In Depth
The Truth About Federated Identity Management
When it comes to setting up federated identity management, the security benefits (and potential drawbacks) are not what you might expect
By Sarah D. Scalet
Whichever type of implementation your company wants to pursue, the immediate security benefit of federated identity management is also the most obvious one: simplified password management. Users are screaming about the number of passwords they have, and federated identity management offers some much-needed relief.
Just ask Clair Goldsmith, associate vice chancellor and CIO at the University of Texas System Administration, who keeps track of his 75 passwords by saving them in an encrypted part of his hard drive. "I know we're never going to be single sign-on—I'm not nuts," says Goldsmith, whose institution is two years into an ambitious federated identity management initiative. But he also knows that reducing the number of sign-ons is a good way to sell a project.
That's one of the reasons that the university's first deployment of Shibboleth (a version of SAML driven by a consortium of universities) was intended to allow the administrators who run UT's 15 far-flung campuses to gain easy access to the wireless network at the system's Austin headquarters.
"Before, they'd be visiting the administration offices and try to log on to the networks [with their laptops], and they couldn't get on," Goldsmith says. "Then they'd go back to their offices and complain that they'd been at administration the day before and hadn't been able to access the network."
Now, when employees power up their laptops, "what comes up is a local webpage that says, 'Select your home institution,'" Goldsmith says. "You select whichever one. You're diverted to that institution and log on there. Then [that system] passes back to us a particular piece of data that we recognize"—a SAML token—"and we let you on the system."
This makes life easier for both the end user and the help desk, but Goldsmith also feels that it makes the network more secure: The individual is vetted by his home institution, so Goldsmith's staff doesn't have to keep track of who has permission to access university resources. The system doesn't strengthen authentication; it merely fixes a problem. "[Federated identity management] is certainly more secure than having an open wireless network," Goldsmith says.
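The security of the flow Goldsmith describes rests on one step: the wireless system must refuse any token that did not really come from a trusted home institution, or that was meant for some other service or has expired. The following is an added example, not code from the UT System deployment or from Shibboleth, showing the checks a service provider applies to an incoming assertion. It assumes a constructed federation list of trusted issuers, an invented entity ID for the service, and an HMAC over a JSON body as a stand-in for the XML signature that real SAML assertions carry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed federation metadata: the home institutions this service trusts, keyed
# by issuer entity ID. Assumption: a real SAML/Shibboleth deployment verifies an
# XML-DSig signature against each IdP's published certificate instead of a shared key.
TRUSTED_IDPS = {
    "https://idp.campus-a.example/idp": b"campus-a-secret",
    "https://idp.campus-b.example/idp": b"campus-b-secret",
}
OUR_ENTITY_ID = "https://wifi.admin.example/sp"  # invented entity ID of this service
CLOCK_SKEW = 120  # seconds of tolerance between IdP and SP clocks


def sign_assertion(claims, key):
    """IdP side: serialize the claims and attach an HMAC (stand-in for the XML signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_assertion(token, now=None):
    """SP side: return (ok, reason, claims). Access is granted only if every check passes."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return False, "malformed", None
    if not isinstance(claims, dict):
        return False, "malformed", None
    # 1. Issuer must be a member of the federation we trust; unknown IdPs are rejected
    #    before any signature work, so their vetting never counts.
    key = TRUSTED_IDPS.get(claims.get("issuer"))
    if key is None:
        return False, "untrusted issuer", None
    # 2. Signature must verify under that issuer's key (constant-time compare).
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    # 3. The assertion must be addressed to us, so a token issued for another service
    #    cannot be replayed here.
    if claims.get("audience") != OUR_ENTITY_ID:
        return False, "wrong audience", None
    # 4. The assertion must be inside its validity window (with bounded clock skew).
    nb, na = claims.get("not_before"), claims.get("not_on_or_after")
    if nb is None or na is None or not (nb - CLOCK_SKEW <= now < na + CLOCK_SKEW):
        return False, "outside validity window", None
    return True, "ok", claims
```

The same four checks (trusted issuer, valid signature, correct audience, validity window) are what a production SAML service provider performs on each assertion before creating a session.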
All of which brings us to the second obvious benefit of federated identity management: easier enforcement of user provisioning. One of the most notorious aspects of managing identities is keeping track of which users have left a company or changed jobs. Even within a single company, this is difficult. Managing to keep track across corporate boundaries can be nearly impossible. Again, federation fixes this problem. "There are plenty of situations where what happens is Company A makes a magnetic tape with user names and passwords, and they send that tape to Company B," says George Goodman, president of the Liberty Alliance management board, about the security issues that Liberty is attempting to solve. "We've heard this many times from people in workshops who say, 'In the bad old times this is how we did it.'" Now, instead, companies can agree on what identity information needs to pass from one organization to the rest, and do so via a secure channel (HTTPS).