Digital Identity Basics

Today, individuals and enterprises can communicate and access critical resources more readily than ever before. The Internet allows users to connect directly with goods, services, and information, while enabling companies to link with their customers, employees, and trading partners.

Digital identity is a crucial element in the growth of sensitive data and confidential relationships online. All users create digital identities as they traverse cyberspace. At the same time, every enterprise creates identities to provide individuals with secure access to online resources and services. Without digital identities, there is no way to give certain users access to certain resources. Those resources might include a bank statement, the shipping status of an order, the email directory of co-workers, the results of an AIDS test, or the company intranet; the list is endless.

Multiple identities are the rule. Individuals employ different user names, passwords, and other identifying attributes in various online contexts due to practical limitations or out of a desire for anonymity. The same person may have links to many organizations. A United Airlines MileagePlus customer may also be a Citibank Visa card holder, an IBM employee, and an active participant in the Everquest multi-player online gaming world. Even within a single company, data tied to the same individual often appears in several different databases, whether by design or accident.

The proliferation of digital identities creates significant challenges. Users have trouble remembering multiple usernames and passwords. IT organizations find it increasingly difficult to manage the profusion of identity databases, even within the corporate firewall. The problem becomes worse when identities span organizational boundaries, as when providing partners access to a project intranet; allowing investors to see their brokerage, 401K, and bank accounts on the same screen; or providing customer service in an enterprise with multiple databases thanks to acquisitions and legacy systems. When either the users or the companies take shortcuts, the result is increased management costs and increased security risks.

Today's Enterprise Challenge

Maintaining security while enabling ever-increased access to information.

Business is becoming increasingly virtual and decentralized. Real-time management of relationships with employees, contractors, partners, suppliers, and customers is becoming ever more crucial. Even within a single company, applications may reside on different platforms, in separate departmental security domains, in legacy databases derived from prior acquisitions, or in separate organizations thanks to outsourcing. As gaining access to distributed resources--including applications--that reside beyond corporate firewalls becomes increasingly vital, the ability to manage identity effectively becomes a paramount concern. Web services, which have the potential to enable even greater interoperability and business integration, only magnify the challenge. Web services, which are by nature distributed, require digital identities that are both

What is Federated Identity?

"Federated Identity," and the standards for federation established by OASIS and the Liberty Alliance Project, define mechanisms for companies to share identity information between domains. As a result of federation, companies are now able to create identity-based applications (such as federated single sign-on) that enable increased access to cross-boundary information.

"The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains." - Burton Group

"federated identity systems will become a market standard for enabling Internet-empowered competition, cooperation, collaboration, and economic growth." - Aberdeen Group

Most enterprises are now familiar with the benefits of implementing an internal identity management system, but federated identity presents an entirely new set of challenges and solutions.

Why Federate Identity?

  • Federation establishes a standards-based mechanism of both sharing and managing identity information as it moves between discrete security, legal and organizational domains.
  • Federation enables a cost-efficient means of establishing single sign-on to cross-domain, cross-company information: federated single sign-on.
  • Federation provides companies managing multiple security domains with an efficient, lightweight mechanism of linking redundant identities and enabling single sign-on between security domains.

While today's existing identity management solutions can help increase security and reduce inefficiencies associated with managing internal users and access to internal information, increasingly the users that require access are outside of any one company's control. Federated identity provides companies with an open-standards approach of enabling increased access to cross-boundary information.

Benefits of Federation

Federated identity can deliver several compelling benefits to organizations. Federation means that local identities and their associated data stay in place, but they are linked together through higher-level mechanisms.

Many enterprises are seeking cost-efficient ways to provide single sign on to applications between discrete security domains. Enabling this via federated identity solutions provides enterprises with the ability to:

  • Perform better logging and audit functions
  • Reduce costs associated with password reset
  • Secure access to existing heterogeneous applications

The driving concept behind federated identity is that the existing, heterogeneous nature of enterprise IT architecture should not have to be changed. Federation is the notion that by securely and efficiently enabling access to cross-domain resources, enterprises are able to improve productivity, operational efficiency and competitive differentiation.

Applications & Examples of Federation

American Express - Digital ID World Article Re-Print Excerpt

Federating Identities between Multiple Security Domains to Enable Single Sign-On to Employees

Excerpted from, "Inside American Express's Federated Identity Strategy," Digital ID World Magazine, January/February 2004

According to American Express's Vice President of Internet Strategy, Michael Barrett, however, "the paradigm is changing. What you have [today] is an approach where the system is constructed of a series of components that run on different platforms, so it's more of an orchestration approach to systems architecture. The difficulty is that you have to move the identities seamlessly across those platforms as the transaction itself flows across them. That exposes you almost immediately to the vagaries of the island of identities that companies like ours tend to have," noted Barrett.

"We find that the security integration aspect is actually exceedingly expensive. It is literally an order of magnitude more complicated when you are on different security environments," Barrett reports.

American Express has worked to develop a strategy for integrating its many islands of identity. Barrett has reached the conclusion that the only feasible answer is to loosely couple them through identity federation rather than mount a large, tightly coupled identity integration project.

By building gateways from each identity island to a Liberty [Alliance] protocol identity network, Barrett is looking to create a standardized federated identity environment for American Express, one that he can grow into incrementally. To build the gateways, he is licensing the core SourceID Liberty protocol software technology from Ping Identity.

Use Case - Enabling SSO to 401k Benefits

Fidelity Investments provides 401K benefits to 11,000 companies in the United States. Assume, for example, that an Agilent employee, Joan Smith, wants to view her Fidelity-managed benefits information through the corporate intranet. Smith is authenticated when she logs into the Agilent intranet, but that only provides access to resources inside the firewall. Without federated identity, she would have to log in again to the Fidelity site. Even if it were practical, Fidelity has no desire to put its proprietary information or user databases inside 11,000 companies, and those companies don't want to turn over their internal log-in information to an outside vendor. The solution is to federate the identity systems. When Smith goes to the Fidelity page, Agilent and Fidelity automatically and securely exchange identity information. Her verified Agilent identity is matched with her customer record at Fidelity, which provides direct access without a separate log-in.

This example suggests how federation takes the benefits of single sign-on and extends them beyond an organization's boundaries. However, there is more to federation than extending single sign-on. Federation respects the distributed, heterogeneous architecture of the current IT environment. Efforts to implement unique, all-encompassing identifiers inevitably fail as requirements and relationships change. By contrast, federated identity organizes controlled linkages among the distributed identities of a user. It allows for efficient management, control and movement in a radically distributed world. As organizations integrate more tightly with trading partners and outsourcers, federated identity provides a flexible mechanism to authenticate users from partner organizations and provide them with seamless access to protected online resources.

Federated identity systems can address the integration needs that drive centralized identity efforts, without the associated inefficiencies and costs. Some requirements are common across any digital identity system, including basic operational standards, certification and auditing, security, fraud prevention, and privacy protection. A federated system provides an umbrella of common policies and mechanisms across disparate local identities.

Federation Standards - A Primer

Federated Identity requires loosely-coupled software architecture for automatically exchanging identity information between heterogeneous systems. Standards are essential for this process. Several efforts are underway to create specifications for exchanging identity information. Standards with significant traction include:

OASIS and SAML

The Security Assertion Markup Language (SAML) is an XML-based specification developed by the Organization for the Advancement of Structured Information Standards (OASIS). SAML provides a common language for three kinds of assertions:

  • Authentication assertions: declarations about a user's identity (how and when the user was authenticated)
  • Attribute assertions: particular details about a user, such as a role or an employee number
  • Authorization decision assertions: what the user is allowed to do with a particular resource at a particular site

Assertions are issued by server-based applications known as SAML authorities. Once a subject (a person or a computer) has successfully authenticated and requested access to a protected resource, a SAML authority issues a digitally signed assertion, which the subject can present on further requests without re-authenticating in any domain that trusts the issuer of that assertion.
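As an added illustration of the Agilent/Fidelity use case above and of the three assertion kinds just listed (example code written for this page, not code from the page or from Ping Identity): the relying party, playing Fidelity's role, checks a constructed SAML 1.1 assertion that Joan Smith's employer issued for her before honouring it. The SAML version, the entity names agilent.example and fidelity.example, the attribute name and the resource URL are assumptions, and verifying the issuer's XML Signature is assumed to have been done by a DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 assertion namespace (assumed; the page names no SAML version).
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion for Joan Smith from the identity provider "agilent.example";
# it carries all three assertion kinds named in the text (authentication, attribute, authz decision).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="agilent.example"
  IssueInstant="2004-02-01T10:00:00Z">
 <saml:Conditions NotBefore="2004-02-01T10:00:00Z" NotOnOrAfter="2004-02-01T10:05:00Z">
  <saml:AudienceRestrictionCondition><saml:Audience>fidelity.example</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
  AuthenticationInstant="2004-02-01T09:59:00Z">
  <saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
 </saml:AuthenticationStatement>
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="employeeNumber"><saml:AttributeValue>E-10042</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 <saml:AuthorizationDecisionStatement Resource="https://fidelity.example/401k" Decision="Permit">
  <saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
  <saml:Action>Read</saml:Action></saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def _ts(s):
    # SAML timestamps are UTC; parse "YYYY-MM-DDTHH:MM:SSZ" into an aware datetime.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, trusted_issuers, my_audience, now):
    # Relying-party checks before an assertion is honoured: trusted issuer,
    # validity window, audience. Signature verification is assumed done already.
    a = ET.fromstring(xml_text)
    issuer = a.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer: %s" % issuer)
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall(".//saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        raise ValueError("assertion is not addressed to this site")
    auth = a.find("saml:AuthenticationStatement", NS)
    attrs = {x.get("AttributeName"): x.find("saml:AttributeValue", NS).text
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    decisions = {d.get("Resource"): d.get("Decision")
                 for d in a.findall("saml:AuthorizationDecisionStatement", NS)}
    return {"issuer": issuer, "subject": auth.find("saml:Subject/saml:NameIdentifier", NS).text,
            "authn_method": auth.get("AuthenticationMethod"), "attributes": attrs, "decisions": decisions}
```

The returned subject and employeeNumber are what the relying party would use to match Joan's verified Agilent identity to her local customer record; the time-window and audience checks are what keep a captured assertion from being replayed later or at a different site.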

Microsoft, IBM, and the WS-* Roadmap

In April 2002, Microsoft and IBM published a joint whitepaper outlining a roadmap for developing a set of Web service security specifications. Their first jointly-developed specification, WS-Security, offers a mechanism for attaching security tokens to messages, including tokens related to identity. The roadmap described in the 2002 whitepaper included six more specifications, three of which have been published so far.

Liberty Alliance

The Liberty Alliance is a consortium of approximately 170 companies that develops specifications for federated identity management. It originally envisioned creating a single comprehensive federated identity specification. In March 2003, however, it released a new blueprint that described three separate specifications that can be used together or independently:

  • Identity Federation Framework (ID-FF) allows single sign-on and account linking between partners with established trust relationships.
  • Identity Web Services Framework (ID-WSF) allows groups of trusted partners to link to other groups, and gives users control over how their information is shared.
  • Identity Services Interface Specifications (ID-SIS) will build a set of interoperable services on top of the ID-WSF.