SCDJWS Study Guide: Web Service in General
Federation Management
Consider the many times an individual accesses services on the Internet
in a single day. One person might have a multitude of accounts set up
to access various business, community and personal service providers;
for example, the person might have used different names, user IDs,
passwords or preferences to set up accounts for a news portal, a bank,
a retailer, and an email provider. Each time he accesses a service on
the Internet, he must log in and identify himself to the service
provider.
Federation allows security-related information, meaning authentication, authorization, and auditing data, to be exchanged between different entities. Although federation is generally used in the context of an inter-enterprise security mechanism, it can also be used within an enterprise to provide tighter integration between several loosely coupled ecosystems. A federation agreement always deals with two entities:
- An asserting party that generates security assertions, and
- A relying party that trusts the security assertion made by the asserting party
What Is Identity?
In today's information systems, not only people have identities on our networks; organizations, computers, devices, and systems or applications have identities too. Identity is a set of attributes that describes a profile of an individual, business organization, or software entity. Identity verification is a dialog of presentation and interpretation. The designers of Kerberos understood this concept when they created a mechanism for authenticating not just users, but also machines. Every computer system, every application system and, by extension, every user within an enterprise has a unique identity and falls into some logical grouping.
A local identity refers to the set of attributes or information that identify a user to a particular service provider. These attributes uniquely identify the individual with that provider. To identify a person uniquely, the attributes can include a name, phone number, passwords, social security number, address, credit records, or other identifier. For example, the individual in our scenario is known to his company's network as an employee number, but he is known to his travel agent as Joe Smith. He is known to his online news service by an account number, and he is known to his favorite clothing store by a different account number. He uses one email name and address for his personal email, and a different email name and address for his workplace. Each of these different user names represents a different local identity.
Because the Internet is fast becoming the prime
vehicle for business, community and personal interactions, it has
become necessary to fashion a system for online users to link their
local identities, enabling them to have one network
identity. This system is identity federation.
What Is Identity Federation?
Identity federation allows a user to associate, connect or bind the local identities configured with multiple service providers. A federated identity allows users to log in at one service provider's site and move to an affiliated service provider's site without having to re-authenticate or re-establish their identity.
It combines data on a single user from multiple sources, for purposes such as authorization. Since different organizations probably want to use different products to manage the identity data they have, standards are needed to move that data around the network—from where it is being held to where it will be used. The Liberty Alliance Project addresses these challenges.
Identity Management Architecture
An identity management system mediates between identities and resources: it controls identity resource access and facilitates identity resource access management. There are two possible identity management architectures, one based on a centralized model and the other on a federated model.
- In the centralized model, a single operator performs authentication and authorization by owning and controlling all the identity information.
Advantages of the Centralized Model:
- Because a single operator owns and controls everything, constructing and managing the identity network could be easier than with the federated model.
Disadvantages of the Centralized Model:
- The dangerous potential for the single operator to become a tollgate for all transactions over the Internet. For example, the operator might charge a fee for every transaction you make. You might have to pay a few cents or dollars whenever you perform a transaction on eBay.
- A single operator could represent a single point of security failure or hacker attack.
- A single operator can take away an organization's most important business asset, its customer identity and profile information. That is a serious threat to businesses such as banks and brokerage houses whose success depends on their customer information.
- In the federated model, both authentication and authorization tasks are distributed among federated communities.
The federated model, driven by the Liberty Alliance Project, is designed to correct the centralized model's problems. The goal of the Liberty Alliance Project is to create an open standard for identity, authentication, and authorization, which will lower e-commerce costs and accelerate organizations' commercial opportunities, while at the same time increasing customer satisfaction. In a Liberty architecture, organizations can maintain their own customer/employee data while sharing identity data with partners based on their business objectives and customer preferences.
In the federated identity management architecture scheme, three roles
could exist:
- Consumer
A consumer can have multiple identity profiles, and can ask different identity providers to maintain these profiles. For example, you might want your HMO to manage your healthcare profile and your brokerage house to maintain your brokerage profile. In fact, as a consumer, you can pick and choose which identity provider maintains your profile based on price, credibility, service, and so on. In this model, consumers have the final say in terms of who can access what information. A consumer can be a person, a business, or a software entity.
- Identity Provider
Identity providers are service providers that specialize in providing authentication services. As the administrating service for authentication, they also maintain and manage identity information. Authentication accomplished by an Identity Provider is honored by all service providers with whom it is affiliated. Identity providers maintain user profile information and can interoperate among themselves as long as they have permission to do so from the profile's owner, the consumer.
- Service Provider
Service providers are commercial or not-for-profit organizations that offer web-based services. This broad category can include internet portals, retailers, transportation providers, financial institutions, entertainment companies, libraries, universities, and governmental agencies. Service providers can customize their services to each consumer by retrieving relevant identity profiles from the identity providers.
In the phase with no federation (separate login for each site), a consumer must log in separately to each site. This phase will then evolve into an environment where multiple identity networks exist. Within a single identity network, single sign-on can be achieved. However, no network-to-network identity propagation is available at this stage. Eventually, these individually constructed and operating identity networks will work together by exchanging their consumers' identity information, thus providing a truly seamless, global-scale identity network, the Liberty Alliance Project's ultimate goal.
The ATM network serves as an analogy for the federated network. Initially, individual banks issued their own ATM cards, and different banks did not interoperate. At this stage, you could not use your ATM card in an ATM machine owned and operated by another bank. These days, you can use your credit card or ATM card in any ATM machine, as long as the bank that owns the machine and your bank are members of the same affiliation network. In the not too distant future, it is not a stretch to think about a single global network to which all banks directly or indirectly belong. The identity network should evolve similarly. One possible challenge of the federated identity network model is that, because there are many parties involved, the standard has to be defined in an unambiguous manner. The Liberty Alliance Project addresses that challenge.
A federated identity refers to the amalgamation of the account information in all service providers accessed by one user (personal data, authentication information, buying habits and history, shopping preferences, etc.). The information is administered by the user, and with the user's consent the privilege to access it is securely shared with the providers of the user's choice. Federated identity allows users to link identity information between accounts without centrally storing personal information. Also, the user can control when and how their accounts and attributes are linked and shared between domains and service providers, allowing for greater control over their personal data. In practice, this means that users can be authenticated by one company or website and be recognized and delivered personalized content and services in other locations without having to re-authenticate or sign on with a separate username and password.
The Liberty Alliance Project
The goal of the Liberty Alliance Project is to enable individuals and
organizations to easily conduct network transactions while protecting
the individual’s identity. To accomplish this, the Alliance has
established specifications for identity federation that enables:
- Opt-in account linking where users can choose to federate different service provider accounts.
- Single sign-on where a user can log in, authenticate to one service provider and gain access to other service providers with which they have federated without having to log in again.
- Authentication context where service providers with federated accounts communicate the type and level of authentication that should be used when the user logs in.
- Global log-out where a user logs out of an identity or service provider site and is automatically logged out of all sites that maintain a live session.
- Account linking termination where users can choose to stop their account federation.
These capabilities can be achieved when commercial or non-commercial organizations join together into a circle of trust based on Liberty-enabled technology and operational agreements. This circle of trust includes service providers (who offer web-based services to users), identity providers (service providers that also maintain and manage identity information), and the users themselves. Once a circle of trust is established between providers, users can choose to federate any or all identities they might have with the service providers that have joined this circle, enabling them to make use of the federated authentication capabilities.
In summary, the goals of the Liberty Alliance Project are:
- To allow individual consumers and businesses to maintain personal information securely.
- To provide a universal open standard for single sign-on with decentralized authentication and open authorization from multiple providers.
- To provide an open standard for network identity spanning all network devices.
Circle of Trust
The goal of the Liberty Alliance Project is to enable individuals and
organizations to easily conduct network transactions while protecting
the individual's identity. This goal can be achieved only when
commercial and non-commercial organizations join together into a circle
of trust.
A Circle of Trust is enabled through federated identity and is defined by the Alliance as "a group of service providers that share linked identities and have pertinent business agreements in place regarding how to do business and interact with identities. Once a user has been authenticated by a Circle of Trust identity provider, that individual can be easily recognized and take part in targeted services from other service providers within that Circle of Trust. It should be noted that this concept of trust-based relationships between organizations and their individual or joint customers has existed in the offline business world for years; two common examples would include travel alliances and affiliate business partnerships."
A circle of trust is a federation of service providers linked together
by business relationships. The providers within the circle of trust
have operational agreements and sufficient infrastructure in place such
that customers can transact business with any or all of these service
providers within a secure and apparently seamless environment.
A trusted provider is a generic term for one of a group of service and identity providers in a Circle of Trust. Users can transact and communicate with trusted providers in a secure environment.
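The asserting-party/relying-party exchange, opt-in account linking and circle-of-trust checks described above, as an added Python example that is not code from this page or from the Liberty Alliance specifications. Issuer names, keys and the HMAC signature are constructed stand-ins for the certificate-based XML signatures a real deployment would use.

```python
import hashlib, hmac, json, secrets, time

# Constructed circle of trust: relying parties accept assertions only from these
# issuers. Shared HMAC keys stand in for the signing keys a real deployment
# exchanges out of band; every name and key here is hypothetical.
CIRCLE_OF_TRUST = {"idp.example": b"constructed-shared-key-for-idp"}

class IdentityProvider:
    """Asserting party: authenticates users and issues signed assertions."""
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.federations = {}  # (local user, service provider) -> opaque handle

    def federate(self, user, sp):
        # Opt-in account linking: the SP receives an opaque per-SP handle, not the
        # local user ID, so it learns nothing about the user's other accounts.
        return self.federations.setdefault((user, sp), secrets.token_hex(8))

    def issue_assertion(self, user, sp, ttl=300):
        if (user, sp) not in self.federations:
            raise PermissionError("user has not federated with this provider")
        body = {"issuer": self.name, "subject": self.federations[(user, sp)],
                "audience": sp, "exp": int(time.time()) + ttl,
                "authn_context": "password"}  # how the user was authenticated
        raw = json.dumps(body, sort_keys=True).encode()
        return {"body": raw, "sig": hmac.new(self.key, raw, hashlib.sha256).hexdigest()}

class ServiceProvider:
    """Relying party: trusts circle members' assertions instead of re-authenticating."""
    def __init__(self, name, trusted):
        self.name, self.trusted = name, trusted
        self.linked = {}  # opaque handle -> local account at this provider

    def link(self, handle, local_account):
        self.linked[handle] = local_account

    def accept(self, assertion, now=None):
        # Returns the local account for a valid assertion, or None if rejected.
        body = json.loads(assertion["body"])
        key = self.trusted.get(body["issuer"])
        if key is None:
            return None  # issuer is not a member of the circle of trust
        expected = hmac.new(key, assertion["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # body altered, or signed with a key we do not trust
        now = time.time() if now is None else now
        if body["audience"] != self.name or body["exp"] < now:
            return None  # addressed to another provider, or expired
        return self.linked.get(body["subject"])  # single sign-on: handle -> local ID
```

An assertion presented to a provider it was not addressed to, one from an issuer outside the circle, or one whose body was altered after signing is rejected without the user ever being asked to re-authenticate at the relying party.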