Thanks to Phil Windley for the mention of my talk yesterday and my related post. His brief abstract may lead people to think something I didn’t intended, so herewith a bit of explanation. Phil’s summary says ‘Federated identity is about distributing identity information in the “right” way.’ I do have a slide that’s headed ‘When you “distribute” identity tasks and information in the right way…’, but this was not intended to be a value judgment about particular technologies — it was just intended to say that satisfying all the use cases at once can be a tricky proposition.
Maybe it’s worth expanding a bit on the point I made about federation yesterday. In its broad definition, federation (“federated identity”) is just the distribution of identity information and tasks across multiple software components, typically in different security domains (which is where much of the trickiness comes in). In that sense, we’re all doing federation, sort of. The narrow definition (“identity federation”) is about account linking, which you can do in the open (e.g., an OpenID relying party could have a local account for the user, which it links to the user’s identifier sent in the clear by the identity provider) or in a privacy-sensitive way (e.g., whenever an identity provider ever hands a relying party a version of the user’s identifier that only the IdP and RP can understand). Some people seem to have an allergy to the notion of a “circle of trust”, but since an RP is always in the position of trusting the IdP, there’s at least that much trust in a tiny “circle” like this.
Does Federated Identity sometimes require Federated Authorization? Would be a great topic for your next blog entry…
Hmm, I’m not quite sure what you mean by your question, but I was planning to write up some thoughts from a session I attended yesterday on “adding OpenID to existing applications”, which delved pretty far (and interestingly) into federation/account-linking use cases. Perhaps it will explore the topic you had in mind. So stay tuned for that!
Looks like Pat got there first, talking about two typical models for distributing authorization using the Sun-BIPAC example.