Sun OpenSSO Enterprise 8.0 Developer's Guide

Understanding Federation

The umbrella term federation encompasses both identity federation and provider federation. The concept of identity federation begins with the notion of a virtual identity. On the internet, one person might have a multitude of accounts set up for access to various business, community and personal service providers. In creating these accounts, the person might have used different names, user identifiers, passwords or preferences to customize, for example, a news portal, a bank, a retailer, and an email provider. A local identity refers to the set of attributes that an individual might have with each of these service providers. These attributes uniquely identify the individual for that particular provider and can include a name, phone number, passwords, social security number, address, credit records, bank balances or bill payment information. After implementing a federated identity infrastructure, a user can associate, connect or bind the local identities they have configured with multiple service providers into a federated identity. With a federated identity, the user can then log in at one service provider's site and move to an affiliated (trusted) service provider's site without having to reauthenticate or re-establish their identity.

The concept of provider federation as defined in a federation-based environment begins with the notion of a security domain (referred to as a circle of trust in OpenSSO Enterprise). A circle of trust is a group of service providers (with at least one identity provider) that agree to join together to exchange user authentication information using open standards and technologies. Once a group of providers has been federated within a circle of trust, authentication accomplished by the identity provider in that circle is honored by all affiliated service providers. Thus, federated single sign-on can be enabled among all member providers, as well as identity federation among users. For more information on the federation process in OpenSSO Enterprise, see the Sun OpenSSO Enterprise 8.0 Technical Overview.
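The two ideas above (local identities bound into one federated identity, and a circle of trust in which only the member identity provider's authentication is honored) can be modeled in a few dozen lines. The following is an added illustrative example, not OpenSSO Enterprise code and not its API or the SAML/Liberty message formats it implements; the provider names, user identifiers and the "fed-42" federated identifier are constructed for the example, and credential checking at the identity provider is assumed to have already happened.

```python
"""Minimal model of a circle of trust and federated identity.

Illustrative code added to this page; it is not OpenSSO Enterprise code and
does not reproduce its APIs or the protocol messages it exchanges.
All provider names, user identifiers and attributes below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class CircleOfTrust:
    """Providers that agree to exchange user authentication information."""
    name: str
    identity_providers: Set[str]
    service_providers: Set[str]

    def trusts_idp(self, idp: str) -> bool:
        return idp in self.identity_providers

    def has_sp(self, sp: str) -> bool:
        return sp in self.service_providers


@dataclass
class Assertion:
    """What an identity provider hands back after authenticating a user."""
    issuer: str          # identity provider that performed the authentication
    federated_id: str    # opaque identifier for the federated identity


@dataclass
class FederationRegistry:
    """Binds a user's local identity at each service provider to one federated identity."""
    # (service provider, federated id) -> local user id at that provider
    links: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def federate(self, sp: str, federated_id: str, local_id: str) -> None:
        self.links[(sp, federated_id)] = local_id

    def local_identity(self, sp: str, federated_id: str) -> Optional[str]:
        return self.links.get((sp, federated_id))


def authenticate(circle: CircleOfTrust, idp: str, federated_id: str) -> Assertion:
    """Authentication at an identity provider that is a member of the circle."""
    if not circle.trusts_idp(idp):
        raise ValueError(f"{idp} is not an identity provider in {circle.name}")
    # Credential checking is assumed to have succeeded; the IdP vouches for federated_id.
    return Assertion(issuer=idp, federated_id=federated_id)


def single_sign_on(circle: CircleOfTrust, registry: FederationRegistry,
                   sp: str, assertion: Assertion) -> Optional[str]:
    """Return the local user id the SP should treat as logged in, or None.

    None means the SP must fall back to its own login: either the user never
    federated a local identity with this provider, or the assertion cannot be honored.
    """
    if not circle.has_sp(sp):
        raise ValueError(f"{sp} is not a service provider in {circle.name}")
    if not circle.trusts_idp(assertion.issuer):
        # Only authentication performed by an IdP in the same circle is honored.
        return None
    return registry.local_identity(sp, assertion.federated_id)


def demo() -> Dict[str, Optional[str]]:
    """Walk one user through the circle; returns the outcome at each SP."""
    circle = CircleOfTrust("retail-circle",
                           identity_providers={"idp.example"},
                           service_providers={"news.example", "bank.example", "shop.example"})
    registry = FederationRegistry()
    # The user has bound two of three local accounts to the federated id "fed-42".
    registry.federate("news.example", "fed-42", "alice.w")
    registry.federate("bank.example", "fed-42", "cust-0031")
    # shop.example is deliberately left unfederated.

    assertion = authenticate(circle, "idp.example", "fed-42")
    outcome = {sp: single_sign_on(circle, registry, sp, assertion)
               for sp in ("news.example", "bank.example", "shop.example")}

    # An assertion from an IdP outside the circle is not honored by any member SP.
    outsider = Assertion(issuer="other-idp.example", federated_id="fed-42")
    outcome["news.example/outsider"] = single_sign_on(circle, registry, "news.example", outsider)
    return outcome


if __name__ == "__main__":
    for sp, local in demo().items():
        print(f"{sp}: {'SSO as ' + local if local else 'local login required'}")
```

Running the script shows the user signed in as `alice.w` at the news portal and as `cust-0031` at the bank from a single authentication, while the unfederated shop and the assertion from the outside identity provider both fall back to a local login. The point of the `trusts_idp` check in `single_sign_on` is the security property the paragraph describes: membership in the circle of trust, not the mere presence of an assertion, is what makes the identity provider's authentication acceptable to a service provider.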