Federation Management Concepts

The Federation Management module built into the Identity Server is designed to be compatible with the Liberty Alliance Project’s specifications. A number of concepts are derived from these specifications. For clarification, definitions of these concepts are provided in this section.

Authentication Domain (Circle of Trust)

An authentication domain, also known as a circle of trust, is a federation of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements and with whom users can transact business in a secure and apparently seamless environment.

Entity Descriptor

An entity descriptor represents an entity in the Federation metadata. In Identity Server’s Federation implementation, there are two types of entity descriptors:

Affiliation

An affiliation is a set of one or more entities, described by Provider IDs, who may perform Liberty interaction as a member of the set. An affiliation is referenced by one Affiliation ID and is managed by one entity. Members of an affiliation may invoke services either as a member of the affiliation (using the Affiliation ID), or individually (using the Provider ID).

Service Provider

A service provider is an entity that provides services and/or goods to principals.

Identity Provider

An identity provider is a Liberty-enabled entity that creates, maintains, and manages identity information and authentication for principals to other service providers within a circle of trust.

Principal

A principal is an entity that can acquire a federated identity, is capable of making federation decisions, and on whose behalf authenticated actions are performed. Examples of principals include an individual user, a group of individuals, a corporation, another legal entity, or a component of the Liberty architecture.

Remote Provider

A remote provider is a service provider or identity provider that is not hosted by the current installation of Identity Server, but is Liberty-enabled, either by another (remote) installation of Identity Server, or by another implementation of the Liberty specification.

Hosted Provider

A hosted provider is either a service provider or an identity provider that is Liberty-enabled by the current, or present, installation of Identity Server.

Metadata

Metadata is the set of required data for configuring the policies that govern the behavior of a service provider or identity provider. Liberty specifications define the metadata attributes for service providers and identity providers.

Federated Identity

A federated identity is the amalgamation of the account information held by all of the service providers that one user accesses (personal data, authentication information, buying habits and history, shopping preferences, and so on). The user administers this information; with the user’s consent, the privilege to access it is securely shared with the providers the user chooses.

Federation Termination

Users have the ability to terminate federations. Federation termination (or defederation) results in the cancellation of affiliations established between the user’s identity provider and federated service provider accounts.

Name Identifier

To help preserve anonymity, identity federation maps a user’s account information across a number of service and identity provider organizations. The user’s identity is exchanged between the identity and service providers using a pseudonym or name identifier. Neither the identity provider nor the service provider should have knowledge of the user’s actual identity.

Single Logout

When a user logs out from an Identity Provider or a Service Provider, they will effectively be logged out from all service providers or identity providers in that authentication domain.

Single Sign-on

Single sign-on is established when a user with a federated identity authenticates to an identity provider. Because the user has previously opted in to federation, they can access affiliated service providers without having to re-authenticate.
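The name identifier, federation termination, single logout and single sign-on definitions above describe one set of interactions between the providers of a circle of trust. The following toy model, added here as an illustration and not code from Identity Server or the Liberty specifications, puts those interactions side by side: the identity provider mints a random pseudonym per service provider, so no two service providers receive the same identifier for the same principal; single sign-on succeeds only while an identity provider session exists and a federation is in place; single logout ends the sessions at every federated service provider at once; and defederation removes the pseudonym binding so a later assertion is refused. Provider IDs, user names and account names are constructed for the example.

```python
"""Toy model of Liberty-style federation concepts (added illustration, not
Identity Server code). Provider IDs, users and accounts are constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    """A service provider in the circle of trust. It only ever handles the
    pseudonym (name identifier), never the identity provider's local user name."""
    provider_id: str
    accounts: dict = field(default_factory=dict)   # name identifier -> local SP account
    sessions: set = field(default_factory=set)     # name identifiers with an active session

    def link(self, name_id: str, local_account: str) -> None:
        """Federate: bind the opaque pseudonym to a local account at this SP."""
        self.accounts[name_id] = local_account

    def unlink(self, name_id: str) -> None:
        """Federation termination on the SP side: drop the binding and any session."""
        self.accounts.pop(name_id, None)
        self.sessions.discard(name_id)

    def consume_assertion(self, name_id):
        """Single sign-on: accept an IdP assertion that carries a known pseudonym;
        the principal is not asked to authenticate again here."""
        if name_id is None or name_id not in self.accounts:
            return None
        self.sessions.add(name_id)
        return self.accounts[name_id]

    def logout(self, name_id: str) -> None:
        self.sessions.discard(name_id)


@dataclass
class IdentityProvider:
    """Holds local accounts and the per-SP federation records for each principal."""
    provider_id: str
    circle_of_trust: dict = field(default_factory=dict)  # sp_id -> ServiceProvider
    federations: dict = field(default_factory=dict)      # (user, sp_id) -> name identifier
    sessions: set = field(default_factory=set)           # locally authenticated users

    def authenticate(self, user: str) -> None:
        self.sessions.add(user)

    def federate(self, user: str, sp_id: str, sp_account: str) -> str:
        """Opt the principal in to federation with one SP. The pseudonym is random,
        unrelated to the local user name, and different for every SP."""
        sp = self.circle_of_trust[sp_id]          # KeyError: SP not in the domain
        key = (user, sp_id)
        if key not in self.federations:
            self.federations[key] = secrets.token_urlsafe(16)
        sp.link(self.federations[key], sp_account)
        return self.federations[key]

    def sso(self, user: str, sp_id: str):
        """Assert the principal to an SP, as a pseudonym, only when the principal
        holds an IdP session and has federated with that SP."""
        if user not in self.sessions:
            return None
        name_id = self.federations.get((user, sp_id))
        return self.circle_of_trust[sp_id].consume_assertion(name_id)

    def defederate(self, user: str, sp_id: str) -> bool:
        """Federation termination: forget the pseudonym on both sides."""
        name_id = self.federations.pop((user, sp_id), None)
        if name_id is not None:
            self.circle_of_trust[sp_id].unlink(name_id)
        return name_id is not None

    def single_logout(self, user: str) -> None:
        """End the IdP session and every federated SP session for this principal."""
        self.sessions.discard(user)
        for (u, sp_id), name_id in self.federations.items():
            if u == user:
                self.circle_of_trust[sp_id].logout(name_id)


def run_scenario() -> dict:
    """Constructed walk-through: one IdP, two SPs and one principal, 'alice'."""
    idp = IdentityProvider("idp.example.test")
    shop = ServiceProvider("shop.example.test")
    bank = ServiceProvider("bank.example.test")
    idp.circle_of_trust = {sp.provider_id: sp for sp in (shop, bank)}

    idp.authenticate("alice")
    shop_nid = idp.federate("alice", shop.provider_id, "shop-user-42")
    bank_nid = idp.federate("alice", bank.provider_id, "bank-cust-7")

    result = {
        "pseudonyms_differ": shop_nid != bank_nid,   # SPs cannot correlate alice
        "sso_shop": idp.sso("alice", shop.provider_id),   # 'shop-user-42'
        "sso_bank": idp.sso("alice", bank.provider_id),   # 'bank-cust-7'
    }
    result["sessions_before_slo"] = (shop_nid in shop.sessions, bank_nid in bank.sessions)
    idp.single_logout("alice")
    result["sessions_after_slo"] = (shop_nid in shop.sessions, bank_nid in bank.sessions)
    result["sso_without_session"] = idp.sso("alice", shop.provider_id)   # None

    idp.authenticate("alice")
    idp.defederate("alice", shop.provider_id)
    result["sso_after_defederation"] = idp.sso("alice", shop.provider_id)    # None
    result["sso_bank_still_federated"] = idp.sso("alice", bank.provider_id)  # 'bank-cust-7'
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point the model makes visible is that the service provider's account table is keyed only by the pseudonym, so nothing it stores lets it recover the identity provider's user name or link the principal to another service provider's records; a real deployment additionally signs the assertions and logout messages, which this model omits.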
