Federated identity: What businesses need to know

As we conduct more and more of our work and personal lives using information technology, we have to sign in to lots of different systems. That can mean many different sets of credentials which can be hard to manage.

Federated identity is a way of streamlining this by linking an electronic identity and attributes across several identity management systems. This is related to single sign-on (SSO), which involves sharing authentication between systems – such as signing onto other websites using your social network ID – but federated identity goes much deeper.

Background

At its simplest federated identity means having a not just a shared ID, but a common set of policies, practices and protocols. These are used to manage the identity and trust of users and devices across a number of systems or organisations.

This started with the idea of centralised identity management within a data centre or network. But as IT has moved to a more decentralised model with systems in house and in the cloud, and there’s been more call for access from external users – such as contractors or suppliers – the need for identity management has evolved. It now needs to provide not just cross-system, but also cross-domain and cross-company access.

The purpose of federated identity is to enable users of one domain to securely access the data or systems of a different domain seamlessly, with no need for additional user administration. 

Standards

As federated identity has developed, standards have been drawn up to allow systems to work together. The first to emerge was AuthXML, developed by Securant Technologies (now part of EMC). AuthXML was deigned to support eCommerce by delivering a transparent user experience and providing a standardised approach for presenting and keeping track of security details as a transaction passes through linked Web sites even though they may be based on different technologies, applications and platforms. AuthXML was designed to be an open standard, not owned by any one vendor.

At around the same time two other companies Netegrity and VeriSign developed their own standard called S2ML. Eventually, via the efforts of the OASIS open standards organisation, AuthXML and S2ML were combined to form a new standard. This became known as Security Assertion Markup Language (SAML) and its specification was released in early 2001.

The next step was the formation of the Liberty Alliance, a consortium of technology and other companies, which in 2009 became the Kantara Intitiative.   It worked to develop SAML and at the same time incorporated the WS-Security specification that had been submitted to OASIS by Microsoft, IBM and others.

Microsoft, IBM, VeriSign and some other companies also got together to produce a broad set of specifications under the WS label. The intention being that this should offer a more modular architecture than other federated identity specifications. The WS work is intended to address the needs of a range of web services. 

The next development came with the rise of social media. A group comprising Facebook, Microsoft, Google, PayPal, Ping Identity, Symantec, and Yahoo sponsored production of a standard called OpenID. OpenID allows user to be authenticated using a third-party services known as identity providers. Users can pick their preferred OpenID providers to log in to websites that are signed up to the OpenID authentication scheme.

You'll have gathered by now that there are lots of standards to choose from in the area of federated identity, one more that we need to mention is OAuth. This differs slightly in that it is intended to provide authorisation rather than identification, controlling access to resources after the user is signed in.

Single sign-on

A big part of federated identity and the one most people are likely to encounter is single sign-on. This allows access to multiple systems with a single set of user credentials. Most commonly this is used to grant access to web services using services such as OpenID Connect and Facebook Connect.

The attraction of SSO is that it cuts ‘password fatigue’ by allowing people to use one set of credentials that only need to be entered once. The downside is that the authentication system itself becomes critical, if it’s unavailable the user is denied access to all systems controlled by the SSO.

Drawbacks

Although there are obvious benefits of federated identity, there are also some downsides. We’ve already discussed how single sign-ons can place greater emphasis on the authentication system, but there are other issues too.

In terms of introducing federated identity into a business the need to modify existing systems may prove an obstacle. It might require different or tougher protocols than then organisation already uses, and if membership of more than one federation is needed they may have different standards. All of this means there is both a financial and resources cost.

Perhaps the biggest worry is security. In any business some systems will be more critical than others, so policies and systems need to provide enough assurance that these will be protected. It’s also necessary to ensure that users of federated identity are legitimate. None of the standards in use have proved perfect in this respect and all have been subject to various flaws that could compromise security.

Where next?

Although the idea of federated identity has been around for a long time it isn’t yet as widely adopted as you might expect. This is partly down to a conservative approach – understandable where security is concerned – but as it becomes more widely used trust will deepen.

Where early attempts at federated identity tended to centre on the organisation, the influence of social media means that it’s now more focused on the user. This throws up another issue, which is control of digital identities. There needs to be clear agreement on who originates and verifies identities within a federation.

As connectivity between in-house, cloud, hybrid systems, protocols, and devices increases, federated identity looks like a solution whose time has come. But, though federated identity is a lot more convenient for users – because they don’t have to remember so many different usernames and passwords – it does come with a security price. That said, if correctly implemented technologies like OAuth, SAML, OpenID, or other federated identity protocols can boost convenience without increasing the threat level.