Home » Identity & Access » Identity Management

In Depth

An Introduction to Identity Management

Providing IT managers with tools and technologies for controlling user access to critical information within an organization.

By John K Waters

Page 3

Regulating user access can involve a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens and smart cards. Hardware tokens and credit-card-sized smart cards have traditionally served as one component in the two-factor authentication scheme, which combines something you know (your password) with something you have (the token or the card) to verify a user's identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. Software tokens, which can exist on any device with storage capability, from a USB drive to a cell phone, emerged in 2005.

What is Federated Identity Management?

Federation lets you share digital IDs with trusted partners. It's an authentication-sharing mechanism designed to allow users to employ the same user name, password or other ID to gain access to more than one network. It's what is known as a "single sign-on." A single sign-on standard lets people who verify their identity on one network or website carry over that authenticated status when moving to another. The model works only among cooperating organizationsknown as trusted partnersthat essentially vouch for each other's users.

The federated model relies on the security assertion markup language specification, better known as SAML (pronounced "SAM-el"). This open specification defines an XML framework for exchanging security assertions among security authorities. SAML was developed by the Liberty Alliance, an organization formed to establish guidelines and best practices for federated ID management. The Sun Microsystems-backed group developed SAML to achieve interoperability across different vendor platforms that provide authentication and authorization services.

Microsoft and IBM have established a rival ID management federation standard: the WS-Federation specification. This spec is also designed to provide a standardized way for companies to share user and machine identities among disparate authentication and authorization systems and across corporate boundaries.

The federation model can simplify administration and enable companies to extend ID and access management to third-party users and third-party services.

What challenges or risks does implementing an identity management solution present?

ID management is inherently challenging. The applications in your system are likely to have their own ID data stores and authentication schemes. The ID data they contain isn't necessarily organized in a standard way. You might have had the foresight to opt for industry standards early on in your company's development, but your latest acquisition may not have been thinking ahead.

A successful implementation requires some forethought. Companies that establish a cohesive ID management strategyclear objectives, stakeholder buy-in, defined business processesbefore they begin the project are likely to be more successful.