SOA patterns: proposal for federated identity

Goal: to enable single-sign-on for services and applications residing in different enterprises and in the cloud.

How can one achieve single-sign-on for services and applications residing in different enterprises and in the cloud?

The proposed solution, Federated Identity, is another candidate SOA pattern that has been submitted to, and is being considered by, the SOA patterns community process. If approved, it will be added to the established SOA patterns outlined at and in the book SOA Design Patterns (coordinated by Thomas Erl).

Candidate SOA pattern: Federated Identity

At issue: Direct authentication is impractical when consumers need to access a large number of services within an enterprise. Brokered authentication effectively solves that problem by creating an enterprise resource that handles authentication on behalf of the rest of the services. This relieves the business services of the task of identifying users and makes single-sign-on possible for the enterprise. However, in many cases users need to use services across enterprise borders and even services that reside in the cloud. These services do not accept tokens (or credentials) issued by your authentication broker.

Solution: Establish a trust relationship between your Authentication Broker and the Authentication Broker of the business services that your users need to access. Use tokens issued by your own Authentication Broker to obtain tokens from the other Authentication Broker, and send those obtained tokens to the business services that don't accept your tokens.

Application: The kind of Authentication Broker normally used in this setting is a Security Token Service (STS) that issues SAML tokens. Since SAML is a widely adopted, technology-agnostic standard, STSs that trust each other can understand the tokens (SAML tickets) of the other party and can therefore create a new token based upon the token of the other party.
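
The token exchange described in the Solution and Application paragraphs, as an added example that is not part of the original proposal. HMAC-signed JSON claims stand in for signed SAML assertions (a real STS would sign with asymmetric keys so the partner holds only a verification key); the names home-sts, partner-sts and orders-service and both keys are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def sign(claims, key):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def verify(token, trusted, audience, now=None):
    """Return the claims only if the token is signed by a trusted issuer,
    addressed to `audience`, and not expired."""
    body, _, mac = token.partition(b".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    key = trusted.get(claims.get("iss"))          # trust list: issuer -> key
    if key is None:
        raise PermissionError("issuer not trusted")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("bad signature")
    if claims.get("aud") != audience:             # token meant for someone else
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("expired")
    return claims

def issue(issuer, key, subject, audience, ttl=300, now=None):
    now = time.time() if now is None else now
    return sign({"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}, key)

def exchange(token, sts_name, sts_key, sts_trusts, service):
    """Partner STS: validate the foreign token, then issue its own token
    for `service`, recording which broker vouched for the subject."""
    claims = verify(token, sts_trusts, audience=sts_name)
    return issue(sts_name, sts_key, f"{claims['sub']}@{claims['iss']}", service)

# Constructed keys and trust lists (illustrative values only).
HOME_KEY, PARTNER_KEY = b"constructed-home-key", b"constructed-partner-key"
PARTNER_TRUSTS = {"home-sts": HOME_KEY}         # the federation trust relationship
SERVICE_TRUSTS = {"partner-sts": PARTNER_KEY}   # service accepts only its own broker

def demo():
    home_token = issue("home-sts", HOME_KEY, "alice", "partner-sts")
    partner_token = exchange(home_token, "partner-sts", PARTNER_KEY,
                             PARTNER_TRUSTS, "orders-service")
    return verify(partner_token, SERVICE_TRUSTS, "orders-service")

if __name__ == "__main__":
    print(demo())
```

The business service never sees the home broker's key: it rejects a home-sts token presented directly and accepts only the token that partner-sts issued after validating the original.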

SOA proponents, enterprise architects, and IT professionals are invited to submit patterns they have identified for potential inclusion. SOA design patterns typically represent field-tested solutions, organize intelligence into referenceable formats, and are intended to be repeatable by IT professionals.