Primer: Federated Identity Management

What is it?A system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions.

How is it used?Partners in a Federated Identity Management (FIM) system depend on each other to authenticate their respective users and vouch for their access to services. That allows, for example, a sales representative to update an internal forecast by pulling information from a supplier’s database, hosted on the supplier’s network.

Why is it necessary?So that companies can share applications without needing to adopt the same technologies for directory services, security and authentication. Within companies, directory services such as Microsoft’s Active Directory or products using the Lightweight Directory Access Protocol have allowed companies to recognize their users through a single identity. But asking multiple companies to match up technologies or maintain full user accounts for their partners’ employees is unwieldy. FIM allows companies to keep their own directories and securely exchange information from them.

How does it work?A company must trust its partners to vouch for their users. Each participant must rely on each partner to say, in effect, “This user is OK; let them access this application.” Partners also need a standard way to send that message, such as one that uses the conventions of the Security Assertion Markup Language (SAML). SAML allows instant recognition of whether the prospective user is a person or a machine, and what that person or machine can access. SAML documents can be wrapped in a Simple Object Access Protocol message for the computer-to-computer communications needed for Web services. Or they may be passed between Web servers of federated organizations that share live services.

Who is using it?Early adopters include American Express, Boeing, General Motors and Nokia. Another, Proctor & Gamble, had improvised its own federated-identity system using the more generic eXtensible Markup Language but is now moving to adopt SAML.

Are the standards solid?They’re getting there. SAML is backed by the Organization for the Advancement of Structured Information Standards (OASIS). The Liberty Alliance, an industry group formed to promote federated-identity standards, has adopted SAML 1.1 as part of its application framework. Microsoft and IBM have proposed an alternative specification called WS-Security. But Dan Blum, a technology analyst with the Burton Group of Midvale, Utah, believes that OASIS may try to make these two approaches converge in SAML 2.0.

What are the challenges?Trusting a partner to authenticate its own users is a good thing only if that partner has solid security and user-management practices. Also, while some Web access-management products now support SAML, implementing the technology still commonly requires customization to integrate applications and develop user interfaces.