Title: What Exactly is Identity Federation
These days, most websites and mobile apps don't know how to authenticate you. Instead, they call the APIs of services offered by popular Identity Providers, or IDPs, like Google and Facebook.

This enables a person's user information to be utilized at many different websites on the Internet, and information about a person can be shared with websites and apps on an as-needed basis. Of course, website developers don't want to learn a different authentication API for each IDP. And many organizations don't trust a third party to authenticate their people. So the Internet has moved to standards. The most widely used standard for Web authentication is SAML. Perhaps the most promising standard for authentication is OpenID Connect, which is a profile of OAuth2.

The explosion of Two-Factor Authentication technology

One of the most important new technologies driving infrastructure changes is the explosion of strong-factor authentication technology.

There is a triangle of authentication consisting of price, usability and security. Not all triangles are equal. New technologies are arising that are more convenient, more secure and less expensive than passwords.
Once a company makes an investment in strong authentication, it wants to use that authentication technology across the maximum number of apps. For this reason, it makes sense to support open standards, so all applications can benefit from the availability of these new organizational authentication capabilities.

The Problem of Client Management

It's not only people that need to be authenticated and authorized. There is a proliferation of agents that act on behalf of a person, or are independent entities. How are these authenticated and authorized by the organization?

Seismic Shift: LDAP or WAM?

I think the seismic shift is from WAM (web access management) > Federation, not from LDAP > Federation. LDAP is still entrenched as a robust persistence infrastructure for user claims and password credentials. The problem with WAM products (e.g. SiteMinder, OAM, TAM) is that the cost has been high, customers are locked in (why else did CA buy Netegrity?), and integrations have been slow.

Companies realize that whether they are integrating authentication with internal apps, external apps, or off-the-shelf products, open federation standards enable consolidation, which saves money and improves security.
In the large companies I've worked with, the security department did not have control over the applications, so even though they were internal, a top-down approach was inefficient. It's better to publish your standards and let the internal app developers help themselves than to push a WAM architecture on them. In this sense, the fact that there are external apps just provides further evidence of a trend that had already clearly emerged.

IAM, not IDM

Often, clients and consultants put too much emphasis on IDM, and not enough emphasis on organizational trust management. It's not just that I need to provision my users for external websites; I need to understand with which websites I have shared which attributes. Also, organizations need to trust users who authenticated outside the organization. Most large organizations participate in an ecosystem of autonomous parties, and publish websites that are used by many outside the organization. This is the old problem of extranet user management. Trust management, IMHO, is one of the biggest challenges.

Where does XACML fit?

If you talk to organizations, you'll find that there is no clear trend for XACML's adoption. Proprietary and custom solutions are the rule in authorization right now, with most authorization actually taking place in the app.
To what extent centralized authorization will be achieved is totally uncertain, and I would argue that this is the "adjacent possible", as described in Steven Johnson's book Where Good Ideas Come From: you can't have authorization before we have clear standards for authentication. In terms of adoption of technology, I'm bullish about UMA, and in fact I think UMA and XACML are complementary: app developers want JSON/REST, and it would be more suitable for the PDP to form a XACML request to a XACML PDP than for the app developer to learn XACML. In any case, I'm a fan of XACML as a standard for expressing authorization rules, but I do think that the technology is better suited for server-side developers.

Who will Outsource IDaaS?

I disagree with the common assumption that the majority of IDaaS will be outsourced. Perhaps for the SMB market this might be true. But many large organizations maintain core TCP/IP services, and AAA has traditionally been managed within the organizational perimeter. In fact, many organizations simply cannot outsource this function for security reasons. With standards, we will drive down the costs of the software and the resources, and AAA will simply be another Linux or Windows service that can be configured.

Article Resource: http://gluu.jimdo.com/gluu-blog/what-exactly-is-identity-federation/
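The division of labour argued for in the XACML section above (app developers speak JSON/REST, a server-side component speaks XACML to the PDP), as an added example that is not from the original post or from Gluu: a hypothetical translation layer that turns a flat JSON access question into a standard XACML 3.0 Request and reduces the PDP's Response to a JSON decision, failing closed on anything other than Permit. The JSON field names are an assumption; the category and attribute URNs are the ones defined by the XACML 3.0 specification.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace and the standard attribute categories / attribute ids
# (these identifiers are defined by the OASIS XACML 3.0 specification).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def json_to_xacml_request(req: dict) -> str:
    """Translate a flat JSON access question into a XACML 3.0 <Request>.

    The input shape {"subject": ..., "resource": ..., "action": ...} is a
    hypothetical REST payload; the XML produced is a standard XACML request.
    """
    ET.register_namespace("", XACML_NS)  # emit XACML as the default namespace
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for key, (category, attr_id) in CATEGORIES.items():
        attrs = ET.SubElement(root, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        value = ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": STRING})
        value.text = str(req[key])  # a KeyError here means a malformed client request
    return ET.tostring(root, encoding="unicode")


def xacml_response_to_json(xml_text: str) -> dict:
    """Reduce the PDP's <Response> to the small JSON an app developer wants."""
    root = ET.fromstring(xml_text)
    decision = root.find(f"{{{XACML_NS}}}Result/{{{XACML_NS}}}Decision")
    text = decision.text if decision is not None else "Indeterminate"
    # Deny, NotApplicable and Indeterminate all map to permit=False: fail closed.
    return {"decision": text, "permit": text == "Permit"}


if __name__ == "__main__":
    # Constructed sample: the REST layer asks whether alice may GET a record.
    print(json_to_xacml_request({"subject": "alice", "resource": "/records/42", "action": "GET"}))
```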