'

Standards group working on ID federation recipes to ease implementation

Goal is to cut complexity in rolling out federation for cloud-based identity and access management

A group building open identity standards is crafting recipes that help identity providers and application developers quickly configure infrastructure to support stronger access controls that provide a single sign-on to cloud-based and mobile applications.

The OpenID Foundation, which develops and promotes standards for internet-based identity, last week introduced an initiative called Fast Federation. The idea is to craft sets of directions to explicitly walk enterprises, identity providers (IdP), and developers through steps to build federation into their identity infrastructure and cloud-based or mobile apps. Fast Federation hopes to eliminate mistakes, ignite federation roll outs, and to cut the number of passwords a user needs.

"Federated identity is maturing as a strategic option for enterprise architects working on interoperability across disparate systems," said Don Thibeau, executive director of the OpenID Foundation. "The mission and membership of the OpenID Foundation "Fast Fed" Working Group reflects the high priority industry leaders place on a common approach to this complex challenge."

Identity federation supports the concept of single sign-on (SSO), which allows a user to log-in within their enterprise network or identity provider (IdP) and leverage that same authentication to gain access to any number of cloud-based apps and services.

Federation is a known identity concept with some lingering issues, namely that it can be tricky for enterprises and IdPs to configure and for developers to build into their applications. Fast Federation hopes to harness the collective wisdom gained by those that have already implemented federation. Noted identity expert Dick Hardt, who is the author and editor of the OAuth 2.0 identity standard, is leading the OpenID Foundation group.

With Fast Federation, prescriptive "recipes" will dictate the federation technologies that an app or IdP needs, including well-known identity standards such as the Security Assertion Markup Language (SAML), OAuth 2.0, OpenID Connect, and System for Cross-Domain Identity Management (SCIM). New apps that follow Fast Federation recipes will be able to plug into IdPs that have followed the same principals, therefore eliminating one-off integrations that slow federation adoption.

The group is still working on initial "profiles" that will ensure best practices are followed. The recipes will address configurations as simple as just knowing a user's identity and why they need to use an application to detailing permissions a user needs to access a resource. Other more sophisticated recipes will consider requirements for pre-provisioning a user before SSO can happen.

The recipes will guide users to the best federation technologies for the way an application operates. The group, however, is not creating a brand new specification, but intends to fill the gaps between existing specifications focusing on current technologies.