September 2006 EDUCONNECTION

Identity Federation: Transcending Boundaries for Secure Collaboration

Identity federation automates the process of sharing information across traditional organizational boundaries. Without it, every organization involved in collaborative efforts must manually create lists of users who need access to resources, a costly and time-consuming process. Or an organization can use the same Web access management tools employed by the other participating organizations and rely on those proprietary mechanisms for sharing information. However, the proprietary nature of this approach soon makes it impractical to go very far beyond collaborating with one or two partners. Federation sidesteps all of these problems by using standardized, automated mechanisms to widely and securely share user identity information.

Federation Standards Are Essential
Standards are essential to the exchange of identity information across disparate systems. Burton Group CEO Jamie Lewis explains how it works: "If one domain uses Kerberos to authenticate users, for example, and another uses ID/password authentication, the two systems can still exchange information regarding authentication operations if they share a common method for exchanging that information. That's precisely what the Security Assertions Markup Language (SAML) does."

SAML is an Extensible Markup Language (XML) based specification maintained by the Organization for the Advancement of Structured Information Standards (OASIS). It has been adopted by the Liberty Alliance, an industry organization consisting of 160 member companies that have joined together to promote federation standards. The Alliance's Identity Federation Framework extended SAML to offer higher-level capabilities that have now been incorporated back into the latest SAML specification.

Trust Needed for Federation to Succeed
An organization can have all the technology standards in place for federation, but the framework will work only if there is one more essential element — trust. Organizations that share information must ultimately trust each other for federation to succeed. Neil McAllister, writing in InfoWorld, says that organizations must establish what he calls "an identity network where if A trusts B and B trusts C, A knows it can also trust C. To create such a network, however, partner organizations have to establish both a shared set of rules and some idea of accountability."

A shared set of rules is a defining element of the identity networks operated by leading service providers today. These "circles of trust" represent a business model in which information-sharing and collaboration are governed by agreements about responsibility for various aspects of the information-exchange infrastructure and by additional agreements that include:

  • Mutual confidence
  • Service management
  • Billing
  • Risk management
  • Liability management
  • Compliance

Balancing Privacy and Interoperability
The sometimes conflicting requirements of privacy and interoperability must be delicately balanced: the need to protect personal information has to be weighed against the need for openness. For example, in creating a federated identity network in an education environment, personal student information such as grade history would need to be protected. However, a certain level of personal information, such as area of study, needs to be shared so that relevant and targeted content can be delivered.

Federated identity management is a promising opportunity that the University of St. Thomas, Minnesota intends to explore in the Center of Excellence. Many St. Thomas employees are asking for new options in managing their retirement savings accounts. Entering a fund's Web site to make transactions requires that the user be verified by a trusted system: the fund's system wants assurance that the user is, in fact, an employee of St. Thomas and authorized to take these actions. Federated identity management, passing identities from one system to another with an open exchange mechanism, can help resolve this issue and make it easier on the employee and the school while protecting an employee's personal data.
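The exchange described above in miniature, as an added example that is not part of the newsletter or of any Sun product: a university identity provider issues an assertion to the retirement fund's service provider, releasing only the attributes that partner is entitled to (the privacy point from the previous section), and the fund checks issuer, audience and validity window before trusting it. The entity IDs, attribute names and release policy are constructed, and a shared HMAC key stands in for the XML signature a real SAML assertion carries.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. A shared HMAC key stands in for the XML signature a real
# SAML IdP makes with its private key (verified via the IdP's published metadata).
SHARED_KEY = b"constructed-demo-key"

# Hypothetical attribute release policy: each partner SP sees only what it needs.
RELEASE_POLICY = {
    "https://retirement-fund.example/sp": {"uid", "affiliation"},
    "https://courseware.example/sp": {"uid", "area_of_study"},
}

def issue_assertion(user, audience, issuer="https://idp.stthomas.example", ttl=300):
    """IdP side: assert the user to one audience, releasing only permitted attributes."""
    allowed = RELEASE_POLICY.get(audience, set())
    now = int(time.time())
    body = {
        "issuer": issuer,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + ttl,
        "attributes": {k: v for k, v in user.items() if k in allowed},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}

def validate_assertion(assertion, my_entity_id, trusted_issuers, now=None):
    """SP side: return (attributes, "ok") or (None, reason).

    Encodes the trust rules from the text: the issuer must be a partner the SP
    agreed to trust, the assertion must be addressed to this SP (one meant for
    another partner cannot be replayed here), and it must be inside its validity
    window. The signature is checked before the payload is parsed at all.
    """
    now = int(time.time()) if now is None else now
    expected = hmac.new(SHARED_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None, "bad signature"
    body = json.loads(assertion["payload"])
    if body["issuer"] not in trusted_issuers:
        return None, "untrusted issuer"
    if body["audience"] != my_entity_id:
        return None, "wrong audience"
    if not body["not_before"] <= now < body["not_on_or_after"]:
        return None, "outside validity window"
    return body["attributes"], "ok"
```

Note that the fund never receives the grade history: the release policy on the issuing side, not the consuming side, decides what crosses the boundary.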

Sun Supports Identity Federation
Sun supports identity federation through its industry leadership in developing federation standards and its demonstrated commitment to creating products based on standards. As a leading member of both OASIS and Liberty Alliance, Sun has played a major role in the evolution of key federation standards.

Sun offers a product line of integrated and integrable identity management solutions. The Sun Java System Federation Manager is the first solution to extend federation to a large number of partners at a low cost. It quickly establishes and extends trusted domains to include large numbers of service providers as part of a hub-and-spoke architecture. Federation Manager provides secure federated services by allowing spoke partners to more efficiently leverage the core security and identity infrastructures of the hub provider. Because it makes trusted domains easily extensible across vast networks of partners, Federation Manager can create application security mechanisms that are infinitely reusable and that enable authentication and access solutions to work together seamlessly across diverse partner environments.

Questions or comments? Please email education_news@sun.com