There was a time when identity management was limited to controlling access to resources within a single security domain. But internal users now access external resources and external users access internal resources. Traditional approaches to identity management show their limitations.
In this context, many organizations are turning to identity federation to facilitate user work across multiple systems, while reducing the administrative burden of managing access to these systems.
Identity federation links a user’s identity across multiple security domains, each with its own identity management system. When two domains are federated, the user can authenticate to one domain and then access the resources in the other domain without having to authenticate a second time.
Identity federation allows administrators to solve many problems related to access to distributed resources across multiple domains. For example, it is not necessary to set up a specialized system to facilitate access to resources external to the organization.
To take advantage of these benefits, it is necessary to implement complete identity federation management. This generic term covers the process of administering all elements associated with a complete identity federation platform: not only the technologies that make federation possible, but also the agreements, rights management, standards and other elements that define how the service is implemented.
For the federation to work, all parties involved must agree on these elements: which identification attributes to include (for example email address, name and job title), how to represent these attributes internally, and which standard to use to exchange authentication and authorization data. In this regard, the Security Assertion Markup Language (SAML) standard is widely used.
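As an added illustration, not taken from the original article, the following Python code shows the checks a service provider in domain B performs on a SAML 2.0 assertion issued by the federated identity provider of domain A before trusting the attributes it carries: trusted issuer, validity window, intended audience, then extraction of the agreed attributes (email, name, title). The assertion, the issuer and audience URLs and the user are constructed sample values, and the XML signature is assumed to have already been verified by the SAML library in use.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real IdP message): the IdP of domain A asserts
# user alice to the service provider (SP) of domain B.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.domain-a.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@domain-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.domain-b.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@domain-a.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Alice Martin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="title"><saml:AttributeValue>Security Engineer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xsd:dateTime values ending in "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, expected_audience, now_iso):
    """Check the assertion's conditions and return its attributes; raise ValueError to reject.
    Assumes the XML signature was already verified by the SAML library in use; on
    untrusted input, use a hardened parser (e.g. defusedxml) rather than ElementTree."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    # 1. Only the federated partner's IdP may assert identities for this SP.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer: {issuer}")
    # 2. The assertion must be inside its validity window (limits replay).
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing or outside its validity window")
    # 3. It must be addressed to this SP, not to another application of the federation.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not intended for {expected_audience}")
    # 4. Extract the attributes the federation agreed on, plus the subject identifier.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["subject"] = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return attrs
```

A rejected assertion (wrong issuer, expired, or addressed to another application) raises ValueError, so the service provider never creates a session from it.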
Identity federation management can also be applied to a single organization that manages multiple security domains. It is a relatively young technology, and its exact meaning is still evolving, so that the particularities may vary from one source to another.
Finally, if federated and local authentication must coexist, the options must be clear and the procedures must be intuitive and easy to understand.
Identity federation: an impact multiplier?
In an identity federation scheme, one might think that if one user's identity is compromised, that user's access to every application in the perimeter is affected, and that an incident on the authentication component affects all users. The walls inside the information system can be seen as thinner, and the weight carried by authentication as heavier. Identity federation can thus be seen as a factor multiplying the impact of a possible attack, which is why it is essential to strengthen the security of authentication.
In reality, identity federation should rather be seen as a simplifier of the information system, and structural or protocol vulnerabilities are rather rare. Identities and entitlements are administered centrally, and users no longer have to handle a multitude of identifiers and passwords (sometimes auto-synchronized). These projects require strong involvement from all the business lines of the company, but they simplify the user experience and can help enforce security constraints specific to particular sectors and business lines.
The goal for everyone is to reconcile security, simplicity and technological innovation; identity federation is, and will undoubtedly remain, at the heart of single sign-on in the years to come.