Understandably, over the last couple of years there has been a slow shift in the access management community to talk more about identity management than access management. The two definitely go hand in hand, but I think we need to be careful about what we actually mean when we use the terms. A trend has started which takes the term federated access and replaces it wholesale with federated identity. I think this is a mistake, as I think the two are actually very different things.
Federated access is all about allowing disparate systems to accept the same access credentials. It makes use of identity information to ensure that the correct authorisation decisions are made, but at the end of the day its primary focus is on ensuring that users are effectively connected to the resources and services that they require access to.
The entry on Wikipedia for federated identity is interesting:
In information technology, federated identity has two general meanings:
- The virtual reunion, or assembled identity, of a person’s user information (or principal), stored across multiple distinct identity management systems. Data are joined together by use of the common token, usually the user name.
- A user’s authentication process across multiple IT systems or even organizations.
I don’t agree with this. I think the first point describes federated identity very well. I think the second point describes federated access. The main difference is that federated access as currently used tends to a) rely on one identity source and b) focus on access provision rather than identity information. A federated identity system should take us into the world of multiple identity sources providing both access and identity solutions – such as managing personalisation features, loyalty schemes, recommendations etc.
Whilst we have federated access in place within the UK, federated identity is definitely the next step. We need to be able to allow users to call identity information from different places and we need to be able to effectively combine user-managed identities with affiliation-managed identities. Technologies like Information Cards are an interesting step on this path – but are still complex for end-users to navigate. I still think there is a different technological solution around the corner that may help us more effectively tackle this challenge…and will wait with interest to see it!
In the meantime, don’t forget that JISC is looking for projects under its latest innovation call. These could tackle both federated access and federated identity and who knows, may produce that elusive new direction!
5 comments
Trackback link
http://access.jiscinvolve.org/wp/federated-access-or-federated-identity/trackback/
September 17, 2009 at 9:13 am
Rhys Smith
Agree with your points here, Nicole.
Have to say though, Federated Identity management conceptually presents no new challenges to those seen in “standard” identity management, since an IDM system that connects to multiple sources of identity information (e.g. student records and HR systems) is essentially federated identity already – just within a single organisation.
Compare the definition of federated identity – assembled identity of a person’s user information stored across multiple distinct identity management systems – with what IDM within an organisation usually involves – the assembled identity of a person’s user information stored across multiple distinct authoritative identity sources.
So the challenges of federated identity and IDM are the same – matching identity of records in different systems as belonging to the same person, mapping of identity information stored in different types and formats between these systems, propagation of changes, calculating which system is authoritative, etc etc.
The obvious main difference may be that now each IDM system is run by separate organisations, rather than each back end data source being run by a single organisation – and getting cooperation between different organisations to get federated identity set up may be more difficult than getting cooperation between (for example) different departments within the same organisation. On the other hand, seeing how internal politics often hampers this kind of thing within a university/college, maybe even this difference isn’t all that big!
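The joining process Rhys describes above (matching records in different systems by a common token, mapping attributes between them, deciding which system is authoritative, propagating changes), together with the post's point about combining user-managed identities with affiliation-managed ones, can be shown in code. The following is an added example and is not code from the post, the commenter or JISC; the source names `hr`, `student` and `profile`, the attribute names, the sample records and the `AUTHORITY` policy table are all constructed assumptions. The check it adds that a practitioner would want is that the user-managed profile is never allowed to supply affiliation or institutional mail, so a self-asserted `affiliation: staff` is reported and discarded rather than merged into the identity.

```python
"""Assemble one federated identity from several identity sources.

Added example: source names, attribute names, sample records and the
AUTHORITY policy table are all constructed for illustration.
"""
import copy

# Constructed sample identity sources, each keyed by the common token
# (the username). "hr" and "student" are affiliation-managed systems of
# record; "profile" is user-managed, i.e. self-asserted by the user.
SOURCES = {
    "hr": {
        "jsmith": {"displayName": "Jane Smith", "mail": "j.smith@example.ac.uk",
                   "affiliation": "staff", "department": "Physics"},
    },
    "student": {
        "jsmith": {"displayName": "J Smith", "affiliation": "student",
                   "course": "PHYS701"},
        "akumar": {"displayName": "Anil Kumar", "mail": "a.kumar@example.ac.uk",
                   "affiliation": "student", "course": "CHEM101"},
    },
    "profile": {
        "jsmith": {"displayName": "Jane", "preferredLanguage": "cy",
                   "affiliation": "staff",            # self-asserted: ignored
                   "mail": "jane@personal.example"},  # self-asserted: ignored
    },
}

# Assumed policy: for each attribute, a merge rule and the sources allowed to
# supply it, in precedence order. "first" takes the highest-precedence value
# present; "union" keeps every authoritative value (multi-valued attribute).
# A source not listed for an attribute is never consulted for it, so the
# user-managed profile cannot assert an affiliation or institutional mail.
AUTHORITY = {
    "affiliation":       ("union", ["hr", "student"]),
    "mail":              ("first", ["hr", "student"]),
    "department":        ("first", ["hr"]),
    "course":            ("first", ["student"]),
    "displayName":       ("first", ["profile", "hr", "student"]),
    "preferredLanguage": ("first", ["profile"]),
}


def assemble_identity(username, sources=SOURCES, authority=AUTHORITY):
    """Join the records that share `username` into one identity.

    Returns (identity, provenance, rejected): the merged attribute values,
    the source(s) each value came from, and the (source, attribute) pairs
    discarded because that source is not authoritative for that attribute.
    """
    present = {name: recs[username] for name, recs in sources.items()
               if username in recs}
    if not present:
        raise KeyError(f"no source holds a record for {username!r}")

    identity, provenance = {}, {}
    for attr, (policy, allowed) in authority.items():
        values = [(src, present[src][attr]) for src in allowed
                  if src in present and attr in present[src]]
        if not values:
            continue
        if policy == "first":
            provenance[attr], identity[attr] = values[0]
        elif policy == "union":
            merged = []
            for _, value in values:          # de-duplicate, keep precedence order
                if value not in merged:
                    merged.append(value)
            identity[attr] = merged
            provenance[attr] = [src for src, _ in values]
        else:
            raise ValueError(f"unknown merge policy {policy!r}")

    # Default deny: anything a source supplied without being listed as
    # authoritative for it (including attributes absent from the policy
    # table altogether) is dropped and reported, never silently merged.
    rejected = sorted((src, attr) for src, record in present.items()
                      for attr in record
                      if src not in authority.get(attr, ("first", []))[1])
    return identity, provenance, rejected


def propagate_change(source, username, attr, value, sources):
    """Apply a change in one source and report which attributes of the
    assembled identity changed as a result. A change in a source that is
    not authoritative for the attribute propagates nowhere."""
    before, _, _ = assemble_identity(username, sources)
    sources[source].setdefault(username, {})[attr] = value
    after, _, _ = assemble_identity(username, sources)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def clone_sources():
    """A private copy of the sample sources to run changes against."""
    return copy.deepcopy(SOURCES)


if __name__ == "__main__":
    identity, provenance, rejected = assemble_identity("jsmith")
    for attr, value in identity.items():
        print(f"{attr:18} {value!r:32} from {provenance[attr]}")
    print("rejected:", rejected)
    live = clone_sources()
    print("HR change:", propagate_change("hr", "jsmith", "department", "Chemistry", live))
    print("profile change:", propagate_change("profile", "jsmith", "mail", "x@example", live))
```

Two design choices carry the security point. The policy table is default-deny: an attribute with no entry is rejected from every source, and a change made in a non-authoritative source (here, the user editing their own mail) produces no change in the assembled identity, while a change in HR does propagate. Matching is by username only, exactly as in the quoted definition ("usually the user name"); if two sources can issue the same username to different people, that join key is not safe and a stronger identifier must be agreed between the organisations before records are merged.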
September 17, 2009 at 7:38 pm
David Harrison
Thanks Nicole and Rhys, very helpful. Presume you’re now going to “correct” wikipedia?
September 18, 2009 at 2:34 pm
David Harrison
Thanks to both Rhys and Nicole on this one. I’m presuming that you’ll now be submitting an edit to wikipedia ??
September 18, 2009 at 3:44 pm
David Harrison
However, I ought to also add a link to this recent briefing paper from Educause
September 23, 2009 at 11:55 am
nicole
Thanks for the link David. I don’t disagree with anything the Educause briefing says, but what they describe is in my mind only well managed federated access. It assumes that there is a single identity domain for the user, and that the user is willing for this to be their institution. In very simple use cases within the ‘edu’ world we can manage this well, and I can see a path for better management of current distributed identity silos within the academic arena working well. What concerns me is multiple identity silos in multiple domains both inside and outside the edu world. How and where does the user establish their preferred domain and manage all of the relevant affiliated and non-affiliated authorisations from this domain?