Federated Identity Through the Eyes of the Deployer

By Eve Maler, with contributions from Marina Sum, February 29, 2008

As a deployer, you manage a software application accessed daily by thousands of employees or millions of consumers. For every one of them you manage an account record, check credentials, control access to sensitive data or functions, and personalize the application's interface and behavior. For every one of them you go to a lot of trouble and expense to get identity, privacy, and security correct, not just because of the potential upside in user satisfaction and enterprise efficiency, but also because of the potential downside in business-threatening breaches.

Would you be interested in outsourcing a part of your identity management infrastructurethe authentication that begins user login sessions and even some user attribute datato an external source? Conversely, would you be interested in exposing an interface to your user accounts for use by the applications that depend on that authentication and data? That's what federated identity is about: distributing identity information and tasks across security domains so that the parties involved can focus on the jobs they do best.

Contents


-	Job One: Single Sign-On
-	The Challenge: Speaking the Same Identity Language
-	Deployment Issues
-	Questions and Considerations
-	References

Job One: Single Sign-On

Why deploy federated identity? To date, it's mostly been used for cross-domain single sign-on (SSO) to save user time and hassle and to eliminate costly password resets. With SSO, users can authenticate at one location and subsequently access protected resources at other locations. For example

Enterprises that outsource functions, such as human resources and health insurance, turn to SSO.
Many governments adopt SSO for citizen portals and cross-agency application access by civil servants.
Academic institutions often manage access to research databases at partner universities with SSO.

In all cases, the same players apply, namely:

Users and the agents, such as browsers, through which they communicate online
Service providers (SPs) that offer Web applications and rely on an external source for crucial input into their authorization decisions
Identity providers (IdPs) that authenticate users and manage attributes of common interest

Figure 1 illustrates the interactions.

Figure 1: SSO Players

To protect the identity and application data being passed around, IdPs and SPs typically establish a circle of trust with technical and business agreements that define their respective responsibilities. Often, a circle of trust assumes a star-shaped topology with a single IdP and many SP spokes that trust the IdP but not necessarily each other. The IdP role is more complex because it must furnish the authentication infrastructure along with most of the security measures. SPs, looking to simplify by outsourcing to the IdP, expect to be offered toolkits that ease deployment.

Which role is right for you? Depending on the business realities, the choice might be obvious or beyond your control. Consider these examples:

A human resources company that offers employee profile management applications to enterprises is a natural SP to its customers, who in turn serve as IdPs. Each IdP would make available its employee directory in a limited fashion.
A university might function as follows:
- As an IdP for its own students and faculty when they access research data at partner universities
- As a research repository SP for the students and faculty at those partner sites
This arrangement would constitute a truly circular relationship of trust.

The Challenge: Speaking the Same Identity Language

The choice of federated identity protocol determines the language in which the parties communicatethe forms and meaning of the messages. However, again depending on the business relationships, the choice might not be up to you.

SAML
The most comprehensive and widely deployed protocol is the Security Assertion Markup Language (SAML, pronounced " sam-ul"), currently at version 2.0. The SAML 2.0 design resulted from a merging of the SAML 1.1 capabilities, the SAML-based Shibboleth protocol that's in use in higher education, and the Liberty Alliance protocols known as the Identity Federation Framework (ID-FF).

You might have come across some of those older protocols, which are still in active deployment. They represent unique languages because their syntaxes are mutually incompatible.

WS-Federation
A somewhat similar protocol that was developed independently is WS-Federation. Its Microsoft genesis makes it most often chosen for IdPs and SPs that share a Microsoft-based identity and Web services platform.

Microsoft's InfoCard protocol, which governs its Windows CardSpace implementation, offers a phishing-resistant means of Web authentication and attribute sharing that meshes well with the concept of SSO. To adopt the CardSpace paradigm, you must ensure that a special agent, called an identity selector, is deployed on your users' client systems.

OpenID
The OpenID protocol focuses on simplicity and ease of SP deployment, particularly for Web 2.0 sites. OpenID presumes a total lack of trust. That is, anyone can create an OpenID identifier (a URI) and host an IdP. SPs that choose to accept OpenID logins do so without setting up trust relationships with IdPs in advance. Such a setup avoids burdening the process of rolling out an SP but limits your options in terms of partner trustworthiness and system security.

Sun Solutions
To help deployers who need multiple protocols or flexibility, Sun Java System Access Manager and its open-source twin OpenSSO have become polyglots. Not only do they work with SAML, ID-FF, and WS-Federation, but OpenSSO also offers an extension for OpenID. Support for the InfoCard protocol through an extension is in the works. This broad coverage addresses many protocol-related concerns in federation and Web access management.

Note that, in an upcoming 8.0 release, Sun Java System Access Manager will be merged with Sun Java System Federated Manager to become Sun Java System Federated Access Manager.

To help smooth interactions among protocols, Sun cofounded and participates in a community called Project Concordia. This project looks into interoperability issues raised by deployers and collaborates with them and vendors alike to develop best practices and to document time-tested solutions.

Deployment Issues

Only rarely can you set up an application with an ideal set of federated-identity relationships at launch. Often, for example, while creating a portal that aggregates existing applications, you add SSO to an application environment that already manages its own "local accounts" and must continue to do so. You must then link each local account at an SP to an account at the IdP for the same user so that the user's logins at the IdP result in SSO into the correct SP account.

You can link the accountsa task sometimes confusingly called identity federationin a batch operation. However, for consumer applications, you would often perform the task interactively with the user's help and real-time consent. For example, if you're a Flickr user, you might recall how that site prompted you to link your account to your Yahoo! account.

A changeover from local logins to SSO might disrupt users if they must authenticate with a different user ID on a different site, possibly through a different process (say, with smart cards instead of passwords). In Flickr's case, users were given a grace period during which both logins worked.

Another consideration is the kind of browsing experience you want to offer users. Here are two common deployment styles:

Portal style (IdP-initiated SSO) From a system perspective, this is the simplest scenario, whereby the user starts browsing at the IdP and simply follows a link to the desired SP.
Bookmark style (SP-initiated SSO) In this scenario, the user visits the SP first and, when the user attempts to access a protected page or function, is sent to the IdP to log in, resulting in more message exchanges between systems. In addition, the SP must determine where to send the user to log ina notorious conundrum called the IdP discovery problem.

Solutions to this problem involve compromise, so you must figure out what matters the most to you: user convenience, architectural flexibility, or cost containment.

Questions and Considerations

Before making your SSO architecture choices, consider these three important questions first:

Will your solution involve walk-up Internet users, members of a paid service, employees?

The answer will affect your ability to control users' client systems and will suggest strategies for data protection, privacy, and collection of user consent.
Will the transactions carry significant monetary value or will you be exchanging relatively trivial data?

The answer will determine your security strategy and part of your strategy for establishing trust.
Do you need to establish trust with online partners beforehand? If so, what trust topology would make sense?

The answer will determine your technology choice, business agreements, and coordination practices with partners over time.

A flood of other practical considerations will follow:

Do you have to link existing local accounts with the IdP's accounts? If so, do you have to establish each link with user input in real time?
What happens if an account on one side is terminated?
What authentication method do you require? Does your protocol support communications about that method?
What and when should user attributes be shared and with what model of user consent?
Do you want to adopt single logout? That is, when a user logs out, should the logout ripple throughout all the user's sessions at that SP or even all of the user's sessions at all the SPs based on the original login at the IdP?

What about session timeouts?

Don't feel overwhelmed. Check out OpenSSO (and, soon, Federated Access Manager 8.0), which takes a wizard-like approach and walks you through configuration screens for a faster and more intuitive route to rollout. Distributing identity jobs and information efficiently can help users, account holders, and application owners alike. OpenSSO can help you help them all.

References

Sun Java System Access Manager
Upcoming Sun Java System Federated Access Manager
- Architectural Overview
- FAMTalk
Related open-source projects, standards venues, and communities
Description and comparison of SAML, OpenID, and CardSpace's InfoCard protocol (PDF)
Sun developer services
- Support
- Training and certification

Rate and Review

Tell us what you think of the content of this page.

Excellent Good Fair Poor

Comments:

</td>
                    </tr>
                     <tr>
                       <td>                        <strong>Your email address (no reply is possible without an address):</strong>
                        <br/>
                         <a href="http://sun.com/privacy/" target="_new">Sun Privacy Policy</a>
                        <br/>
                         <input maxlength="60" name="custom_1" size="35" type="text" value=""/>                        <br/>
Note: We are not able to respond to all submitted comments.
                      </td>
                    </tr>
                     <tr>
                       <td>                        <input border="0" class="buttonblue" onmouseout="this.style.color='#FFF';" onmouseover="this.style.color='#fbe249';" type="submit" value=" Submit » "/>  
                        <input name="custom_0" type="hidden" value="Eve Maler, Marina Sum"/>  
                        <input name="custom_4" type="hidden" value="Federated Identity Through the Eyes of the Deployer"/>  
                        <input name="custom_5" type="hidden" value="http://developers.sun.com/identity/reference/techart/deployment.html"/>  
                        <input name="cf_Form_Name" type="hidden" value="Rate and Review - article feedback"/>  
                        <input name="cf_Form_Location" type="hidden" value="Registrations"/>  
                        <input name="cf_iso2" type="hidden" value="XH"/>  
                        <input name="charset" type="hidden" value="ISO-8859-1"/>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>
            </table>
          </form>
					
	</div>
</div>
<div class="orcl6w5"><div class="orcl6x0"></div><div class="orcl6x1"></div></div>
	<div class="orcl6w6">
		<div class="orcl6x0"></div>
		<div class="orcl6x1"></div>
	
</div>

</div>
<div id="Wrapper_FixedWidth_Rightnav">
<div style="background-color:#FFFFFF;">
    
                                      
       <style type="text/css">
body {font-family:Arial, Helvetica, sans-serif}
#downRSS {padding:0;position:absolute;top:3px;right:10px;}
#downWrapper {padding:0 0 0px 0;background-color:#ffffff;}
#downMain {padding:5px 0 0 0; margin: 0; font-size:12px; }
#downMain .downLoad {background-image:url(http://www.oracleimg.com/ocom/groups/public/@otn/documents/digitalasset/115899.gif); background-repeat:no-repeat; background-position:top left; padding:0 0 10px 16px; margin:0 0 0 5px;}
#downMain a:link {color:#000;text-decoration:underline;} 
#downMain a:visited {color:#999;text-decoration:underline;}
#downMain a:hover {color:#ff0000;text-decoration:underline;}
</style>
<table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#dddddd">
    <tbody>
        <tr>
            <td><img width="10" height="20" alt="Left Curve" src="/ocom/groups/public/@otn/documents/digitalasset/121830.gif" /></td>
            <td align="center">
            <div align="center"><span class="boldbodycopy">Java SDKs and Tools</span></div>
            </td>
            <td align="right"><img width="10" height="20" alt="Right Curve" src="/ocom/groups/public/@otn/documents/digitalasset/104150.gif" /></td>
        </tr>
        <tr>
            <td colspan="3">
            <div id="downWrapper">
            <div id="downMain">
            <div class="downLoad"><a target="" href="/technetwork/java/javase/downloads/index.html">Java SE</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javaee/downloads/index.html">Java EE and Glassfish</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javame/downloads/index.html">Java ME</a></div>
<div class="downLoad"><a target="" href="/technetwork/java/javafx/downloads/index.html">JavaFX</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javacard/downloads/index.html">Java Card</a></div>
<div class="downLoad"><a target="" href="http://netbeans.org/downloads/index.html">NetBeans IDE</a></div>
            
            </div>
            </div>
            </td>
        </tr>
    </tbody>
</table>

</div>
</div>

</div>

<div id="Wrapper_FixedWidth_Footer">
            <div class="addThisPrintEmail">
                
	<a href="javascript:mailpage()"><img height="16" src="/ocom/groups/systemobject/@mktg_admin/@ocom_admin/documents/digitalasset/email.gif" width="19" border="0" /></a> <span style="MARGIN-BOTTOM: 2px">
	<a href="javascript:mailpage()">E-mail this page</a></span>   
	<a onclick="printerView()" href="javascript: void 0;"><img height="16" alt="Printer View" src="/ocom/groups/systemobject/@mktg_admin/@ocom_admin/documents/digitalasset/print_icon.gif" width="19" border="0" /> Printer View</a>
			
            </div>
 
				
		 <div data-trackas="ffooter" data-openff="Open Info" data-closeff="Close Info" class="u06v1" id="u06v1"><div class="u06v1z1"> </div> <div class="u06v1w1"><div class="u06v1w2"><ul>     <h5>Oracle Cloud</h5>     <li><a href="/us/solutions/cloud/overview/index.html" data-lbl="cloud:learn-about-oracle-cloud">Learn About Oracle Cloud</a></li>     <li><a href="https://cloud.oracle.com/mycloud/f?p=service:free_trial:0" data-lbl="cloud:get-a-free-trial" target="_blank">Get a Free Trial</a></li>     <li><a href="/us/solutions/cloud/platform/overview/index.html" data-lbl="cloud:learn-about-paas">Learn About PaaS</a></li>     <li><a href="/us/technologies/saas/overview/index.html" data-lbl="cloud:learn-about-saas">Learn About SaaS</a></li>     <li><a href="/us/solutions/cloud/infrastructure/overview/index.html" data-lbl="cloud:learn-about-iaas">Learn About IaaS</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Java</h5>     <li><a href="/us/technologies/java/overview/index.html" data-lbl="java:learn-about-java">Learn About Java</a></li>     <li><a href="http://java.com/download" data-lbl="java:download-java-for-consumers" target="_blank">Download Java for Consumers</a></li>     <li><a href="/technetwork/java/javase/downloads/index.html" data-lbl="java:download-java-for-developers">Download Java for Developers</a></li>     <li><a href="/technetwork/java/index.html" data-lbl="java:java-resources-for-developers">Java Resources for Developers</a></li>     <li><a href="https://cloud.oracle.com/mycloud/f?p=service:java:0" data-lbl="java:java-cloud-service" target="_blank">Java Cloud Service</a></li>     <li><a href="/technetwork/java/javamagazine/index.html" data-lbl="java:java-magazine">Java Magazine</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Customer and Events</h5>     <li><a href="/us/corporate/customers/index.html" data-lbl="customers-and-events:explore-and-read-customer-stories">Explore and Read Customer Stories</a></li>     <li><a href="http://events.oracle.com/search/search?group=Events&keyword=" data-lbl="customers-and-events:all-oracle-events" target="_blank">All Oracle Events</a></li>     <li><a href="http://www.oracle.com/openworld/index.html" data-lbl="customers-and-events:oracle-openworld" target="_blank">Oracle OpenWorld</a></li>     <li><a href="http://www.oracle.com/javaone/index.html" data-lbl="customers-and-events:javaone" target="_blank">JavaOne</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Communities</h5>     <li><a href="/us/corporate/blogs/index.html" data-lbl="communities:blogs">Blogs</a></li>     <li><a href="http://forums.oracle.com/forums/index.jspa?cat=1" data-lbl="communities:discussion-forums" target="_blank">Discussion Forums</a></li>     <li><a href="https://wikis.oracle.com" data-lbl="communities:wikis" target="_blank">Wikis</a></li>     <li><a href="/technetwork/community/oracle-ace/index.html" data-lbl="communities:oracle-aces">Oracle ACEs</a></li>     <li><a href="/us/corporate/customers/oracle-users-groups-192206.html" data-lbl="communities:user-groups">User Groups</a></li>     <li><a href="/us/social-media/twitter/index.html" data-lbl="communities:social-media-channels">Social Media Channels</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Services and Store</h5>     <li><a href="/us/support/software/premier/my-oracle-support-068523.html" data-lbl="services-and-store:log-in-to-my-oracle-support">Log In to My Oracle Support</a></li>     <li><a href="http://education.oracle.com/" data-lbl="services-and-store:training-and-certification" target="_blank">Training and Certification</a></li>     <li><a href="/partners/en/join-now/index.html" data-lbl="services-and-store:become-a-partner" target="_blank">Become a Partner</a></li>     <li><a href="/us/partnerships/solutions-catalog/specialized-partners/index.html" data-lbl="services-and-store:find-a-partner-solution">Find a Partner Solution</a></li>     <li><a href="https://shop.oracle.com/" data-lbl="services-and-store:purchase-from-the-oracle-store" target="_blank">Purchase from the Oracle Store</a></li>     <li><div class="u06callout"><h5>Contact and Chat</h5>     <a href="/us/corporate/contact/global-070511.html" data-lbl="contact-and-chat:global-contacts">Global Contacts</a><br />     <a href="/us/support/contact/index.html" data-lbl="contact-and-chat:oracle-support" target="">Oracle Support</a><br />     <strong>Phone:</strong> 800-633-0738<br />     </div></li> </ul></div></div> <div class="u06v1z2"> </div></div>   <div data-trackas="footer" id="u06"><hr /> <h3><a href="/us/corporate/index.html" data-lbl="hardware and software engineered to work together">Hardware and Software, Engineered to Work Together</a></h3> <ul class="u06-links">     <li><a href="/us/syndication/subscribe/index.html" data-lbl="subscribe">Subscribe</a></li>     <li><a href="/us/corporate/careers/index.html" data-lbl="careers">Careers</a></li>     <li><a href="/us/corporate/contact/index.html" data-lbl="contact us">Contact Us</a></li>     <li><a href="/us/sitemaps/index.html" data-lbl="site maps">Site Maps</a></li>     <li><a href="/us/legal/index.html" data-lbl="legal notices">Legal Notices</a></li>     <li><a href="/us/legal/terms/index.html" data-lbl="terms of use">Terms of Use</a></li>     <li><a href="/us/legal/privacy/index.html" data-lbl="privacy rights">Privacy</a></li>     <li><div style="*margin-top:5px;" id="teconsent"><script type='text/javascript' src='http://consent.truste.com/notice?domain=oracle.com&c=teconsent&language=en&text=true'></script></div>     </li>     <li class="u06-mobile"><a href="/us/corporate/mobile-application/index.html" data-lbl="oracle mobile"><span> </span></a></li> </ul> <ul class="scl-icons">     <li class="scl-facebook"><a title="Oracle on Facebook" href="/us/social-media/facebook/index.html" data-lbl="facebook">Facebook</a></li>     <li class="scl-linkedin"><a title="Oracle on LinkedIn" href="/us/social-media/linkedin/index.html" data-lbl="linkedIn">LinkedIn</a></li>     <li class="scl-twitter"><a title="Follow Oracle on Twitter" href="/us/social-media/twitter/index.html" data-lbl="twitter">Twitter</a></li>     <li class="scl-googleplus"><a title="Follow Oracle on Google+" href="https://plus.google.com/u/0/115607918987921226255" data-lbl="google plus" target="_blank">Google+</a></li>     <li class="scl-youtube"><a title="Watch Oracle on YouTube" href="http://www.youtube.com/oracle/" data-lbl="youtube" target="_blank">YouTube</a></li>     <li class="scl-feed"><a title="Oracle RSS Feeds" href="/us/syndication/feeds/index.html" data-lbl="oracle rss feed">Oracle RSS Feed</a></li> </ul></div> 
 
			
          </div>
        </div>

<script language="JavaScript" src="http://www.oracleimg.com/us/assets/metrics/ora_otn.js"></script>

</div>
    </div>
  </div>

Products and Services

Solutions

Downloads

Store

Support

Training

Partners

About

Oracle Technology Network

Federated Identity Through the Eyes of the Deployer