Internet Single Sign-On & Federated Identity
With employees accessing many different resources over the Internet to do their daily jobs, organizations need to maintain a secure working environment while ensuring users remain productive. Single Sign-On (SSO) is ideal for achieving both objectives. However, traditional SSO products were never designed to be used over the Internet, where one organization manages users' identities and a different, independent organization provides the users' applications.
Internet SSO, as the name implies, is single sign-on that works across the Internet. It allows users with Web browsers to securely and easily access multiple Web applications while only logging in once, even though the applications are most likely managed by different organizations. The key to implementing Internet SSO is a technology and a set of industry standards called “federated identity”. Federated identity allows identities to be shared securely across disparate networks and applications. It is the "glue" that enables Internet SSO to occur at scale.
In order for identity federation to work, a few prerequisites must be met. First, users must be authenticated by an organization such as their employer or a hosted authenticator such as Google Apps. The organization that “owns” the users’ identity is known as the Identity Provider or IdP. Identity federation also assumes that another group or organization owns the data and applications that IdP users need to access via Internet SSO. These organizations are known as Service Providers (SPs). Both the IdP and the SP need to be running federated identity software that supports the same federation protocol so the IdP and SP can communicate.
When a user wants to use federated identity to sign on to an application, all they have to do is click a hyperlink or shortcut that takes them directly into the application. If they are not already logged in to their IdP, they are prompted to do so and are then automatically redirected into the application.
The underlying system that makes this secure Internet SSO operation possible is completely invisible to the end user. Under the covers, when the user clicks the link, the IdP securely communicates a predefined set of facts about the user, called attributes, to the SP so that the SP can set up a Web session for the user.
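The exchange described above, as an added example that is not part of the original article: a toy IdP issues a signed assertion carrying the user's attributes, and a toy SP validates it before creating a session. Real SAML assertions are XML documents signed with the IdP's private key and verified against its certificate; this stand-in uses an HMAC over a JSON body with a shared secret so it runs with only the standard library. The issuer and audience URLs, the attribute names and the key are constructed values. The SP side shows the checks a consumer should perform before trusting an assertion: signature, expected issuer, audience (so an assertion minted for one SP cannot be presented to another), validity window, and one-time use of the assertion ID.

```python
"""Toy federated identity exchange: IdP issues an assertion, SP consumes it.

Constructed example; HMAC stands in for SAML's XML Signature.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Hypothetical identifiers for the two federation parties.
IDP_ISSUER = "https://idp.example.com"     # the organization that owns the identity
SP_AUDIENCE = "https://app.example.com"    # the organization that owns the application
# Constructed shared secret; in SAML this would be the IdP's signing key / the SP's trust anchor.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


class FederationError(Exception):
    """Raised by the SP when an assertion must not be trusted."""


def idp_issue_assertion(username, attributes, *, key=SHARED_KEY, now=None, lifetime=300):
    """IdP side: after the user has logged in, package facts about them and sign it.

    Returns an opaque token "<base64 body>.<base64 signature>" for the SP.
    """
    now = time.time() if now is None else now
    assertion = {
        "issuer": IDP_ISSUER,
        "subject": username,
        "audience": SP_AUDIENCE,          # which SP this assertion is intended for
        "issued_at": now,
        "not_on_or_after": now + lifetime,
        "assertion_id": str(uuid.uuid4()),  # unique ID so the SP can refuse replays
        "attributes": attributes,         # the predefined set of facts about the user
    }
    body = json.dumps(assertion, sort_keys=True).encode()
    signature = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(signature).decode()


def sp_consume_assertion(token, *, key=SHARED_KEY, now=None, seen_ids=None):
    """SP side: validate the assertion and, if it is trustworthy, set up a session.

    seen_ids: optional set used to reject an assertion ID that was already consumed.
    """
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.b64decode(body_b64, validate=True)
        signature = base64.b64decode(sig_b64, validate=True)
    except ValueError as exc:
        raise FederationError("malformed token") from exc

    # 1. Signature check first; nothing inside the body is trusted until this passes.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise FederationError("signature does not verify")

    assertion = json.loads(body)

    # 2. The assertion must come from the IdP this SP federates with.
    if assertion.get("issuer") != IDP_ISSUER:
        raise FederationError("unexpected issuer")
    # 3. ...and must have been minted for this SP, not some other relying party.
    if assertion.get("audience") != SP_AUDIENCE:
        raise FederationError("assertion not intended for this service provider")
    # 4. Validity window.
    if now < assertion["issued_at"] or now >= assertion["not_on_or_after"]:
        raise FederationError("assertion outside its validity window")
    # 5. One-time use, if the SP keeps a record of consumed IDs.
    if seen_ids is not None:
        if assertion["assertion_id"] in seen_ids:
            raise FederationError("assertion already consumed")
        seen_ids.add(assertion["assertion_id"])

    # Only now does the SP create the Web session the user lands in.
    return {
        "session_id": str(uuid.uuid4()),
        "user": assertion["subject"],
        "attributes": dict(assertion["attributes"]),
    }


def demo():
    """Happy path: user clicks the link, IdP asserts, SP opens a session."""
    token = idp_issue_assertion("alice", {"email": "alice@example.com", "role": "engineer"})
    return sp_consume_assertion(token)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the session the SP created for the user. The order of checks matters: the signature is verified over the raw bytes before the body is parsed, so a consumer never acts on issuer, audience or attribute values that could have been altered in transit.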
Several different federated identity standards have been created over the years to address different use cases. By far the most widely deployed and popular federated identity standard is OASIS Security Assertion Markup Language (SAML). SAML has emerged as the predominant standard for most businesses, government organizations and their service providers.
A similar and related standard, WS-Federation, continues to be found in Microsoft-centric environments. Newer protocols, including OpenID, OAuth and CardSpace, are attracting some interest for so-called user-centric use cases. Without these federated identity standards, each Internet SSO connection would have to be individually negotiated and engineered: think of the days before TCP/IP became the common protocol for networking.