Federation for Scaling Federated Identity
Most federated identity today consists of direct transactions between a single identity source and an application using it. Many use cases present the opportunity to scale further and faster by use of a federation, which consists of a set of identity providers and service providers that agree to work together under a common policy framework and the technical underpinnings required to make it run. Creation of a federation takes real consideration, but the time and expense involved in maintenance and operation after establishment is minimal, and the collective, cumulative workload for participating providers is considerably decreased.
Federations are most often used to solve the so-called “handshake problem”: in typical trust creation, each provider would need to establish a bilateral relationship with every other provider. The number of connections, and thus the amount of configuration, grows quadratically (n providers require n(n-1)/2 bilateral relationships) even as the number of interacting providers grows linearly. In a federation, each provider only needs to register and prove its identity once, and then all other federation members can rely on this information for fast and reliable connection creation and for assurance that a provider meets a set of standards and norms.
Federations offer other benefits. They can consolidate trust information for providers, keeping a distributed system coherent and allowing for rapid change, such as would be required if a keypair were compromised. They can operate as governing bodies for federated transactions, ensuring that there are mechanisms for dealing with conflicts between providers and, if need be, the exclusion of rogue operators. They can define attributes and, where required, limited vocabularies for those attributes, ensuring that all providers understand the meaning and purpose of data and valid values.
A typical federation will only track basic trust information, but many federations offer services above and beyond the bare necessities. These include maintenance of the attributes required by services and associated rationale, the attributes an identity source is equipped to provide, documentation of configuration necessary for interaction with specific members, facilitating the organization of federation members into categories or groups, or the operation of testing providers to facilitate the onboarding of new providers. They can also offer centralized discovery services, allowing users of shared applications to select their identity provider once for all the services in the federation, or perform routine availability and uptime checks.
A federation should also act as a vetting authority for providers, ensuring that any provider that is registered is actually authoritative for an organization or application that it claims to represent. A federation inherently advertises the services that are available to its members, ensuring each provider gets the most value from the created network effects.
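The registry functions described above (register once, consolidated trust information, key replacement after a compromise, exclusion of a rogue operator, and vetting of entity IDs) as a small constructed model, added here as an example and not code from Signet or any federation software; the entity IDs, domain list and key fingerprints are made-up values, and signing of the published aggregate is assumed to happen out of band.

```python
import json
from hashlib import sha256


class FederationRegistry:
    """Federation operator's registry: one record per vetted provider."""

    def __init__(self, vetted_domains):
        # Domains whose ownership the operator verified out of band; an entity
        # ID outside this set is refused (the vetting role described above).
        self.vetted = set(vetted_domains)
        self.providers = {}

    def register(self, entity_id, role, key):
        domain = entity_id.split("://", 1)[-1].split("/", 1)[0]
        if domain not in self.vetted:
            raise PermissionError(f"{entity_id}: organisation not vetted")
        if role not in ("idp", "sp"):
            raise ValueError(f"unknown role {role!r}")
        self.providers[entity_id] = {"role": role, "keys": [key], "active": True}

    def rotate_key(self, entity_id, new_key):
        # One registry change replaces a compromised key for every member.
        self.providers[entity_id]["keys"] = [new_key]

    def exclude(self, entity_id):
        # Rogue operator: record kept for audit but dropped from the aggregate.
        self.providers[entity_id]["active"] = False

    def publish(self):
        entities = {e: {"role": p["role"], "keys": list(p["keys"])}
                    for e, p in self.providers.items() if p["active"]}
        body = json.dumps(entities, sort_keys=True).encode()
        # Digest stands in for the operator's detached signature (not modelled).
        return {"entities": entities, "digest": sha256(body).hexdigest()}


def trusted_keys(aggregate, entity_id):
    """Member-side lookup: check the aggregate, then resolve a peer's keys."""
    body = json.dumps(aggregate["entities"], sort_keys=True).encode()
    if sha256(body).hexdigest() != aggregate["digest"]:
        raise ValueError("aggregate integrity check failed")
    if entity_id not in aggregate["entities"]:
        raise KeyError(f"{entity_id} is not an active federation member")
    return aggregate["entities"][entity_id]["keys"]


def handshake_cost(n):
    """Bilateral links for n providers vs. registrations in a federation."""
    return n * (n - 1) // 2, n
```

Members resolve every peer from the one published aggregate, so a key rollover or an exclusion is a single registry update rather than a change at each of the other n-1 providers.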
Federations have found the most traction in distributed, collaborative environments, most prominently in higher education and law enforcement. However, other deployment cases also lend themselves naturally to federation:
- Large and distributed organizations, or conglomerates and complex enterprises
- Industry or trade groups
- Dedicated collaborations or specific projects that span administrative boundaries
You can maximize the power of your federated identity by creating a federation. Signet’s principals have directly created or assisted in the formation of over a dozen federations serving different needs and communities, and we would be eager to help you explore whether a federation is a useful construct for your own deployment. Just contact us to get started.