In a previous post, we discussed how lax password management is putting organizations at risk. A recent Ovum study found that most organizations rely on employee education and self-monitoring to ensure the use of strong passwords. Few organizations have automated tools for password management, creating a burden on employees and help desk personnel.
Identity and access management (IAM) technology can relieve this burden by enforcing password policies and providing self-help tools for password resets. A robust IAM platform can also propagate password changes throughout the enterprise, minimizing the number of passwords that users must create and manage.
Federated identity management (FIM) takes this a step further by enabling the secure exchange of identity data with external systems. The entities involved agree to a system of mutual trust so users can access external resources with a single credential. FIM streamlines identity provisioning and management across distributed resources.
Organizations are increasingly interested in FIM as they adopt more cloud-based services and distributed computing models that span supply chains, brokers, and other networks. They are grappling with a new definition of “identity”, one that is no longer contained only within internal applications and data.
FIM provides the mechanism for handling this new identity paradigm by making identities portable. While traditional IAM solutions are designed to operate within the enterprise security framework, FIM enables organizations to provision users, roles, and entitlements using open-standard protocols such as Security Assertion Markup Language (SAML) and Web Services Federation (WS-Federation).
These protocols, which are platform-agnostic, allow independent parties to securely share identity information. The parties need not be concerned with the operating systems, software, or other technologies implemented on either end of a federated relationship. Organizations can easily accept federated assertions of identity, allowing business partners to log in seamlessly without the need for a native user ID and password. This improves productivity for users, increases the appeal of the organization’s services, and eliminates the need for partners to maintain another set of IDs and passwords.
FIM isn’t the same as single sign-on (SSO), a vague term that simply means that the same credentials can be used to access multiple resources. However, FIM provides SSO by allowing internal user credentials to be transformed and accepted by cloud and partner applications. Upon clicking a link within an enterprise portal, the user can be seamlessly logged into the external application or resource — no user ID or password required.
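Accepting a federated assertion is only safe if the receiving application checks it before granting access. The following added example (not code from the original post) shows the minimum checks a SAML 2.0 service provider applies to an incoming assertion: the issuer is a federation partner it has agreed to trust, the assertion is addressed to this provider, and it is inside its validity window. The issuer and audience URLs and the sample assertion are constructed for illustration, and XML-signature verification is assumed to be done by a separate XML-DSig library.

```python
# Added example (not from the original post): the checks a service provider (SP)
# must apply before accepting a federated SAML 2.0 assertion: trusted issuer,
# audience restriction and validity window. XML-signature verification is left
# to an XML-DSig library and is not implemented here.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; all URLs are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.partner.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.com/saml"}  # fixed per federation agreement
MY_ENTITY_ID = "https://crm.partner.example/sp"     # this SP's own entity ID
NOW = datetime(2024, 1, 15, 10, 1, tzinfo=timezone.utc)      # inside the window
EXPIRED = datetime(2024, 1, 15, 10, 5, tzinfo=timezone.utc)  # exactly NotOnOrAfter

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted=TRUSTED_ISSUERS, audience=MY_ENTITY_ID):
    """Return ("accept", name_id) when every check passes, else ("reject", reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ("reject", "not a SAML assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted:                  # only partners we agreed to trust
        return ("reject", "untrusted issuer: " + issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ("reject", "assertion carries no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):   # stale or replayed
        return ("reject", "assertion outside its validity window")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:              # assertion minted for another SP
        return ("reject", "assertion not addressed to this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return ("accept", name_id) if name_id else ("reject", "no subject NameID")
```

Only after these checks (and signature verification) does the SP map the returned NameID to a local session, which is the point at which "no user ID or password required" becomes safe.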
The end result is a seamless SSO experience for the user. Whether external applications are private (such as a distributor’s warehousing application) or cloud-based (such as SalesForce.com), federated SSO can help improve user productivity, reduce help desk calls for forgotten passwords, and improve identity lifecycle management.
Organizations that use cloud-based solutions or integrate extensively with third parties must deal with an increasing number of user accounts maintained on those external applications and services. As a result, managing identities outside the enterprise boundary is becoming a priority. Federated identity management can help streamline and standardize the process by enabling organizations to securely share credentials and facilitate single sign-on for access to external resources.
For more information about Federated Identity Management, please send us an email at (firstname.lastname@example.org).