Federated identity management means linking and using the electronic identities a user has across several identity management systems.
In simpler terms, an application does not necessarily need to obtain and store users’ credentials in order to authenticate them. Instead, the application can use an identity management system that is already storing a user’s electronic identity to authenticate the user—given, of course, that the application trusts that identity management system.
This approach allows the decoupling of the authentication and authorization functions. It also makes it easier to centralize these two functions in the enterprise to avoid a situation where every application has to manage a set of credentials for every user. It is also very convenient for users, since they don’t have to keep a set of usernames and passwords for every single application that they use.
Single sign-on (SSO) started it all. Organizations needed a way to unify authentication systems in the enterprise for better management and security. Single sign-on was widely adopted and provided a solution for keeping one repository of usernames and passwords that could be used transparently across several internal applications.
Service-oriented software kicked off the next wave of change. Organizations wanted to open APIs in their software so partners and independent developers could use them. Managing authentication and authorization for entities looking to consume these APIs was obviously a challenge.
Social media moved things even further. Various platforms spread far and wide on a plethora of devices, and many applications were built on top of those platforms. Now we have countless apps and services hooked into Twitter, Facebook, and LinkedIn.
The problem? How to bring together user login information across many applications and platforms to simplify sign-on and increase security. The solution? Federated identities ...
There are three major protocols for federated identity: OpenID, SAML, and OAuth.
OpenID is an open standard sponsored by Facebook, Microsoft, Google, PayPal, Ping Identity, Symantec, and Yahoo. OpenID allows user to be authenticated using a third-party services called identity providers. Users can choose to use their preferred OpenID providers to log in to websites that accept the OpenID authentication scheme.
The OpenID specification defines three roles:
The following diagram explains a use case for an OpenID scenario:
Security Considerations
OpenID had a few interesting vulnerabilities in the past, for example:
Security Assertion Markup Language (SAML) is a product of the OASIS Security Services Technical Committee. Dating from 2001, SAML is an XML-based open standard for exchanging authentication and authorization data between parties.
The SAML specification defines three roles:
Security Considerations
OAuth is another open standard. Dating back to 2006, OAuth is different than OpenID and SAML in being exclusively for authorization purposes and not for authentication purposes.
The OAuth specifications define the following roles:
Security Considerations
This table explains the major differences between the three protocols:
OpenID |
OAuth |
SAML |
|
Dates From |
2005 |
2006 |
2001 |
Current version |
OpenID 2.0 |
SAML 2.0 |
|
Main Purpose |
Single Sign-On for Consumers |
API Authorization Between Applications |
Single Sign-On for Enterprise Users |
Protocols Used |
XRDS, HTTP |
JSON, HTTP |
SAM, XML, HTTP, SOAP |
No. of Related CVEs |
24 |
3 |
17 |
There is a growing number of other federated identity management options. Here are a few examples.
Higgins: Higgins is a new open source protocol that allows users to control which identity information is released to an enterprise.
Windows CardSpace: CardSpace is Microsoft new identity metasystem that provides interoperability between identity providers and relying parties with the user in control. This protocol is retired though and Microsoft is working on a replacement called U-Prove.
MicroID: MicroID is a new identity layer to the web and microformats that allow anyone to simply claim verifiable ownership over their own pages and content hosted anywhere.
Liberty Alliance: Liberty Alliance is a large commercially oriented protocol providing inter-enterprise identity trust. It is the largest existing identity trust protocol deployed around the world.
In a world with increased interconnectivity between hybrid systems, protocols, and devices, federated identity management tools seem to be here to stay. Although managing federated identity is much more convenient for users who don’t have to remember so many different usernames and passwords, it comes with a security price. However, proper implementation of OAuth, SAML, OpenID, or any other federated identity protocol adds convenience without extra threat surface.
For an updated article comparing OpenID Connect vs SAML 2.0 vs OAuth 2.0, please click here.
301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4