Identity Federation

Identity Federation is the process of creating associations between different accounts belonging to the same principal, usually on different systems. It's a core part of the Liberty Alliance specifications.

As an example, let's assume that Alice has accounts with her bank and with her favourite discussion forum. On her bank's website she is identified by her account number 0815F00B4R, while on the discussion forum she is registered under her email address alice@wonderland.example. Let's suppose that both systems support the Identity Federation Framework (ID-FF) standards, with the banking system acting as the Identity Provider (IdP) and the forum system as a Service Provider (SP).

Through Identity Federation Alice can then associate the two accounts. During this process the bank creates an opaque identifier for Alice and communicates it to the forum software, where it is associated with Alice's account. Note that this identifier carries no more information than "this is the same principal that completed the identity federation procedure"; in particular, Alice's bank account number does not become known to the forum system.

Once federation has taken place, Alice can take advantage of the Single Sign-On service: she only needs to log in on her bank's website and will then also be recognized by the forum website.
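The following is an added example, not code from this page or from the Liberty Alliance specifications, that models the federation step and the subsequent recognition described above. The class and method names (IdentityProvider, ServiceProvider, federate, link, recognize) are assumptions; what it shows is that the identifier the bank hands to the forum is random and specific to that one service provider, so it can neither reveal the account number nor be correlated with the identifier issued to another provider.

```python
import secrets


class IdentityProvider:
    """Bank acting as IdP (constructed, simplified model; not ID-FF reference code)."""

    def __init__(self):
        self._federations = {}  # (sp_id, account_number) -> opaque name identifier
        self._by_nameid = {}    # (sp_id, name_id) -> account_number

    def federate(self, account_number, sp_id):
        """Issue (or return the existing) opaque identifier for this principal at this SP."""
        key = (sp_id, account_number)
        if key not in self._federations:
            # Random, not derived from the account number: the SP learns nothing
            # beyond "same principal as before", and each SP gets its own value.
            name_id = secrets.token_urlsafe(24)
            self._federations[key] = name_id
            self._by_nameid[(sp_id, name_id)] = account_number
        return self._federations[key]

    def resolve(self, sp_id, name_id):
        """Only the IdP can map a name identifier back to the local account."""
        return self._by_nameid.get((sp_id, name_id))


class ServiceProvider:
    """Forum acting as SP: stores only the link from name identifier to its own account."""

    def __init__(self, sp_id):
        self.sp_id = sp_id
        self._links = {}  # name_id -> local account (e-mail)

    def link(self, name_id, local_account):
        self._links[name_id] = local_account

    def recognize(self, name_id):
        """Single Sign-On: the IdP asserts name_id after Alice logged in at the bank."""
        return self._links.get(name_id)


def demo():
    bank = IdentityProvider()
    forum = ServiceProvider("forum.example")   # constructed SP identifiers
    shop = ServiceProvider("shop.example")
    nid_forum = bank.federate("0815F00B4R", forum.sp_id)
    forum.link(nid_forum, "alice@wonderland.example")
    nid_shop = bank.federate("0815F00B4R", shop.sp_id)
    return {
        "forum_user": forum.recognize(nid_forum),                        # SSO works
        "stable": bank.federate("0815F00B4R", forum.sp_id) == nid_forum,  # same id each time
        "unlinkable": nid_forum != nid_shop,                             # differs per SP
        "no_leak": "0815F00B4R" not in nid_forum,                        # account number hidden
        "foreign_id": forum.recognize(nid_shop),                         # shop's id is useless at forum
    }
```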