Understanding Network Identity and Federated Identity

Network Identity refers to a software solution that incorporates a set of network-concentric business processes and the supporting technology infrastructure to manage both the life cycle of identities and the relationship between these identities and business applications and information. The concept of network identity goes beyond simple user authentication or authorization for accessing applications and resources. It also entails the management aspects of the life cycle of identities and the implementation of business processes to support it. It is a useful distinction in the context of security breach issues and critical security flaws discussed in Chapter 1.

Federated Identity refers to the use of identity information between companies and applications or across different security infrastructures over a network. Management of these identities is inter-company and inter-dependent. Federated identity extends the use of network identity within a company or enterprise to multiple business entities or security infrastructures. This includes complicated processes and implementations of how identities are registered, revoked, and terminated with an identity provider. Federated identity is obviously subject to more security risks and integration challenges than network identity. Single sign-on across companies is an example of federated identity functionality. It enables a user to access remote applications and resources by authenticating only once. After that single sign-on, a user's identity authentication is shared among different authentication security infrastructures.

Identity management denotes the process of managing network identity and federated identity and provides the following functions:

• User Provisioning. This includes creating or administering user identities that can access enterprise resources and business applications.

• Roles and Groups. This refers to how user entities can be mapped to different roles or groups to access the enterprise resources. For example, creating a user role for managing the user profiles of low-volume mobile phone subscribers will be handy, instead of creating an individual user profile for each subscriber.

• Account Service Provisioning. This denotes how a user account service is provisioned in different systems according to the access rights and user profile. It also encompasses synchronizing user passwords among different applications and systems that can synchronize user passwords, and enforcing security policies for account passwords. Sometimes, provisioning a user account involves multistep management approval workflow processes.

• Delegated Administration. This allows local or distributed administrators to create or update a hierarchy of user identities and roles that grants access to applications and resources. This hierarchy allows an organization to delegate user administration, group and role administration, security administration, and application-specific functions to different roles or principals that are from sub-organizations within a network or dispersed geographically across multiple sub-domains of the network.

• Audit Trails and Reporting. It is becoming more important to track the history of the user identity life-cycle management, and detect any suspicious changes for risk management and compliance purposes.

• Single Sign-on (SSO) and Global Logout. Single sign-on (whether single domain, cross-domain, or across networks) addresses the issue of maintaining a silo authentication security infrastructure. By sharing the same user identity authentication, single sign-on provides for a lower cost of interoperating with other security domains and enhances the user experience. If the system invalidates the user identity or session in the presentation tier, global logout can automatically sign out from the rest of the sessions. Global logout is also critical to protecting user session integrity from security hackers and intruders.

OASIS [OASIS], as an industry effort, publishes a list of security standards supporting identity management. These standards include the following:

• Security Assertion Markup Language (SAML) [SAML-TC]

• eXtensible Access Control Markup Language (XACML) [XACML-TC]

• Service Provisioning Markup Language (SPML)[SPML-TC].

In addition, Liberty Alliance (http://www.projectliberty.org) is a consortium of more than 150 companies, nonprofit organizations, and government organizations worldwide that has developed open standards and specifications for enabling federated network identity architectures. These standards and specifications address key business requirements in terms of providing a single point of access to multiple resources. They also address enabling the integration and interoperability of legacy software products with an existing security infrastructure and other proprietary solutions.

This chapter focuses on SAML, Liberty, and XACML, while Chapter 13, "Secure Service Provisioning," will cover SPML in more detail.

The Importance of Identity Management

Identity management is becoming more important to application security, because security threats and identity fraud are becoming more common and complex, which makes it harder to prevent the related vulnerabilities. Having a robust identity management solution can lower administrative costs (via automated security service provisioning), enhance user productivity (via a streamlined user authentication process), and deliver strong and consistent security for end-to-end business applications (using a central, standards-based authentication point and shared credential management). In addition, it can foster new revenue opportunities through enhanced partnership opportunities.