Federation doesn’t have to be a behind-the-scenes interaction between big companies. Lately, an idea called “user-centric identity” has gained traction. It revolves around a few core principles, most notably the idea that users should be allowed to choose which identity credentials to present in response to an authentication or attribute request.
A number of user-centric identity systems are available now, and more are in the works. These range from simple, URL-based systems such as OpenID and LID (Light-Weight Identity), to such commercial offerings as Sxip and Microsoft InfoCard. Harvard’s Berkman Center, IBM, and Novell jointly announced a new user-centric system, the Higgins Project, in February.
The idea of choice appeals to most people, but what are the implications of this change?
Suppose I work for WidgetCo, which has federated its employee portal with RetireCo, a provider of 401(k) investment services. Under a standard federation scenario, I would log in to the employee portal, and when I linked out to RetireCo, WidgetCo would send a SAML token asserting my identity to RetireCo’s server. If RetireCo needed other data about me, it could request it from WidgetCo.
In this scenario, my involvement is limited to logging in and clicking the link. In fact, the only things that tie those actions to the transfer of my identity data are the policies and security of the employee portal. There’s nothing in the structure of the federation that requires my involvement; WidgetCo and RetireCo could exchange information about me anytime they wanted, and I would be none the wiser.
User-centric identity models solve this problem structurally by inserting the owner of the identity data into the transaction. In the user-centric model, when RetireCo needs identity information, the request comes to me. I then choose which credential to present, much like you choose which credit card to present when asked to pay for a purchase.
I might choose to use my WidgetCo identity, or possibly some other credential acceptable to RetireCo. I could set up defaults or rules to process the request automatically. But, in any case, I would choose who has access to my identity attributes and how that identity data is presented.
This change doesn’t just benefit the user. There are real advantages for RetireCo and for WidgetCo as well. For instance, in the classic federation scenario we imagined earlier, if WidgetCo mistakenly sends my identity attributes to RetireCo, resulting in a financial loss, WidgetCo has to accept some of the responsibility. But in the user-centric scenario, any such request has been approved by me -- significantly reducing the risk to both companies.
Read more about software development in InfoWorld's Developer World Channel.
Get the independent advice and expertise you need to support a virtual workforce.
The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now »
Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.
Download now »
A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.
Download now »
4 Recommendations
