
Friday, 23 July 2021

Federated Identity Management: The future of identity management

Any enterprise wants its users to access the different services it offers without having to prove their identity again and again for each service they consume. Examples are all around, the most common being users of various Google services such as Gmail, YouTube, Dropbox etc. with a single login on their Android device, PC or Mac.

Open standards like SAML (Security Assertion Markup Language), OAuth, OpenID etc. make this happen by allowing IdPs (Identity Providers) to pass authorization credentials to service providers. Terms like single sign-on (SSO), enterprise SSO, federated SSO and federated identity management have become common because they offer tremendous business benefits: they not only simplify the user experience and enhance security but also reduce IT and user management costs (some organizations have multimillion-dollar password-related support costs). Let's take a closer look at these, and particularly at federated SSO or federated identity management.

SSO or Single Sign-on 
Access to multiple applications using a single set of credentials, so you don't have to remember 20 passwords for 20 different applications. It still requires a password.

Enterprise SSO 
A software system that manages user credentials for logging in to various applications/services within an enterprise. Administrators generally implement enterprise SSO as desktop clients that detect vaulted credentials automatically when the user tries to authenticate, providing a hassle-free login experience. It requires a password too, which is generally vaulted.

Federated SSO or Federated Identity Management 
The establishment of a trusted relationship between separate organizations, third parties, partners and vendors, sharing identities to enable authentication across domains. When domains are federated, users can log in to one domain and access services hosted in another domain without performing another login.

So federated identity management extends SSO from a single domain to multiple domains, broadening the horizon for partnerships and scaling services. All this is done without any additional hassle for users; in fact, federation enables SSO without a password.
While there can be different workflow implementations, a typical IdP-initiated federated identity management implementation looks as follows (source: Ping Identity):
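The trust decision at the heart of that flow, reduced to the checks a service provider must perform before accepting a login that happened in the IdP's domain, as an added Python example that is not from the post or from Ping Identity. It models the IdP/SP trust relationship with a constructed shared HMAC key and hypothetical entity IDs; real SAML assertions are XML documents signed with the IdP's X.509 key, but the checks (signature, issuer, audience, validity window, replay) are the same.

```python
import hmac, hashlib, json, time, base64, secrets

# Constructed example: a shared HMAC key models the IdP<->SP trust
# relationship; real SAML uses XML signatures and the IdP's X.509 cert.
FEDERATION_KEY = b"constructed-shared-secret"
IDP_ID = "https://idp.example-partner.com"    # hypothetical IdP entity ID
SP_ID = "https://app.example-enterprise.com"  # hypothetical SP entity ID

def b64(raw): return base64.urlsafe_b64encode(raw).decode()
def unb64(text): return base64.urlsafe_b64decode(text)

def idp_issue_assertion(subject, audience, now=None, ttl=300):
    """IdP side: the user already authenticated here, so issue a signed
    assertion the SP can trust without asking for a password again."""
    now = int(time.time()) if now is None else now
    claims = {"id": secrets.token_hex(8), "iss": IDP_ID, "aud": audience,
              "sub": subject, "nbf": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

class ServiceProvider:
    def __init__(self, entity_id=SP_ID):
        self.entity_id = entity_id
        self.seen_ids = set()  # replay cache of consumed assertion IDs

    def consume_assertion(self, token, now=None):
        """SP side: return the federated subject, or None if any check that
        a cross-domain login depends on fails."""
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = unb64(body_b64), unb64(sig_b64)
        except (ValueError, AttributeError):
            return None  # malformed token
        expected = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # tampered, or not signed by the trusted IdP
        claims = json.loads(body)  # only parsed once the signature holds
        if claims.get("iss") != IDP_ID or claims.get("aud") != self.entity_id:
            return None  # unknown issuer, or assertion meant for another SP
        if not (claims["nbf"] <= now < claims["exp"]):
            return None  # outside the validity window
        if claims["id"] in self.seen_ids:
            return None  # replayed assertion
        self.seen_ids.add(claims["id"])
        return claims["sub"]
```

The audience check is what keeps an assertion issued for one federated service from being presented to another, and the replay cache is why the SP must remember assertion IDs for at least the validity window.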


Government Initiatives (source: Wikipedia)

In the United States, the National Institute of Standards and Technology (NIST), through the National Cybersecurity Center of Excellence, has taken an interest in the topic and is participating in emerging standards and in research.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP enables agencies to rapidly move from old, insecure legacy IT to mission-enabling, secure and cost-effective cloud-based IT.

Summary

Federated identity management has huge business potential and can be a force multiplier for small, medium and large enterprises. I personally believe this is still evolving and all major enabling protocols like SAML, OAuth etc. are bringing new standards with wide acceptance from industry. So the space of identity management is going to have churn and traction for the foreseeable future.
