Federated Identity management (FIM), sometimes called simply ‘federated identity’, is a buzz-phrase that has risen slowly but inexorably up the IT concept hierarchy in the last five years, and now sits among its most important and often-referenced terms. Its promise is huge, probably impossibly so, but still the lure draws ever more large organisations into its eye. But what are IT planners being offered with FIM, and can it be grasped in a tangible way to do useful work for companies?
The first thing to say about FIM is that it is not really a technology as such (despite what some vendors will appear to claim), more a concept for understanding how technologies such as web services can be used to make possible a goal that has started to obsess forward-thinking IT die-hards: how can users at different organisations share or ‘federate’ data and conduct transactions using each other’s networks?
It’s easy to describe such an ambition, less easy to overcome the immense technical hurdles that one encounters in trying to bring it to fruition. Even in its simplest format, that of tying two organisations together, it is complex, requiring common standards and tools to make headway. How will users be authenticated between networks and where will this common identity reside and be managed? Can basic enabling technologies such as single sign-on (SSO) be made available and if so, how will this be done? What are the security implications of such a project?
Now imagine that such a scheme is rolled out to multiple companies working together, and the complexity of what is being proposed starts to hit home. Companies struggle to implement some of these technologies for their own, sometimes disparate user populations, so extending this to third-parties using totally different technologies and suppliers is asking a lot.
But the point of FIM is that it lets companies collaborate and share information, and do so without creating complexity in the authentication of users and the ways in which they move around different data and applications provided on a network. FIM has the potential to streamline something that would otherwise be so cumbersome that it might prove almost impossible to manage without increasing workload or making security almost impossible to impose.
It’s best to think of FIM as expressing itself through one or more of a series of inter-related layers, which steadily become less abstract as you approach the sharp end of the people using it. The first and most general of these is known under the umbrella of ‘web services’, really just a convenient way to refer to a class of applications and APIs designed to be overlaid across the physical boundaries that would normally hem a user into working with data and applications only within a single department or company. FIM, then, can be thought of as a type of web service, though web services extend way beyond FIM of course.
Next come the technologies and standards that allow federated web services to exist, the most commonly discussed of which is single sign-on (SSO), itself a series of different technologies for letting users access network applications with a single act of authentication. Again, although SSO is not purely a FIM technology, it is key to making a federated system manageable because it automates a user logging into multiple resources.
Further down, the standards that enable SSO include things like Security Assertion Markup Language (SAML), an XML-based standard that is the work of the OASIS standards committee, through which identity information is exchanged between one network (or provider) and another to make SSO work smoothly.
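As an added illustration of the SAML exchange just described (example code written for this page, not taken from the article or from OASIS), here are the checks a service provider applies to an assertion issued by a partner's identity provider before granting single sign-on. The sample assertion, the identity-provider and service-provider entity IDs and the clock values are constructed for the example; XML signature verification, which must also be performed, is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the IdP and SP entity IDs are assumed names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.company.example/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Return (True, name_id) if the SP should accept the assertion,
    otherwise (False, reason). Signature verification is assumed to have
    been done already on the enclosing response and is not shown here."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:  # only the federation partner we agreed to trust
        return False, "untrusted issuer"
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "missing Conditions"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "missing validity window"
    if now < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if now >= parse_saml_time(not_on_or_after):  # NotOnOrAfter is exclusive
        return False, "assertion expired"
    audiences = [a.text.strip() for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if my_entity_id not in audiences:  # an assertion meant for another SP is rejected
        return False, "audience mismatch"
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        return False, "missing subject"
    return True, name_id
```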