Federated Identity Management (FIM) lets separate organizations (or separate security domains) share identity information, so a user who has authenticated in one domain can access services in another without a second set of credentials.  Security Assertion Markup Language (SAML) is the protocol most commonly used to federate identities; OAuth is also covered here, although strictly it is an authorization framework for delegated access to resources rather than an authentication protocol.  Because a single identity provider vouches for the user to many services, federation is a form of single sign-on and can be considered a form of centralized access control.

The three SAML roles are:

Identity provider (IdP): authenticates the subject (typically by prompting for a username/password pair, possibly with a second factor) and, based on the identity information it holds, issues a signed assertion about that subject to the service provider.

Service provider (SP): also known as the relying party; the service or resource the user is trying to access.  The SP never sees the user's credentials; it trusts the IdP's assertion instead.

Subject or principal: the user (or other entity) who is being vouched for by the IdP.

The four components of SAML are:

  1. Assertions: statements an identity provider makes about the subject, which the relying party uses to make access control decisions.  An assertion can carry three kinds of statement: an authentication statement (the subject logged in, when, and by what method), an attribute statement (properties such as e-mail address or group membership), and an authorization decision statement (whether the subject is permitted a given action on a resource).
  2. Protocols: the request/response message pairs that specify the format and content of exchanges, such as an authentication request and the response that carries the assertion.
  3. Bindings: mappings of SAML protocol messages onto standard transport protocols, for example HTTP Redirect, HTTP POST and SOAP.
  4. Profiles: combinations of the three components above for a particular use case; the Web Browser SSO profile is the one most deployments use.

The OAuth roles are as follows:

  1. Resource owner – the entity capable of granting access to a protected resource.  When it is a person, it is the end user.
  2. Resource server – the server hosting the protected resources; it accepts and validates access tokens on incoming requests.
  3. Client application – the application that requests access to the protected resources on the resource owner's behalf, with the owner's authorization.
  4. Authorization server – the server that authenticates the resource owner, obtains the owner's authorization, and issues access tokens to the client.
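The four roles interacting in an authorization code grant with PKCE, as an added example for these notes (not code from any OAuth library or product).  The client ID, redirect URI, scope name and protected resource are made up, the resource owner is assumed to be already authenticated at the authorization server, and access tokens are opaque random strings recorded in a table the resource server consults, standing in for token introspection or a shared token store.

```python
"""Authorization code grant with PKCE, all four OAuth 2.0 roles in one process.

Added example for these notes, not code from any OAuth library or product. The
client ID, redirect URI, scope and resource are made up. Access tokens are opaque
random strings that the authorization server records in a table the resource
server consults, standing in for token introspection or a shared token store.
"""
import base64, hashlib, secrets, time

def s256_challenge(verifier):
    """PKCE S256 (RFC 7636): BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class OAuthError(Exception):
    pass

class AuthorizationServer:
    """Authenticates the resource owner, records consent, issues codes and tokens."""
    def __init__(self):
        self.clients = {}  # client_id -> registered redirect URIs
        self.codes = {}    # authorization code -> grant it is bound to (single use)
        self.tokens = {}   # access token -> {"sub", "scope", "exp"}

    def register_client(self, client_id, redirect_uris):
        self.clients[client_id] = set(redirect_uris)

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, resource_owner, approve):
        """Authorization endpoint. The resource owner (already authenticated here) grants or denies."""
        # Exact match against registration: stops codes being sent to an attacker's URI.
        if redirect_uri not in self.clients.get(client_id, set()):
            raise OAuthError("invalid_request: unregistered redirect_uri")
        if not approve:
            raise OAuthError("access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "challenge": code_challenge, "sub": resource_owner, "exp": time.time() + 60}
        return {"code": code, "state": state}  # what the redirect back to the client carries

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint. Every binding made at authorize() is checked, then the code is burned."""
        grant = self.codes.pop(code, None)  # pop: a code is single use, replay fails here
        if grant is None or grant["exp"] < time.time():
            raise OAuthError("invalid_grant: unknown, used or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant: code bound to a different client/redirect_uri")
        if not secrets.compare_digest(s256_challenge(code_verifier), grant["challenge"]):
            raise OAuthError("invalid_grant: PKCE verifier does not match")  # intercepted code
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": grant["sub"], "scope": grant["scope"], "exp": time.time() + 300}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

class ResourceServer:
    """Hosts the protected resource; trusts only tokens the authorization server knows."""
    def __init__(self, auth_server, required_scope):
        self.auth_server, self.required_scope = auth_server, required_scope
        self.calendars = {"alice": "alice's calendar"}  # constructed protected data

    def read_calendar(self, bearer_token):
        info = self.auth_server.tokens.get(bearer_token)
        if info is None or info["exp"] < time.time():
            raise OAuthError("invalid_token")
        if self.required_scope not in info["scope"].split():
            raise OAuthError("insufficient_scope")  # valid token, wrong permission
        return self.calendars[info["sub"]]

class Client:
    """The application acting for the resource owner; it never sees the owner's password."""
    def __init__(self, client_id, redirect_uri, auth_server):
        self.client_id, self.redirect_uri, self.auth_server = client_id, redirect_uri, auth_server

    def run_flow(self, resource_owner, scope, approve=True):
        verifier = secrets.token_urlsafe(48)   # kept client-side; only its hash goes to authorize()
        state = secrets.token_urlsafe(16)      # bound to this browser session
        redirect = self.auth_server.authorize(self.client_id, self.redirect_uri, scope, state,
                                              s256_challenge(verifier), resource_owner, approve)
        if not secrets.compare_digest(redirect["state"], state):
            raise OAuthError("state mismatch: possible CSRF / code injection")
        return self.auth_server.token(self.client_id, redirect["code"], self.redirect_uri, verifier)

def demo():
    """Happy path: returns the protected resource the client read on alice's behalf."""
    auth = AuthorizationServer()
    auth.register_client("web-app", ["https://app.example.com/cb"])
    calendar_api = ResourceServer(auth, "calendar:read")
    client = Client("web-app", "https://app.example.com/cb", auth)
    grant = client.run_flow("alice", "calendar:read")
    return calendar_api.read_calendar(grant["access_token"])

if __name__ == "__main__":
    print(demo())
```

The points worth noticing are where each role enforces something: the authorization server binds the code to the client, redirect URI and PKCE challenge and burns it on first use; the client checks `state` before it will exchange a code; and the resource server checks scope as well as token validity, so a valid token for the wrong scope is still refused.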

Another related concept in the CBK is identity management as a service (IDaaS), which delegates the core identity governance and administration (IGA) functions to a cloud provider.

The three elements of IDaaS are:

  1. IGA – user provisioning and de-provisioning, and password management such as self-service resets.
  2. Access – authentication, single sign-on, authorization, and support for federation standards/protocols (such as SAML and OAuth).
  3. Intelligence – identity and access logging, monitoring, and reporting.