An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access to and use of the resources. Many organisations use Authentication and Authorisation Infrastructures (AAIs) to build a trusted environment where users can be identified electronically using a single identity. These systems can also contain information about a user's access rights based on attributes characterising their role. Resource owners (service providers) may use these federated environments to control federation participants’ access to the provided resources.
In simple terms, Identity Federations are an identity management systems that gathers national education and research institutions, through their databases integration. This means that the user can access the services of their institution and the ones offered by other participating organizations from wherever they are, through a single sign-on account. This authentication eliminates the need for multiple access passwords and registration processes, generating a trusting relationship. Distance learning services, access to scientific publications and collaborative activities are among the biggest beneficiaries of the infrastructure offered by federations.
Institutions belonging to a national Identity Federation may act as identity providers (IdP) and as service providers (SP). The National Research and Education Networks (NRENs) are responsible for managing and keeping the centralized repository with data on federation members.
Benefits
- It is not necessary to register in different systems or manage different passwords;
- Steadier navigation, without the need to authenticate every step;
- Control over data privacy;
- For the identity provider, the service infrastructure (database and software) may be used to control the access to internal services of the institution, creating a single point for the many offered resources (libraries, academic management systems etc.);
- For the service provider, the register used can be managed by other institutions (identity providers), with the guarantee of information reliability and updating. They undertake explicitly to maintain the information provided updated, contrary to what happens with solutions in replicated registers.
How it works
A federated authentication and authorization infrastructure (AAI) is consisted of two main elements: the identity providers, responsible for maintaining information about users and their authentication; and service providers, which offer access to a specific feature or service. The interaction between both is a relationship of trust, because one needs to believe in the quality of data provided by the other, to ensure that these are only used for the agreed purposes.
When accessing a certain service provider, the user is redirected to a page that presents a list of identity providers. The user then choose his home institution and the browser is redirected to this institution’s identity provider. After the user is authenticated, the identity provider sends this authentication result to the service provider and creates a session associated to the user, so that accesses to new services within a given time interval do not generate new authentication requests.