
Identity Federation: Concepts, Use Cases and Industry Standards

By : CA
Published : Jan 11, 2007
Length : 25
Type : White Paper
 
Overview :
This paper is aimed at IT staff, application development managers, security architects and technical decision makers who need to learn more about identity federation and the industry standards that formalize federated environments.  It discusses:
  • Basic concepts underlying identity federation, namely authentication, authorization and single sign-on (SSO) using a real-world example
  • Browser-based and document-based identity federation by describing typical use case scenarios
  • Various standards and industry initiatives that address identity federation and how some of these standards can co-exist and cooperate to offer efficient solutions to the problems encountered with identity federation


The growth of partnerships into e-business networks is the most significant trend in the evolution of Internet commerce. Some of the most successful global enterprises have achieved a very high level of coordination between their own information technology (IT) systems and those of their customers, suppliers and partners.

In business-to-consumer (B2C) environments, where end-users communicate with a single enterprise that simultaneously presents products or services from multiple partners, access to shared resources must be secure and structured to meet the requirements of each partner in the business relationship, while meeting end-users’ needs.

In application-to-application (A2A) or business-to-business (B2B) environments, where Web services are increasingly used, remote or partner access to corporate data and applications must be achieved securely and seamlessly.

Effective identity federation benefits both users and enterprises. It provides the end-user with a seamless cross-domain internet experience through single sign-on (SSO) and it allows the enterprise to expose resources to a larger class of users not directly administered by the enterprise. Several standards address various aspects of identity federation (SSO, trust, attribute sharing, etc.). Some of those standards combine to provide the basis for an identity federation framework, but there are still overlaps and competition between emerging specifications, which makes purchase decisions a challenge.

Document Purpose and Scope

The first part of this white paper discusses the basic concepts underlying identity federation, namely authentication, authorization and single sign-on (SSO), using a real-world example. The second part introduces browser-based and document-based identity federation by describing typical use case scenarios. The third part describes the various standards and industry initiatives that address identity federation and how some of these standards can co-exist and cooperate to offer efficient solutions to the problems encountered with identity federation.

This document is aimed at IT staff, application development managers, security architects and technical decision makers who need to learn more about identity federation and the industry standards that formalize federated environments. Some sections of this document require a basic knowledge of the Extensible Markup Language (XML) and related XML technologies (XML Schema and the Simple Object Access Protocol (SOAP)). Terms and concepts not directly defined in the text are explained in a short glossary provided at the end of the document, together with a list of technical references.

Identity Federation Requirements

It is virtually impossible to rely on a universal point of control for identity information. In other words, no single security administrator has the responsibility to authenticate all users and manage their accounts. In some cases, companies have multiple identity repositories for their applications, thus creating a corporate infrastructure fragmented in silos of activities. In addition, when companies do business with each other, they need to exchange information about their respective users in a trusted way.

Identity federation can be confined to a single company (users of that company securely access the company’s resources based on their identity information). It can also span several companies, forming a network of federations, in which trust must be established between the multiple companies doing business together.

Companies involved in identity federation establish trusted relationships, allowing their respective users to access resources hosted by a business partner. In this case, companies issue security tickets to their users that can be processed by relying parties. Identity federation provides a foundation for validating users (or services) from various organizations that are part of a network of business partners. In this way, users (or services) can seamlessly access resources provided by those trusted partners.
