Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Concept of Federation

Federation is defined as "an association formed by merging several groups or parties". In the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation.

Identity Federation

Federation, as it has evolved with regard to individual users and the World Wide Web, begins with the notion of identity. (See Concept of Identity.) Sending and receiving email, checking bank balances, finalizing travel arrangements, accessing utility accounts, and shopping are just a few online services for which a user might define an identity. A user who accesses all of these services has configured many different identity accounts. This proliferation of accounts creates the opportunity for a system that lets users federate these identities.

Identity federation allows the user to link, connect, or bind the local identities that have been created for each service provider (a networked entity that provides services to other entities). The linked local identities, referred to as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to reauthenticate or reestablish identity.

Provider Federation

The concept of federation, as defined by the Liberty Alliance Project, begins with a "circle of trust." A circle of trust is a group of service providers who contractually agree to exchange authentication information using a Liberty-enabled architecture. Each circle of trust must also include at least one identity provider: a service provider that maintains and manages identity data and provides authentication services.

Note – The establishment of contractual agreements between providers is beyond the scope of this guide. See Concept of Trust for an overview.

After the contracts and policies defining a circle of trust are in place, the specific protocols, profiles, endpoints, and security mechanisms used in the deployment are collected into a metadata document that is exchanged among the members of the circle of trust. Access Manager provides the tools necessary to integrate the metadata and enable the circle of trust, technologically, as an authentication domain. Authentication within this virtual federation is honored by all member providers of the authentication domain. For more information, see Authentication Domain.
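An added example, not code from the Access Manager guide: before the exchanged metadata is enabled as an authentication domain, a deployer can sanity-check it against the rule stated above that a circle of trust must contain at least one identity provider and that every member declares a provider role. It assumes the Liberty ID-FF 1.2 metadata vocabulary (EntityDescriptor with a providerID attribute, IDPDescriptor, SPDescriptor); the metadata document itself is constructed for illustration.

```python
# Added example: check a circle-of-trust metadata set before enabling it as an
# authentication domain. Namespace and element names are assumed from the
# Liberty ID-FF 1.2 metadata specification; the XML below is constructed.
import xml.etree.ElementTree as ET

MD_NS = "urn:liberty:metadata:2003-08"

# Constructed metadata for a three-member circle of trust (1 IDP, 2 SPs).
CIRCLE_OF_TRUST_METADATA = f"""
<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor providerID="https://idp.example.com">
    <IDPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">
      <SoapEndpoint>https://idp.example.com/soap</SoapEndpoint>
    </IDPDescriptor>
  </EntityDescriptor>
  <EntityDescriptor providerID="https://bank.example.com">
    <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08"/>
  </EntityDescriptor>
  <EntityDescriptor providerID="https://travel.example.com">
    <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def load_members(xml_text):
    """Return a list of (providerID, set_of_roles) for every entity found."""
    root = ET.fromstring(xml_text)
    members = []
    for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = set()
        if ent.find(f"{{{MD_NS}}}IDPDescriptor") is not None:
            roles.add("IDP")
        if ent.find(f"{{{MD_NS}}}SPDescriptor") is not None:
            roles.add("SP")
        members.append((ent.get("providerID"), roles))
    return members


def check_circle_of_trust(members):
    """Return a list of problems; an empty list means the circle can be enabled."""
    problems = []
    if not any("IDP" in roles for _, roles in members):
        problems.append("no identity provider in circle of trust")
    seen = set()
    for pid, roles in members:
        if not pid:
            problems.append("EntityDescriptor without providerID")
        elif pid in seen:
            problems.append(f"duplicate providerID: {pid}")
        seen.add(pid)
        if not roles:
            problems.append(f"{pid} declares neither IDP nor SP role")
    return problems


if __name__ == "__main__":
    print(check_circle_of_trust(load_members(CIRCLE_OF_TRUST_METADATA)) or "OK")
```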