In Depth
The Truth About Federated Identity Management
When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect
By Sarah D. Scalet
Behind the scenes, the standard that usually makes it happen is called Security Assertion Markup Language (SAML), an XML-based standard for exchanging statements about who someone is and what he is allowed to do. SAML "tokens" (formally, assertions) containing this identity information are passed between computers on the different networks that make up the federation. One side serves as the "asserting" party and issues the signed token. The other side is the "relying" party, which accepts the token only after checking that it is genuine and was actually meant for it.
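As an added illustration, not code from the article or from any of the vendors it mentions, the following Python sketches the exchange just described: an asserting party issues a SAML 2.0-style assertion and a relying party runs the checks a federation partner would want before accepting it (trusted issuer, signature, validity window, audience, replay). Real SAML deployments sign assertions with XML-DSig, typically an RSA signature over canonicalized XML; here a shared-secret HMAC over the serialized assertion stands in for that, an assumption made to keep the example dependency-free. The entity IDs, subject names and secret are constructed sample values; the element names and namespace are the real SAML 2.0 ones.

```python
"""Minimal SAML 2.0-style assertion exchange: the asserting party issues a
signed assertion and the relying party validates it before trusting it.
Added example, not code from the article.  Assumption: a shared-secret
HMAC over the serialized assertion stands in for the XML-DSig signature
real SAML deployments use; entity IDs, subject names and the secret are
constructed sample values."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # the real SAML 2.0 assertion namespace
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                  # SAML uses UTC xs:dateTime values


def _fmt(t):
    return t.strftime(TIME_FMT)


def _parse(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def issue_assertion(issuer, subject, audience, secret, now, ttl_seconds=300):
    """Asserting party: build an assertion for `subject`, scoped to one
    audience and a short validity window, and sign it with `secret`."""
    assertion_id = "_" + secrets.token_hex(16)   # unique ID, used for replay detection
    xml = (
        f'<saml:Assertion xmlns:saml="{NS}" ID="{assertion_id}" Version="2.0" '
        f'IssueInstant="{_fmt(now)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_fmt(now)}" '
        f'NotOnOrAfter="{_fmt(now + timedelta(seconds=ttl_seconds))}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )
    sig = hmac.new(secret, xml.encode(), hashlib.sha256).digest()
    return {"assertion": xml, "signature": base64.b64encode(sig).decode()}


class RelyingParty:
    """Relying party: accepts an assertion only after every check passes."""

    def __init__(self, entity_id, trusted_issuers):
        self.entity_id = entity_id              # the audience we expect to be named
        self.trusted = trusted_issuers          # issuer entity ID -> shared secret
        self.seen_ids = set()                   # assertion IDs already consumed

    def validate(self, token, now):
        """Return (subject, None) on success or (None, reason) on rejection."""
        xml, sig = token["assertion"], token["signature"]
        root = ET.fromstring(xml)
        issuer = root.findtext(f"{{{NS}}}Issuer")
        secret = self.trusted.get(issuer)
        if secret is None:                      # no federation agreement with this issuer
            return None, "untrusted issuer"
        expected = hmac.new(secret, xml.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(sig)):
            return None, "bad signature"        # tampered or forged assertion
        cond = root.find(f"{{{NS}}}Conditions")
        if cond is None:
            return None, "missing conditions"
        if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
            return None, "outside validity window"
        audiences = [a.text for a in cond.iter(f"{{{NS}}}Audience")]
        if self.entity_id not in audiences:     # token was issued for another federation member
            return None, "wrong audience"
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(assertion_id)
        return root.findtext(f"{{{NS}}}Subject/{{{NS}}}NameID"), None


def demo():
    """Run the exchange end to end; returns the outcome of each scenario."""
    secret = b"constructed-shared-secret"        # sample value, not a real key
    now = datetime(2005, 10, 1, 12, 0, tzinfo=timezone.utc)
    idp, sp = "https://bank.example/idp", "https://partner.example/sp"
    rp = RelyingParty(sp, {idp: secret})
    good = issue_assertion(idp, "alice", sp, secret, now)
    tampered = dict(good, assertion=good["assertion"].replace("alice", "mallory"))
    rogue = issue_assertion("https://rogue.example/idp", "alice", sp, b"other-key", now)
    other_sp = issue_assertion(idp, "alice", "https://other.example/sp", secret, now)
    return {
        "fresh": rp.validate(good, now),
        "replay": rp.validate(good, now),
        "expired": rp.validate(good, now + timedelta(minutes=10)),
        "tampered": rp.validate(tampered, now),
        "untrusted": rp.validate(rogue, now),
        "wrong_audience": rp.validate(other_sp, now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The order of the checks matters: the issuer lookup comes first because it selects the key, the signature is verified before any of the signed content is trusted, and the replay set is only updated once everything else has passed, so a rejected assertion never consumes an ID. Either federation member can revoke the arrangement simply by dropping the other from its trust table.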
"It makes it sound like one is in control and one isn't, but that's just the terminology," says Jeff Anderson, lead technology architect at Fifth Third Bank, which has three federated identity management implementations deployed already and 11 more in the pipeline. The asserter could be either side, or even a third party. Both parties must agree to allow the access, and either can cancel it at any point. The important thing, Anderson says, is that the asserting system be both trusted and secure. In an ideal (and standardized) world, whole communities of trust could interconnect in this manner with simple and minimal effort.
Needless to say, that's not the world we live in.
A Question of Standards
Depending on whom you ask, there are not one, not two, but three ways of doing federated identity management—and that's an improvement over the way things used to be.
SAML, you see, was created by the Organization for the Advancement of Structured Information Standards (Oasis), a nonprofit group funded by IT heavy hitters such as EDS, IBM and Sun Microsystems that is trying to advance Web services.
Originally, the Oasis work on federation overlapped with work being done by a separate industry group called the Liberty Alliance. Founded by some of the same IT vendors, along with nontechnology companies that include General Motors and Fidelity, the Liberty Alliance had the goal of creating best practices around federated identity management. It created its own way of actually using the SAML tokens that Oasis had established.
The difference between the Liberty Alliance's work and Oasis's work, as described by Gartner VP Ray Wagner, is like the difference between buying a movie ticket and entering a movie theater. "SAML is the movie ticket. The way you walk up to someone and hand them your ticket to get into the theater is Liberty."
The good news is that last year, the Liberty Alliance handed over a lot of its work to Oasis, and now the latest version of SAML (2.0) incorporates those token-handling protocols.