Federated identity management is a relatively new concept dealing with the use of a common identity management scheme across multiple enterprises and numerous applications and supporting many thousands, even millions, of users.
Identity management is a centralized, automated approach to provide enterprisewide access to resources by employees and other authorized individuals. The focus of identity management is defining an identity for each user (human or process), associating attributes with the identity, and enforcing a means by which a user can verify identity. The central concept of an identity management system is the use of single sign-on (SSO).
SSO enables a user to access all network resources after a single authentication. Typical services provided by a federated identity management system include the following:
- Point of contact: Includes authentication that a user corresponds to the user name provided, and management of user/server sessions.
- SSO protocol services: Provides a vendor-neutral security token service for supporting a single sign-on to federated services.
- Key services: Management of keys and certificates.
- Identity services: Services that provide the interface to local data stores, including user registries and databases, for identity-related information management.
- Authorization: Granting access to specific services and/or resources based on the authentication.
- Provisioning: Includes creating an account in each target system for the user, enrollment or registration of the user in accounts, and establishment of access rights or credentials to ensure the privacy and integrity of account data.
- Management: Services related to runtime configuration and deployment.
The figure above illustrates the entities and data flows in a generic identity management architecture.
A principal is an identity holder. Typically, this is a human user that seeks access to resources and services on the network. User devices, agent processes, and server systems may also function as principals. Principals authenticate themselves to an identity provider.
The identity provider associates authentication information with a principal, as well as attributes and one or more identifiers. Increasingly, digital identities incorporate attributes other than simply an identifier and authentication information (such as passwords and biometric information).
An attribute service manages the creation and maintenance of such attributes. For example, a user needs to provide a shipping address each time an order is placed at a new Web merchant, and this information needs to be revised when the user moves.
Identity management enables the user to provide this information once, so that it is maintained in a single place and released to data consumers in accordance with authorization and privacy policies. Users may create some of the attributes to be associated with their digital identity, such as an address.
Administrators may also assign attributes to users, such as roles, access permissions, and employee information.
Data consumers are entities that obtain and employ data maintained and provided by identity and attribute providers, which are often used to support authorization decisions and to collect audit information. For example, a database server or file server is a data consumer that needs a client’s credentials so as to know what access to provide to that client.
Identity federation is, in essence, an extension of identity management to multiple security domains. The goal is to provide the sharing of digital identities so that a user can be authenticated a single time and then access applications and resources across multiple domains.
Federated identity management refers to the agreements, standards, and technologies that enable the portability of identities, identity attributes, and entitlements across multiple enterprises and numerous applications and supporting many thousands, even millions, of users. When multiple organizations implement interoperable federated identity schemes, an employee in one organization can use a single sign-on to access services across the federation with trust relationships associated with the identity.
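The single-sign-on flow just described, as an added illustration that is not part of the original text: a principal authenticates once to an identity provider, which then acts as a security token service and mints a separate, audience-bound assertion for each service provider in the federation. The trust relationship is modelled here as a per-service shared secret (the names, secrets and user record are constructed for the example); real federations use signed SAML assertions or JWTs with asymmetric keys, but the checks a relying party must make are the same: integrity first, then issuer, audience and expiry.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust relationships: every service provider in the federation
# shares a secret with the identity provider. Production federations use
# asymmetric signatures (SAML, JWT with RSA/ECDSA); a per-audience HMAC keeps
# this example self-contained.
TRUSTED_SERVICE_KEYS = {
    "payroll.home.example.com": b"constructed-secret-payroll",
    "wiki.partner.example.net": b"constructed-secret-wiki",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user_db(users):
    """Constructed user registry: username -> (salt, PBKDF2 digest)."""
    db = {}
    for username, password in users.items():
        salt = secrets.token_bytes(16)
        db[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return db


class IdentityProvider:
    """Authenticates a principal once and issues one assertion per audience."""

    def __init__(self, issuer, user_db):
        self.issuer = issuer
        self.user_db = user_db
        self.sessions = {}  # session id -> username (the SSO session)

    def authenticate(self, username, password):
        record = self.user_db.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = username
        return session_id

    def issue_assertion(self, session_id, audience, now=None, ttl=300):
        """Security token service: bind the session's subject to one audience."""
        username = self.sessions.get(session_id)
        key = TRUSTED_SERVICE_KEYS.get(audience)
        if username is None or key is None:
            return None
        issued = int(time.time() if now is None else now)
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": issued, "exp": issued + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """A relying party in some security domain that trusts one issuer."""

    def __init__(self, name, trusted_issuer):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.key = TRUSTED_SERVICE_KEYS[name]

    def verify(self, assertion, now=None):
        """Return the authenticated subject, or None if the assertion is not acceptable."""
        if assertion is None or assertion.count(".") != 1:
            return None
        body, sig = assertion.split(".")
        try:
            # Check integrity before trusting anything inside the token.
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None
        now = time.time() if now is None else now
        if claims.get("iss") != self.trusted_issuer or claims.get("aud") != self.name:
            return None  # wrong issuer, or a token minted for another service
        if now >= claims.get("exp", 0):
            return None  # expired
        return claims.get("sub")


if __name__ == "__main__":
    idp = IdentityProvider("idp.home.example.com", make_user_db({"jdoe": "constructed-password"}))
    sid = idp.authenticate("jdoe", "constructed-password")  # one authentication...
    for service in ("payroll.home.example.com", "wiki.partner.example.net"):
        sp = ServiceProvider(service, "idp.home.example.com")
        print(service, "->", sp.verify(idp.issue_assertion(sid, service)))  # ...many services
```

The audience check is what stops an assertion issued for one service from being replayed at another, and the expiry check bounds how long a captured assertion remains useful; a relying party that skips either check has effectively widened the trust relationship beyond what the federation agreed.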
Federated identity management provides other capabilities. One is a standardized means of representing attributes. Increasingly, digital identities incorporate attributes other than simply an identifier and authentication information (such as passwords and biometric information).
Another key function of federated identity management is identity mapping. Different security domains may represent identities and attributes differently. Further, the amount of information associated with an individual in one domain may be more than is necessary in another domain. The federated identity management protocols map identities and attributes of a user in one domain to the requirements of another domain.
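The attribute service and identity mapping described in the two passages above (attributes maintained once and released per the authorization and privacy policy; identities and attributes translated, and reduced, to what another domain requires), as an added example that is not from the original text. The home-domain record, the consumers, the release policy and the partner schemas are all constructed; in a real federation the mapping is carried by the federation protocol (for instance SAML attribute statements), whereas here it runs in-process to show the logic.

```python
import copy

# Constructed: the full identity record held by the home domain's attribute service.
HOME_DOMAIN_RECORD = {
    "uid": "jdoe",
    "employeeNumber": "E-10442",
    "displayName": "Jane Doe",
    "mail": "JDoe@home.example.com",
    "postalAddress": "1 Main St, Springfield",
    "roles": ["engineer", "oncall"],
    "dateOfBirth": "1985-04-12",
}

# Release policy: which attributes each data consumer is authorized to receive.
# A consumer with no entry receives nothing.
RELEASE_POLICY = {
    "shop.merchant.example": {"displayName", "mail", "postalAddress"},
    "wiki.partner.example.net": {"uid", "mail", "roles"},
}

# Identity mapping: home-domain attribute name -> (target name, value transform).
# Each partner domain represents identities and attributes in its own way.
DOMAIN_SCHEMA_MAPS = {
    "wiki.partner.example.net": {
        "uid": ("username", lambda v: f"home:{v}"),           # scoped identifier
        "mail": ("email", str.lower),
        "roles": ("groups", lambda v: [f"home-{r}" for r in v]),
    },
    "shop.merchant.example": {
        "displayName": ("name", str),
        "mail": ("email", str.lower),
        "postalAddress": ("shipping_address", str),
    },
}


def release_attributes(record, consumer, policy=RELEASE_POLICY):
    """Attribute service: hand out only what the policy allows for this consumer."""
    allowed = policy.get(consumer)
    if allowed is None:
        return None  # no agreement with this consumer: release nothing
    return {name: value for name, value in record.items() if name in allowed}


def map_identity(released, consumer, schema_maps=DOMAIN_SCHEMA_MAPS):
    """Translate released attributes into the consumer domain's schema.

    Anything the target schema does not define is dropped, so the consumer
    never receives more than it needs.
    """
    schema = schema_maps.get(consumer, {})
    mapped = {}
    for name, value in released.items():
        if name in schema:
            target_name, transform = schema[name]
            mapped[target_name] = transform(value)
    return mapped


def federate(record, consumer):
    """Full path: policy-controlled release followed by cross-domain mapping."""
    released = release_attributes(record, consumer)
    if released is None:
        return None
    return map_identity(released, consumer)


def update_attribute(record, name, value):
    """The user (or an administrator) changes an attribute in one place."""
    updated = copy.deepcopy(record)
    updated[name] = value
    return updated


if __name__ == "__main__":
    for consumer in ("shop.merchant.example", "wiki.partner.example.net", "unknown.example"):
        print(consumer, "->", federate(HOME_DOMAIN_RECORD, consumer))
    moved = update_attribute(HOME_DOMAIN_RECORD, "postalAddress", "9 Elm Rd, Shelbyville")
    print("after move ->", federate(moved, "shop.merchant.example"))
```

Two things are worth noticing. The release policy and the schema map are separate decisions: the first is an authorization and privacy question (may this consumer see the attribute at all), the second is a representation question (what does the consumer call it and in what form). And the mapping is a reduction by construction: an attribute such as `dateOfBirth` that no policy releases and no schema names never leaves the home domain.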