Federated identity
A federated identity in information technology is the means of linking a person's electronic identity and
attributes, stored across multiple distinct identity management systems.[1]
Federated identity is related to single sign-on (SSO), in which a user's single authentication ticket, or token,
is trusted across multiple IT systems or even organizations.[2][3] SSO is a subset of federated identity
management: it covers only authentication, is defined at the level of technical interoperability, and
depends on some form of federation to work at all.[4]
Management
In information technology (IT), federated identity management (FIdM) amounts to having a common set of
policies, practices and protocols in place to manage identity and trust for IT users and devices across
organizations.[5]
Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even
organizations. SSO is a subset of federated identity management, as it relates only to authentication and
technical interoperability.
Centralized identity management solutions were created to help deal with user and data security where the
user and the systems they accessed were within the same network – or at least the same "domain of
control". Increasingly however, users are accessing external systems which are fundamentally outside their
domain of control, and external users are accessing internal systems. The increasingly common separation
of user from the systems requiring access is an inevitable by-product of the decentralization brought about
by the integration of the Internet into every aspect of both personal and business life. Evolving identity
management challenges, and especially the challenges associated with cross-company, cross-domain
access, have given rise to a new approach to identity management, known now as "federated identity
management".
FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to
enable the portability of identity information across otherwise autonomous security domains. The ultimate
goal of identity federation is to enable users of one domain to securely access data or systems of another
domain seamlessly, and without the need for completely redundant user administration. Identity federation
comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-
controlled or business-to-business scenarios.
Federation is enabled through the use of open industry standards and/or openly published specifications,
such that multiple parties can achieve interoperability for common use-cases. Typical use-cases involve
things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-
domain entitlement management and cross-domain user attribute exchange.
Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary
solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a
user once, and then use that identity information across multiple systems, including external partner
websites. It can improve privacy compliance by allowing the user to control what information is shared, or
by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience
by eliminating the need for new account registration, through automatic "federated provisioning", and the
need to log in repeatedly, through cross-domain single sign-on.
The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user and
user-to-application as well as application-to-application use-case scenarios at both the browser tier as well
as the web services or service-oriented architecture (SOA) tier. It can involve high-trust, high-security
scenarios as well as low-trust, low-security scenarios. The levels of identity assurance that may be required
for a given scenario are also being standardized through a common and open Identity Assurance
Framework. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity
federation" is by design a generic term, and is not bound to any one specific protocol, technology,
implementation or company. Identity federations may be bilateral or multilateral relationships.
Multilateral federations frequently occur in a vertical market, such as law enforcement (for example the
National Identity Exchange Federation, NIEF[6]) and research and education (for example InCommon).[7]
In a bilateral federation, the two parties can exchange the necessary metadata (assertion signing keys,
etc.) directly to implement the relationship. In a multilateral federation, metadata exchange among
participants is a more complex issue; it can be handled through a hub-and-spoke exchange or by the
distribution of a metadata aggregate by a federation operator. In either case a relying party's trust is only
as sound as the metadata it loads, so an aggregate is normally signed by the operator and that signature is
verified before any of the keys it carries are used.
One thing that is consistent, however, is the fact that "federation" describes methods of identity portability
which are achieved in an open, often standards-based manner – meaning anyone adhering to the open
specification or standard can achieve the full spectrum of use-cases and interoperability.
Identity federation can be accomplished any number of ways, some of which involve the use of formal
Internet standards, such as the OASIS Security Assertion Markup Language (SAML) specification, and
some of which may involve open-source technologies and/or other openly published specifications (e.g.
Information Cards, OpenID, the Higgins trust framework or Novell's Bandit project).
Technologies
Technologies used for federated identity include SAML (Security Assertion Markup Language), OAuth,
OpenID, Security Tokens (Simple Web Tokens, JSON Web Tokens, and SAML assertions), Web Service
Specifications, and Windows Identity Foundation.[8]
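The trust relationships described under Management (signing keys exchanged directly in a bilateral federation, or distributed as an operator-published aggregate in a multilateral one) and the token validation implied by the technologies listed above, as an added example that is not part of the original article. The federation, the aggregate's JSON layout and every entity name are constructed for the example; HMAC-SHA256 with JWK "oct" keys stands in for the RSA and XML-DSig keys real SAML and OIDC federations distribute.

```python
"""Relying-party trust in a federation: operator-signed aggregate plus token checks.
Added example, not from the article. A federation operator publishes an aggregate
listing each identity provider's entityID and signing keys; the relying party (RP)
verifies the operator's signature before loading it, then accepts a token only if
its issuer is listed, the signature verifies under that issuer's key, the audience
is this RP and the lifetime is valid. Assumptions: HMAC-SHA256 with JWK "oct" keys
stands in for RSA / XML-DSig, and the aggregate's JSON layout is invented here.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def sign_aggregate(participants: list, operator_key: bytes) -> dict:
    """Federation operator: publish the participant list together with its signature."""
    body = json.dumps(participants, sort_keys=True).encode()
    return {"participants": participants, "sig": b64url_encode(_mac(operator_key, body))}

def load_trust_store(aggregate: dict, operator_key: bytes) -> Dict[str, Dict[str, bytes]]:
    """RP: verify the operator's signature first, then index keys as entityID -> kid -> key.
    A bilateral federation fills the same structure from keys exchanged directly."""
    body = json.dumps(aggregate["participants"], sort_keys=True).encode()
    if not hmac.compare_digest(_mac(operator_key, body), b64url_decode(aggregate["sig"])):
        raise ValueError("aggregate signature invalid; trusting no issuer")
    return {p["entityID"]: {k["kid"]: b64url_decode(k["k"]) for k in p["keys"] if k["kty"] == "oct"}
            for p in aggregate["participants"]}

def mint_token(claims: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """IdP (or attacker) side: compact JWT; alg is a parameter so the demo can forge a 'none' token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = "" if alg == "none" else b64url_encode(_mac(key, signing_input.encode()))
    return f"{signing_input}.{sig}"

def validate_token(token: str, store: Dict[str, Dict[str, bytes]], audience: str, now: int) -> dict:
    """RP: pinned algorithm, issuer bound to the trust store, per-issuer key, audience, lifetime."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # the RP decides the algorithm, never the token
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    claims = json.loads(b64url_decode(p64))
    issuer_keys = store.get(claims.get("iss"))
    if issuer_keys is None:
        raise ValueError(f"issuer {claims.get('iss')!r} is not a federation participant")
    key = issuer_keys.get(header.get("kid"))  # a kid only resolves within its own issuer
    if key is None:
        raise ValueError("unknown kid for this issuer")
    if not hmac.compare_digest(_mac(key, f"{h64}.{p64}".encode()), b64url_decode(s64)):
        raise ValueError("signature invalid")
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different relying party")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims

# Constructed sample federation: one operator, two IdPs, one RP (all names invented).
OPERATOR_KEY = b"federation-operator-secret"
IDP_A, IDP_A_KEY = "https://idp.example.edu", b"idp-a-signing-key"
IDP_B, IDP_B_KEY = "https://idp.example.gov", b"idp-b-signing-key"
RP_AUDIENCE = "https://sp.example.org"
AGGREGATE = sign_aggregate([
    {"entityID": IDP_A, "keys": [{"kty": "oct", "kid": "a1", "k": b64url_encode(IDP_A_KEY)}]},
    {"entityID": IDP_B, "keys": [{"kty": "oct", "kid": "b1", "k": b64url_encode(IDP_B_KEY)}]},
], OPERATOR_KEY)

def outcome(check) -> str:
    """Run one RP check and report 'accepted: ...' or the rejection reason."""
    try:
        return "accepted: " + str(check())
    except ValueError as exc:
        return f"rejected ({exc})"

def demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """One good token, five hostile tokens and one tampered aggregate, as the RP sees them."""
    store = load_trust_store(AGGREGATE, OPERATOR_KEY)
    fresh = {"sub": "alice", "aud": RP_AUDIENCE, "nbf": now - 60, "exp": now + 300}
    cases = {
        "valid": mint_token({**fresh, "iss": IDP_A}, "a1", IDP_A_KEY),
        "rogue_issuer": mint_token({**fresh, "iss": "https://idp.attacker.test"}, "x1", b"attacker-key"),
        "foreign_key": mint_token({**fresh, "iss": IDP_A}, "b1", IDP_B_KEY),  # B's key claiming to be A
        "wrong_audience": mint_token({**fresh, "iss": IDP_A, "aud": "https://other-sp.example"}, "a1", IDP_A_KEY),
        "expired": mint_token({**fresh, "iss": IDP_A, "exp": now - 1}, "a1", IDP_A_KEY),
        "alg_none": mint_token({**fresh, "iss": IDP_A}, "a1", b"", alg="none"),
    }
    results = {name: outcome(lambda t=tok: validate_token(t, store, RP_AUDIENCE, now)["sub"])
               for name, tok in cases.items()}
    # An aggregate edited in transit (extra IdP appended) must fail the operator signature check.
    tampered = {"participants": AGGREGATE["participants"] + [{"entityID": "https://idp.attacker.test", "keys": []}],
                "sig": AGGREGATE["sig"]}
    results["tampered_aggregate"] = outcome(lambda: sorted(load_trust_store(tampered, OPERATOR_KEY)))
    return results
```

`demo()` returns a table of outcomes: only the token signed by a listed issuer, under that issuer's own key, for this RP's audience and within its lifetime is accepted; the others fail at the first check that catches them. The two decisions that matter most for a federation are visible in the store layout: keys are indexed under the issuer that owns them, so one participant's key can never validate an assertion claiming to come from another, and nothing is loaded from the aggregate until the operator's signature over it has been verified.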
Government initiatives
United States
In the United States, the National Institute of Standards and Technology (NIST), through its National
Cybersecurity Center of Excellence, published a building-block white paper on this topic in December
2016.[9]
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program
that provides a standardized approach to security assessment, authorization, and continuous monitoring for
cloud products and services.
FedRAMP is intended to let agencies move rapidly from legacy IT to secure, mission-enabling and
cost-effective cloud-based IT.
Examples
Digital identity platforms that allow users to log onto third-party websites, applications, mobile devices and
gaming systems with their existing identity, i.e. enable social login, include:
Microsoft account – formerly Windows Live ID
Google Account
Facebook – login to public social venues
Yahoo! – users can use their Yahoo! ID to log onto other sites, and users formerly had the option of
logging onto Yahoo! with their Google or Facebook IDs
Twitter
LastPass[10]
LinkedIn
PayPal
Foursquare
MySpace
AOL
Mozilla Persona – Mozilla shut down the persona.org service on November 30, 2016
Amazon[11]
GitHub
Note: Facebook Connect is a delegated ID, not a federated ID.[12]
See also
Account pre-hijacking
Claims-based identity
Digital identity
Self-sovereign identity
References
1. Madsen, Paul, ed. (5 December 2005). "Liberty Alliance Project White Paper: Liberty ID-WSF People Service - federated social identity" (PDF). http://www.projectliberty.org/liberty/content/download/387/2720/file/Liberty_Federated_Social_Identity.pdf. Retrieved 2013-07-11.
2. "Federated Identity for Web Applications". microsoft.com. https://msdn.microsoft.com/en-gb/library/ff359110.aspx. Retrieved 3 July 2017.
3. Gaedke, Martin; Meinecke, Johannes; Nussbaumer, Martin (2005-05-01). "A Modelling Approach to Federated Identity and Access Management" (PDF). Special Interest Tracks and Posters of the 14th International Conference on World Wide Web. Association for Computing Machinery. pp. 1156–1157. doi:10.1145/1062745.1062916. ISBN 978-1595930514. http://wwwconference.org/www2005/cdrom/docs/p1156.pdf. Retrieved 2017-07-03.
4. Chadwick, David W. (2009). "Federated Identity Management" (PDF). Foundations of Security Analysis and Design V. Lecture Notes in Computer Science. Vol. 5705. pp. 96–120. CiteSeerX 10.1.1.250.4705. doi:10.1007/978-3-642-03829-7_3. ISBN 978-3-642-03828-0. ISSN 0302-9743. https://www.cs.kent.ac.uk/pubs/2009/3030/content.pdf. Retrieved 2017-07-03.
5. "7 Things You Should Know About Federated Identity Management" (PDF). EDUCAUSE. http://net.educause.edu/ir/library/pdf/EST0903.pdf. Archived 2017-08-29 at the Wayback Machine: https://web.archive.org/web/20170829201047/http://net.educause.edu/ir/library/pdf/EST0903.pdf.
6. "National Identity Exchange Federation". nief.org. https://nief.org/. Retrieved 2018-05-15.
7. "InCommon: Security, Privacy and Trust for the Research and Education Community". incommon.org. http://incommon.org. Retrieved 2018-05-15.
8. Rountree, Derrick (2012). Federated Identity Primer. Syngress Media. ISBN 978-0124071896.
9. "Privacy-Enhanced Identity Federation" (project description). NIST National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/publications/project-description/privacy-enhanced-identity-brokers-project-description-final.
10. "Single Sign-On (SSO) Solution | LastPass". https://www.lastpass.com/products/sso.
11. "Login With Amazon". http://login.amazon.com/.
12. "Delegated vs. Federated ID | Nothing to See Here". sites.psu.edu. https://sites.psu.edu/ntsh/2010/02/15/delegated-vs-federated-id/. Retrieved 2020-11-22.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Federated_identity&oldid=1126779182"
This page was last edited on 11 December 2022, at 05:32 (UTC).