Ok partner, all analogies break down. But before you draw that six-shooter, hear me out. We hear a lot about identity federation today; it's a very hot initiative, as well it should be. The ability to authenticate users based on a trust relationship between federation members is a powerful tool to speed access to service providers, not to mention the side benefit of reducing the number of credentials one has to remember, and we can all agree on that. Single sign-on is certainly a beautiful thing, but it's not the same as identity management.
So here's the scenario. You're standing on the main street looking down the perspective view of many attractive facades: service providers you look forward to visiting. And you're a member of the Federation of Old West Towns (FOWT), so you have the master skeleton key to open the doors of all of them.
First the Saloon to wet your whistle from a long ride. You open the door and walk up to the counter, the proprietor says “howdy stranger what’ll you have?” That’s odd, you did have a key to the place after all, but he doesn’t know you. You’ve been granted access based on your federation membership. He’ll serve you, but he doesn’t know what you drink and certainly will require a credit application if you want a house account. No big deal though, so you go ahead and fill out his application, a little miffed that you have to enter all of the same info that you had given to the Federation when you joined.
Next the Hotel for that premium FOWT room. Opening that door you are welcomed by the front desk clerk “Howdy Stranger”. Odd, the federation knows your name… “do you have a reservation?” Bummer, you sort of expected that, as a federation member, you’d have a room waiting. Oh well, you fill in the necessary information… again.
After you settle in to your room you head down the street to the finest eatery. Looking forward to what you have been told is the best meal in the county. Opening the door the maître d’ greets you, “howdy stranger, do you have a reservation?” Not again, really? Federation members don’t get special treatment? Unfortunately not, and in this swanky place, he won’t even seat you until you’ve been granted a table by the owner who won’t be back for a while. You’ll have to wait in the lobby.
Now imagine a different experience, the one you really want. When you open the door to the Saloon, the proprietor says “Hello Sam L.! Want your regular? I’ll put it on your tab. Your seat’s right over here, I can’t wait to catch up on your latest travels, how’s the family?”. It’s nice to drink where ‘everybody knows your name’. At the Hotel, the clerk greets you “Hello Sam L.! Your room is ready and stocked with your favorite snacks. You’re already checked in and your FOWT key works on your room.” At the Restaurant the maître d’ greets you, “Hi Sam L! Mr. Jones has approved your seat at the front table for all of his inner circle. Your food will be out shortly!”
Certainly identity providers and federation technologies allow some attributes to be passed in the authentication assertion, and light, just-in-time provisioning can take place in real time, but this only works with the most rudimentary service providers. It gets really complicated when some kind of delegated administration or approval is required: an assertion can say which groups you belong to, but it cannot wait for Mr. Jones to approve your seat. The more the assertion is asked to carry, the more likely authentication itself breaks. Then, more importantly, if the federation still vouches for the user but the local account has been deprovisioned (or should have been), you get either a confused user who signed in to nothing, or, if the service provider never checks its own account state, a security breach.
The solution is integrated identity administration, where provisioning provides a uniform user experience across all systems. Membership in the federation allows the identity management architecture to unify authentication while still providing secure and fine-grained account creation, monitoring, change and, ultimately, deletion. Users and service providers enjoy federated authentication, which reduces credentials and repeated vetting, while authorization stays under control: the identity management layer pushes a curated set of attributes and roles into each application, giving a customized user experience and ensuring the application's view of the user is kept current.
Federation works best when role- and attribute-based identity management is already in place, providing the automated, even real-time, provisioning of accounts, removal of accounts, audit reporting and self-service infrastructure that mark a complete solution.
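To make the difference concrete, here is an added example that is not part of the original post: a toy service provider written for this page, not a real SAML or OIDC implementation. The issuer URL, group names and role names are all made up. It runs Sam L.'s visit two ways. In the "federation only" path the SP trusts the assertion's group attributes and just-in-time creates an account, so an approval-gated role is handed out immediately and a deprovisioned user keeps getting in as long as the IdP still vouches for him. In the "identity administration" path the assertion only authenticates; roles come from the locally managed account, approval-gated roles wait in a pending queue, and a deprovisioned account is refused even though the assertion is perfectly valid.

```python
"""Added example (not from the original post): federated authentication vs.
identity administration at a single service provider. Names and URLs are
constructed for the demo; no real federation library is used."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed: the one federation IdP this service provider trusts.
TRUSTED_ISSUERS = {"https://idp.fowt.example"}


@dataclass
class Assertion:
    """What the IdP hands the SP: who the user is plus a few attributes."""
    subject: str
    issuer: str
    groups: list
    expires_at: datetime


@dataclass
class Account:
    """The SP's own record, owned by identity administration, not by the IdP."""
    subject: str
    roles: set = field(default_factory=set)
    pending: set = field(default_factory=set)  # roles awaiting owner approval
    status: str = "active"                     # "active" or "deprovisioned"


class ServiceProvider:
    # Map IdP group attributes to local roles; some roles need a human approval.
    ROLE_MAP = {"fowt-members": "guest", "jones-inner-circle": "front-table"}
    NEEDS_APPROVAL = {"front-table"}

    def __init__(self):
        self.accounts = {}

    def verify(self, a, now=None):
        """Federation part only: is the assertion from a trusted IdP and current?"""
        now = now or datetime.now(timezone.utc)
        if a.issuer not in TRUSTED_ISSUERS:
            raise PermissionError("untrusted issuer")
        if now >= a.expires_at:
            raise PermissionError("assertion expired")

    # Path A: federation only. Roles are recomputed from the assertion on every
    # login and the local account is created on the fly ("light provisioning").
    def login_federation_only(self, a):
        self.verify(a)
        self.accounts.setdefault(a.subject, Account(a.subject))
        return {self.ROLE_MAP[g] for g in a.groups if g in self.ROLE_MAP}

    # Path B: federation authenticates, identity administration authorizes.
    def provision(self, a):
        """Create or refresh the local account from the assertion's attributes,
        parking approval-gated roles in a pending queue instead of granting them."""
        self.verify(a)
        acct = self.accounts.setdefault(a.subject, Account(a.subject))
        for g in a.groups:
            role = self.ROLE_MAP.get(g)
            if role is None:
                continue
            (acct.pending if role in self.NEEDS_APPROVAL else acct.roles).add(role)
        return acct

    def approve(self, subject, role):
        """The owner (Mr. Jones) signs off on a pending role."""
        acct = self.accounts[subject]
        if role in acct.pending:
            acct.pending.discard(role)
            acct.roles.add(role)

    def deprovision(self, subject):
        acct = self.accounts[subject]
        acct.status = "deprovisioned"
        acct.roles.clear()
        acct.pending.clear()

    def login_with_identity_admin(self, a):
        self.verify(a)
        acct = self.accounts.get(a.subject)
        if acct is None or acct.status != "active":
            raise PermissionError(f"no active local account for {a.subject}")
        return set(acct.roles)


def walk_through():
    """Run the post's scenario: Sam arrives, gets his seat, is later removed."""
    sp = ServiceProvider()
    expiry = datetime.now(timezone.utc) + timedelta(minutes=5)
    sam = Assertion("sam.l", "https://idp.fowt.example",
                    ["fowt-members", "jones-inner-circle"], expiry)

    fed_only_first = sp.login_federation_only(sam)   # front-table, no approval
    sp.provision(sam)
    idm_first = sp.login_with_identity_admin(sam)    # guest only, front-table pending
    sp.approve("sam.l", "front-table")
    idm_approved = sp.login_with_identity_admin(sam)

    # Sam is run out of town. The IdP still vouches for him (same valid
    # assertion), so the federation-only path keeps working; the IdM path refuses.
    sp.deprovision("sam.l")
    fed_only_after = sp.login_federation_only(sam)
    try:
        sp.login_with_identity_admin(sam)
        idm_after = "allowed"
    except PermissionError:
        idm_after = "denied"
    return {"fed_only_first": fed_only_first, "idm_first": idm_first,
            "idm_approved": idm_approved, "fed_only_after": fed_only_after,
            "idm_after": idm_after}
```

The deprovisioning step is the one to dwell on: both paths call the same `verify`, and it passes both times. Nothing in a well-formed assertion tells the service provider that the account behind it should no longer exist; only the locally administered account lifecycle does, which is why removal, approval and audit have to live in the identity management layer rather than in the assertion.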