Efficiently coordinating and integrating business processes with trading partners in an increasingly dynamic business environment is a complex dilemma faced by most large enterprises. Identity federation and the industry standards that comprise it were invented to address this cross-domain, application-interoperability challenge. This paper introduces and defines identity federation: the benefits that companies can reap by leveraging it, some use cases that it can enable, the most relevant industry standards and specifications that underlie it, and the business issues that must be addressed for identity federation to be successfully delivered at scale.
Federation and Business Value
Basic access to applications and data over the Internet has existed for years. However, the ability of a user to easily and securely access services that are housed in multiple security domains within an enterprise, or across multiple organizations, has remained a challenge. Twenty years ago, many pinned their hopes on electronic data interchange (EDI), which has been used successfully in the automotive, retail and manufacturing industries but has generally failed to reach broader corporate use, primarily because of its cost, inflexibility and proprietary nature. In addition, EDI has not provided any direct benefit to consumers or other classes of end users.
Today, the Internet, Internet-compliant technology and standards have matured to the point that effective coordination and mass integration between trading partners is achievable and affordable. Moreover, the advent of standards is easing the extension of today's enterprises by lowering the barriers to connecting disparate business applications both within and across corporate boundaries. This enables businesses to substantially reduce costs, create new revenue opportunities, and provide greater convenience, choice and control for their users.
By integrating applications and business processes across corporate boundaries, trading partners, business customers and outsourcers can automatically link processes and take part in transactions across multiple companies, eliminating the business interruption associated with traditional means of information exchange (such as phone, fax and email) or with traditional, custom means of application integration. The ubiquitous network (the Internet) and high-scale transactional applications already exist at most organizations. Federation standards, and the security systems that implement them, were invented explicitly for the purpose of securely tying distributed applications together to accelerate business.
Securing Federation
However, the aforementioned gains can fail to materialize if the system-level information exchange is not conducted securely. For example, a government agency could risk damage through a leak of a citizen's private information. A financial institution might incur financial penalties or brand degradation due to an unauthorized trade or withdrawal. A health care firm might suffer damaging lawsuits if personal health information is released to the wrong parties. In addition, a breach of security might put regulated organizations out of compliance with data privacy or IT control regulations and thus expose them to government enforcement actions. With federation, as with most IT efforts, organizations need to keep security front of mind. In the end, though, a balance must be found between letting business in and keeping risk out.
In a federation scenario, the way to address these security challenges is to integrate the partnering companies' security systems so that user, security and entitlement information can be shared in a defined and controlled way between partners in a trusted business relationship. The sharing of digital identities to enable applications in different security domains to work together securely is defined as "identity federation". Federation enables users and applications to work seamlessly across autonomous internal business units, external business partners and other third parties as if they were part of the same security domain, while in fact the domains remain largely independent.
Since cross-company federation is the ultimate goal, the only way to accomplish it effectively is through the development and use of open standards. Fortunately, many standards and specifications have been and are being developed to address the various aspects of identity federation (single sign-on (SSO), trust, attribute sharing, authorization, Web services security, privacy, etc.). These standards, when combined, provide the basis for identity federation, supporting different requirements and use cases.