With identity theft on the rise, consumer trust of the Internet eroding and the number of passwords users need to remember growing, the battle cry for an integrated approach to manage electronic identities is resounding. Meeting that need is the Liberty Alliance federated network identity architecture, which lets users sign on with one ID and manage their identities across multiple organizations, choosing what information they share with others.
As businesses start deploying distributed federated models to solve identity management problems, the Liberty Alliance has developed the Liberty Identification Federation Framework (ID-FF) 1.2 specification to provide additional capabilities.
ID-FF extends the work done in Security Assertion Markup Language 1.0 for securely exchanging user information across domains of organizations. The first version of the framework, ID-FF 1.1, outlined single sign-on and account sharing between partners with established trust relationships. Ratified in November 2003, ID-FF 1.2 establishes federated, multilateral trust relationships across Liberty-enabled identity domains known as circles of trust.
Among the enhancements, Version 2 enables account linking, single sign-on and privacy enablement. The specification also adds single-use assertions of identity for anonymity, metadata exchange and affiliate relationships.
Single-use assertions of identity for anonymity (a one-time use of identity information to access a provided service) are useful where short-term identifiers are in play. Metadata provides multiple types of information, such as Social Security information, date of birth, driver's license number, invoice number or purchase order, to establish or exchange identity information between the identity provider (the business) and the business' service provider. Affiliate relationships are business partnerships between organizations that provide each other with trusted information.
ID-FF 1.2 helps businesses build and manage relationships without requiring a third party to validate identities. Identity management reduces costs in automated management of single sign-on and self registration.
The accompanying diagram shows the user experience and administrative simplification of a user logging on to a service to which he subscribes. He federates his identity once eligible services are discovered and proper consent has been obtained from the affiliate that subscribes to his information. The user, Jay Jeff, has opted in to receive information from a bank regarding his eligibility for a mortgage. Based on his eligibility and pending approval of the consent agreement the bank has sent him, Jeff now can use the services of the bank's mortgage-approved service provider.
Using ID-FF 1.2, Jeff now can manage his identity across trusted boundaries. He can manage the privacy of his data and enable/disable services with organizations in the federated relationship with the bank. Because his bank and the mortgage provider share federated ID management, Jeff’s username and profile have been distributed without loss of trusted boundaries. This provides cost containment, comprehensive auditing of records of user interactions and enhanced security and customer privacy.
Embracing Liberty ID-FF 1.2 would help businesses provide more-complex federated identity-based services through partnerships, helping businesses grow without compromising trust or privacy. Customers can benefit from the services knowing their personal data is protected.
Sodhi is product manager for eTrust Security Management Solutions at Computer Associates International Inc. He can be reached at firstname.lastname@example.org.