Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Concept of Federation

Federation is defined as “an association formed by merging several groups or parties.” In the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation.

Identity Federation

Federation, as it has evolved with regard to the World Wide Web, begins with the notion of identity. Sending and receiving email, checking bank balances, finalizing travel arrangements, accessing utility accounts, and shopping are just a few online services for which a user might define an identity. To access each service, the user logs in to its service provider, a networked entity that provides services to other entities.

A user who accesses all of these services has therefore configured many separate accounts, one per provider, each with its own credentials. This situation creates an opportunity to fashion a system in which users federate their disparate service provider identities.

Identity federation allows the user to link, connect, or bind the local identities that have been created at the multiple service providers. The linked local identities, referred to collectively as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to reauthenticate or reestablish identity.

Provider Federation

The concept of federation as defined by the Liberty Alliance Project begins with a “circle of trust.” A circle of trust is a group of service providers who contractually agree to exchange authentication information using a Liberty-enabled architecture. Each circle must also include at least one identity provider, a service provider that maintains and manages identity data and provides authentication services to the other members.


Note –

The establishment of contractual agreements between providers is beyond the scope of this guide. For information, see the Liberty Trust Model Guidelines.


Once the contracts and policies that define a circle of trust are in place, the specific protocols, profiles, and security mechanisms used in the deployment are distilled into a metadata document that is exchanged among the members of the circle. Access Manager provides the tools needed to integrate that metadata and enable the circle technologically as an authentication domain. Authentication within this virtual federation is honored by every member provider of the authentication domain; a provider outside the domain has no basis for accepting it. For more information, see Authentication Domain.
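The two ideas introduced above, a federated identity that links local accounts at several providers and a circle of trust that decides whose authentication a provider honors, as a small Python model. This is an added illustration, not Access Manager or Liberty Alliance code; the provider names, account names, passwords, and the Assertion structure are constructed for the example, and the signed SAML messages and metadata exchange of a real deployment are left out. It goes slightly beyond the text by showing why the linking identifier is an opaque, per-provider pseudonym rather than the user's local username.

```python
"""Toy model of identity federation inside a circle of trust (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Assertion:
    issuer: str        # identity provider that authenticated the user
    audience: str      # service provider the assertion is intended for
    name_id: str       # opaque federated name identifier, never a local username


@dataclass
class IdentityProvider:
    provider_id: str
    accounts: dict                                  # username -> password (constructed sample data)
    federations: dict = field(default_factory=dict)  # (username, sp_id) -> opaque name identifier
    sessions: dict = field(default_factory=dict)     # session token -> username

    def authenticate(self, username: str, password: str) -> str:
        """The single login of single sign-on: one successful login yields one IdP session."""
        expected = self.accounts.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = username
        return token

    def federate(self, session: str, sp_id: str) -> str:
        """Link the IdP account to the user's account at sp_id.

        A fresh random identifier is minted per (user, provider) pair, so two service
        providers cannot correlate the same user by comparing the identifiers they hold.
        """
        key = (self.sessions[session], sp_id)
        if key not in self.federations:
            self.federations[key] = secrets.token_urlsafe(24)
        return self.federations[key]

    def assert_for(self, session: str, sp_id: str) -> Assertion:
        """Vouch for an existing session to sp_id without asking the user to log in again."""
        name_id = self.federations[(self.sessions[session], sp_id)]  # KeyError if never federated
        return Assertion(issuer=self.provider_id, audience=sp_id, name_id=name_id)


@dataclass
class ServiceProvider:
    provider_id: str
    trusted_idps: set                               # the circle of trust, as learned from metadata
    links: dict = field(default_factory=dict)       # name identifier -> local account

    def link(self, local_account: str, name_id: str) -> None:
        self.links[name_id] = local_account

    def consume(self, assertion: Assertion) -> str:
        """Honor an assertion only from a circle member, only if addressed to us,
        and only for a name identifier that has been linked to a local account."""
        if assertion.issuer not in self.trusted_idps:
            raise PermissionError(f"issuer {assertion.issuer} is not in the circle of trust")
        if assertion.audience != self.provider_id:
            raise PermissionError("assertion was issued for a different provider")
        if assertion.name_id not in self.links:
            raise PermissionError("name identifier is not federated with a local account")
        return self.links[assertion.name_id]


def run_federation_scenario() -> dict:
    """One login at the IdP, then click-through to two federated providers."""
    idp = IdentityProvider("idp.example", accounts={"alice": "correct horse"})
    travel = ServiceProvider("travel.example", trusted_idps={"idp.example"})
    bank = ServiceProvider("bank.example", trusted_idps={"idp.example"})
    outside = ServiceProvider("outside.example", trusted_idps=set())  # not a circle member

    session = idp.authenticate("alice", "correct horse")
    travel_id = idp.federate(session, "travel.example")
    bank_id = idp.federate(session, "bank.example")
    travel.link("a.smith", travel_id)   # alice's pre-existing local accounts at each provider
    bank.link("asmith42", bank_id)

    result = {
        "pseudonyms_differ": travel_id != bank_id,
        "travel_user": travel.consume(idp.assert_for(session, "travel.example")),
        "bank_user": bank.consume(idp.assert_for(session, "bank.example")),
    }
    try:  # the travel assertion replayed at the bank: wrong audience
        bank.consume(idp.assert_for(session, "travel.example"))
        result["cross_provider_replay_rejected"] = False
    except PermissionError:
        result["cross_provider_replay_rejected"] = True
    try:  # a provider outside the circle does not honor the IdP at all
        outside.consume(idp.assert_for(session, "travel.example"))
        result["outsider_rejects"] = False
    except PermissionError:
        result["outsider_rejects"] = True
    return result


if __name__ == "__main__":
    print(run_federation_scenario())
```

The three checks in `consume` are the ones a real provider performs on a received assertion, in the same order: is the issuer a member of my circle of trust, was the assertion addressed to me, and does its name identifier map to an account I hold. The model keeps sessions and federations in memory and does no signing; in a deployment the issuer check is backed by the signing key published in the exchanged metadata.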