Title: What Exactly is Identity Federation
These days, most websites and mobile apps don't know how to authenticate you. Instead, they call the APIs of services offered by popular Identity Providers, or IDPs, like Google and Facebook.

This enables a person's user information to be utilized at many different websites on the Internet, and information about a person can be shared with websites and apps on an as-needed basis. Of course, web site developers don't want to learn a different authentication API for each IDP. And many organizations don't trust a third party to authenticate their people. So the Internet has moved to standards. The most widely used standard for Web authentication is SAML. Perhaps the most promising standard for authentication is OpenID Connect, which is a profile of OAuth2.

The explosion of Two-Factor Authentication technology

One of the most important new technologies that is driving infrastructure changes is the explosion of strong factor authentication technology. There is a triangle of authentication consisting of price, usability and security. Not all triangles are equal. New technologies are arising that are more convenient, more secure and less expensive than passwords.
Once a company makes an investment in strong authentication, it wants to use that authentication technology across the maximum number of apps. For this reason, it makes sense to support open standards, so all applications can benefit from the availability of these new organizational authentication capabilities.

The Problem of Client Management

It's not only people that need to be authenticated and authorized. There is a proliferation of agents that act on behalf of the person, or are independent entities. How are these authenticated and authorized by the organization?

Seismic Shift: LDAP or WAM?

I think the seismic shift is from WAM (web access management) > Federation, not from LDAP > Federation. LDAP is still entrenched as a robust persistence infrastructure for user claims and password credentials. The problem with WAM products (e.g. Siteminder, OAM, TAM) is that the cost has been high, customers are locked in (why else did CA buy Netegrity?), and integrations have been slow. Companies realize that whether they are integrating authentication with internal apps, external apps, or off-the-shelf products, open federation standards enable consolidation, which saves money and improves security.
In the large companies I've worked with, the security department did not have control over the applications, so even though they were internal, a top-down approach was inefficient. It's better to publish your standards and let the internal app developers help themselves than to push a WAM architecture on them. In this sense, the fact that there are external apps just provides further evidence of a trend that had already clearly emerged.

IAM, not IDM

Oftentimes, clients and consultants put too much emphasis on IDM, and not enough emphasis on organizational trust management. It's not just that I need to provision my users for external websites; I need to understand with which websites I have shared which attributes. Also, organizations need to trust users who authenticated outside the organization. Most large organizations participate in an ecosystem of autonomous parties, and publish websites that are used by many outside the organization. This is the old problem of extranet user management. Trust management, IMHO, is one of the biggest challenges.

Where does XACML fit?

If you talk to organizations, you'll find that there is no clear trend for XACML's adoption. Proprietary and custom solutions are the rule in authorization right now, with most authorization actually taking place in the app.
To what extent centralized authorization will be achieved is totally uncertain, and I would argue that this is the "adjacent possible", as described in Steven Johnson's book Where Good Ideas Come From: you can't have authorization before we have clear standards for authentication. In terms of adoption of technology, I'm bullish about UMA, and in fact I think UMA and XACML are complementary: app developers want JSON/REST, and it would be more suitable for the PDP to form a XACML request to a XACML PDP than for the app developer to learn XACML. In any case, I'm a fan of XACML as a standard for expressing authorization rules, but I do think that the technology is better suited for server side developers.
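To make the JSON/REST-in-front-of-XACML idea concrete, here is an added Python example (not code from the original post or from Gluu): a REST-style `authorize()` function takes a JSON body, builds a XACML 3.0 `<Request>` using the standard subject/resource/action category and attribute identifiers, and hands it to a constructed stand-in PDP whose single Permit rule falls through to Deny for everything else, including malformed input. The policy, the `alice`/`payroll-report` values and the toy PDP are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

# XACML 3.0 namespace and the standard category / attribute identifiers from the spec.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}

def json_to_xacml_request(body: str) -> bytes:
    """Translate {"subject", "resource", "action"} JSON into a XACML 3.0 <Request>.
    A missing key raises KeyError so an incomplete call never becomes an empty request."""
    req = json.loads(body)
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for key, (category, attr_id) in CATEGORIES.items():
        attrs = ET.SubElement(root, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        value = ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": STRING})
        value.text = str(req[key])
    return ET.tostring(root)

# Constructed stand-in for a real PDP: one Permit rule, everything else is Deny.
POLICY = {("alice", "payroll-report", "read"): "Permit"}

def toy_pdp(xacml_request: bytes) -> str:
    """Read the three attributes back out of the <Request> and look up the rule."""
    root = ET.fromstring(xacml_request)
    found = {}
    for attrs in root.findall(f"{{{XACML_NS}}}Attributes"):
        for key, (category, _) in CATEGORIES.items():
            if attrs.get("Category") == category:
                found[key] = attrs.find(f".//{{{XACML_NS}}}AttributeValue").text
    triple = (found.get("subject"), found.get("resource"), found.get("action"))
    return POLICY.get(triple, "Deny")

def authorize(json_body: str) -> str:
    """The REST-facing endpoint app developers call: JSON in, decision out."""
    try:
        return toy_pdp(json_to_xacml_request(json_body))
    except (KeyError, TypeError, ValueError):
        return "Deny"  # malformed or incomplete input fails closed, never Permit
```

The app developer only ever sees the three-field JSON contract; the XACML vocabulary stays on the server side, which is the division of labour the section above argues for.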
Who will Outsource IDaaS?

I disagree with the common assumption that the majority of IDaaS will be outsourced. Perhaps for the SMB market, this might be true. But many large organizations maintain core TCP/IP services, and AAA has traditionally been managed within the organizational perimeter. In fact, many organizations simply cannot outsource this function for security reasons. With standards, we will drive down the costs of the software and the resources, and AAA will be simply another Linux or Windows service that can be configured.

Article resource: http://gluu.jimdo.com/gluu-blog/what-exactly-is-identity-federation/