Have you ever been in a situation where you've had to manage different identities of the same individual for different apps? In other words, the same user uses different login credentials to access different applications within the systems you monitor. If you've been there, you know how chaotic it can be to manage these different credentials.
To make your life as a systems administrator much easier, Federated Identity Management (FIM) is the tool you need. Broadly speaking, federated identity management is a model in which organizations agree to trust one another's identity providers, so that a user can log into systems in different security domains with a single set of sign-on credentials held by his or her home organization, regardless of the underlying technology each system uses.
For example, Andrew is a marine biologist who collects water samples from different regions along the Pacific Coast to learn more about the impact of climate change on whale migration patterns. He collects and analyzes data at his home university in Seattle on a regular basis. He also uses the oceanographic facilities of universities in Vancouver and California, and he takes data from government agencies and sometimes even from private organizations. Many of these colleges and organizations not only provide data to Andrew, but also allow him to use some of the specialized applications they have developed in this field. However, authenticating Andrew at each system separately is a daunting task both for the organizations and for him, as a separate set of credentials is needed for each.
Federated identity management handles such multiple accesses smoothly. With FIM, Andrew keeps a single university username and password, and every time he logs into the system of another university or organization, that system sends him to his home university, which checks his credentials and returns a signed assertion confirming who he is. The partner never sees his password; it only has to trust his home university's signature. This way, Andrew maintains a single identity and still accesses different systems, whatever technology those systems are built on.
Likewise, when Andrew is ready to share his findings, he can grant access to all his federation partners without creating an account for each of them. Because the partners' identities are already federated, a shared repository can authorize them by their home-organization identities, let them read the data from a single location, and record their comments, which Andrew and the other partners can then see and build on together. This way, federated identity management takes collaboration to new levels.
Now that you know what federated identity management is, let's briefly see how this technology works.
How does federated identity management work?
With federated identity management, a group of organizations agree to trust one another's identity providers, with the aim of mutual benefit. Each user has a "home" organization that holds his or her account. When a user affiliated with a federated member requests information or applications hosted by another organization, the hosting system redirects him or her to the home organization's login page, where the home username and password are entered. The home organization verifies the credentials and sends back a signed assertion; the hosting organization checks the signature, the issuer, the intended audience and the validity period of that assertion before granting access. The password itself never leaves the home organization. This verification can be done using different technologies, such as the Security Assertion Markup Language (SAML) specifications or OpenID (today most commonly OpenID Connect, built on OAuth 2.0); earlier efforts such as Higgins and InfoCard pursued the same goal. Other open industry-standard specifications can be used as well, so that participating organizations achieve interoperability regardless of the technology they use for identity authentication and web security.
Federated members can also decide which attributes of a user, such as name, email address and title, should be shared with each partner, based on their security policies (often called an attribute release policy). Accordingly, the receiving systems can be designed to grant or deny access based on the attributes they actually receive.
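The exchange described above, as an added example that is not part of the original article: Andrew's home IdP in Seattle authenticates him, applies a per-partner attribute release policy, and issues an assertion bound to one partner; the partner validates signature, issuer, audience and validity window before trusting it. All names, URLs and keys are constructed for the demo. Real SAML and OpenID Connect deployments sign with the IdP's private key and verify with the public key published in federation metadata; to stay standard-library-only, an HMAC key stands in for that key pair here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample federation (assumed names, not real endpoints).
IDP_ISSUER = "https://idp.seattle.example.edu"
IDP_SIGNING_KEY = b"assumed-idp-signing-key"   # stands in for the IdP key pair
ASSERTION_LIFETIME = 300                      # seconds an assertion stays valid

# Attribute release policy: which user attributes each partner may receive.
RELEASE_POLICY = {
    "https://sp.vancouver.example.ca": {"name", "email", "affiliation"},
    "https://sp.california.example.edu": {"email", "affiliation"},
}

# The IdP's own user store. The password hash never leaves the IdP; partners
# only ever see the signed assertion. One fixed salt for the single demo user;
# use a random salt per user in practice.
_DEMO_SALT = b"demo-salt"
USERS = {
    "andrew": {
        "pwd_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _DEMO_SALT, 100_000),
        "name": "Andrew", "email": "andrew@seattle.example.edu",
        "affiliation": "faculty", "title": "Marine biologist",
    }
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())

# --- identity provider (home organization) side -----------------------------
def idp_issue_assertion(username, password, audience, now=None):
    """Authenticate the user at the home IdP and, on success, return a signed
    assertion bound to one partner (the audience). Returns None on failure."""
    user = USERS.get(username)
    if user is None or audience not in RELEASE_POLICY:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pwd_hash"]):
        return None
    now = int(time.time()) if now is None else now
    # Release only the attributes this partner is entitled to see.
    released = {k: user[k] for k in RELEASE_POLICY[audience] if k in user}
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + ASSERTION_LIFETIME, "attrs": released}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"

# --- service provider (partner organization) side ---------------------------
def sp_validate_assertion(token, sp_id, now=None):
    """Verify an assertion delivered to this SP. Checks, in order: signature,
    issuer, audience, validity window. Returns the claims, or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return None   # tampered, or not signed by our IdP
        claims = json.loads(_unb64(payload))
        if claims["iss"] != IDP_ISSUER:
            return None   # unknown identity provider
        if claims["aud"] != sp_id:
            return None   # issued for another partner: replay across SPs
        if not (int(claims["iat"]) <= now < int(claims["exp"])):
            return None   # expired or not yet valid
    except (ValueError, TypeError, KeyError):
        return None       # malformed token or claims
    return claims

def forge_claims(token, **changes):
    """Demo helper: edit the claims but keep the original signature."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"

if __name__ == "__main__":
    van, cal = "https://sp.vancouver.example.ca", "https://sp.california.example.edu"
    tok = idp_issue_assertion("andrew", "correct horse", van, now=1000)
    print(sp_validate_assertion(tok, van, now=1010)["attrs"])  # no "title": not released
    print(sp_validate_assertion(tok, cal, now=1010))           # None: wrong audience
    print(sp_validate_assertion(tok, van, now=2000))           # None: expired
    print(sp_validate_assertion(forge_claims(tok, attrs={"affiliation": "admin"}), van, now=1010))
```

The audience check is what stops a partner (or anyone who captured the token on its way to one partner) from replaying Andrew's assertion at a different partner, and the attribute filter is what lets Seattle release his title to one partner but not another under L9's policy. In a real deployment the IdP's signing key is its most sensitive secret: whoever holds it can mint assertions for any user.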
Why should you use federated identity management?
The obvious answer is convenience. From a user's perspective, s/he needs to remember only one username and password to access different websites and applications. This can be a huge relief, especially for people who collaborate with different organizations on a regular basis. Imagine remembering the login credentials of ten different organizations and knowing which credential belongs to which organization. It's sure to drive anyone nuts! FIM takes that unnecessary burden away.
If you're a systems administrator, federated identity management is your best friend, because the user's credentials are checked once, at the identity provider, and not separately by every app. Say you have a user in your organization who needs access to five different applications. Without FIM, each of the five apps has to authenticate the user itself, and you have to monitor and maintain all five of these authentication mechanisms: monotonous, repetitive work that you nonetheless can't avoid. With FIM, you set permissions and access for users based on a single identity, and you don't have to worry about authenticating for every app. It reduces your workload, greatly simplifies identity and access management, and streamlines access to resources, including offboarding: disabling one account at the identity provider cuts off access everywhere.
Besides access, the other major reason for using federated identity management is collaboration. Federated members can reach shared data from a single point, comment on it, share their findings and do much more. Such collaboration is, in fact, a hallmark of the digital world, and FIM helps make the most of it.
Are there any downsides to it?
As with any technology, federated identity management also has its share of downsides. The biggest drawback is the upfront cost that organizations incur to modify their existing applications and systems. While this cost may not amount to much for large organizations and government agencies, it can be considerable for smaller organizations. Also, participating members of a federation have to design policies that meet the security requirements of all the members, and this can be complex given the varying landscape and regulations of each organization. For example, the regulations of a university, a private organization and a government agency may not be the same, yet the policies have to take the regulations of all three entities into account.
There is also a security trade-off. A single identity is a single point of failure: a compromised home account, or a compromised identity provider, opens every federated system at once, and an outage at the identity provider locks the user out of all of them. Federations therefore expect strong authentication, such as multi-factor authentication, at the identity provider, along with careful protection of its signing keys.
Further, an organization can be part of several federations, which means its policies have to reflect the rules of all of them. Such streamlining requires large amounts of time and effort that many organizations may not be willing to invest at this time.
Despite these drawbacks and complexities, federated identity management is a worthwhile effort as the benefits from it are enormous, especially if the organization intends to tap into the data and research of other organizations working in the same field. In addition, it lays the foundation for a future connected world.
Putting it all together
To conclude, federated identity management is a set of best practices and tools that allow a user to log into the systems of different federated members using a single set of credentials held by his or her home organization. Such streamlined single sign-on makes it easy for users to remember their credentials, helps to streamline access to resources, enhances collaboration, and makes it easier for system administrators to stay on top of identity authentication and security. FIM is already well established: SAML 2.0 underpins enterprise single sign-on and academic research federations, and OpenID Connect is used across the consumer web, and its reach is expected to keep growing as federated identity practices and systems mature further.