Federated identity: Difference between revisions

Article snapshot taken from Wikipedia with Creative Commons Attribution-ShareAlike license.
Revision as of 16:20, 8 October 2022 by MrOllie (talk | contribs). Edit summary: Reverted 1 edit by 2600:4040:780C:6F00:5475:EF79:9DFD:3573 (talk): WP:CRYSTAL, no need to cover legislation that hasn't passed. Tags: Twinkle, Undo
Latest revision as of 08:29, 8 October 2024 by 83.61.73.255 (talk). Edit summary: Added href for SAML. Tag: Visual edit
(27 intermediate revisions by 17 users not shown)
Line 1: Line 1:
{{short description|Identity assurance in IT systems}} {{short description|Identity assurance in IT systems}}
A '''federated identity''' in ] is the means of linking a person's ] and attributes, stored across multiple distinct ] systems.<ref>{{cite web|url=http://www.projectliberty.org/liberty/content/download/387/2720/file/Liberty_Federated_Social_Identity.pdf|title=Liberty Alliance Project White Paper: Liberty ID-WSF People Service - federated social identity|editor-last=Madsen|editor-first=Paul A '''federated identity''' in ] is the means of linking a person's ] and attributes, stored across multiple distinct ] systems.<ref>{{cite web|url=http://www.projectliberty.org/liberty/content/download/387/2720/file/Liberty_Federated_Social_Identity.pdf|title=Liberty Alliance Project White Paper: Liberty ID-WSF People Service - federated social identity|editor-last=Madsen|editor-first=Paul|date=5 December 2005|access-date=2013-07-11|archive-date=2018-05-26|archive-url=https://web.archive.org/web/20180526195535/http://www.projectliberty.org/liberty/content/download/387/2720/file/Liberty_Federated_Social_Identity.pdf|url-status=dead}}</ref>
|date=5 December 2005|access-date=2013-07-11}}</ref>


Federated identity is related to ] (SSO), in which a user's single ] ticket, or ], is trusted across multiple IT systems or even organizations.<ref>, ''microsoft.com''. Retrieved 3 July 2017.</ref><ref>{{cite book |last1=Gaedke |first1=Martin |last2=Johannes |first2=Meinecke |last3=Nussbaumer |first3=Martin |date=2005-05-01|title=A Modelling Approach to Federated Identity and Access Management|url=http://wwwconference.org/www2005/cdrom/docs/p1156.pdf|journal=Special Interest Tracks and Posters of the 14th International Conference on World Wide Web. Association for Computing Machinery.|pages= 1156–1157 |doi=10.1145/1062745.1062916 |access-date=2017-07-03|isbn=978-1595930514 }}</ref> SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability and it would not be possible without some sort of federation.<ref name="Chadwick2009">{{cite book|last1=Chadwick|first1=David W.|title=Foundations of Security Analysis and Design V|chapter=Federated Identity Management|volume=5705|year=2009|pages=96–120|issn=0302-9743|doi=10.1007/978-3-642-03829-7_3|chapter-url=https://www.cs.kent.ac.uk/pubs/2009/3030/content.pdf|series=Lecture Notes in Computer Science|isbn=978-3-642-03828-0|citeseerx=10.1.1.250.4705}} Retrieved 2017-07-03.</ref> Federated identity is related to ] (SSO), in which a user's single ] ticket, or ], is trusted across multiple IT systems or even organizations.<ref>, ''microsoft.com''. 
Retrieved 3 July 2017.</ref><ref>{{cite book |last1=Gaedke |first1=Martin |last2=Johannes |first2=Meinecke |last3=Nussbaumer |first3=Martin |title=Special interest tracks and posters of the 14th international conference on World Wide Web - WWW '05 |chapter=A modeling approach to federated identity and access management |date=2005-05-01 |url=http://wwwconference.org/www2005/cdrom/docs/p1156.pdf |pages=1156–1157 |doi=10.1145/1062745.1062916 |access-date=2017-07-03 |isbn=978-1595930514 |s2cid=8828239 |archive-date=2017-09-13 |archive-url=https://web.archive.org/web/20170913232609/http://wwwconference.org/www2005/cdrom/docs/p1156.pdf |url-status=dead }}</ref> SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability, and it would not be possible without some sort of ].<ref name="Chadwick2009">{{cite book|last1=Chadwick|first1=David W.|title=Foundations of Security Analysis and Design V|chapter=Federated Identity Management|volume=5705|year=2009|pages=96–120|issn=0302-9743|doi=10.1007/978-3-642-03829-7_3|chapter-url=https://www.cs.kent.ac.uk/pubs/2009/3030/content.pdf|series=Lecture Notes in Computer Science|isbn=978-3-642-03828-0|citeseerx=10.1.1.250.4705}} Retrieved 2017-07-03.</ref>


==Management== ==Management==
Line 11: Line 10:
Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability. Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability.


] identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same "domain of control". Increasingly however, users are accessing external systems which are fundamentally outside their domain of control, and external users are accessing internal systems. The increasingly common separation of user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain access, have given rise to a new approach to identity management, known now as "federated identity management". ] identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same "domain of control". Increasingly, however, users are accessing external systems which are fundamentally outside their domain of control, and external users are accessing internal systems. The increasingly common separation of the user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. 
Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain access, have given rise to a new approach to identity management, known now as "federated identity management".<ref>{{Cite book |chapter=Federated Identity Management Challenges |chapter-url=https://ieeexplore.ieee.org/document/6329187 |access-date=2023-12-11 |doi=10.1109/ares.2012.68 |title=2012 Seventh International Conference on Availability, Reliability and Security |date=2012 |last1=Jensen |first1=Jostein |pages=230–235 |isbn=978-1-4673-2244-7 |s2cid=18145013 }}</ref>


FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled or ] scenarios. FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled or ] scenarios.
Line 19: Line 18:
Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to redundantly login through cross-domain single sign-on. Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to redundantly login through cross-domain single sign-on.


The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user and user-to-application as well as application-to-application use-case scenarios at both the browser tier as well as the web services or ] (SOA) tier. It can involve high-trust, high-security scenarios as well as low-trust, low-security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open ]. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company. Identity federations may be bi-lateral relationships or multilateral relationships. In the latter case the multilateral federation frequently occurs in a vertical market, such as in law enforcement (such as the National Identity Exchange Federation - NIEF<ref>{{Cite web|url=https://nief.org/|title=National Identity Exchange Federation|website=nief.org|language=en-US|access-date=2018-05-15}}</ref>) and research and education (such as InCommon).<ref>{{Cite web|url=http://incommon.org|title=InCommon: Security, Privacy and Trust for the Research and Education Community|website=incommon.org|access-date=2018-05-15}}</ref> If the identity federation is bilateral, the two parties can exchange the necessary metadata (assertion signing keys, etc.) to implement the relationship. In a multilateral federation, the metadata exchange among participants is a more complex issue. It can be handled in a hub-and-spoke exchange or by the distribution of a metadata aggregate by a federated operator. The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user and user-to-application as well as application-to-application use-case scenarios at both the browser tier and the web services or ] (SOA) tier. 
It can involve high-trust, high-security scenarios as well as low-trust, low-security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open ]. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company. Identity federations may be bi-lateral relationships or multilateral relationships. In the latter case, the multilateral federation frequently occurs in a vertical market, such as in law enforcement (such as the National Identity Exchange Federation - NIEF<ref>{{Cite web|url=https://nief.org/|title=National Identity Exchange Federation|website=nief.org|language=en-US|access-date=2018-05-15}}</ref>), and research and education (such as InCommon).<ref>{{Cite web|url=http://incommon.org|title=InCommon: Security, Privacy and Trust for the Research and Education Community|website=incommon.org|access-date=2018-05-15}}</ref> If the identity federation is bilateral, the two parties can exchange the necessary metadata (assertion signing keys, etc.) to implement the relationship. In a multilateral federation, the metadata exchange among participants is a more complex issue. It can be handled in a hub-and-spoke exchange or by the distribution of a metadata aggregate by a federated operator.


One thing that is consistent, however, is the fact that "federation" describes methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability. One thing that is consistent, however, is the fact that "federation" describes methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability.<ref>{{Cite journal |last=Cabarcos |first=Patricia Arias |date=2013 |title=Dynamic Infrastructure for Federated Identity Management in Open Environments |url=http://rgdoi.net/10.13140/RG.2.1.2918.0962 |language=en |doi=10.13140/RG.2.1.2918.0962}}</ref>


Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the ] ] (SAML) specification, and some of which may involve open-source technologies and/or other openly published specifications (e.g. ]s, ], the ] or Novell's Bandit project). Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the ] ] (SAML) specification, and some of which may involve open-source technologies and/or other openly published specifications (e.g. ]s, ], the ] or Novell's Bandit project).


==Technologies== ==Technologies==
Technologies used for federated identity include SAML (Security Assertion Markup Language), ], OpenID, Security Tokens (Simple Web Tokens, JSON Web Tokens, and SAML assertions), ], and ].<ref>{{Cite book |last=Rountree |first=Derrick |year=2012 |title=Federated Identity Primer |publisher= Syngress Media |isbn=978-0124071896 }}</ref> Technologies used for federated identity include ], ], OpenID, Security Tokens (Simple Web Tokens, JSON Web Tokens, and SAML assertions), ], and ].<ref>{{Cite book |last=Rountree |first=Derrick |year=2012 |title=Federated Identity Primer |publisher= Syngress Media |isbn=978-0124071896 }}</ref>


==Government initiatives== ==Government initiatives==
===United States=== ===United States===
In the United States, the ] (NIST), through the ], has taken an interest in the topic, and is participating in emerging standards and participating in research.<ref>https://nccoe.nist.gov/projects/building-blocks/privacy-enhanced-identity-brokers Privacy-Enhanced Identity Federation</ref> In the United States, the ] (NIST), through the ], has published a building block white paper in December 2016 on this topic<ref>https://www.nccoe.nist.gov/publications/project-description/privacy-enhanced-identity-brokers-project-description-final Privacy-Enhanced Identity Federation</ref>


The Federal Risk and Authorization Management Program (]) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The Federal Risk and Authorization Management Program (]) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.


FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.<ref>{{Cite web |title=FedRAMP and Azure |url=https://techcommunity.microsoft.com/t5/azure-architecture-blog/fedramp-and-azure/ba-p/1781624 |access-date=2023-09-13 |website=TECHCOMMUNITY.MICROSOFT.COM |language=en}}</ref>


==Examples== ==Examples==
Digital identity platforms that allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. enable ], include: Digital identity platforms that allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. enable ], include:
=== Social login examples ===
* ] – Formerly Windows Live ID
{{Excerpt|Social login|List of providers}}

=== Other examples ===

* ]<ref></ref>
* ]
* ]
* ]
* ] * ]
* ] - Login to public social venues.
* ] – users can use their Yahoo! ID to log onto other sites, and users used to have the possibility to log onto Yahoo! with their Google or Facebook IDs.
* ]
* ]<ref>{{cite web | url=https://www.lastpass.com/products/sso | title=Single Sign-On (SSO) Solution &#124; LastPass }}</ref> * ]<ref>{{cite web | url=https://www.lastpass.com/products/sso | title=Single Sign-On (SSO) Solution &#124; LastPass }}</ref>
* ] – Formerly Windows Live ID
* ]
* ] * ]
* ]
* ]
* ]
* ] On November 30, 2016, Mozilla shut down the persona.org services * ] On November 30, 2016, Mozilla shut down the persona.org services
* ] – users can use their Yahoo! ID to log onto other sites, and users used to have the possibility to log onto Yahoo! with their Google or Facebook IDs.
* ]<ref></ref>
* ]

Note: Facebook Connect is a delegated ID, not a federated ID.<ref>{{Cite web|title=Delegated vs. Federated ID {{!}} Nothing to See Here|url=https://sites.psu.edu/ntsh/2010/02/15/delegated-vs-federated-id/|access-date=2020-11-22|website=sites.psu.edu}}</ref>


==See also== ==See also==
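Review bot: the {{Cite journal}} for Cabarcos (2013) added at the end of the "One thing that is consistent" paragraph has no |journal= parameter, so it renders as a citation error (the rendered reference list below shows "Cite journal requires |journal=" for it); supply the journal or use a template that fits the cited work. In the same hunk, the rewritten NIST sentence ("has published a building block white paper in December 2016 on this topic") ends without a period, and its new reference is a bare URL followed by a title; wrap it in {{cite web}} with |title=, |publisher= and |access-date= so it matches the other citations.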

Latest revision as of 08:29, 8 October 2024

Identity assurance in IT systems

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

Federated identity is related to single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability, and it would not be possible without some sort of federation.

Management


In information technology (IT), federated identity management (FIdM) amounts to having a common set of policies, practices and protocols in place to manage the identity of, and trust in, IT users and devices across organizations.

Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability.

Centralized identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same "domain of control". Increasingly, however, users are accessing external systems which are fundamentally outside their domain of control, and external users are accessing internal systems. The increasingly common separation of the user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain access, have given rise to a new approach to identity management, known now as "federated identity management".

FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise-controlled or business-to-business scenarios.

Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use-cases. Typical use-cases involve things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.

Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. And lastly, it can drastically improve the end-user experience by eliminating the need for new account registration through automatic "federated provisioning" or the need to log in redundantly through cross-domain single sign-on.

The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user and user-to-application as well as application-to-application use-case scenarios at both the browser tier and the web services or service-oriented architecture (SOA) tier. It can involve high-trust, high-security scenarios as well as low-trust, low-security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open Identity Assurance Framework. It can involve user-centric use-cases, as well as enterprise-centric use-cases. The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company. Identity federations may be bilateral or multilateral relationships. Multilateral federations frequently occur in a vertical market, for example in law enforcement (the National Identity Exchange Federation, NIEF) and in research and education (InCommon). If the identity federation is bilateral, the two parties can exchange the necessary metadata (assertion signing keys, etc.) directly to implement the relationship. In a multilateral federation, the metadata exchange among participants is a more complex issue. It can be handled in a hub-and-spoke exchange or by the distribution of a metadata aggregate by a federation operator.

One thing that is consistent, however, is the fact that "federation" describes methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability.

Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the OASIS Security Assertion Markup Language (SAML) specification, and some of which may involve open-source technologies and/or other openly published specifications (e.g. Information Cards, OpenID, the Higgins trust framework or Novell's Bandit project).

Technologies

Technologies used for federated identity include SAML (Security Assertion Markup Language), OAuth, OpenID, Security Tokens (Simple Web Tokens, JSON Web Tokens, and SAML assertions), Web Service Specifications, and Windows Identity Foundation.
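As an added illustration (not code from the article or from any project it names) of how the token-based trust described above is enforced by a relying party: it holds the federation's metadata (issuer entity ID to signing key, whether exchanged bilaterally or distributed as an aggregate by a federation operator) and accepts a JSON Web Token only from a known issuer, with a valid signature, the right audience and an unexpired lifetime. The entity IDs, keys and claims are constructed, and HMAC-SHA256 (HS256) stands in for the asymmetric signatures a real SAML or OpenID Connect deployment would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed federation metadata: entity ID -> signing key, as exchanged
# bilaterally or published as an aggregate by a federation operator. Real
# federations distribute public keys in SAML/OIDC metadata; a shared HMAC
# key keeps this example free of third-party libraries.
FEDERATION_METADATA = {
    "https://idp.example-university.edu": b"constructed-university-key",
    "https://idp.partner-lab.example.org": b"constructed-partner-lab-key",
}
RELYING_PARTY = "https://sp.example-service.net"  # our own entity ID

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(issuer, subject, audience, now, ttl=300, key=None):
    """Identity-provider side: mint an HS256 JWT for one authenticated user.
    `now` is the clock in epoch seconds (injected for reproducibility); `key`
    defaults to the issuer's federation key, another key models a non-member."""
    key = FEDERATION_METADATA[issuer] if key is None else key
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                         "iat": now, "exp": now + ttl}, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(claims.encode())
    return signing_input + "." + _b64url(_sign(key, signing_input))

def verify_token(token, now):
    """Relying-party side: accept only a token from a federation member, signed
    with that member's key, addressed to us and unexpired; else ValueError."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError as exc:  # covers unpack, base64 and JSON errors
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # the token must not choose the algorithm
        raise ValueError("unsupported alg")
    # Key selection is driven by the issuer claim looked up in federation
    # metadata; an unknown issuer is rejected before any signature work.
    key = FEDERATION_METADATA.get(claims.get("iss"))
    if key is None:
        raise ValueError("issuer not in federation")
    if not hmac.compare_digest(_sign(key, h64 + "." + c64), sig):
        raise ValueError("bad signature")
    if claims.get("aud") != RELYING_PARTY:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    return claims

def token_status(token, now):
    """'ok' or the reason the relying party rejected the token."""
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)

def demo(now=1_700_000_000):
    """Constructed cases a relying party must get right; returns {case: status}."""
    idp = "https://idp.example-university.edu"
    good = issue_token(idp, "alice", RELYING_PARTY, now)
    return {
        "member idp": token_status(good, now + 60),
        "expired": token_status(good, now + 600),
        "other audience": token_status(
            issue_token(idp, "alice", "https://sp.other.example", now), now + 60),
        "outside federation": token_status(issue_token(
            "https://idp.unknown.example", "bob", RELYING_PARTY, now,
            key=b"constructed-unknown-key"), now + 60),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:>20}: {status}")
```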

Government initiatives

United States

In the United States, the National Institute of Standards and Technology (NIST), through the National Cybersecurity Center of Excellence, has published a building block white paper in December 2016 on this topic.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP enables agencies to move rapidly from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

Examples

Digital identity platforms that allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. enable social login, include:

Social login examples

This section is an excerpt from Social login § List of providers.

Here is a list of services that provide social login features which they encourage other websites to use. Related are federated identity login providers.

Other examples

See also

References

  1. Madsen, Paul, ed. (5 December 2005). "Liberty Alliance Project White Paper: Liberty ID-WSF People Service - federated social identity" (PDF). Archived from the original (PDF) on 2018-05-26. Retrieved 2013-07-11.
  2. Federated Identity for Web Applications, microsoft.com. Retrieved 3 July 2017.
  3. Gaedke, Martin; Johannes, Meinecke; Nussbaumer, Martin (2005-05-01). "A modeling approach to federated identity and access management". Special interest tracks and posters of the 14th international conference on World Wide Web - WWW '05 (PDF). pp. 1156–1157. doi:10.1145/1062745.1062916. ISBN 978-1595930514. S2CID 8828239. Archived from the original (PDF) on 2017-09-13. Retrieved 2017-07-03.
  4. Chadwick, David W. (2009). "Federated Identity Management" (PDF). Foundations of Security Analysis and Design V. Lecture Notes in Computer Science. Vol. 5705. pp. 96–120. CiteSeerX 10.1.1.250.4705. doi:10.1007/978-3-642-03829-7_3. ISBN 978-3-642-03828-0. ISSN 0302-9743. Retrieved 2017-07-03.
  5. "7 things you should know about Federated Identity Management" (PDF). EDUCAUSE. http://net.educause.edu/ir/library/pdf/EST0903.pdf. Archived 2017-08-29 at the Wayback Machine.
  6. Jensen, Jostein (2012). "Federated Identity Management Challenges". 2012 Seventh International Conference on Availability, Reliability and Security. pp. 230–235. doi:10.1109/ares.2012.68. ISBN 978-1-4673-2244-7. S2CID 18145013. Retrieved 2023-12-11.
  7. "National Identity Exchange Federation". nief.org. Retrieved 2018-05-15.
  8. "InCommon: Security, Privacy and Trust for the Research and Education Community". incommon.org. Retrieved 2018-05-15.
  9. Cabarcos, Patricia Arias (2013). "Dynamic Infrastructure for Federated Identity Management in Open Environments". doi:10.13140/RG.2.1.2918.0962.
  10. Rountree, Derrick (2012). Federated Identity Primer. Syngress Media. ISBN 978-0124071896.
  11. "Privacy-Enhanced Identity Federation". NIST National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/publications/project-description/privacy-enhanced-identity-brokers-project-description-final.
  12. "FedRAMP and Azure". TECHCOMMUNITY.MICROSOFT.COM. Retrieved 2023-09-13.
  13. Login With Amazon
  14. "Single Sign-On (SSO) Solution | LastPass".