Brief Description

More and more, universities, companies, and government agencies offer services and collaborate online.
The single most important security safeguard for those tasks is the authentication of the user's identity. That is, the service provider must ensure that the person performing those tasks is the authorized user, not an impostor. That is where user IDs and passwords come into play: as credentials to prove identity and as a prerequisite for authorized access to applications.

Within an enterprise, Single Sign-On (SSO) for all its applications in one login pass makes logistical and economic sense. When users from multiple institutions need to access these applications, the SSO of each institution can be extended to allow access to these applications outside of institutional walls in a standardized way.

A federation is a set of agreements which allow an organization to trust the authentication provided by a separate organization and provide authorization based on that authentication result. The goal of federation is to allow users to access resources in multiple organizations in a seamless manner.

Combined, federation and SSO yield federated SSO: a user's local credentials grant access to remote services.

Generic Functional Requirements

Support for:
  • Federation metadata repository
  • Local user/password login
  • Remote login
  • Database, LDAP connectors for identity information
  • Individual/collective relying party configurations
  • Attribute mapping
  • Assertion signing
  • HTTP bindings (POST, POST-SimpleSign, Redirect) and back-channel attribute release
  • Identity provider attribute push/pull
  • Discovery/WAYF service
  • Apache and other web servers
  • Java-based

Standards Support and Integration Considerations

Key Design Considerations

Technical Solutions

Case Studies

Specific Products
