This presentation discusses new concepts, patterns and technologies emerging around the notions of “Identity 2.0” and “User-Centric Identity”:
It emphasizes their relationship with directory systems (Identity 2.0 = Directory 2.0?)
It presents a vendor’s view upon these initiatives
It not meant to be a product marketing presentation
The overall work tasks are (looking at the side of consuming authentication):
Verify identifiers, credentials and PoP. Details depend on the employed authentication protocol. Mechanics are largely handled by WS-stacks.
Enrich authn information to please application needs (don’t mandate the authentication infrastructure to address subject information-needs of all applications)
Propagate this information to applications (for use in e.g. authz or other purposes such as application personalization)
The federated approach does not change the list of overall work tasks. It changes the allocation of these work tasks:
Task 1 (with different kind of credentials as on the left) and task 3 remain to be done at RP side.
Task 2 can be outsourced within a federated environment
This obviously addresses the use case of serving foreign user populations better than the traditional approach. However, it is also represents an important architectural trick when serving own user populations. This means that a federation-enabled SOA security system would:
Assign an RP-only role to services
Rely on internal (for an own user population) or external (for external user populations) IdPs
CardSpace information cards:
Issued by identity providers
Consumed by identity selectors i.e. on user-side
Support users in selecting and interacting with identity providers
CardSpace security tokens:
Issued by identity providers - based on user authentication
Consumed by resource providers
Support resource providers in authorizing access requests