[Figure: How federated identity works. Identity provider (source domain), with a User and an Administrator, on one side; Service provider (destination domain) on the other. The numbered callouts correspond to the steps below.]
1. The user's browser or other application engages in an authentication dialog with the identity provider in the same domain, providing attribute values associated with their identity.
2. Some attributes associated with an identity, such as allowable roles, may be provided by an administrator in the same domain.
3. A service provider in a remote domain that the user wants to access obtains identity information, authentication information and associated attributes from the identity provider in the source domain.
4. The service provider opens a session with the remote user and enforces access control restrictions based on the user's identity and attributes.
form a federation based on agreed-upon standards and mutual levels of trust.
Federated identity management uses a number of standards as the building blocks for secure identity exchange. In essence, organizations issue some form of security tickets for their users that can be processed by cooperating partners. Identity federation standards are thus concerned with defining these tickets, in terms of content and format, providing protocols for exchanging them and performing a number of management tasks. These tasks include configuring systems to perform attribute transfers and identity mapping, and performing logging and auditing functions.
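The four steps in the figure and the management tasks just listed (attribute transfer, identity mapping, logging and auditing) can be seen together in a small model of one federation. The code below is an added example written for this page, not code from the article or from any SAML implementation: the identity provider issues a signed assertion naming the user, the authentication time and the administrator-assigned roles, and the service provider in the destination domain accepts it only after checking the issuer is a federation partner, the signature verifies, the assertion is addressed to it and has not expired. All entity identifiers, the shared secret, the role table and the HMAC signing are constructed assumptions; a real SAML federation exchanges X.509 signing certificates in metadata and signs XML assertions rather than a compact HMAC token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed federation agreement (hypothetical identifiers): the service
# provider trusts one identity provider, keyed by the secret they agreed on.
# HMAC stands in for the certificate-based XML signatures a real SAML
# federation would use, purely to keep the example self-contained.
SP_ENTITY_ID = "https://sp.example-destination.org"
TRUSTED_IDPS = {
    "https://idp.example-source.org": b"constructed-demo-shared-secret",
}

# Attribute transfer rule agreed by the partners: the remote role names an
# administrator assigns map to local permissions at the service provider.
ROLE_PERMISSIONS = {
    "purchasing": {"view_catalog", "place_order"},
    "auditor": {"view_catalog", "view_orders"},
}

AUDIT_LOG: list[str] = []   # logging/auditing: one line per decision


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, signing_key: bytes, subject: str,
                    roles: list[str], audience: str, now: int,
                    ttl: int = 300) -> str:
    """Identity provider (steps 1-2): after the user has authenticated, emit a
    signed assertion carrying identity, authentication time and the
    administrator-assigned attributes, addressed to one service provider."""
    claims = {
        "iss": issuer, "sub": subject, "aud": audience,
        "auth_time": now, "exp": now + ttl,
        "attrs": {"roles": roles},
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_assertion(token: str, now: int) -> dict:
    """Service provider (step 3): accept only assertions from a federation
    partner, addressed to this provider, correctly signed and not expired.
    Raises ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body, sig = parts
    claims = json.loads(_unb64(body))
    key = TRUSTED_IDPS.get(claims.get("iss"))   # trust is per partner
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if claims.get("aud") != SP_ENTITY_ID:
        raise ValueError("assertion addressed to a different service provider")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims


def open_session(token: str, now: int) -> Optional[dict]:
    """Service provider (step 4): map the remote identity to a local principal,
    derive permissions from the transferred attributes, audit the outcome.
    Returns the session, or None if the assertion was rejected."""
    try:
        claims = validate_assertion(token, now)
    except ValueError as err:
        AUDIT_LOG.append(f"{now} REJECT assertion: {err}")
        return None
    # Identity mapping: qualify the remote subject with its home domain so
    # "alice" from one partner can never collide with "alice" from another.
    local_id = f"{claims['sub']}@{claims['iss'].split('//', 1)[1]}"
    perms: set[str] = set()
    for role in claims["attrs"].get("roles", []):
        perms |= ROLE_PERMISSIONS.get(role, set())   # unknown roles grant nothing
    AUDIT_LOG.append(f"{now} SESSION {local_id} roles={claims['attrs'].get('roles')}")
    return {"user": local_id, "permissions": perms}


def authorize(session: dict, action: str) -> bool:
    """Access-control check within an open session, audited either way."""
    allowed = action in session["permissions"]
    AUDIT_LOG.append(f"{'ALLOW' if allowed else 'DENY'} {session['user']} {action}")
    return allowed


if __name__ == "__main__":
    now = 1_700_000_000
    idp = "https://idp.example-source.org"
    token = issue_assertion(idp, TRUSTED_IDPS[idp], "alice", ["purchasing"],
                            SP_ENTITY_ID, now)
    session = open_session(token, now + 10)
    print(session, authorize(session, "place_order"), authorize(session, "view_orders"))
    print("\n".join(AUDIT_LOG))
```

The order of checks in `validate_assertion` is the part worth copying: the issuer is looked up before anything in the assertion is believed, the signature is verified before the audience and lifetime are read, and every rejection is logged with its reason so the audit trail in the destination domain records which partner's assertions are failing and why.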
The principal standard for federated identity is the Security Assertion Markup Language (SAML), which defines the exchange of security information between online business partners.
SAML is part of a broader collection of standards being issued by the Organization for the Advancement of Structured Information Standards for federated identity management. For example, WS-Federation enables browser-based federation; it relies on a security token service to broker trust of identities, attributes and authentication between participating Web services.
The challenge with federated identity management is to integrate multiple technologies, standards and services to provide a secure, user-friendly utility. The key is the reliance on a few mature standards widely accepted by industry. Federated identity management seems to have reached this level of maturity.
Stallings is coauthor of the new book, Computer Security: Principles and Practice. Contact him at ws@shore.net.