
PowerPoint Slideshow about 'Federated Identity Management' - paul


Federated Identity Management

Business and Technical Overview

Identity Crisis

Joe’s Fish Market.Com

Tropical, Fresh Water, Shell Fish, Lobster, Frogs, Whales, Seals, Clams

Too many passwords, too few uses…

More Identity Crisis…
  • Recent Headlines:
    • “Huge credit card data theft found – MasterCard: 40 million accounts at risk” -- San Jose Mercury News Jun 18, 2005

    • “Info on 3.9M Citigroup customers lost” -- CNN June 6, 2005
  • “Identity Theft is an epidemic” – Equifax CEO
  • Multiplicity of sensitive data a key cause of identity theft
  • “Identity Federation is a killer app for Authentication” – Forrester
  • “Federation is a key component of an Identity Management architecture” - Burton Group
Growing Complexity of User Identity

[Figure: chart. Axis: # of Digital IDs. Surviving labels: Pre 1980’s; Client Server]

The Identity Management Paradox
  • Many enterprises have deployed centralized identity management throughout their enterprises
    • Though users still have multiple passwords and user IDs!
  • If I’m an employee, I have many more external passwords than internal
  • If I’m a partner / customer employee or a consumer, I have many IDs and passwords at many sites
  • Net Result – Single sign-on is not achieved in any circumstance!
  • Fidelity Study* shows enterprise users have on average 20 accounts!
    • 5 internal and 15 external
    • Even after enterprises have deployed Identity Management!

*Presented in the Digital ID World Conference 2003

Identity Management Components
  • Web Access Management
  • Identity Management / Provisioning
  • Virtual Directories
  • Federated Identity Management
Web Access Management
  • Web Access Management
    • Centralized policy server with agents protecting web-sites
    • Agents authenticate users against central policy server
    • Agents share session tokens for single sign-on

Source: Computer Associates

Identity Management / Provisioning
  • Ensuring application stores have user information before users log on
  • Enable “reduced sign-on” (RSO)
  • Extend to mainframe and client-server applications
Virtual Directories
  • Aggregate view of information based on disparate stores
    • Typically an LDAP view
    • Connectors / adapters to all data sources / sinks
  • Can be used to enable provisioning
  • Provide password synchronization
Federated Identity Management
  • The evolution of identity and access management (IAM)
    • Agreements, standards and technologies that make identity and entitlements portable across autonomous domains.
  • Seamless access to independent web-resources without a centralized repository

  • Standards based
    • Liberty Alliance
    • SAML
    • WS-Federation / Trust

Source: Aberdeen Group

Why Federated Identity Standards
  • Federation is all about communication between independent enterprises / organizations
  • Proprietary approaches have failed in the past
    • Microsoft Passport
    • Proprietary WAM solutions
  • Interoperability is of paramount importance
    • Technical Interoperability
    • Business and Process Interoperability
  • Open reviews and non-discriminatory IP policy drive security
Standards in Federated Identity

“I love standards – there are so many to choose from!”

    • Oldest, most prevalent standard
    • Foundational mechanisms in SAML 1.1 and 1.0 (Liberty based on SAML 1.1)
    • SAML 2.0 has more features (e.g. global logout)
  • Liberty Alliance a body of over 150 companies
    • Many technology users on management board
  • Microsoft and IBM: behind WS-Federation
    • Microsoft incorporating into Windows 2003 server R2 patch release
Key Concepts and Terminology - Universal to the “Standards”
  • Identity
  • Circle of Trust / Trusted Sites
    • Principal Identity
    • Identity Provider (IdP)
    • Service Provider (SP)
    • Liberty Enabled Clients or Proxies (LECP)
  • Federation and De-federation – initial linkage or final disconnect
  • Single Sign-On and Authentication
  • Single Logout / Global Logout
  • Network Identity / Federated Identity – Federated Network
  • Pseudonyms & Anonymity (Opaque Identifiers)
  • Authentication Assertions
Federated Identity Management – Value Proposition
  • Each domain manages attributes and credentials for their own user community.
    • Deployments focus on reduced administrative costs and improved user convenience, but there is more value to be gained.
  • Administrative authorities can react faster to status changes of their own employees.
    • Instead of relying on delegated administration or synchronization.
  • User Attributes are shared on a limited basis or for specific purposes
    • Improving implied and effective privacy.
  • Federation supports and simplifies compliance initiatives.
  • Federation separates Session Management from the User Management and Provisioning infrastructure.
Federated Identity Management – Typical Scenario
  • A large organization must provide access to internal applications for thousands of partners (each having thousands of potential users).
  • External users are co-mingled with employees in a corporate directory.
  • A combination of delegated administration and synchronization is used to manage these entries.
    • Often this is coupled with other processes to maintain the directory.
  • Identity Federation provides relief for this situation.
Simplified Sign-On

[Figure: sign-on diagram. Labels: “Fly Right, Airline Group”; Identity Provider; Shared Authentication Domain; Access federated services; Service Provider; “Welcome John12. You’re signed on.”]

No longer need to provide username and password for each service. Once a user has authenticated she can use the other services directly and securely.

Source: Liberty Alliance

Simplified Sign-On (Contd.)

[Figure: account diagram. Labels: IDP account; SP① account; SP② account; SP③ account]


Even with different usernames and passwords at each service provider the initial authentication provides secure and simplified access to federated services.

Source: Liberty Alliance

Federated Identity Management – Enhancing Privacy

Who are you?

  • Federation reduces (if not eliminates) the capture and storage of identity data across domains.
    • Fewer organizations hold user information
    • Easily accommodate regional, cultural or legal differences in privacy regulations
  • Make users anonymous where appropriate.
    • A partner may only need to know the originating domain (and assume that domain’s user authentication), not specific information about the specific user.
  • Implement pseudonyms for audit tracking.
    • Home domain holds mapping for user to pseudonym.
  • Permission based attribute sharing.
    • Puts user in control of attributes being shared
    • Application can prompt user to release information
      • A user can control what information is released and when
  • Effectively ties into “Emerging User Centric Business Model”.
  • Simplify infrastructure for global enterprises
    • Privacy concerns delaying or stopping deployments due to regional issues
    • Federation provides a viable alternative
      • Reduced need to consolidate all attributes in a single location
      • Provides opt-in model
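
The pseudonym and permission-based attribute sharing points above, together with the earlier slide on separate accounts at each service provider, as an added sketch that is not part of the original slides: the identity provider derives a different opaque identifier for each service provider, keeps the pseudonym-to-user mapping in the home domain for audit, and releases only attributes the user has granted. The class name, SP identifiers, key and sample user are constructed for illustration, and the returned dictionary stands in for a signed assertion.

```python
import hashlib
import hmac

class IdentityProvider:
    """Home-domain IdP sketch (hypothetical; not a SAML or Liberty implementation)."""

    def __init__(self, secret: bytes):
        self._secret = secret   # never leaves the home domain
        self._users = {}        # user_id -> attributes
        self._consent = {}      # (user_id, sp_id) -> attribute names the user released
        self._audit = {}        # (sp_id, pseudonym) -> user_id, kept only at the IdP

    def register(self, user_id, attributes):
        self._users[user_id] = dict(attributes)

    def grant(self, user_id, sp_id, names):
        self._consent[(user_id, sp_id)] = set(names)

    def pseudonym(self, user_id, sp_id):
        # Keyed hash over (SP, user): stable per SP, unlinkable across SPs
        # without the secret. Length-prefix the SP id to avoid ambiguous joins.
        msg = len(sp_id).to_bytes(2, "big") + sp_id.encode() + user_id.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def assertion_for(self, user_id, sp_id):
        if user_id not in self._users:
            raise KeyError("unknown user")
        pid = self.pseudonym(user_id, sp_id)
        self._audit[(sp_id, pid)] = user_id
        allowed = self._consent.get((user_id, sp_id), set())  # opt-in: default is nothing
        attrs = {k: v for k, v in self._users[user_id].items() if k in allowed}
        return {"issuer": "idp.example", "audience": sp_id,
                "subject": pid, "attributes": attrs}

    def resolve_for_audit(self, sp_id, pseudonym):
        # Only the home domain can map a pseudonym back to a user.
        return self._audit.get((sp_id, pseudonym))


# Constructed sample data
idp = IdentityProvider(secret=b"constructed-demo-key")
idp.register("john12", {"email": "john@example.org", "region": "EMEA", "tier": "gold"})
idp.grant("john12", "sp-airline.example", {"tier"})
airline = idp.assertion_for("john12", "sp-airline.example")
hotel = idp.assertion_for("john12", "sp-hotel.example")
```

Two service providers comparing their `subject` values cannot tell that both assertions describe the same person, while the home domain can still resolve either pseudonym during an audit.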
Federated Identity Management – Improves Security

Reduce Burden on Security Administrators

  • Enable them to focus on internal users
    • Let partners / customers manage their own users
  • Reduce or eliminate the need to mix external identities in internal user repositories
    • Best practices say that you should separate internal users from other user communities.
    • This reduces your exposure to vulnerability and outside attack.
Federated Identity Management – Improves Security

Federation Provides more Access Control Options

  • Access control checking at originating site, destination site, or both
  • Ability to map external users to internal groups, roles or local system records
  • Eliminate the need to provision credentials and access control to partner systems.
  • Consistently enforce policy throughout a transaction chain.
  • More granular access control than most VPN connection options.
Federated Identity Management – Improves Security

Fewer Passwords for Users to Remember

  • Passwords are weak authenticators
  • Users can rely on fewer, yet stronger authentication credentials
  • Enterprises have more flexibility to implement stronger authentication where appropriate.
  • Enterprises can convey that stronger authentication in a federated network.
Federated Identity Management – Demonstrates Compliance

Holding Authoritative Parties Accountable

  • Federation places user registration and credential management with the most responsible party.
  • Federation reduces duplicate administrative steps which could introduce errors or inconsistencies.
  • Policies and procedures for user management can be included in the “Federation Agreement” to be clear about responsibility and liability

Makes it Easier to Audit the Environment

  • Streamline the audit process to clearly separate internal employees from external parties and easily demonstrate the environment is properly partitioned.
  • Reduces the amount of data that is collected and stored thus relieving administrative burdens as well as custodial responsibility (liability)
  • Reduces compliance interdependencies between partners.
Federated Identity Management – Simplifies IdM Infrastructure

Separates User Deployment from User Management

  • Expands effective user session management quickly to all resources (internal and external).
  • Allows for quick adoption of various standards depending on choices of all participants, without major management systems upgrades.
  • Provides simplified method to expose or integrate web resources (web services, applications, partners, customers) to user communities.
  • Delivers total platform integration flexibility (Open systems, Windows, Mainframe).
Web Services Security – Impact of Federated Identity Management
  • Web-services typically extend key enterprise resources
    • Not having to trust apps simplifies development and adds flexibility
    • Web-services may also be exposed to partners
  • Usual security concerns
    • Authentication, privacy, integrity, non-repudiation
  • But at at least two levels:
    • Between a web-service and an app using it
    • Between the web-service and the end-user using the app
  • Lack direct user-sessions
    • Proprietary technology works within one identity domain
    • Standards solve the problem effectively
Identity Based Web Services
  • Effectively provides security between the web-service, consuming applications and the end-user
  • Security Mechanisms
    • Service discovery
    • Service invocation
    • Interaction with users
  • Standard service interfaces
    • Common services (e.g. user profile information)
Web Services Architecture

[Figure: Typical Web Service Architecture. Labels: HR Web Service; Sales Web Service; Purchasing web service; Web Service Applications; Authenticated Session; Partner Enterprise. Questions shown: “Who is the user?”, “Which region is the user in?”, “What is the user’s purchasing privilege?”]

Benefits of Federated Identity Management
  • Delivers on the promise of single sign-on and application access control
    • Can provide seamless, relevant access to all websites, applications, web services
  • Dramatic reduction in help desk (user administration) costs
    • Enterprises no longer required to manage their partners’ or customers’ users
    • Password resets, authentication enforcement.
  • Better Security
    • No stale accounts or sessions
    • Is the user still there?
    • Ensures Privacy
  • Places liability for user actions at authenticating party
    • Enables more valuable extranet transactions
    • Complements and enhances compliance requirements
  • Creates monetization (Revenue Growth) opportunities.
    • Seamless access to independent partner websites
    • Seamless access from customer domains
    • Ensures user visibility and loyalty