Federation

What is the meaning of “Federation” in Identity Management?

Federation, or account linking, describes the loose coupling of different local accounts (user identifiers and attributes) across security and policy domains in order to facilitate cross-domain business.

Web single sign-on across different domains or business entities is one example of account federation. A user might have accounts at two different companies. If the two companies agree on how to refer to that user, then once the user has been authenticated by one company or web site, the other site can recognize the user automatically, without asking for the user ID and password again.

One of the main advantages of federation in this case is that no single central user store is needed. The user links the accounts together manually and can break the link again at any time. The user also has fine-grained control over which personal data is shared and which is not.

Another advantage is that the link can be established anonymously, or more precisely pseudonymously. The two parties agree on an opaque name identifier that carries no meaning outside the link (in SAML this is a persistent name identifier), and refer to the user only by that identifier. Neither site learns which account the user actually holds at the other site.

From an operational point of view there is no single point of failure for access to the individual sites. Because there is no central user store, each web site can still authenticate the user locally against its own user database if the partner is unavailable; only the single sign-on convenience is lost while the other site cannot be reached. This is an important difference from architectures that depend on a single central authentication point.

This brings us back to the point that the two sites need to agree on how to refer to a single user and need to make assertions about the user or the user's attributes. For that, a framework is needed that defines how to construct, exchange and interpret such assertions. SAML is a set of specifications and XML schemas designed for exactly this purpose. The SSOCircle identity provider and all of its samples and solutions are not limited to SAML, however: SSOCircle has a strong focus on multi-protocol support and, besides SAML, also supports OpenID.
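As an added example (not SSOCircle's code and not part of the original page), the following Python model shows the two points made above in working form: a persistent, opaque name identifier that links an identity-provider account to a local account at a relying site without revealing either login, and a minimal SAML 2.0 assertion that one side constructs and the other side interprets by checking the issuer, the validity window, the audience and the NameID format. The entity IDs, logins, passwords and the five-minute validity window are constructed assumptions. The XML signature that a real deployment must verify before any of these checks is deliberately left out, as is the assertion-ID replay cache a real service provider keeps.

```python
# Added example, not SSOCircle code; entity IDs, logins and passwords below are constructed.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

def tag(name):
    return "{%s}%s" % (SAML_NS, name)
def to_iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def from_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id, self.users = entity_id, users   # users: login -> password
        self.pseudonyms = {}                            # (login, relying site) -> NameID

    def name_id_for(self, login, sp_entity_id):
        # Random per user *and* per site: the site never sees the IdP login, and two sites
        # cannot correlate the same user through the identifier.
        return self.pseudonyms.setdefault((login, sp_entity_id), secrets.token_urlsafe(24))

    def issue_assertion(self, login, password, sp_entity_id, now):
        if self.users.get(login) != password:
            raise PermissionError("local authentication at the IdP failed")
        a = ET.Element(tag("Assertion"), {"Version": "2.0", "IssueInstant": to_iso(now),
                                          "ID": "_" + secrets.token_hex(16)})
        ET.SubElement(a, tag("Issuer")).text = self.entity_id
        subject = ET.SubElement(a, tag("Subject"))
        ET.SubElement(subject, tag("NameID"), {"Format": PERSISTENT}).text = \
            self.name_id_for(login, sp_entity_id)
        cond = ET.SubElement(a, tag("Conditions"), {
            "NotBefore": to_iso(now), "NotOnOrAfter": to_iso(now + timedelta(minutes=5))})
        restriction = ET.SubElement(cond, tag("AudienceRestriction"))
        ET.SubElement(restriction, tag("Audience")).text = sp_entity_id
        # A real IdP signs the assertion here (XML-DSig); signing is omitted in this model.
        return ET.tostring(a, encoding="unicode")

class ServiceProvider:
    def __init__(self, entity_id, trusted_idp, users):
        self.entity_id, self.trusted_idp, self.users = entity_id, trusted_idp, users
        self.links = {}                                 # (issuer, NameID) -> local login

    def parse_assertion(self, xml_text, now):
        # Assumes the XML signature was already verified against the trusted IdP's certificate.
        a = ET.fromstring(xml_text)
        if a.findtext("saml:Issuer", namespaces=NS) != self.trusted_idp:
            raise ValueError("untrusted issuer")
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (from_iso(cond.get("NotBefore")) <= now
                                < from_iso(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside its validity window")
        if self.entity_id not in [e.text for e in
                                  cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
            raise ValueError("assertion not intended for this site")
        name_id = a.find("saml:Subject/saml:NameID", NS)
        if name_id is None or name_id.get("Format") != PERSISTENT:
            raise ValueError("missing or non-persistent NameID")
        return self.trusted_idp, name_id.text

    def link(self, local_login, password, xml_text, now):
        # The user first proves ownership of the local account, then the pseudonym is bound to it.
        if self.users.get(local_login) != password:
            raise PermissionError("local authentication at the site failed")
        self.links[self.parse_assertion(xml_text, now)] = local_login
        return local_login

    def unlink(self, local_login):
        self.links = {k: v for k, v in self.links.items() if v != local_login}

    def sso_login(self, xml_text, now):
        # Returns the linked local account, or None so the site falls back to its own login.
        return self.links.get(self.parse_assertion(xml_text, now))

def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    idp = IdentityProvider("https://idp.example.net", {"alice": "idp-secret"})
    shop = ServiceProvider("https://shop.example.com", idp.entity_id, {"a.smith": "shop-secret"})
    bank = ServiceProvider("https://bank.example.org", idp.entity_id, {"asmith": "bank-secret"})
    for_shop = idp.issue_assertion("alice", "idp-secret", shop.entity_id, now)
    results = {"before_link": shop.sso_login(for_shop, now)}
    shop.link("a.smith", "shop-secret", for_shop, now)
    results["after_link"] = shop.sso_login(
        idp.issue_assertion("alice", "idp-secret", shop.entity_id, now), now)
    results["pseudonym_hides_login"] = "alice" not in for_shop
    results["pseudonyms_differ_per_site"] = (
        idp.name_id_for("alice", shop.entity_id) != idp.name_id_for("alice", bank.entity_id))
    for label, site, when in (("expired_rejected", shop, now + timedelta(minutes=10)),
                              ("wrong_audience_rejected", bank, now)):
        try:
            site.sso_login(for_shop, when)
            results[label] = False
        except ValueError:
            results[label] = True
    shop.unlink("a.smith")
    results["after_unlink"] = shop.sso_login(for_shop, now)
    return results
```

Calling demo() walks through the whole flow: before the user links the accounts, sso_login returns None and the site falls back to its own login form, which is the local authentication path the text describes; after linking, a fresh assertion carrying the same persistent identifier resolves to the local account; an expired assertion or one issued for a different site is rejected; and after unlink the pseudonym resolves to nothing again, without any central store having been touched.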