Federation and IdP
Seamless login to all digital resources
For IT security to be effective, it must actually be used. Complicated and time-consuming processes often end with users finding shortcuts. By combining smart card based login with so-called federation, your end users can log in to all cloud based services, applications and digital resources with the same smart card and PIN. One code - That's IT!
With a federation or IdP, you get full IT security in the cloud while simplifying the workflow for the individual employee, who only needs to log in once to access all their applications. They get single sign-on (SSO) for all services and digital resources behind the federation or IdP, using the smart card and PIN as strong authentication for login.
With a federation you can apply one uniform IT security policy, completely without any unsafe passwords, to all users, all types of devices and all types of cloud-based and local applications. With Net iD and jointly designed regulations for levels of trust, identity management, authentication and authorization, you build solutions that guarantee secure, cost-effective and easy access to services both internally and externally.
How it works
SAML Identity Provider along with Single Sign On
The desirable idea of being authenticated only once is one important service justifying the use of an Identity Provider along with Single Sign On (SSO). Without necessarily being aware of it, you want to work across different security domains, and preferably your one and only authentication should be valid across all of them. This is where Security Assertion Markup Language (SAML) enters the arena. SAML was developed to give you the possibility of exchanging authentication and authorization data across different security domains. It is also a common language for Identity Providers (IdPs) to communicate with each other and with web service providers.
An Identity Provider works in a domain doing "the hard work" in an SSO authentication where SAML is used. What happens in the authentication process is essentially the following:
- The Identity Provider receives an authentication request from a Relying Party (RP), via a web browser.
- The user principal of the web browser is authenticated.
- The RP gets a reply with a SAML authentication assertion for the user principal.
In the trusted federation the Identity Provider is responsible for showing that a requesting device is who it claims to be, for passing along relevant information whenever a connect request is made, and for keeping a record of whether a user or a requesting device was given access to the online resource.
The data communication between the Identity Provider and the application contains a signature, which the RP uses to verify that the authentication ticket actually originates from a trusted IdP. This enables the user to be securely authenticated to the target application through a Single Sign On procedure. Many social networks use SAML exchanges to provide identity services.
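As an added illustration (not code from SecMaker or this page), the exchange above modelled from the Relying Party's side: the IdP issues a signed assertion for the authenticated user principal, and the RP refuses it unless the signature, issuer, audience, validity window, request ID and assertion ID all check out. The entityIDs and signing key are assumed values, and an HMAC stands in for SAML's XML-DSig so the example runs with the standard library alone.

```python
import hashlib, hmac, time, uuid

# Constructed stand-in for the IdP's signing key. Real SAML signs with XML-DSig and the
# IdP's certificate from federation metadata; HMAC is used only to keep this stdlib-only.
IDP_SIGNING_KEY = b"constructed-demo-signing-key"
TRUSTED_IDP = "https://idp.example.org"     # assumed IdP entityID
RP_ENTITY_ID = "https://app.example.org"    # assumed RP entityID

def sign(fields):
    """Canonicalise the assertion fields and sign them (stand-in for XML-DSig)."""
    payload = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

def idp_issue_assertion(request_id, subject, now=None, audience=RP_ENTITY_ID):
    """Steps 2-3 above: the IdP has authenticated the user principal (smart card
    and PIN) and answers the RP's request with a signed assertion."""
    now = int(time.time()) if now is None else now
    assertion = {
        "id": "_" + uuid.uuid4().hex,     # unique per assertion, lets the RP spot replays
        "issuer": TRUSTED_IDP,
        "subject": subject,
        "audience": audience,             # the RP this assertion is intended for
        "in_response_to": request_id,     # ties the reply to the RP's own request
        "not_before": now,
        "not_on_or_after": now + 300,     # short validity window (5 minutes)
    }
    assertion["signature"] = sign(assertion)
    return assertion

def rp_validate_assertion(assertion, outstanding_requests, seen_ids, now=None):
    """Checks the RP must pass before trusting the SSO login. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    unsigned = {k: v for k, v in assertion.items() if k != "signature"}
    # Verify the signature first: every other field is untrusted until this passes.
    if not hmac.compare_digest(sign(unsigned), assertion.get("signature", "")):
        return False, "bad signature"
    if assertion["issuer"] != TRUSTED_IDP:
        return False, "untrusted issuer"
    if assertion["audience"] != RP_ENTITY_ID:
        return False, "wrong audience"
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        return False, "outside validity window"
    if assertion["id"] in seen_ids:
        return False, "replayed assertion"
    if assertion["in_response_to"] not in outstanding_requests:
        return False, "unsolicited or unknown request"
    seen_ids.add(assertion["id"])
    outstanding_requests.discard(assertion["in_response_to"])
    return True, "ok"
```

The same checks apply to a real SAML Response: the RP verifies the XML signature against the IdP certificate from metadata, then Issuer, AudienceRestriction, Conditions and InResponseTo, and keeps the assertion ID to reject replays.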
Identity Provider from a security point of view
First of all, it must be emphasized that when it comes to login security, the most important thing is that the user logs on with an identity that cannot be copied. It should not be feasible to fake it, hack it or in any way distort it. The Public Key Infrastructure (PKI) solution provided by SecMaker offers high resistance to tampering, as the identity is issued and trusted by a Certificate Authority.
Seen from the user's perspective, a great and convenient benefit is avoiding multiple logins and having to remember many different login credentials. For the provider, the benefits are more related to security. For example:
- The protection of personal information that is detailed enough to identify people is the responsibility of the Identity Provider, not the service provider.
- Avoidance of the security hazard of keeping track of and administrating multiple user credentials for different systems and platforms, all made possible through the use of Single Sign On (SSO). Fewer logons mean fewer opportunities for attackers to steal user credentials.
- It will also create relief for your IT organization as it doesn't have to take care of as much "lost-password-and-credential-work".
- All access events are logged by the Identity Provider. This makes it easier to keep track of, and prove, who is doing what and when.
An Identity Provider requires strong security measures and careful attention, since there is always a risk of it being hacked, resulting in a leak of sensitive personal data. A sale of the data contained in an Identity Provider can be extremely lucrative.
Using a centralized federation model with only one Identity Provider has some undeniable risks. If this component fails or is hacked, the entire identity management system fails. Hence, to achieve redundancy, a decentralized federation model with at least two (duplicated) Identity Providers can be used.
SecMaker's products are already used for logging in to the most widely used services, such as School Federation, Sambi and Swedish e-identity. Thanks to open standards such as SAML, OpenID Connect and RADIUS, Net iD can also be used with other products and services in the area. SecMaker's product portfolio expands continuously, so you can count on getting the most out of your investment.