Single Sign-On beyond the firewall
It seems like only yesterday that developers were coming to grips with implementing Single Sign-On (SSO) across the enterprise. Now, organizations are concerned with how they can extend that thinking to beyond the corporate firewall. John Dunn wrote about the basic tenants of Federated Identity Management (FIM) in a recent Techworld article:
The first thing to say about FIM is that it is not really a technology as such – despite what some vendors will appear to claim - more a concept for understanding how technologies such as web services can be used to make possible a goal that has started to obsess forward-thinking IT die-hards: how can users at different organisations share or ‘federate’ data and conduct transactions using each other’s networks?
SAML (Security Assertion Markup Language) 2.0 is the standard endorsed by OASIS to facilitate SSO in FIM. John discusses three important SAML features that make it appropriate for FIM projects:
First, it requires no ongoing synchronisation, and sets up connections on the basis of a particular request at a particular moment in time. This makes it simple and auditable. Second, it allows the communication of privacy settings and manages sessions better once the person has logged out of a federated resource. Perhaps most critically, it is an abstraction layer that can unite otherwise different authentication systems from different vendors, something that has thus far tended to cause a mountain of problems for FIM projects.
John then discusses a checklist of issues for companies starting to investigate FIM. These include:
- Ensuring your company has robust authentication in place. Your users will be accessing partner sites, and vice-versa.
- Evaluating the security implications of employees accessing multiple systems
- Compliance concerns
- Determining who is responsible in the event of a failure
The vision of Federated Identity invokes exciting possibilities, however John concludes the article with some sobering advice:
Longer term, it has the potential to transform even the humblest IT operation into something quite new. But as a concept, federation surely represents the future of networks, so that they become not as islands of digital power, but overlapping ‘networks of networks’. It is happening already. But it will force companies to re-examine their own security processes before they jump into its whirlpool of potential difficulties.
More InfoQ coverage of SAML is available here.