Federated identity

Last updated

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. [1]

Contents

Federated identity is related to single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. [2] [3] SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability, and it would not be possible without some sort of federation. [4]

Management

In information technology (IT), federated identity management (FIdM) amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations. [5]

Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability.

Centralized identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same "domain of control". Increasingly, however, users are accessing external systems which are fundamentally outside their domain of control, and external users are accessing internal systems. The increasingly common separation of the user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain access, have given rise to a new approach to identity management, known now as "federated identity management". [6]

FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled or business-to-business scenarios.

Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use-cases. Typical use-cases involve things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.

Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to redundantly login through cross-domain single sign-on.

The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user and user-to-application as well as application-to-application use-case scenarios at both the browser tier and the web services or service-oriented architecture (SOA) tier. It can involve high-trust, high-security scenarios as well as low-trust, low-security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open Identity Assurance Framework. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company. Identity federations may be bi-lateral relationships or multilateral relationships. In the latter case, the multilateral federation frequently occurs in a vertical market, such as in law enforcement (such as the National Identity Exchange Federation - NIEF [7] ), and research and education (such as InCommon). [8] If the identity federation is bilateral, the two parties can exchange the necessary metadata (assertion signing keys, etc.) to implement the relationship. In a multilateral federation, the metadata exchange among participants is a more complex issue. It can be handled in a hub-and-spoke exchange or by the distribution of a metadata aggregate by a federated operator.

One thing that is consistent, however, is the fact that "federation" describes methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability. [9]

Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the OASIS Security Assertion Markup Language (SAML) specification, and some of which may involve open-source technologies and/or other openly published specifications (e.g. Information Cards, OpenID, the Higgins trust framework or Novell's Bandit project).

Technologies

Technologies used for federated identity include SAML (Security Assertion Markup Language), OAuth, OpenID, Security Tokens (Simple Web Tokens, JSON Web Tokens, and SAML assertions), Web Service Specifications, and Windows Identity Foundation. [10]

Government initiatives

United States

In the United States, the National Institute of Standards and Technology (NIST), through the National Cybersecurity Center of Excellence, has published a building block white paper in December 2016 on this topic [11]

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. [12]

Examples

Digital identity platforms that allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. enable social login, include:

Social login examples

Here is a list of services that provide social login features which they encourage other websites to use. Related are federated identity login providers.

Other examples

See also

Related Research Articles

Web Services Security is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

<span class="mw-page-title-main">Liberty Alliance</span> Computer trade group

The Liberty Alliance Project was an organization formed in September 2001 to establish standards, guidelines and best practices for identity management in computer systems. It grew to more than 150 organizations, including technology vendors, consumer-facing companies, educational organizations and governments. It released frameworks for federation, identity assurance, an Identity Governance Framework, and Identity Web Services.

Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. SAML is also:

<span class="mw-page-title-main">Shibboleth (software)</span> Internet identity system

Shibboleth is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations.

<span class="mw-page-title-main">OpenID</span> Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers. A CSP forms part of an authentication system, most typically identified as a separate entity in a Federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use. The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. SAML is a product of the OASIS (organization) Security Services Technical Committee.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. SAML 2.0 was ratified as an OASIS Standard in March 2005, replacing SAML 1.1. The critical aspects of SAML 2.0 are covered in detail in the official documents SAMLCore, SAMLBind, SAMLProf, and SAMLMeta.

The Microsoft Open Specification Promise is a promise by Microsoft, published in September 2006, to not assert its patents, in certain conditions, against implementations of a certain list of specifications.

<span class="mw-page-title-main">Information card</span> Personal digital identity for online use

An information card is a personal digital identity that people can use online, and the key component of an identity metasystem. Visually, each i-card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The information card metaphor has been implemented by identity selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.

Active Directory Federation Services (ADFS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication. It is part of the Active Directory Services. Microsoft advises using Entra ID and Azure AD Connect in place of ADFS in most cases.

Identity assurance in the context of federated identity management is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity with which it interacts to effect a transaction, can be trusted to actually belong to the entity.

Security token service (STS) is a cross-platform open standard core component of the OASIS group's WS-Trust web services single sign-on infrastructure framework specification.cf. Within that claims-based identity framework, a secure token service is responsible for issuing, validating, renewing and cancelling security tokens. The tokens issued by security token services can then be used to identify the holder of the token to services that adhere to the WS-Trust standard. Security token service provides the same functionality as OpenID, but unlike OpenID is not patent encumbered. Together with the rest of the WS-Trust standard, the security token service specification was initially developed by employees of IBM, Microsoft, Nortel and VeriSign.

<span class="mw-page-title-main">OpenAM</span>

OpenAM is an open-source access management, entitlements and federation server platform. Now it is supported by Open Identity Platform Community.

An identity provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

Security Assertion Markup Language (SAML) is a set of specifications that encompasses the XML-format for security tokens containing assertions to pass information about a user and protocols and profiles to implement authentication and authorization scenarios. This article has a focus on software and services in the category of identity management infrastructure, which enable building Web-SSO solutions using the SAML protocol in an interoperable fashion. Software and services that are only SAML-enabled do not go here.

The SAML metadata standard belongs to the family of XML-based standards known as the Security Assertion Markup Language (SAML) published by OASIS in 2005. A SAML metadata document describes a SAML deployment such as a SAML identity provider or a SAML service provider. Deployments share metadata to establish a baseline of trust and interoperability.

A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).

References

  1. Madsen, Paul, ed. (5 December 2005). "Liberty Alliance Project White Paper: Liberty ID-WSF People Service - federated social identity" (PDF). Archived from the original (PDF) on 2018-05-26. Retrieved 2013-07-11.
  2. Federated Identity for Web Applications, microsoft.com. Retrieved 3 July 2017.
  3. Gaedke, Martin; Johannes, Meinecke; Nussbaumer, Martin (2005-05-01). "A modeling approach to federated identity and access management". Special interest tracks and posters of the 14th international conference on World Wide Web - WWW '05 (PDF). pp. 1156–1157. doi:10.1145/1062745.1062916. ISBN   978-1595930514. S2CID   8828239. Archived from the original (PDF) on 2017-09-13. Retrieved 2017-07-03.
  4. Chadwick, David W. (2009). "Federated Identity Management" (PDF). Foundations of Security Analysis and Design V. Lecture Notes in Computer Science. Vol. 5705. pp. 96–120. CiteSeerX   10.1.1.250.4705 . doi:10.1007/978-3-642-03829-7_3. ISBN   978-3-642-03828-0. ISSN   0302-9743. Retrieved 2017-07-03.
  5. http://net.educause.edu/ir/library/pdf/EST0903.pdf Archived 2017-08-29 at the Wayback Machine 7 things you should know about Federated Identity Management
  6. Jensen, Jostein (2012). "Federated Identity Management Challenges". 2012 Seventh International Conference on Availability, Reliability and Security. pp. 230–235. doi:10.1109/ares.2012.68. ISBN   978-1-4673-2244-7. S2CID   18145013 . Retrieved 2023-12-11.
  7. "National Identity Exchange Federation". nief.org. Retrieved 2018-05-15.
  8. "InCommon: Security, Privacy and Trust for the Research and Education Community". incommon.org. Retrieved 2018-05-15.
  9. Cabarcos, Patricia Arias (2013). "Dynamic Infrastructure for Federated Identity Management in Open Environments". doi:10.13140/RG.2.1.2918.0962.{{cite journal}}: Cite journal requires |journal= (help)
  10. Rountree, Derrick (2012). Federated Identity Primer. Syngress Media. ISBN   978-0124071896.
  11. https://www.nccoe.nist.gov/publications/project-description/privacy-enhanced-identity-brokers-project-description-final Privacy-Enhanced Identity Federation
  12. "FedRAMP and Azure". TECHCOMMUNITY.MICROSOFT.COM. Retrieved 2023-09-13.
  13. Login With Amazon
  14. "Single Sign-On (SSO) Solution | LastPass".