Emtec Adviser - Users without Boundaries

Federated identity and access management enables single sign-on and user provisioning across distributed networks and cloud-based services.

Organizations today are increasingly dependent upon partners that span supply chains, brokers and other networks. Likewise, organizations are adopting Software-as-a-Service (SaaS) solutions and creating partnerships with application providers such as Salesforce.com, Concur and SuccessFactors.

These distributed computing models and cloud-based services have created new challenges for identity and access management (IAM) solutions, which provide a framework for managing users and their access privileges across the enterprise. IAM tools include user provisioning, password management, strong authentication, single sign-on and other technologies, which are increasingly bundled into comprehensive platforms. Traditionally, however, these solutions are designed to operate within the enterprise security framework.

Organizations are now grappling with a new definition of “identity” — one not just contained within internal applications and data. In a supply chain, for example, organizations must figure out how to integrate external user groups into their security controls in order to provide access to appropriate resources. Organizations that use SaaS solutions must also manage user credentials outside the enterprise security framework.

Federated identity management provides the mechanism for handling this new identity paradigm. It enables business-to-business integration by making identities portable and enabling the exchange of identity data. Federated identity management offers two key benefits: it enables users to access external resources with a single credential, and it streamlines identity provisioning and management across distributed resources.

Federated Single Sign-On

The growing popularity of SaaS applications has increased demand for federated identity management solutions. Many organizations are looking to use federation so that users don’t have to manage multiple IDs and passwords for SaaS applications.

Federated identity management enables organizations to provision users, roles and entitlements to partner applications in a secure, open-standard format. If users regularly access applications hosted by a business partner that supports federation, Federated Single Sign-On (FSSO) acts as a bridge: the user authenticates once against the enterprise's own credentials, and that authentication is transformed into an identity assertion the partner accepts. Federation therefore provides single sign-on across third-party providers, allowing users to reach partner-hosted applications without a separate login. Upon clicking a link posted within an enterprise portal, the user is logged into the external application or resource with no additional user ID or password.

The end result is a seamless SSO experience for the user. Whether partner applications are private (such as a distributor’s warehousing application) or cloud-based (such as Salesforce.com), FSSO can help improve user productivity, reduce help desk calls for forgotten passwords and improve identity lifecycle management.

Various open-standard protocols have emerged to address the challenge of extending IAM to external applications. These protocols, which allow independent parties to securely share identity information, form the basis of federation. FSSO relies on open-standard protocols, such as Security Assertion Markup Language (SAML) and Web Services Federation (WS-Federation), that are platform and technology agnostic. The parties need not be concerned with the operating systems, software or other technologies implemented on either end of a federated relationship. Federation protocols enable existing identity information about a user to be securely transmitted between the two parties.

Improving Security

Maintaining a discrete set of user identities within cloud applications is more than a hassle — it’s a security threat. In June 2011, Google announced that computer hackers in China broke into the Gmail accounts of several hundred people, including senior government officials in the U.S. and political activists. Google believes Chinese hackers used phishing scams to trick people into sharing their passwords. This attack highlights the need for enterprises to take control of user credentials and authentication for SaaS applications.

The good news is that many SaaS providers are now exposing mechanisms that enable programmatic management of identities within their environments. For example, Google allows enterprise customers to use the SAML protocol to delegate authentication to the customer's own identity provider. Companies can keep their Gmail user credentials where they choose and take control of the Gmail authentication process away from Google.

Federated identity management can also help organizations share their Web applications with partners in a cost-effective and timely manner. Utilizing federation services, organizations can easily accept federated assertions of identity such as SAML, WS-Federation and OpenID, allowing business partners to log in seamlessly without the need for a native user ID and password. This improves productivity for users, increases the appeal of the organization’s services, and eliminates the need for partners to maintain another set of IDs and passwords.
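The exchange described in the "Federated Single Sign-On" section and the acceptance of partner assertions described in the paragraph above can be modelled in a few dozen lines. The following is an added example, not Emtec's code and not any vendor's SAML implementation: the enterprise identity provider (IdP) issues a signed assertion about an authenticated user, and the partner or SaaS service provider (SP) accepts that assertion in place of a native password. For readability the assertion is a JSON document signed with HMAC-SHA256 rather than an XML document carrying an XML Signature, and the entity IDs, key and user are constructed for the demo. The checks the SP performs are the ones that matter in practice: signature, trusted issuer, intended audience, validity window and one-time use of the assertion ID.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class InvalidAssertion(Exception):
    """Raised by the service provider when an assertion must not be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_assertion(idp_key, issuer, audience, subject, attributes, now=None, lifetime=300):
    """Identity provider side: state who the user is, which partner may consume
    the statement and for how long, then sign the whole document.
    (HMAC stands in for the XML Signature a real SAML IdP would apply.)"""
    now = time.time() if now is None else now
    payload = {
        "id": "_" + secrets.token_hex(16),   # random, so the SP can detect replay
        "issuer": issuer,                     # which IdP vouches for the user
        "audience": audience,                 # the one SP allowed to accept it
        "subject": subject,                   # the user, as known to the IdP
        "attributes": attributes,             # roles/entitlements provisioned to the partner
        "not_before": now - 60,               # tolerate small clock skew between parties
        "not_on_or_after": now + lifetime,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(idp_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


class ServiceProvider:
    """Partner/SaaS side: accepts assertions only from configured federation partners."""

    def __init__(self, entity_id, trusted_issuers):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers  # issuer -> verification key, from federation metadata
        self.seen_ids = set()                   # assertion IDs already consumed

    def accept(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, signature = _unb64(body_b64), _unb64(sig_b64)
            payload = json.loads(body)
        except (ValueError, TypeError) as exc:
            raise InvalidAssertion("malformed assertion") from exc
        if not isinstance(payload, dict):
            raise InvalidAssertion("malformed assertion")
        key = self.trusted_issuers.get(payload.get("issuer"))
        if key is None:
            raise InvalidAssertion("issuer is not a federation partner")
        # Verify the signature before believing anything else in the document.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise InvalidAssertion("signature does not verify")
        if payload.get("audience") != self.entity_id:
            raise InvalidAssertion("assertion was issued for a different service")
        # Missing time bounds default to values that can never satisfy the check.
        not_before = payload.get("not_before", float("inf"))
        not_on_or_after = payload.get("not_on_or_after", float("-inf"))
        if not not_before <= now < not_on_or_after:
            raise InvalidAssertion("assertion is outside its validity window")
        assertion_id = payload.get("id")
        if not assertion_id or assertion_id in self.seen_ids:
            raise InvalidAssertion("assertion has already been used")
        self.seen_ids.add(assertion_id)
        # The partner now has a local session; no partner-side password was involved.
        return {"subject": payload.get("subject"), "attributes": payload.get("attributes")}


def verdict(sp, token, now=None):
    """Return 'accepted' or the reason the service provider refused the assertion."""
    try:
        sp.accept(token, now)
        return "accepted"
    except InvalidAssertion as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed demo values: a corporate IdP, a SaaS partner and one user.
    idp_key = secrets.token_bytes(32)
    idp, sp_id = "https://idp.corp.example", "https://saas.example/sp"
    sp = ServiceProvider(sp_id, {idp: idp_key})
    t0 = 1_700_000_000
    token = issue_assertion(idp_key, idp, sp_id, "alice@corp.example", {"role": "buyer"}, now=t0)
    print(verdict(sp, token, now=t0 + 5))    # accepted
    print(verdict(sp, token, now=t0 + 6))    # assertion has already been used
```

The order of checks is deliberate: the signature is verified before any other claim is trusted, and the audience, time window and replay checks correspond to what a SAML service provider must enforce on the Issuer, AudienceRestriction, Conditions (NotBefore / NotOnOrAfter) and assertion ID elements. Skipping the audience check is the classic mistake: an assertion issued for one partner application could then be replayed against another that trusts the same identity provider.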

Organizations that integrate extensively with third parties or utilize SaaS solutions must deal with an increasing number of user accounts maintained on affiliate or partner applications. As a result, managing application accounts across the business-to-business boundary is becoming a priority. Federated identity management can help streamline and standardize business-to-business identity management by enabling organizations to securely share user identity information with business partners. Federation allows organizations to exchange identity assertions and so provide single sign-on for access to external resources.
