Introduction to Identity Federation
Token expiration and renewal
After a token has been issued, the application can revoke the OAuth token at any time. From that moment on, the token is no longer accepted.
Conversely, the application can extend the validity period by requesting a new token. To obtain it, the client application uses the renewal (refresh) token that was received together with the OAuth and OpenID-Connect tokens.
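The lifecycle described above (issue, transparent renewal with the refresh token, and revocation), as an added example that is not part of the original page or of Soffid's own code. Both the authorization server and the client are simulated in memory with a fake clock so the exchange runs offline; the token lifetime, the `app-1` client id and the single-use rotation of refresh tokens are assumptions of the example.

```python
"""Constructed OAuth 2.0 token lifecycle: issue, refresh (RFC 6749 section 6)
and revoke (RFC 7009). Everything is in-memory; no network calls are made."""
import secrets
import time

TOKEN_LIFETIME = 3600  # seconds; assumed access-token validity


class AuthorizationServer:
    """Minimal in-memory authorization server (constructed for illustration)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}    # access token -> (client_id, expiry, refresh token)
        self.refresh = {}   # refresh token -> client_id

    def _issue(self, client_id):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (client_id, self.clock() + TOKEN_LIFETIME, rt)
        self.refresh[rt] = client_id
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "refresh_token": rt}

    def token_endpoint(self, params):
        grant = params.get("grant_type")
        if grant == "authorization_code":
            # Code validation is omitted; the example is about the lifecycle.
            return self._issue(params["client_id"])
        if grant == "refresh_token":
            # Refresh tokens are single-use here: a replayed one is rejected.
            client_id = self.refresh.pop(params.get("refresh_token"), None)
            if client_id is None or client_id != params.get("client_id"):
                return {"error": "invalid_grant"}
            return self._issue(client_id)
        return {"error": "unsupported_grant_type"}

    def revoke_endpoint(self, params):
        """Revoking a refresh token also invalidates the access tokens tied to it."""
        token = params.get("token")
        self.access.pop(token, None)
        if self.refresh.pop(token, None) is not None:
            for at in [a for a, (_, _, rt) in self.access.items() if rt == token]:
                del self.access[at]
        return {}  # RFC 7009: the endpoint answers 200 regardless

    def introspect(self, access_token):
        """Resource-server check: is this bearer token still usable?"""
        entry = self.access.get(access_token)
        return entry is not None and self.clock() < entry[1]


class Client:
    """Client that renews shortly before expiry and revokes on logout."""

    def __init__(self, client_id, server, clock=time.time, skew=60):
        self.client_id, self.server, self.clock, self.skew = client_id, server, clock, skew
        self.tokens, self.expires_at = None, 0.0

    def _store(self, resp):
        if "error" in resp:
            raise RuntimeError(resp["error"])
        self.tokens = resp
        self.expires_at = self.clock() + resp["expires_in"]

    def login(self):
        self._store(self.server.token_endpoint({"grant_type": "authorization_code",
                                                "client_id": self.client_id,
                                                "code": "constructed-code"}))

    def access_token(self):
        if self.clock() >= self.expires_at - self.skew:   # renew before it lapses
            self._store(self.server.token_endpoint({"grant_type": "refresh_token",
                                                    "refresh_token": self.tokens["refresh_token"],
                                                    "client_id": self.client_id}))
        return self.tokens["access_token"]

    def logout(self):
        self.server.revoke_endpoint({"token": self.tokens["refresh_token"],
                                     "token_type_hint": "refresh_token"})


def demo():
    now = [1_000_000.0]                     # constructed fake clock (seconds)
    clock = lambda: now[0]
    server = AuthorizationServer(clock)
    client = Client("app-1", server, clock)
    client.login()
    first = client.access_token()
    results = {"fresh_valid": server.introspect(first)}
    old_rt = client.tokens["refresh_token"]
    now[0] += TOKEN_LIFETIME + 1            # let the access token expire
    results["expired_rejected"] = server.introspect(first)
    second = client.access_token()          # client renews transparently
    results["renewed"] = second != first and server.introspect(second)
    replay = server.token_endpoint({"grant_type": "refresh_token",
                                    "refresh_token": old_rt, "client_id": "app-1"})
    results["old_refresh_rejected"] = "error" in replay
    client.logout()
    results["revoked_after_logout"] = not server.introspect(second)
    return results


if __name__ == "__main__":
    print(demo())
```

The resource server never trusts a bearer token by its presence alone: `introspect` checks both that the token is still registered and that it has not expired, which is what makes revocation effective on the server side even though the client still holds the string.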
https://confluence.soffid.com/display/SOF/Web+services+reference
https://confluence.soffid.com/display/SOF/Connecting+Office+365
What is Identity Federation?
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
It is related to single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management: it covers only authentication, is understood at the level of technical interoperability, and would not be possible without some form of federation.
With identity federation, the applications are separated from the login and permission-granting process. Currently there are two mainstream identity federation standards: SAML and OpenID-Connect.
SAML (Security Assertion Markup Language)
It is an identity federation protocol, born in 2001 and published in 2005. The design of SAML is highly secure and based on the technologies in use at the beginning of this century. It uses XML tokens, signed and optionally encrypted using the XML-DSig standard, and uses SOAP as its transport protocol.
SAML is an important component of many SSO systems that allow users to access multiple applications, services or websites from a single login process. SAML allows security credentials to be shared across systems.
Visit the SAML Chapter for more information.
OpenID-Connect
It is an identity layer on top of the OAuth 2.0 protocol. OpenID-Connect is based on more modern protocols. It uses JSON tokens, signed and optionally encrypted using the JWT standard, and uses plain REST as its transport protocol.
It is sometimes referred to simply as OpenID, but it must not be confused with the older, deprecated standard of the same name.
Visit the OpenID-Connect Chapter for more information.
The main differences between SAML and OpenID-connect
- OpenID-connect uses simple form encoding or JSON rather than complex XML documents.
- OpenID-connect does not encrypt or sign requests or responses. Instead, it uses simple username/password authentication and relies on HTTPS transport security.
- OpenID-connect requires server-to-server communication to transfer security tokens. SAML allows this kind of communication, but does not require it.
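The signed JSON token format that the OpenID-Connect section above describes, as an added example that is not part of the original page or of Soffid's code. It builds and verifies an ID token with only the Python standard library, so it uses the HS256 (HMAC) algorithm with an assumed shared client secret; real identity providers more commonly use RS256 with keys published at their JWKS endpoint, but the claim checks are the same. The issuer URL, subject and audience values are constructed.

```python
"""Constructed example: sign an OpenID-Connect ID token as a JWT (HS256) and
verify it the way a relying application should: signature, alg, iss, aud, exp."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if every check passes; raise TokenError otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_unb64url(h_b64))
    if header.get("alg") != "HS256":          # never let the token pick 'none'
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(p_b64))     # parse claims only after the signature holds
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims


def demo():
    key = b"constructed-shared-client-secret"   # assumed HS256 client secret
    now = 1_700_000_000
    claims = {"iss": "https://idp.example", "sub": "alice", "aud": "app-1",
              "iat": now, "exp": now + 300}
    token = sign_id_token(claims, key)
    results = {"valid_sub": verify_id_token(token, key, "https://idp.example", "app-1", now)["sub"]}

    def rejects(tok, issuer="https://idp.example", audience="app-1", at=now):
        try:
            verify_id_token(tok, key, issuer, audience, at)
            return False
        except TokenError:
            return True

    h, p, s = token.split(".")
    forged = _b64url(json.dumps(dict(claims, sub="bob")).encode())   # payload swapped
    results["tampered_rejected"] = rejects(f"{h}.{forged}.{s}")
    results["expired_rejected"] = rejects(token, at=now + 301)
    results["wrong_aud_rejected"] = rejects(token, audience="app-2")
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')             # unsigned variant
    results["alg_none_rejected"] = rejects(f"{none_header}.{p}.")
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled payload is never trusted, and `hmac.compare_digest` keeps the signature comparison constant-time.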
Federation members
Entity Group
An entity group is just like a folder that allows you to manage different kinds of federation members. One of the most common ways to group federation members is by trust level.
Identity Provider
An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.
An Identity Provider is responsible for identifying users. It is also responsible for giving service providers information about the identified user.
To create an identity provider, it is advisable to install a dedicated sync server. It can be configured as a proxy sync server as it does not need direct access to Soffid database. Instead, it will connect to main sync server to get users and federation information.
For more information about how to configure a dedicated sync server, visit the Install Sync server page.
Virtual Identity Provider
A single identity provider usually offers different profiles or service levels to different service providers. To define this behavior, any Identity Provider can be split into many virtual identity providers. Those virtual identity providers are served by the same actual identity provider, but each has its own profile configuration.
Service Provider
Service Providers are standard application servers that rely on Identity Providers to let users log in.