In a distributed environment many information services, such as e-mail, library databases, data repositories, portals and grid/cloud computing applications, require users to authenticate. Within a single institution, an institutional identity management system simplifies this for users: rather than holding separate credentials for each system, a user employs a single digital identity to access every resource they are entitled to within the organisation. Federated identity management extends this approach beyond the institution, creating a trusted authority for digital identities across multiple organisations. This blog post introduces the concept and benefits of identity federations; the next post will describe why and how EGI activities in this domain bring benefits to scientific communities.
An identity federation consists of “[…] the agreements, standards, and technologies that make identity and entitlements portable across autonomous domains” (Burton Group). Within an identity federation, participating institutions share identity attributes according to agreed-upon standards, so that users can authenticate to other members of the federation and be granted appropriate access to online resources. This streamlines access to digital assets while keeping restricted resources protected. When a user affiliated with one federation member requests a protected resource from another member organisation, they are prompted for identifying information, including their ‘home’ organisation. The request is passed on to the home organisation, which verifies the user's credentials (very often a username and password) and asserts to the requesting organisation that the user has been authenticated. The requesting organisation never sees the password itself; it relies on the home organisation's assertion, so it must be able to confirm that the assertion genuinely came from a federation member it trusts.
The organisations that provide this ‘user verification’ within the federation are called identity providers (IdPs), and the organisations that provide services that verified users can access are the service providers (SPs). Each identity provider decides individually which attributes about authenticated users it will share, such as name, title or role. Based on this information and their own policies, service providers then grant or deny access to particular resources. The most important technologies used for federated login are SAML, OAuth and OpenID (strictly, OAuth is an authorisation framework; OpenID Connect layers authentication on top of it).
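The exchange described above, reduced to its essentials as an added example (this is not code from the original post, nor from any federation software): the IdP issues a signed assertion about a user it has authenticated, and the SP accepts it only after checking that the issuer is a federation member it trusts, that the signature is valid, that the assertion was addressed to this SP and that it is still inside its validity window, and only then applies its own attribute-based policy. The entity IDs, the attribute values and the HMAC key that stands in for the X.509 signing certificate a real SAML deployment would use are all constructed assumptions.

```python
"""Toy model of a federated login: an identity provider (IdP) asserts that a
user has authenticated, and a service provider (SP) decides whether to trust
that assertion and which resources to grant.  Added example; not real SAML."""
import base64
import hashlib
import hmac
import json

# Constructed trust registry: the SP's metadata about the IdPs it accepts.
# Real federations distribute X.509 signing certificates; a shared HMAC key
# stands in for that here (assumption, to keep the example self-contained).
IDP_KEYS = {
    "https://idp.example-university.edu": b"constructed-idp-signing-key",
}
SP_ENTITY_ID = "https://data.example-repo.org/sp"


def _encode(body):
    """Canonical JSON, so the bytes the IdP signs are the bytes the SP verifies."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_assertion(idp_id, key, subject, attributes, audience, now, lifetime=300):
    """IdP side: after verifying the user's password locally, sign an assertion.
    The password itself never leaves the home organisation."""
    body = {
        "issuer": idp_id,
        "subject": subject,
        "audience": audience,          # the SP this assertion is meant for
        "issued_at": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,      # only what the IdP chose to release
    }
    payload = _encode(body)
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token, trusted_keys, expected_audience, now):
    """SP side: returns (body, "ok") or (None, reason).  Each check mirrors one
    a real SP performs on a SAML response: trusted issuer, valid signature,
    correct audience, inside the validity window."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        body = json.loads(payload)
    except (ValueError, TypeError):
        return None, "malformed"
    if not isinstance(body, dict):
        return None, "malformed"
    key = trusted_keys.get(body.get("issuer"))
    if key is None:
        return None, "untrusted issuer"
    expected_sig = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return None, "bad signature"
    if body.get("audience") != expected_audience:
        return None, "wrong audience"
    if not (body["issued_at"] <= now < body["not_on_or_after"]):
        return None, "expired or not yet valid"
    return body, "ok"


def authorize(body, required_affiliation, required_entitlement):
    """SP policy: access depends only on attributes the IdP asserted."""
    attrs = body["attributes"]
    return (required_affiliation in attrs.get("eduPersonScopedAffiliation", [])
            and required_entitlement in attrs.get("eduPersonEntitlement", []))


def federated_login(token, now, required_affiliation, required_entitlement):
    """Whole SP decision: verify the assertion first, then apply policy."""
    body, status = verify_assertion(token, IDP_KEYS, SP_ENTITY_ID, now)
    if body is None:
        return "denied: " + status
    if not authorize(body, required_affiliation, required_entitlement):
        return "denied: insufficient attributes"
    return "granted to " + body["subject"]


def tamper(token, **changes):
    """What an attacker might try: edit the asserted attributes but reuse the
    IdP's original signature.  verify_assertion must reject this."""
    payload_b64, sig_b64 = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload_b64))
    body.update(changes)
    return _b64(_encode(body)) + "." + sig_b64
```

The order of the checks in verify_assertion matters: the SP looks up the issuer's key before anything else, so an assertion from an IdP outside the federation is rejected without ever being trusted, and the signature is checked before the audience and time fields are read, so an attacker cannot usefully edit those either. The audience check is what stops an assertion issued for one SP from being replayed against another.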
Identity federation offers economic advantages, as well as convenience, to organisations and their users. Users need only one set of authentication credentials, which could be a name and password or any other identity token, to access resources from other federation members. Institutions no longer have to create and maintain large numbers of user credentials; instead they manage identities only for their own users and accept authentication assertions from other federation members. Attributes about users are verified by the home institution, which is the party most likely to hold current, accurate information about the user, so there is no need to propagate status changes across multiple institutional identity systems.
Federated identity management is one of the few areas where the largest multi-national European scientific collaborations, including the ESFRIs, share a common interest. Representatives from a variety of these research communities started a workshop series in 2011 to identify and discuss the technical and political issues around adopting federated identity solutions for research collaborations.
Sources used for this post:
- EDUCAUSE: 7 things you should know about federated identity management
- Daan Broeder et al.: Federated Identity Management for Research Collaborations
- Federated Identity (Wikipedia)