Federated Identity, one (ws-standard) step closer to reality

Silicon.com article, Michael Stephenson, lead program manager for Windows Server 2003: "We are showing how a user at one site might log on to a portal and then they can enter a purchase order at another location without having to sign on again."

The web needs this. Businesses need this. Users need this.

So what is Federated Identity, and where are we? Highlights from the Federated Identity workshop results article at MSDN:

“To meet the challenge of current industry trends such as growth in business-to-business commerce, increased mobility and the need for persistent connectivity, organizations are extending internal systems to external users providing connectivity to customers, partners, suppliers and mobile employees.

Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources.

Within a federated system, an organization needs a standardized and secure way of expressing not only the services it makes available to trusted partners and customers, but also the policies by which it runs its business such as which other organizations and users it trusts, what types of credentials and requests it accepts, and its privacy policies.

Responding to this need, Microsoft is working with industry leaders to develop a set of specifications for distributed application architecture commonly referred to as Web services.

Interop Scenario

In the scenario for the interoperability workshop, a company, My Employer (ME), outsources the management of employee benefits to a third party, Benefits Company (BC). My Employer and Benefits Company have established trust and policies for a business federation. As part of the coordination of their business federation with Benefits Company, My Employer agrees to send certain user-specific attributes, along with the resource request to Benefits Company. The benefits management application at Benefits Company requires these attributes to exist before displaying the specific resource the employee at My Employer has requested.

The goal of this scenario was threefold:

  • Illustrate a business-to-business federation between an organization and a third-party service provider by enabling ME to outsource the management of employee benefits.
  • Test the interoperability between different vendor solutions created using the standards outlined in the WS-Federation Passive Requestor Profile.
  • Realize the benefit of a business federation by:
    • Eliminating the need for BC to manage identity and passwords for ME's employees in order to administer benefits.
    • Providing trusted Web Single Sign On (SSO) for the ME employees to the BC domain.”
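The policy and scenario passages above describe the relying party's side of a federation: BC trusts tokens from ME, accepts only certain credentials, and refuses to show a benefits resource until the agreed attributes are present. The following Python script is an added illustration of that check, not code from the MSDN article or from any WS-Federation product. It assumes a constructed shared HMAC key standing in for the XML signature a real WS-Federation security token carries, hypothetical `urn:example:` identifiers for ME and BC, and a made-up attribute list; the identity store and password never leave ME, which is the point of the scenario.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a symmetric key agreed when ME and BC set up their federation,
# and hypothetical identifiers for the two parties. In WS-Federation these would be
# a signed SAML token and the parties' URIs; HMAC stands in for the signature here.
FEDERATION_KEY = b"constructed-demo-key-shared-by-ME-and-BC"
ME_ISSUER = "urn:example:my-employer"
BC_AUDIENCE = "urn:example:benefits-company"

# BC's policy: issuers it trusts, and attributes that must be present before a
# benefits resource is shown (the "user-specific attributes" of the scenario).
TRUSTED_ISSUERS = {ME_ISSUER}
REQUIRED_ATTRIBUTES = ("employee_id", "department", "benefits_plan")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, attributes, key=FEDERATION_KEY, now=None, ttl=300,
                issuer=ME_ISSUER, audience=BC_AUDIENCE):
    """ME's security token service: sign the claims BC needs for this subject."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "iat": now, "exp": now + ttl, "attrs": attributes}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token, key=FEDERATION_KEY, now=None):
    """BC's relying party: return (ok, reason, claims) for an incoming token.

    Checks, in order: well-formedness, signature, trusted issuer, audience,
    expiry, and presence of every attribute BC's policy requires.
    """
    try:
        payload_b64, signature_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(signature_b64)
    except ValueError:
        return False, "malformed token", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    try:
        claims = json.loads(payload)
    except ValueError:
        return False, "malformed claims", None
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer", None
    if claims.get("aud") != BC_AUDIENCE:
        return False, "wrong audience", None
    if now >= claims.get("exp", 0):
        return False, "expired", None
    attrs = claims.get("attrs") or {}
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    if missing:
        return False, "missing attributes: " + ", ".join(missing), None
    return True, "ok", claims


def benefits_portal(token, resource, now=None):
    """BC's application: show the resource only after the token passes policy."""
    ok, reason, claims = verify_token(token, now=now)
    if not ok:
        return "denied: " + reason
    return "%s for %s (%s plan)" % (resource, claims["sub"], claims["attrs"]["benefits_plan"])


if __name__ == "__main__":
    # Constructed employee record held at ME; BC never sees a password.
    attrs = {"employee_id": "E1001", "department": "Finance", "benefits_plan": "Standard"}
    print(benefits_portal(issue_token("alice", attrs), "benefits summary"))
    print(benefits_portal(issue_token("alice", {"employee_id": "E1001"}), "benefits summary"))
    print(benefits_portal(issue_token("alice", attrs, key=b"not-the-federation-key"), "benefits summary"))
```

The order of checks matters: the signature is verified before any claim is read, so an unsigned or tampered token is rejected before its issuer or attributes can influence anything, and the attribute check is done against BC's own policy list rather than trusting whatever the token happens to carry.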

XML.com (in-depth) article: Microsoft announced that six companies participating in a WS-Federation interoperability workshop completed testing of their products; the solution was demonstrated in the Microsoft Interoperability Pavilion at the TechEd conference. Several participating companies have issued announcements describing the implementation of federated identity specifications in their products, including support for Web Services Federation (WS-Federation), OASIS Web Services Security (WSS) 1.0, SAML, and Liberty Alliance.