Federation

For many years IT departments within organizations have focused much of their time, energy, and budget on striking the right balance between securing resources on the one hand and facilitating legitimate access on the other. The task is made easier when a high degree of homogeneity exists, so that just one system, such as Active Directory, can be made responsible for authenticating users and providing the data (e.g. group memberships) which can then be used, for example by the file system, to authorize their access to resources. Such homogeneity is rare – most large organizations have many systems, and managing all the user accounts and their access to all the resources and applications is a challenge.

To add to the complexity, organizations are increasingly looking for solutions that allow effective collaboration with other organizations whilst still retaining their separate organizational and legal status. This separation must be bridged regardless of the underlying technology, or technologies, involved, and the term used for this kind of requirement is Federation.

Federation Solutions

Microsoft's Active Directory Federation Services (ADFS) is such a solution. It offers an organization already using Active Directory an out-of-the-box, standards-based technology for collaborating with other organizations. Users in one organization can be given access to web-based resources at another organization (or in a different security realm within the same organization) without requiring a separate account.

At a very high level, therefore, ADFS can be seen as a single sign-on technology that can be used to authenticate a user to multiple Web applications over the course of a single session.

OCG provide Federation solutions based on ADFS, which can interoperate with other technologies, such as Shibboleth.

Benefits
  • Improve collaboration and operational efficiency by building secure and efficient connections with other organizations.
  • Separation of responsibilities. The organization holding accounts handles authentication; the organization holding resources handles authorization.
  • Single sign-on. Users sign on once and are then recognized when accessing web resources across security boundaries.
  • Simplifies administration by reducing the number of accounts that have to be managed, and provides clear audit trails.
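The separation of responsibilities described above (the account partner authenticates and asserts who the user is and which groups they belong to; the resource partner checks that assertion and applies its own authorization policy) is the core of any claims-based federation. The following is an added illustration, not code from this page, from OCG, or from ADFS itself, and it does not implement the SAML or WS-Federation protocols that ADFS actually uses. It uses a constructed HMAC-signed token and a constructed shared key standing in for the signing certificate that a real federation trust would exchange via metadata; the issuer and audience URLs, user names, group names and resource paths are all made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared key standing in for the trust's signing certificate (assumption for the demo).
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed identifiers for the two partners in the federation trust.
ACCOUNT_PARTNER = "https://idp.partner-a.example"      # holds the accounts, authenticates
RESOURCE_PARTNER = "https://app.partner-b.example"     # holds the resource, authorizes


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, groups: list, issuer: str, audience: str, now: int, ttl: int = 300) -> str:
    """Account partner: after authenticating the user (assumed done against its own directory),
    assert identity and group memberships in a signed, short-lived, audience-restricted token."""
    claims = {"sub": subject, "groups": groups, "iss": issuer, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = b64url(hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, expected_issuer: str, expected_audience: str, now: int) -> dict:
    """Resource partner: accept only tokens that are intact, from the trusted issuer,
    addressed to this application, and still within their validity window."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected_sig = b64url(hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != expected_issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not for this application")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("token expired")
    return claims


# Constructed local policy of the resource partner: which asserted groups may reach which resource.
# Authorization stays with the organization that owns the resource, not with the issuer.
RESOURCE_POLICY = {"/reports": {"Finance"}, "/hr": {"HR"}}


def authorize(claims: dict, resource: str) -> bool:
    allowed = RESOURCE_POLICY.get(resource, set())
    return bool(allowed & set(claims.get("groups", [])))


def access(token: str, resource: str, now: int) -> tuple:
    """Resource partner's request handler: verify first, then apply local policy."""
    try:
        claims = verify_token(token, ACCOUNT_PARTNER, RESOURCE_PARTNER, now)
    except ValueError as err:
        return ("deny", str(err))
    if authorize(claims, resource):
        return ("allow", claims["sub"])
    return ("deny", "not in a permitted group")


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value
    token = issue_token("alice@partner-a.example", ["Finance"], ACCOUNT_PARTNER, RESOURCE_PARTNER, NOW)
    print(access(token, "/reports", NOW))        # allowed: Finance group maps to /reports
    print(access(token, "/hr", NOW))             # denied by the resource partner's own policy
    print(access(token, "/reports", NOW + 400))  # denied: token expired
```

Note that the account partner never sees the resource partner's policy and the resource partner never sees the user's password: each side keeps the responsibility the list above assigns to it, and the audience and expiry checks keep a token issued for one application from being replayed against another.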