a list of technical references.
Reference Documents
In order to better understand this white paper, readers should be familiar with identity federation concepts, as well as the basic operation of the eTrust SiteMinder and eTrust TransactionMinder products.
Additional information on these topics is provided by three white papers:
- Identity Federation: Concepts, Use Cases and Industry Standards
- eTrust SiteMinder r6 Technical White Paper
- eTrust TransactionMinder: Securing Web Services White Paper
Federation Requirements
Both eTrust SiteMinder and eTrust TransactionMinder solutions are designed to meet the following identity federation requirements:
- Provide a framework built on industry standards (data format and message structure) that are independent of specific implementations (client type or server type) and network protocols
- Provide the ability for business partners to exchange information about their users in a secure way
- Protect the privacy of users within a federation, i.e., keep user identity information secret
- Allow each company in a federation to manage the identities of its own users without relying on a centralized third party
- Support standard security information descriptions or use existing standard security tokens
- Support a standard protocol to exchange security tokens amongst federation participants
- Provide a way to establish trust amongst federation participants
Federation Models
Identity federation can be achieved through browsers or using XML documents with Web services.
In browser-based federation the end user visits web sites hosted by business partners. Browser-based federation security is provided by eTrust SiteMinder Federation Security Services (FSS) through its support of the Security Assertion Markup Language (SAML) and WS-Federation/ADFS.
In document-based federation, business partners or business units communicate through XML documents used to request and obtain Web services. Document-based federation security is provided by eTrust TransactionMinder using SAML, X.509 certificates and Username security tokens inserted in Web Services Security (WS-Security) headers.
CA UFA's multi-protocol and multi-model support provides the flexibility for customers to select the appropriate model and protocol to federate with each of their partners.
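As an added illustration of the document-based model (example code written for this page, not part of the CA white paper or the eTrust products), the function below inspects the WS-Security header of a SOAP 1.1 request and classifies which of the three token types named above it carries, rejecting messages whose header is missing, duplicated or ambiguous so that a gateway can apply the right per-partner policy. The namespace URIs are the standard WS-Security 1.0, SAML and SOAP 1.1 values; the sample envelope and its user and password values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Standard namespaces used by SOAP 1.1, WS-Security 1.0, the X.509 token profile and SAML.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
SAML_NS = ("urn:oasis:names:tc:SAML:1.0:assertion", "urn:oasis:names:tc:SAML:2.0:assertion")


def classify_security_token(envelope_xml: str) -> str:
    """Return 'username', 'x509' or 'saml' for the single security token found in
    the wsse:Security header. Raise ValueError (so the caller rejects the message)
    when the header is absent, repeated, carries no recognised token, or carries
    more than one, since an ambiguous header cannot be mapped to one partner policy."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        raise ValueError("no SOAP Header present")
    security = header.findall(f"{{{WSSE}}}Security")
    if len(security) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    found = []
    for child in security[0]:  # Timestamp, Signature etc. are simply skipped here
        if child.tag == f"{{{WSSE}}}UsernameToken":
            found.append("username")
        elif child.tag == f"{{{WSSE}}}BinarySecurityToken":
            if child.get("ValueType") != X509V3:
                raise ValueError("unsupported BinarySecurityToken ValueType")
            found.append("x509")
        elif any(child.tag == f"{{{ns}}}Assertion" for ns in SAML_NS):
            found.append("saml")
    if len(found) != 1:
        raise ValueError(f"expected exactly one security token, found {found}")
    return found[0]


# Constructed sample request carrying a UsernameToken (placeholder credential values).
SAMPLE_USERNAME = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>partner-user</wsse:Username>
        <wsse:Password>placeholder-password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetOrder xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(classify_security_token(SAMPLE_USERNAME))  # username
```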