Friday, October 08, 2004

Federated Identity Management

Identity Management includes the process and infrastructure associated with the creation, maintenance, and use of digital identities. The Burton Group defines Federated Identity Management as the

Use of agreements, standards, and technologies to make identity and entitlements portable across loosely coupled, autonomous identity domains. <http://www.cio.gov/eauthentication/documents/BurtonGroupEAreport.pdf>

Informally, Federated Identity Management is authentication, authorization, and single sign-on at the inter-enterprise level, that is, at the level of the extranet. The mantra of federated identity management solutions is:

Authenticate locally, authorize globally.

In a typical federated scenario, a principal (user) is enrolled with a small number of identity providers. Any number of service providers may authorize access to their respective web resources on the basis of SAML assertions obtained from the principal's identity provider(s). An assertion carries the identity provider's statement that the principal authenticated (and, optionally, attributes about the principal); it does not carry the principal's password or other credentials, and it need not reveal who the principal is at all, since the subject can be an opaque handle. Privacy is therefore a primary concern of federated systems.
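To make "authenticate locally, authorize globally" concrete, here is an added example (not code from the original post, Shibboleth, or Liberty) of the checks a service provider performs on a SAML 1.1 bearer assertion before making its own access decision. The assertion, the entity IDs (idp.example.edu, sp.example.org), the session handle and the affiliation values are all constructed for this example. It assumes the enclosing response has already been signature-verified against the IdP's certificate from federation metadata; the standard library has no XML-DSig, so that step is not repeated here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 assertions reuse the SAML 1.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"

# Constructed sample assertion (not captured from a real IdP). Note what it holds:
# the IdP's statement that the subject authenticated, an opaque session handle as
# the NameIdentifier, and affiliation attributes. No password, no real name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_a75adf5501d740cc929fdbd8372ebdfc"
    Issuer="https://idp.example.edu/shibboleth" IssueInstant="2004-10-08T14:00:00Z">
  <saml:Conditions NotBefore="2004-10-08T14:00:00Z" NotOnOrAfter="2004-10-08T14:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-10-08T13:59:58Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.edu/shibboleth">_7f5e2b1c9d</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.edu/shibboleth">_7f5e2b1c9d</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _instant(s):
    """Parse a SAML UTC timestamp such as 2004-10-08T14:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, sp_entity_id, now):
    """Service-provider-side checks on a bearer assertion. `now` is a SAML
    timestamp string. Assumes XML signature verification already happened.
    Returns what the SP needs to authorize, or raises ValueError."""
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"] or a.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    issuer = a.get("Issuer")
    if issuer not in trusted_issuers:            # trust anchor: federation membership
        raise ValueError("issuer %r is not a trusted identity provider" % issuer)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    t = _instant(now)
    if t < _instant(cond.get("NotBefore")) or t >= _instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if sp_entity_id not in audiences:            # stops replay against another SP
        raise ValueError("assertion not addressed to this service provider")
    authn = a.find("saml:AuthenticationStatement", NS)
    if authn is None:
        raise ValueError("no AuthenticationStatement: nobody has authenticated")
    nid = authn.find("saml:Subject/saml:NameIdentifier", NS)
    methods = [m.text for m in authn.findall("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if nid is None or BEARER not in methods:
        raise ValueError("unsupported subject or confirmation method")
    handle = (nid.get("NameQualifier"), nid.text)
    affiliations = set()
    for stmt in a.findall("saml:AttributeStatement", NS):
        s = stmt.find("saml:Subject/saml:NameIdentifier", NS)
        if s is None or (s.get("NameQualifier"), s.text) != handle:
            raise ValueError("attribute statement is not about the authenticated subject")
        for attr in stmt.findall("saml:Attribute", NS):
            if attr.get("AttributeName") == AFFILIATION:
                affiliations.update(v.text for v in attr.findall("saml:AttributeValue", NS))
    return {"issuer": issuer, "handle": nid.text,
            "authn_method": authn.get("AuthenticationMethod"), "affiliations": affiliations}


def rejection_reason(xml_text, trusted_issuers, sp_entity_id, now):
    """The reason an assertion would be rejected, or None if it is acceptable."""
    try:
        validate_assertion(xml_text, trusted_issuers, sp_entity_id, now)
        return None
    except ValueError as e:
        return str(e)


def authorize(info, required_affiliation):
    """The SP's local decision, made from the remote IdP's statements only."""
    return required_affiliation in info["affiliations"]


if __name__ == "__main__":
    info = validate_assertion(SAMPLE_ASSERTION, {"https://idp.example.edu/shibboleth"},
                              "https://sp.example.org/shibboleth", "2004-10-08T14:02:00Z")
    print(info, "staff access:", authorize(info, "staff"))
```

The service provider never sees a password and never learns who `_7f5e2b1c9d` is; it trusts the issuer because the issuer is in its federation's list, and it grants or denies access on the affiliation the issuer asserted. The audience and validity-window checks are what keep a bearer assertion captured for one site from being replayed at another or reused later.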

SAML, Shibboleth, and Liberty Alliance are important technologies within the identity management (IdM) problem space:

Most, if not all, federated IdM solutions are based on the Security Assertion Markup Language (SAML). For example, the current versions of Shibboleth and Liberty are based on SAML 1.1. Note that SAML is more than a markup language: it consists of protocols, bindings, and profiles in addition to the XML markup used for assertions.

Diverse IdM standards are converging upon SAML 2.0, recently released for public comment by OASIS. SAML 2.0 builds on previous work, especially Liberty. Future versions of Shibboleth and Liberty will no doubt be compatible with SAML 2.0.

An important related development within the federal government is the E-Authentication Initiative, which focuses on SAML 1.0:

Of particular interest is the E-Authentication Interoperability Lab, which certifies the compatibility of vendor systems.

It is apparent that the technology is converging (on SAML 2.0) and quickly becoming a commodity. The next important step is the development of federations, sometimes called circles of trust. There are a number of production-quality federations under development around the world, including:

Whether or not an enterprise should federate is a difficult question involving significant legal, administrative, and political issues.

Subsequent threads will explore the various versions of SAML, Shibboleth and Liberty, and summarize the issues surrounding cross-enterprise federation.