Thursday, February 16, 2012

What is CyberSecurity?

Identity Federation: Business Drivers, Use Cases and Key Business Considerations


Finding ways to coordinate business and integrate business processes with trading partners more efficiently and intelligently, to keep up with the ever-accelerating pace of business, has long been a dilemma faced by many companies. Identity federation and the industry standards that comprise it were invented to address this cross-domain application interoperation challenge. This paper introduces and defines identity federation, the benefits that companies can reap by leveraging it, the typical use cases that it enables, the sometimes competing industry standards and specifications that underlie it, and finally the business issues that must be addressed for federated applications to be successfully delivered at scale.


Federation – Introduction and Business Value


Basic access to applications and data over the Internet has existed for years; however, the ability for a user to easily and securely access services from multiple security domains within an enterprise or from multiple companies has remained a challenge. Finding ways to efficiently and more intelligently coordinate business with trading partners to keep up with the ever-accelerating pace of business has long been a dilemma faced by many companies. Twenty years ago many pinned their hopes on electronic data interchange (EDI), which has been used successfully in the automotive, retail and manufacturing industries, but has generally failed to reach a broader corporate audience, primarily because of its cost, inflexibility and proprietary nature.

Today, the Internet, Internet-compliant technology and standards have matured to the point that effective coordination and mass integration between trading partners is now achievable and affordable. Moreover, the advent of general-purpose and industry-specific standards is easing the extension of today’s enterprises by lowering the barriers to connecting disparate business applications both within and across corporate boundaries. This enables businesses to substantially reduce costs, create new revenue opportunities and provide greater convenience, choice and control for their users.

By integrating applications and business processes across corporate boundaries, trading partners, business customers and outsourcers can automatically link processes and take part in transactions across multiple companies, eliminating the business interruption associated with traditional means of information exchange, such as phone, fax and email. The ubiquitous network (the Internet) and high-scale transactional applications already exist at most organizations. They can and should be further leveraged to drive cost and time out of doing business.
Federation standards and the security systems that implement them were invented explicitly for this purpose.


Federation Use Cases


There are many potential federation use cases. The use cases presented in this paper are not intended to cover all the potential scenarios, but are intended to be generically illustrative of typical federation use cases, to get readers thinking about federation and how their organizations may leverage it.

More specifically, identity federations can be conducted in two basic forms, browser-based or document-based. The browser-based mode of federation is focused on supporting live users who are using Web applications presented to them via standard Internet browsers. Federation in this case enables an authenticated user to move from one Web security domain to another without needing to provide credentials again. Browser-based federations essentially provide the user with SSO between two sets of applications or portals that live in two separate security domains, without requiring the synchronization of the user’s digital identities in the two domains.

By contrast, document-based federations use XML documents transported between two security domains leveraging Web services. With document-based federations the activity is driven either by a live user sitting at some “client” application or by some client application in the absence of direct human involvement. Federations in document-based scenarios involve defining XML document structures, locations and definitions of credential information and other factors.

Both modes of federation, browser-based or document-based, nonetheless hinge on the development and use of standards to simplify how two independent security domains can easily work together for the benefit of their common user.

The full report can be found at http://egovstandards.gov.in/task-force/identity-access-management/technical-papers/egsmeetingfile.2007-03-12.2843640217
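The browser-based handoff described above, reduced to its trust decision, as an added sketch that is not from the original paper: domain A vouches for a user it already authenticated, and domain B accepts that statement without holding the user's credentials. The URLs, key, field names and function names are assumptions, and an HMAC over JSON stands in for the signed XML documents that federation standards define.

```python
import base64, hashlib, hmac, json

# Assumption: both domains hold a pre-agreed key. Deployed federation standards
# sign XML with asymmetric keys; HMAC keeps this sketch standard-library only.
TRUST_KEY = b"constructed-demo-key-shared-by-idp-and-sp"
IDP = "https://idp.domain-a.example"   # hypothetical asserting domain
SP = "https://app.domain-b.example"    # hypothetical relying domain

def issue_assertion(subject, audience, now, ttl=300, key=TRUST_KEY, aid="a-1"):
    """Domain A: sign a short-lived statement about an authenticated user."""
    claims = {"id": aid, "iss": IDP, "sub": subject, "aud": audience,
              "nbf": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(sig).decode()

def accept_assertion(token, now, seen_ids, key=TRUST_KEY):
    """Domain B: return (subject, None) on success or (None, reason)."""
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # verify before parsing claims
        return None, "bad signature"
    claims = json.loads(body)
    if claims["iss"] != IDP:
        return None, "untrusted issuer"
    if claims["aud"] != SP:                      # minted for another partner
        return None, "wrong audience"
    if not (claims["nbf"] <= now < claims["exp"]):
        return None, "outside validity window"
    if claims["id"] in seen_ids:                 # one-time use
        return None, "replayed"
    seen_ids.add(claims["id"])
    return claims["sub"], None

if __name__ == "__main__":
    t0 = 1_700_000_000                           # constructed timestamp
    token = issue_assertion("alice@domain-a.example", SP, t0)
    print(accept_assertion(token, t0 + 10, set()))
```

The audience, validity-window and replay checks are what keep an assertion captured in one domain from being reused in another or at a later time.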
