Sun Inner Circle: For Business & Technology Leaders

Identity Federation: Securing Your Extended Enterprise


Building federated frameworks for identity, Web services, and SSO

On the business side, collaborating with partner companies to provide customers and employees with products and services is a top priority that promises to increase revenue, customer loyalty, and competitive advantage. But for IT, the growth in these multi-party relationships, and in delivery of those services as Web services, raises hard questions about how to manage user identities across company boundaries.

How can partnering organizations verify the digital identities of thousands or even millions of individuals across an extended enterprise of disparate partner domains, while providing users with single sign-on (SSO)? How can IT protect access to applications and information and secure Web services delivery? How can multiple IT systems authenticate the identity of, and authorize access for, a wireless phone customer or a stock trader, when only one of those systems ever saw the user log in?

The answer is identity federation — the technologies and standards that allow partnering organizations to securely share digital identities across multiple domains. Identity federation provides an auditable framework by which an organization accepts that external users have been authenticated by a trusted partner, and enables SSO across partner sites.

While many companies are beginning to use Web services security to secure federated transactions, others continue to rely on point-to-point solutions that can be overly complex and fall short of the identity-based security possible with federation. For instance, a server-authenticated Secure Sockets Layer (SSL) session protects the channel, but by itself it captures no user identity, produces no audit record, enforces no access policy, and leaves nothing to prove what happened in a Web services transaction. Those capabilities are built into leading identity federation solutions, which carry the user's identity and the partner's authentication decision inside the transaction rather than relying on the transport alone.

The Journey from SSO to SOA
The concept of identity federation has been around for several years. Initially, the focus was on developing common standards that would enable partnering organizations to securely share identity data. Because every company that does business with companies beyond its confines must grapple with how to manage identity across boundaries, identity federation is increasingly a hot topic for both IT and business. Its role in this essential challenge has unfolded in three stages.

Stage 1: Internal SSO. The precursor to federated identity was for internal SSO — enabling employees to log in to multiple applications, within a single security domain, with a single user name and password. This stage focused on solving the most basic SSO problem, but securing identity has grown more complex. Today, the need for federated SSO to secure identity is growing organically within the enterprise as more employees turn to consumer-oriented Web applications, such as Google Calendar, Facebook, and WordPress as an alternative or complement to internal applications.

Stage 2: Extranet-facing. The demand for federation at the extranet level is driven not only by the opportunity to reduce costs through outsourcing but also by companies' ability to use federation to extend customer-facing services and grow revenue. Federation offers a compelling way to securely make other companies' resources available to the enterprise, and vice versa, without issuing each partner's users a separate set of credentials.

Stage 3: Web services security. Attention is shifting to the challenge of ensuring that Web services delivered by organizations are secure. This can be achieved by tying identity federation to the process of authenticating users for access to Web services. In this scenario, access to Web services is secured with a federation-driven identity management solution within a service-oriented architecture (SOA).

With a standards-based identity federation solution, organizations don't have to build security into every application that's developed and delivered as a Web service. This is crucial to being able to scale to secure the millions of transactions that typify many services-centric Web sites today, especially in transaction-driven industries such as financial services and telecommunications.

With the maturity of such standards as SAML (Security Assertion Markup Language), WS-Federation, WS-Security, and WS-Trust, identity federation is moving out of the ivory tower and into the real world of standards-based services delivery. Yet even as adoption grows, certain myths around identity federation persist:

Myth #1: Federation takes too long to implement. It doesn't. In most cases, an end-to-end solution can be implemented in 90 days or less. Most of that time is usually in architectural design and planning, with the actual deployment in a matter of weeks or days.

Myth #2: Federation is expensive and requires large investment. The short timeframe for implementation helps make an identity federation solution very affordable, and once in place, it is a scalable and repeatable solution that helps drive revenue while decreasing operational costs.

Myth #3: Federation requires an existing access management infrastructure. It doesn't. A good federation solution is architecturally agnostic and should not require an organization to change its existing identity infrastructure.

Myth #4: Federation, Web services security, and access management require standalone products that need to be licensed and deployed separately. Not with Sun. The Sun Java System Access Manager is a completely self-contained Java EE application that covers federation, access management, and Web services security in a single product.

Sun Solutions for Federated Identity Management
Sun Java System Access Manager and Sun Java System Federation Manager meet the need for scalable, standards-based, rapidly deployed identity management solutions that deliver federation capabilities.

Both Access Manager and Federation Manager offer readily integrated, infrastructure-agnostic federation solutions that can be rolled out quickly to extend access management to partners, outsourcers, and other external users. Federation Manager, a subset of Access Manager, is a federation-only solution that can sit on top of a company's existing identity infrastructure, while Access Manager covers the three bases of access management, federation, and Web services security.

The software is built from the open source OpenSSO code base and the next release will focus on simplification to enable users to easily complete common tasks, with expanded support and functionality in:

  • Access Management: Centralized configuration and deployment, and support for XACML (Extensible Access Control Markup Language)
  • Federation Management: Expanded interoperability, support for the WS-Federation 1.1 specification for Web services
  • Web Services Security: New Web service security plug-ins for Sun, IBM, and BEA Web and application servers

Here are a few examples of how several companies have put Sun Java System Access Manager to work for identity federation.

Manufacturing: Simplifying Access to Partner Services
One of the largest automotive manufacturers in the world wanted to pave the way for more productive business relationships by simplifying the way its employees accessed the services of the company's business partners. Federation-based SSO was the key to giving employees secure access to services from multiple business partners without having to use different passwords for different partners.

Figure: Auto manufacturer employees can view 401K benefits at a partner site with SSO that securely spans multiple federated domains.

The company's implementation of Sun Java System Access Manager enables more than 70,000 employees to directly access employee benefit information behind a partner firewall without logging on to a separate Web site. And because Sun's federation solution is standards-based, the company can add further partners by exchanging metadata and establishing trust with each one, rather than building a custom integration for each relationship.

Telecommunications: Launching Services Across Multiple Domains
A global provider of service-delivery platforms for telecommunications operators undertook a major subscriber-data integration initiative that included data federation. The company implemented Sun Java System Access Manager for SSO to multiple networks and services, to allow content service providers to offer services through operator portals, and to offer subscribers new value-added services such as online travel planning and management, and weather and traffic reports delivered to mobile devices.

Figure: With federated SSO, a telco identity provider aggregates content from service providers and delivers it to end-user customers.

The implementation was part of a comprehensive approach to data integration that progressed in complexity and challenge from data centralization to intra-network data consolidation to inter-network federation, as summarized below.

Three-Tiered Approach to Subscriber Data Management
  • Data Centralization: all data for a class of applications stored in one logical database
  • Data Consolidation (intra-network): all data coming from the same network; integration flow identical for large classes of users
  • Data Federation (inter-network): data coming from multiple networks; trust and access control issues critical; integration flow potentially different for each user

Banking: Making Secure, Federated SSO Work in the Real World
A top U.S. retail bank — the first in the country to provide online account access — wanted to give customers the ability to view images of paid checks online, but didn't want to take on the burden of implementing and internally managing the required IT infrastructure for this service. Instead, the bank is using Sun Java System Access Manager to federate with a partner that provides the service and to incorporate Web services security.

Figure: Sun Java System Federation Manager helps power a federated system that enables banking customers to view checks online.

In this example, federation-based SSO enables the bank customer to securely log in to the bank's online service and seamlessly view check images without having to reauthenticate at the partner's site: the bank, acting as identity provider, asserts that it has authenticated the customer, and the partner, acting as service provider, accepts that assertion instead of holding its own copy of the customer's credentials. Because Federation Manager is infrastructure-agnostic, the capability was implemented without the bank or the partner having to change their existing identity management infrastructures.
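What makes the banking scenario safe, and what the definition of federation earlier on this page calls an auditable framework, is the set of checks the receiving partner applies before it accepts the bank's word that a customer is logged in. The following is an added example, not Sun's code or the bank's: it models those SAML 2.0 service-provider checks in Python, using only the standard library. The entity IDs, the per-partner key, the customer ID and the timestamps are constructed for the example, and an HMAC over the serialized assertion stands in for the XML Signature a real identity provider would produce with its signing certificate.

```python
"""Service-provider acceptance of a partner's authentication assertion.

Added example, not Sun's code. Models the checks a SAML 2.0 service provider
(the check-imaging partner) makes before trusting an assertion from the bank's
identity provider. The HMAC signature is a constructed stand-in for XMLDSig.
"""
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Entity IDs and the per-partner key are assumptions made up for this example.
BANK_IDP = "https://idp.bank.example/saml"
IMAGING_SP = "https://checks.partner.example/sp"
BANK_KEY = b"per-partner-secret-provisioned-out-of-band"
TS = "%Y-%m-%dT%H:%M:%SZ"


def _sign(body: bytes, key: bytes) -> str:
    return base64.b64encode(hmac.new(key, body, hashlib.sha256).digest()).decode()


def issue_assertion(issuer, audience, subject, in_response_to, key, now,
                    lifetime=timedelta(minutes=5)):
    """IdP side: after local authentication, state who the user is, for which
    service provider, in answer to which request, and for how long."""
    root = ET.Element("Assertion", ID="_" + uuid.uuid4().hex, IssueInstant=now.strftime(TS))
    ET.SubElement(root, "Issuer").text = issuer
    subj = ET.SubElement(root, "Subject")
    ET.SubElement(subj, "NameID").text = subject
    ET.SubElement(subj, "SubjectConfirmationData", InResponseTo=in_response_to, Recipient=audience)
    cond = ET.SubElement(root, "Conditions", NotBefore=(now - timedelta(seconds=30)).strftime(TS),
                         NotOnOrAfter=(now + lifetime).strftime(TS))
    ET.SubElement(ET.SubElement(cond, "AudienceRestriction"), "Audience").text = audience
    ET.SubElement(root, "AuthnStatement", AuthnInstant=now.strftime(TS))
    body = ET.tostring(root)
    return body, _sign(body, key)


class ServiceProvider:
    """Relying party: trusts named issuers, and only within the limits they state."""

    def __init__(self, entity_id, trusted_idps, clock_skew=timedelta(seconds=60)):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps    # issuer entity ID -> verification key
        self.clock_skew = clock_skew
        self.pending_requests = set()       # AuthnRequest IDs sent, not yet answered
        self.seen_assertion_ids = set()     # replay cache
        self.audit_log = []                 # (outcome, issuer, subject, reason)

    def start_login(self):
        request_id = "_" + uuid.uuid4().hex
        self.pending_requests.add(request_id)
        return request_id

    def _validate(self, body, signature, now):
        root = ET.fromstring(body)
        # Only the issuer is read before the signature check, and only to pick the key.
        issuer = root.findtext("Issuer")
        key = self.trusted_idps.get(issuer)
        if key is None:
            raise ValueError("unknown issuer")
        if not hmac.compare_digest(_sign(body, key), signature):
            raise ValueError("bad signature")
        if root.get("ID") in self.seen_assertion_ids:
            raise ValueError("replayed assertion")
        if root.findtext("Conditions/AudienceRestriction/Audience") != self.entity_id:
            raise ValueError("wrong audience")
        cond = root.find("Conditions")
        not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        if not (not_before - self.clock_skew <= now < not_after + self.clock_skew):
            raise ValueError("outside validity window")
        scd = root.find("Subject/SubjectConfirmationData")
        if scd.get("Recipient") != self.entity_id or scd.get("InResponseTo") not in self.pending_requests:
            raise ValueError("unsolicited or stale response")
        self.pending_requests.discard(scd.get("InResponseTo"))
        self.seen_assertion_ids.add(root.get("ID"))
        return issuer, root.findtext("Subject/NameID")

    def accept(self, body, signature, now):
        """Return (True, subject) or (False, reason); every outcome is audited."""
        try:
            issuer, subject = self._validate(body, signature, now)
        except (ValueError, TypeError, AttributeError, ET.ParseError) as exc:
            self.audit_log.append(("REJECT", None, None, str(exc)))
            return False, str(exc)
        self.audit_log.append(("ACCEPT", issuer, subject, "federated SSO"))
        return True, subject


def demo_flow():
    """The banking scenario, followed by the cases a service provider must reject."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    sp = ServiceProvider(IMAGING_SP, {BANK_IDP: BANK_KEY})
    results = {}
    req = sp.start_login()
    body, sig = issue_assertion(BANK_IDP, IMAGING_SP, "customer-4711", req, BANK_KEY, now)
    results["valid"] = sp.accept(body, sig, now)
    results["replay"] = sp.accept(body, sig, now)
    results["tampered"] = sp.accept(body.replace(b"customer-4711", b"customer-0001"), sig, now)
    body, sig = issue_assertion(BANK_IDP, IMAGING_SP, "customer-4711", sp.start_login(), BANK_KEY, now)
    results["expired"] = sp.accept(body, sig, now + timedelta(minutes=10))
    req = sp.start_login()
    body, sig = issue_assertion(BANK_IDP, "https://other.example/sp", "customer-4711", req, BANK_KEY, now)
    results["wrong_audience"] = sp.accept(body, sig, now)
    body, sig = issue_assertion("https://idp.rogue.example", IMAGING_SP, "customer-4711", req, BANK_KEY, now)
    results["unknown_issuer"] = sp.accept(body, sig, now)
    results["audit_entries"] = len(sp.audit_log)
    return results


if __name__ == "__main__":
    for case, outcome in demo_flow().items():
        print(case, outcome)
```

The order of the checks is deliberate: the signature is verified before any claim in the assertion is acted on, the assertion ID is recorded so a captured assertion cannot be presented twice, the audience restriction stops an assertion issued for one partner from being accepted by another, and the InResponseTo match ties the assertion to a login the service provider actually started. A production deployment would replace the HMAC with XML Signature verification against the partner's certificate from the federation metadata and would persist the replay cache, but the acceptance logic is the same.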

What's Next: Federation in an SOA
Identity federation is a topic of intense interest these days, as more and more companies look for a foundation that enables secure, efficient, and cost-effective online collaboration among multiple partners. The wealth of possibilities that it offers for securely delivering services and sharing information across organizations is increasingly well recognized.

At the same time, companies want to transition away from costly point-to-point connections between entities and applications. With an SOA and its component-based model, constructing secure frameworks for federation is becoming easier than ever.