At a recent Middleware get-together, the concept of Identity Federation came up and I realized that most of us either don't understand it completely or misunderstand it :). So here I will try to give a brief overview of what exactly Identity Federation is all about, and I hope it will help at least with a basic understanding.
Identity Federation, in layman's terms, is the act of exchanging identity information between two separate entities. It is primarily used to authenticate users and to share identity attributes across domains.
For example, Company A uses Oracle Fusion Apps on Oracle Public Cloud. With Federation in place, the users of Company A can log in to Fusion Apps without needing a password on Oracle Public Cloud; they authenticate with Company A's own identity provider instead.
As we can infer from the above example, Federation is an evolution of the SSO paradigm. It is the solution for the requirement of accessing resources and services that reside outside company boundaries.
A bit more high-level information on Federation:
- Federation is a feature of Access Management. It is a complete, flexible, robust and secure solution.
- Identity Federation is based on the principle of Trust. Trust always has a direction (from Sender to Receiver), and the Receiver relies on that trust to accept the identity information it is sent as authentic.
- Identity Federation is especially beneficial for Organizations that grow through acquisitions. It helps them reduce the cost of integrating different user directories, data stores, authentication providers and applications.
- It helps such Organizations enable cross-domain SSO, improves user satisfaction and enhances customer relations.
- Common Terminology Used:
  - Identity Provider – The organization that authenticates the user and generates the SAML assertion. It optionally shares the attributes requested by the Service Provider.
  - Service Provider – The organization that accepts SAML assertions to identify the user (as opposed to a username and password). It is also referred to as a relying party in discussions around social login (OpenID and OAuth).
  - Federated Identity – The identity information for a user that is managed simultaneously by the organizations involved in the Federation.
  - Federated Business Environment – An environment in which the services offered by an organization are accessible to customers, partners and anyone else besides its own employees.
  - Establishing Federation – Done by using various Federation technologies and operational agreements that define the trust relationships between organizations.
  - Trust Relationship – A relationship in which the federating organizations define an agreement stating the trust (regarding the information flow) they have for one another.
  - Cross Domain – Any operation that occurs between two or more Security Realms.
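To make the Identity Provider / Service Provider roles and the direction of trust concrete, here is an added example (not code from the original post, and not Oracle's product code) that models both sides of the exchange: the IdP signs an assertion for a user it has already authenticated, and the SP accepts it only if the issuer is an IdP it has registered, the signature verifies under that issuer's key, the assertion is addressed to this SP and it is inside its validity window. Real SAML 2.0 uses XML Digital Signatures over canonicalised XML; an HMAC-SHA256 over the assertion bytes stands in for that so the script runs on the Python standard library alone. All entity ids, keys, users and attributes are constructed for the example.

```python
"""Simplified model of the IdP -> SP exchange described above.  This is an added
illustration, not code from the original post or from Oracle's products.  Real SAML
2.0 assertions are XML signed with XML Digital Signatures (RSA/ECDSA over canonicalised
XML); to stay on the standard library an HMAC-SHA256 over the assertion bytes stands in
for that.  Every entity id, key, user and attribute below is constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Service Provider trust configuration.  Trust runs from the IdP (sender) to the SP
# (receiver): the SP keeps a verification key only for IdPs it deliberately registered.
SP_ENTITY_ID = "https://fusion.example-cloud.test/sp"
TRUSTED_IDPS = {"https://idp.company-a.test": b"constructed-shared-key-for-company-a"}


def issue_assertion(idp_id, idp_key, subject, audience, attributes, now=None):
    """IdP side: build and sign an assertion for a user the IdP has already
    authenticated.  The password stays at the IdP; only the assertion travels."""
    now = now or datetime.now(timezone.utc)
    not_after = now + timedelta(minutes=5)  # short validity window
    attrs = "".join(f'<saml:Attribute Name="{escape(k, {chr(34): "&quot;"})}"><saml:AttributeValue>'
                    f"{escape(v)}</saml:AttributeValue></saml:Attribute>" for k, v in attributes.items())
    body = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>{escape(idp_id)}</saml:Issuer>'
        f"<saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{now.strftime(TIME_FMT)}" NotOnOrAfter="{not_after.strftime(TIME_FMT)}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience></saml:AudienceRestriction>"
        f"</saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )
    signature = hmac.new(idp_key, body.encode(), hashlib.sha256).hexdigest()
    return body, signature


def accept_assertion(body, signature, now=None):
    """SP side: return (subject, attributes) when the assertion is from a registered IdP,
    correctly signed, addressed to this SP and within its validity window; else raise."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(body)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = TRUSTED_IDPS.get(issuer)
    if key is None:  # no trust relationship with this sender
        raise ValueError(f"untrusted issuer: {issuer!r}")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not verify under the issuer's key")
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion is outside its validity window")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:  # signed for some other SP: not ours to accept
        raise ValueError(f"assertion addressed to {audience!r}, not this SP")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                  for a in root.iterfind("saml:AttributeStatement/saml:Attribute", namespaces=NS)}
    return subject, attributes


def demo():
    """Happy path plus the four rejection paths the SP enforces; returns the outcomes."""
    idp, key = "https://idp.company-a.test", TRUSTED_IDPS["https://idp.company-a.test"]
    t = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    body, sig = issue_assertion(idp, key, "alice@company-a.test", SP_ENTITY_ID,
                                {"mail": "alice@company-a.test", "role": "hcm-user"}, now=t)
    subject, attributes = accept_assertion(body, sig, now=t)

    def rejected(*args, **kwargs):
        try:
            accept_assertion(*args, **kwargs)
        except ValueError:
            return True
        return False

    unknown_body, unknown_sig = issue_assertion(
        "https://idp.unknown.test", b"unregistered-key", "eve", SP_ENTITY_ID, {}, now=t)
    foreign_body, foreign_sig = issue_assertion(
        idp, key, "alice@company-a.test", "https://other-sp.test/sp", {}, now=t)
    return {
        "subject": subject,
        "attributes": attributes,
        "tampered_rejected": rejected(body.replace("alice", "mallory"), sig, now=t),
        "untrusted_idp_rejected": rejected(unknown_body, unknown_sig, now=t),
        "expired_rejected": rejected(body, sig, now=t + timedelta(minutes=6)),
        "wrong_audience_rejected": rejected(foreign_body, foreign_sig, now=t),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the four rejection paths is the direction of trust from the terminology list: the SP decides nothing about the user itself, it only decides whether the sender is one it has agreed to trust, whether the message really came from that sender unchanged, and whether it was meant for this SP at this time. An assertion from an unregistered IdP, or one signed for a different Service Provider, is refused even though it is well formed and validly signed.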
I will cover OIF Architecture and the different topologies in another blog post later. Stay tuned 🙂