Understanding 'Authentication' and 'Identity Federation'
Naohiro Fujie, MVP for Enterprise Mobility

Confusion...
• Identity = Authentication ??
• Authentication = Single Sign On ??
• Federation ??
What is 'Identity' - Johari Window
• We want to recognize the existence of an 'Entity' such as a person, a computer, or another physical thing.
• But we cannot recognize an 'Entity' directly, since the 'Entity' is different from ourselves.
• Also, we cannot recognize every part of our own 'Entity'.
Source: Wikipedia https://en.wikipedia.org/wiki/Johari_window

Recognize 'Entity' through 'Identity'
• 'Identity' is not only an 'Identifier' but a set of attributes.
• An identifier is one attribute, or a set of attributes, of the entity that separates it from other entities.
• Ex) If there is no other 'Fujie-san' around here, the surname can be used as an identifier, but at my home we cannot use the surname as an identifier.
• We recognize an 'Entity' through recognizing its attributes.
[Figure: an Entity is recognized through its Identity, a set of attributes: Name, Company, Hair Style, Height, Loves Heavy Metal]
Identity related keywords
• Authentication
  - To check whether an entity is valid or not.
  - Major protocols are RADIUS, Kerberos, OpenID.
• Federation
  - To federate (pass) identity-related information to other entities.
  - By federating the AuthN result and attributes to another entity (system), the user can Single Sign On between entities.
  - Major protocols are SAML, OpenID Connect.
[Figure: Authentication and Federation flow]
  - User: entity to be verified
  - Computer system A: entity which needs to validate an entity; holds the user's attributes (Name, Password)
  - Computer system B: federated with system A; holds the user's attributes (Name, Company)
  1. Name/Password (User -> system A)
  2. Verify (system A)
  3. Generate AuthN result (system A)
  4. Access (User -> system B)
  5. Federate AuthN result (system A -> system B)
  6. SSO (User at system B)

Role of Identity & Access Management
• Identity Management System's role
  - Provide trustworthy identities to other systems.
  - How? ex) by importing data from the HR system; app admins provide app-specific attributes.
• Authentication System's role
  - Verify the validity of the user.
  - How? ex) Password + SMS notification
• Application's role
  - Authorize the user's access.
  - How? ex) Change the user's role according to the department and title attributes of the user.
• Trust means...
  - Externalize and delegate a feature to another system, and trust the response from that system.
[Figure: the Identity Management System provides common attributes and app-specific attributes to Applications and credentials to the Authentication System; the Authentication System provides the AuthN result to Applications; Applications and the Authentication System are linked by Trust/Federation]
Note) Users can SSO across apps if these apps trust the same authN system.
Federation is based on inter-system 'Trust'.