Sun Identity Insights Sun Microsystems®

Insights from Inside

Identity Federation: The Inside Story (Literally)

By Daniel Raskin
Product Line Manager, Access Manager and Federation Manager

Identity federation is a topic of intense interest these days as more and more companies look for ways to collaborate online that are secure, efficient, and cost-effective — and that deliver a great user experience.

Identity federation can provide all those things. But how, exactly?

In my experience, federation is often best demonstrated by example rather than by an abstract description or definition. When people see the day-to-day business benefits that companies are realizing by federating identities, the exciting potential of this aspect of identity management becomes crystal-clear.

In this issue of Identity Insights, I'd like to show you a couple of ways that Sun is using identity federation to do business online, and let you see for yourself the rewards this technology can bring to a real-world business.

Case #1: Federation for Secure, Compliant Information-Sharing
Sun is one of a number of Fortune 100 companies that are members of a national political action committee that advocates for business and industry. As part of its mission, this organization provides political intelligence, policy analysis, research, and communications about campaigns and elections to its members.

What led Sun and the committee down the road to federation was a mutual desire to give Sun employees easy online access to the advocacy information the committee generates. Using the authentication and authorization capabilities of Sun Java System Access Manager, together with Liberty Alliance standards for streamlined yet secure access to information, Sun and the committee built an access framework through which employees who are logged into their Sun accounts can get the political information they want from the committee's site without leaving the Sun site and signing on a second time.

Here's how it works. Sun acts as the identity provider: it maintains and manages its employees' identity information and gives them a simple way to be authenticated. The committee acts as the service provider (the service in this case being information). When a Sun employee who is already logged into a Sun account navigates to the committee's site, Access Manager recognizes the existing session and redirects the employee to the committee's site, so no new login prompt appears.

Among the keys to making it work:

  • The federated solution lets Sun, rather than the committee, authenticate users who want access to the more restricted political content on the committee's site. The committee never receives or stores a copy of the personal identity information held in Sun's directories, which removes one route by which that data could be compromised and helps Sun stay compliant with regulations governing what kind of political information may be provided to which users.
     
  • Instead of relying on a portable common identifier (an e-mail address, say) that means the same thing at every site, the solution uses a unique "opaque identifier" that is valid only within the circle of trust established by Sun and the committee. The identifier reveals nothing about the employee and is unrelated to any identifier the employee has elsewhere, so if it is ever stolen or compromised it cannot be used to gain access at other Web sites, or to correlate the employee's activity across them.
     
  • The entire setup is governed by Liberty Alliance standards and specifications established to enable easy and secure access to information. A standards-based solution paves the way for the political action committee to extend this information-sharing model to its other members.
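To make the opaque-identifier idea concrete, here is an added example; it is an illustration written for this page, not code from Access Manager, Federation Manager or the Liberty specifications. A toy identity provider mints a separate random handle for each partner and sends it inside a short-lived, audience-restricted, signed assertion; each service provider can resolve only the handles it was given at federation time. HMAC-SHA256 over a JSON payload stands in for the XML digital signature and the Liberty wire format, and every name, key and account record in it is hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added illustration, not Access Manager or Liberty ID-FF code: HMAC-SHA256 over
# JSON stands in for the XML signature; all names, keys and records are made up.

def canonical(claims):
    """Stable serialization so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

class IdentityProvider:
    """Holds the real identities; gives each partner a different opaque handle."""

    def __init__(self, issuer_id):
        self.issuer_id = issuer_id
        self.partner_keys = {}  # sp_id -> key shared at circle-of-trust setup
        self.federations = {}   # (local_user, sp_id) -> random opaque handle

    def add_partner(self, sp_id, key):
        self.partner_keys[sp_id] = key

    def federate(self, local_user, sp_id):
        """Mint (once) the random handle this partner will know the user by; it
        encodes nothing about the user and is unrelated to other partners' handles."""
        pair = (local_user, sp_id)
        if pair not in self.federations:
            self.federations[pair] = base64.b64encode(secrets.token_bytes(16)).decode()
        return self.federations[pair]

    def issue_assertion(self, local_user, sp_id, now=None):
        """Short-lived, audience-restricted assertion signed with the partner's key."""
        now = int(time.time() if now is None else now)
        claims = {"issuer": self.issuer_id, "audience": sp_id, "issued_at": now,
                  "expires": now + 300, "name_id": self.federate(local_user, sp_id)}
        payload = canonical(claims)
        sig = hmac.new(self.partner_keys[sp_id], payload, hashlib.sha256).digest()
        return {"payload": base64.b64encode(payload).decode(),
                "signature": base64.b64encode(sig).decode()}

class ServiceProvider:
    """Knows users only by the opaque handles the identity provider gave it."""

    def __init__(self, sp_id, idp_id, key):
        self.sp_id, self.idp_id, self.key = sp_id, idp_id, key
        self.accounts = {}  # opaque handle -> local account record

    def link_account(self, handle, record):
        self.accounts[handle] = record

    def consume(self, assertion, now=None):
        """Return (account, status); the signature is verified before parsing."""
        payload = base64.b64decode(assertion["payload"])
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(assertion["signature"])):
            return None, "bad signature"
        claims = json.loads(payload)
        if claims["issuer"] != self.idp_id or claims["audience"] != self.sp_id:
            return None, "wrong issuer or audience"
        now = time.time() if now is None else now
        if not claims["issued_at"] <= now < claims["expires"]:
            return None, "expired"
        account = self.accounts.get(claims["name_id"])
        return (account, "ok") if account is not None else (None, "unknown handle")

def run_demo():
    """Walk through the two-partner scenario and return each check's outcome."""
    pac_key, hr_key = secrets.token_bytes(32), secrets.token_bytes(32)
    sun = IdentityProvider("sun-idp")
    sun.add_partner("pac-sp", pac_key)
    sun.add_partner("hr-sp", hr_key)
    pac = ServiceProvider("pac-sp", "sun-idp", pac_key)
    hr = ServiceProvider("hr-sp", "sun-idp", hr_key)
    # Federation step: each partner learns only its own handle for the employee.
    h_pac = sun.federate("employee123", "pac-sp")
    h_hr = sun.federate("employee123", "hr-sp")
    pac.link_account(h_pac, {"access": "restricted political content"})
    hr.link_account(h_hr, {"access": "benefits records"})
    a_pac = sun.issue_assertion("employee123", "pac-sp")
    # Attacker swaps the name_id in a captured assertion without re-signing it.
    claims = json.loads(base64.b64decode(a_pac["payload"]))
    claims["name_id"] = h_hr
    forged = {"payload": base64.b64encode(canonical(claims)).decode(),
              "signature": a_pac["signature"]}
    stale = sun.issue_assertion("employee123", "pac-sp", now=1000)
    return {"handles_differ": h_pac != h_hr,
            "pac_handle_unknown_at_hr": h_pac not in hr.accounts,
            "pac_login": pac.consume(a_pac)[1],
            "replayed_at_hr": hr.consume(a_pac)[1],   # signed with the PAC key
            "tampered": pac.consume(forged)[1],
            "stale": pac.consume(stale, now=2000)[1]}

if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Run the module directly to see the six outcomes. Two design points matter here. First, consume verifies the signature before it parses the payload, so a replayed or edited assertion is rejected before any of its claims are trusted; the audience and expiry checks behind it are a second layer for the case where a partner key is ever shared or mishandled. Second, a handle leaked from the committee resolves to nothing at the HR provider, because each partner's account table holds only the handles the identity provider minted for that partner.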

Case #2: Federation for Access to Highly Sensitive, Private Information
Like many large enterprises, Sun has outsourced the administration of HR and employee benefits to a third party. Using federation, Sun empowers employees to interact directly with this third party via the Web so that they can get benefits information anytime, anywhere.

The challenge in this scenario comes from the highly sensitive nature of the information crossing the two organizations' boundaries. HR records include everything from paycheck status and compensation history to employee applications and performance reviews: in other words, everything an employee would never want an unauthorized user to see. The federation solution therefore had to make it easy for employees to get the information they need and, just as importantly, keep that information secure.

Within the federated construct, Sun stores its employees' identities, maintaining and managing their identity information and providing a simple authentication mechanism, just as in the previous example. When a Sun employee logged into myHR on the Sun site clicks on a link to benefit information, he or she is automatically recognized and redirected to the HR services provider without a second, separate sign-on process.

The framework leverages Sun Java System Federation Manager to enable federation on the partner's side, integrating its capabilities into the partner's existing IT infrastructure.

Among the keys to making this implementation work:

  • Strong security comes from combining Liberty Alliance federation standards with widely accepted standards and practices for accessing and exchanging information: SIMS (security information management system) for authentication; HTTPS to protect the channel between SIMS on Sun's side and Federation Manager on the partner's side; and encryption and digital signatures to protect the exchanged data itself.
     
  • To help ensure the best user experience, the federation framework is designed for 99.9 percent availability, with multiple redundant containers allocated to independent virtual hosts. The virtual hosts are all online and load-balanced, so if one fails its requests are automatically redirected to the others.
     
  • The standards-based deployment establishes the common infrastructure and repeatable processes Sun needs in order to partner with other companies and securely deliver additional services to employees. Adding a partner or a service reuses the same framework rather than requiring a new point-to-point integration.

As you can see from just these two brief examples involving Sun, its employees, and a third party, federation offers a wealth of possibilities for delivering services and sharing information across multiple organizations. And I believe the possibilities are going to expand even further when federation becomes widely used by companies as part of a service-oriented architecture (SOA).

In a SOA — or, more specifically, in the absence of traditional point-to-point connections between entities and applications — constructing secure frameworks for federation should be easier than ever. Watch future issues of Identity Insights for more information about the future of federation.

 
Related Resources
Blog: Virtual Daniel
Daniel Raskin’s uniquely entertaining blog on federation and access management
Developer Resources

Tech Tips on Identity Federation
Developers and architects, get how-to guidance on identity federation and Web services security with these technical resources:

Copyright Sun Microsystems, Inc.