Federated identity management (FIM)

Federated identity management (FIM) is an arrangement between multiple enterprises that lets subscribers use the same identity data to obtain access to the networks and applications of all the enterprises in the group. Using such an arrangement is often called identity federation.

Identity federation links a user's identity across multiple security domains, each of which runs its own identity management system. When two domains are federated, the user can authenticate to one domain and then access resources in the other without a separate login, because the second domain accepts the first domain's signed statement about who the user is.
Identity federation offers economic advantages, as well as convenience, to enterprises and their network subscribers. For example, several corporations can share a single application instead of each running its own, which saves money and consolidates resources.
Single sign-on (SSO) is an important component of identity federation, but it is not the same thing as identity federation.
Identity federation covers a large set of user-to-user, user-to-application and application-to-application use cases, both at the browser tier and at the service-oriented architecture tier.
For FIM to be effective, the partners must trust one another, and that trust has to be anchored in something a machine can verify: each service provider holds the public signing keys (usually distributed as federation metadata) of the identity providers it accepts. Authentication and attribute assertions between partners are transmitted using Security Assertion Markup Language (SAML), an XML standard, or a JSON-based equivalent such as OpenID Connect, so that a user can log on once for affiliated but separate websites or networks.
Examples of FIM technologies include OpenID (today in the form of OpenID Connect, which is built on the OAuth 2.0 authorization framework) and Shibboleth, which is based on OASIS SAML. OAuth on its own is a delegated-authorization framework rather than an identity protocol, which is why it is normally paired with OpenID Connect when it is used for login.


How federated identity management works
Under a federated identity management scheme, credentials are stored only with the user's identity provider (IdP), usually the user's home organization. When the user logs in to a service such as a software-as-a-service app, the service provider (SP) never sees those credentials: it trusts the identity provider to validate them and to send back a signed assertion that the user has authenticated. The user therefore only ever enters credentials at the identity provider, which is generally the user's home domain.
The user authenticates once through the home domain; when that user initiates sessions in other security domains, those domains rely on the home domain's assertion instead of authenticating the user themselves.
Here is how FIM works:
  • The user is authenticated by the home security domain (the identity provider), for example by logging in to the home network.
  • The user then attempts to use a remote application that participates in the federation.
  • Instead of authenticating the user directly, the application redirects the user to the home identity provider (or otherwise requests an assertion from it); if the user already has a session there, no further password prompt appears.
  • The identity provider returns a signed assertion naming the user and, usually, attributes such as group memberships. The application verifies the signature against the identity provider's published key, checks that the assertion is addressed to it and has not expired, and then applies its own authorization rules to decide what the user may access.

The user only needs to authenticate once, to the home domain; remote apps in other security domains that have agreed to cooperate can then grant access without requiring a further login. The security of the whole arrangement rests on the remote application validating the assertion properly: an application that accepts an unsigned or mis-addressed assertion is effectively granting access to anyone who can produce one.
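The flow above, as an added example that is not code from the page or from any product: a minimal identity provider and service provider in Go, with Ed25519 signatures standing in for the XML signatures SAML uses. The entity IDs, the user alice, her password, the group names, the permission names and the assertion field names are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is the IdP's signed statement about a user. Field names are this example's own.
type Assertion struct {
	Issuer       string   `json:"iss"`
	Subject      string   `json:"sub"`
	Audience     string   `json:"aud"`            // the SP this assertion is for
	InResponseTo string   `json:"in_response_to"` // the SP login request it answers
	IssuedAt     int64    `json:"iat"`
	Expires      int64    `json:"exp"`
	Groups       []string `json:"groups"` // home-domain attributes, not SP permissions
}
// SignedAssertion is the serialized assertion plus the IdP's signature over it.
type SignedAssertion struct{ Payload, Signature []byte }
func newID() string { b := make([]byte, 16); rand.Read(b); return fmt.Sprintf("%x", b) }

// IdP is the home domain: the only party holding credentials and the signing key.
type IdP struct {
	EntityID string
	priv     ed25519.PrivateKey
	users    map[string]string   // username -> password (plaintext only for brevity)
	groups   map[string][]string // username -> group memberships
}

// Authenticate checks the user locally and issues an assertion bound to one SP and one request.
func (idp *IdP) Authenticate(user, password, audience, requestID string, now time.Time) (SignedAssertion, error) {
	if pw, ok := idp.users[user]; !ok || pw != password {
		return SignedAssertion{}, fmt.Errorf("idp: invalid credentials")
	}
	a := Assertion{Issuer: idp.EntityID, Subject: user, Audience: audience, InResponseTo: requestID,
		IssuedAt: now.Unix(), Expires: now.Add(5 * time.Minute).Unix(), Groups: idp.groups[user]}
	payload, _ := json.Marshal(a)
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(idp.priv, payload)}, nil
}

// SP is the remote application. It holds no passwords: only federation metadata (trusted
// issuer -> public key), its open login requests, and its own group-to-permission mapping.
type SP struct {
	EntityID    string
	trustedIdPs map[string]ed25519.PublicKey
	pending     map[string]bool // login requests issued and not yet answered
	groupPerms  map[string][]string
}

// StartLogin records an outbound authentication request and returns its ID.
func (sp *SP) StartLogin() string { id := newID(); sp.pending[id] = true; return id }
// Consume validates an assertion and returns the subject plus local permissions.
func (sp *SP) Consume(sa SignedAssertion, now time.Time) (string, []string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", nil, err
	}
	pub, trusted := sp.trustedIdPs[a.Issuer] // trust is per issuer, pinned to its key
	switch {
	case !trusted:
		return "", nil, fmt.Errorf("sp: untrusted issuer %q", a.Issuer)
	case !ed25519.Verify(pub, sa.Payload, sa.Signature): // verify before relying on any field
		return "", nil, fmt.Errorf("sp: invalid signature")
	case a.Audience != sp.EntityID: // an assertion meant for another SP must not work here
		return "", nil, fmt.Errorf("sp: assertion addressed to %q", a.Audience)
	case now.Unix() >= a.Expires || a.IssuedAt > now.Unix()+60: // allow 60 s of clock skew
		return "", nil, fmt.Errorf("sp: assertion expired or not yet valid")
	case !sp.pending[a.InResponseTo]: // also catches replay: each request is answered once
		return "", nil, fmt.Errorf("sp: unsolicited or replayed assertion")
	}
	delete(sp.pending, a.InResponseTo)
	var perms []string
	for _, g := range a.Groups { // authorization stays local to the SP
		perms = append(perms, sp.groupPerms[g]...)
	}
	return a.Subject, perms, nil
}

// NewDemoFederation builds one IdP and one SP that trusts its key; all names are constructed.
func NewDemoFederation() (*IdP, *SP) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	idp := &IdP{EntityID: "https://idp.home.example", priv: priv,
		users:  map[string]string{"alice": "correct horse battery staple"},
		groups: map[string][]string{"alice": {"engineering"}}}
	sp := &SP{EntityID: "https://app.partner.example",
		trustedIdPs: map[string]ed25519.PublicKey{idp.EntityID: pub}, pending: map[string]bool{},
		groupPerms:  map[string][]string{"engineering": {"repo:read", "ci:run"}}}
	return idp, sp
}

func main() {
	idp, sp := NewDemoFederation()
	req := sp.StartLogin()                                                                           // 1. SP opens a login request
	sa, _ := idp.Authenticate("alice", "correct horse battery staple", sp.EntityID, req, time.Now()) // 2. user logs in at the home IdP only
	fmt.Println(sp.Consume(sa, time.Now()))                                                          // 3. SP validates and maps groups: alice [repo:read ci:run] <nil>
	fmt.Println(sp.Consume(sa, time.Now()))                                                          // 4. replaying the same assertion is rejected
}
```

The part worth studying is the service provider side. It holds no password for alice, it pins trust to the issuer's key rather than to where the assertion arrived from, and the assertion carries only the home domain's group names; the mapping from those groups to repo:read and ci:run is decided locally, which is what lets each organization keep control of access within its own domain. Production deployments get the same properties from a SAML or OpenID Connect library rather than hand-written checks, but the checks such a library must perform are the ones listed in Consume.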
Benefits of federated identity management
Identity federation offers economic benefits, as well as convenience, to companies and their users.
Organizations working together on a project can form an identity federation so that all of their users can access and share resources easily. Users then authenticate once and can reach resources across all the domains, while administrators at each organization still control the level of access within their own domain. This approach can save money and consolidate resources.
In addition, identity federation aims to remove the barriers that stop users from securely and easily accessing the resources they need when they need them. Users of systems in an identity federation do not have to create a new account for each domain, so they can access systems in different domains without remembering a separate set of credentials for each; as they move from one domain to another, they are not asked to re-enter their credentials.
Identity federation also spares administrators some of the work of managing multi-domain access, such as building a bespoke integration every time an external organization's users need access to internal resources.
Identity federation can also be useful when administering applications that themselves need access to resources in multiple security domains.
Differences between FIM and SSO
Although federated identity management systems provide their users with a form of single sign-on, FIM and SSO are not the same. SSO generally lets users access multiple systems within a single organization with one set of credentials, while FIM lets users access systems across different organizations.
While federated identity management enables single sign-on for users, organizations that implement SSO do not necessarily use FIM. Identity federation, however, relies heavily on SSO technologies to authenticate users across domains.
Single sign-on lets users authenticate once and then access multiple services with that single login. SSO implementations are typically token-based: after the initial login, the user presents a token or ticket issued by the authentication server to each service, rather than re-entering a password.
Federated identity management is the arrangement between enterprises that lets subscribers use the same identity information to gain access to the applications, programs and networks of all the group's members.
While SSO lets a single authentication credential reach different systems within one enterprise, an FIM system offers single-step access to numerous systems across different organizations. Users therefore do not provide credentials directly to a web app, but only to the identity provider in their home domain, which vouches for them to the federation's applications.
Advantages and disadvantages of FIM
The main advantage FIM offers to users is convenience: each user only needs to remember one username and password to access websites and applications across multiple security domains. FIM frees users from the burden of having to remember login credentials for each organization they collaborate with regularly.
FIM also benefits systems administrators, as it simplifies the process of authenticating and authorizing users of their systems within the federation. With federated identity management, a system administrator can set permissions and access levels across different systems in different security domains for a user based on a single federated identity rather than one account per system. This reduces a system admin's work, makes identity and access management easier, and streamlines access to resources.
There are also some disadvantages to using federated identity management, including the upfront costs that organizations -- particularly smaller ones -- will incur to modify their existing systems and applications so that they can consume federated assertions.
Another challenge when implementing federated identity management frameworks is the need for participating members to create policies that satisfy the security requirements of all the members, an undertaking complicated by the different requirements and rules each enterprise already has.
Federation also concentrates risk. Every application in the federation accepts what the identity provider asserts, so a compromise of the identity provider, or of the key it signs assertions with, affects all of them at once; the provider's signing keys and published metadata therefore need protection and rotation commensurate with that blast radius.
Finally, because an organization can be a member of different federations, its policies should accurately reflect the rules of each federation it belongs to. Ensuring this is the case requires a commitment of time and effort that many enterprises may not be prepared for.
