AuthenticationWorld.com

The business of authentication

Federated Authentication



The average user today interacts digitally with all sorts of social, business, financial and government agencies.  Each of these requires its own user id and password for authentication.  Most of them also require the user to supply additional identity information to each entity they interact with.

As a result, the user is increasingly frustrated with:
  • Having to remember multiple user ids and passwords
  • Providing more identity information to each entity than they would otherwise choose to

There are a growing number of options, in the early stages of development, to address user identity trust and authentication.  They include:

Higgins


A new open source protocol that lets a user control which identity information is released to an enterprise, and that interoperates with diverse identity management systems.

Windows Cardspace


A new Microsoft identity metasystem that provides interoperability between identity providers and relying parties, with the user in control.

Liberty Alliance


A large, commercially oriented protocol providing inter-enterprise identity trust.  It is the largest identity trust protocol deployed around the world.

Web Services Federation


A relatively new protocol for establishing identity trust between disparate systems.  It is sponsored by IBM and Microsoft but has not yet been submitted to OASIS.

SAML


Security Assertion Markup Language.  A widely adopted method of accepting user authentication between different enterprises.

MicroID


MicroID is a new identity layer for the web and Microformats that allows anyone to simply claim verifiable ownership of their own pages and content, wherever they are hosted.

OpenID


OpenID is an open, decentralized, free framework for user-centric digital identity that uses a URI (also called a URL or web address) as the means of identity authentication.

SXIP


A commercially available product that lets users control their own identity information and authentication, for use with blogs and other applications.

Shibboleth


A protocol establishing identity trust between enterprises.  It was developed as part of the Internet2 initiative and is used in some universities.

iNames


A new service offering a centralized, user-controlled identity data store, as well as authentication trust between enterprises.

Most of the leading identity management vendors provide identity authentication federation, usually using SAML and Liberty Alliance.  Microsoft's recent move away from Passport to InfoCard heralds a sea change in how Microsoft views identity: it no longer believes it should own the identities, and instead is using identity federation as the core building block for its future endeavors.

A leading independent supplier of federation products is Ping Identity.


Enterprise Authentication Federation Examples



Business Partners and Customers


There are many examples of enterprises using federated identity and authentication.  For example, suppose your enterprise manufactures parts used by your customers all over the world.  You have opened up your internal systems to your customers so that they can log on and obtain CAD drawings, order inventory and check shipping status.

By using federated authentication, you can improve the customer's user experience.  When the customer's employee logs on to their own enterprise systems, they authenticate there.  Then, during the course of their day, they click an icon on their desktop that leads to your enterprise applications.

Instead of having to log on with a separate id and password, the customer's enterprise single sign-on or federated identity system automatically generates a secure authentication token for your enterprise.  Your enterprise's federated authentication system receives the assertion token, validates it and checks whether the user's authentication is accepted.  If it is, the user is automatically let into the application.  This saves your enterprise money, since it no longer has to manage ids and passwords for the user.

Employees and Outsourced Benefits


Many enterprises have outsourced some or all of their benefits management.  At the moment, when your employee wishes to make changes to their benefits package, they are forced to log on to the benefit supplier's website using a separate id and password.

By using federated authentication, when the employee clicks a link to their benefits supplier from within the enterprise, your enterprise single sign-on or federated identity system generates a security assertion token, which is passed to the benefits supplier.  The benefits supplier receives the token, validates it and then determines whether it will accept the authentication for the employee.  The employee is then allowed immediate access to their information without having to re-authenticate using the benefit supplier's id and password.
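The two enterprise scenarios above (the customer's employee reaching your parts systems, and your employee reaching the benefits supplier) share one mechanism: the partner's identity provider issues a signed assertion, and the receiving enterprise validates it and decides whether to accept the user before granting access.  The following is an added example, not code from AuthenticationWorld.com or from any of the products named on this page.  It models the exchange with a JWT-style HMAC-SHA256 token built from the Python standard library; the issuer URLs, the shared secret per partner and the subject-to-local-account mapping are all constructed assumptions (a SAML deployment would verify the partner's XML signature with its certificate instead of a shared key, but the validation steps are the same).

```python
"""Federated assertion exchange between a partner IdP and a relying enterprise.

Added example: constructed trust configuration, JWT-style HS256 tokens.
The receiving side validates, in order: token shape, algorithm, trusted
issuer, signature, intended audience, expiry, and finally whether this
federated user is accepted and which local account it maps to.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration held by the receiving enterprise (SP).
# Real deployments use the partner's signing certificate; a shared HMAC key
# per issuer keeps this example self-contained.
TRUSTED_ISSUERS = {
    "https://idp.customer.example": b"constructed-shared-secret-customer",
}
# Which federated subjects are accepted, and the local account each maps to.
ACCEPTED_USERS = {
    ("https://idp.customer.example", "jdoe"): "partner-acct-1042",
}
OUR_AUDIENCE = "https://parts.manufacturer.example"  # our own identifier


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, subject, audience, key, now=None, ttl=300):
    """IdP side: sign {iss, sub, aud, iat, exp} with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_assertion(token, now=None):
    """SP side: returns (local_account, None) on success, (None, reason) otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON, bad UTF-8
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # Pin the algorithm: never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        return None, "unsupported algorithm"
    # The key is selected by issuer, so the issuer must be known before the
    # signature can be checked; nothing else in the claims is trusted yet.
    issuer = claims.get("iss")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        return None, "untrusted issuer"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None, "bad signature"
    # A valid token for another relying party must not open our door.
    if claims.get("aud") != OUR_AUDIENCE:
        return None, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "assertion expired"
    # Authentication accepted; now decide whether this user is let in.
    account = ACCEPTED_USERS.get((issuer, claims.get("sub")))
    if account is None:
        return None, "user not accepted"
    return account, None


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://idp.customer.example"]
    tok = issue_assertion("https://idp.customer.example", "jdoe", OUR_AUDIENCE, key)
    print(validate_assertion(tok))  # ('partner-acct-1042', None)
```

The order of checks matters: the signature is verified before any claim other than the issuer is acted on, the audience check stops a token minted for one partner application being replayed at another, and the final lookup is the "check to see if the user's authentication is accepted" step, which is where the receiving enterprise keeps its own say over who gets in even though it no longer manages that user's password.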

Blog Authentication


Blogs are often wary of being blog spammed, so they require the identity (the user) to authenticate.  This is yet another id and password the user has to remember, and it creates management overhead for the blog author.

Instead, using a mechanism like Sxip, the identity registers at the Sxip homesite.  They then ask Sxip to add the new blog they want to join to their identity list, telling Sxip which identity details can and cannot be passed to the blog site.

When the identity visits the blog, the blog automatically checks with the Sxip homesite and validates that the identity is who they claim to be.  The blog then grants immediate access without requiring the user to authenticate.  The user stays in control of their identity data.  In the industry this is called "user-centric authentication".

Federated Authentication Conclusion


The use of federated authentication is taking time to become commonplace.  Reasons for the slow adoption include:
  • Infrastructure requirements
    • Many of your business partners may not have the requisite infrastructure
  • Contract amendments
    • Often, enterprise lawyers have to become involved to amend existing contracts with suppliers, placing the onus on the business partner or supplier to keep their identity information up to date and to agree to service level agreements
  • Lack of understanding by the partners
    • There are usually many discussions between your enterprise and your business partners to educate them on the benefits and requirements of federated authentication