Introduction to Identity Federations

March 7, 2017
Repository ID: TI.26.1
Authors: David Walker <https://orcid.org/0000-0003-2540-0644>, Ann West
Sponsor: Internet2
Superseded documents: (none)
Proposed future review date: December 1, 2018
Subject tags: policy, service

© 2017 Internet2. This work is licensed under a Creative Commons Attribution 4.0 International License.

Introduction to Identity Federations

An identity federation is a coalition of organizations, called Participants, that share information about their community members according to mutually agreed and usually legally binding policies, processes, and technologies. The purpose of this information sharing is to enable collaboration among community members and to provide access to resources offered by the Participants for the federation's community members.

The Security Assertion Markup Language (SAML) is the basis for the technology standards used by InCommon and other identity federations established to support research and education internationally. It defines a common format for the information about community members (called Identity Provider Assertions) that is exchanged, as well as a protocol for accomplishing that exchange. In the SAML protocol, Participants operate network services called Identity Providers (IdPs) that respond to requests for Identity Provider Assertions from Service Providers (SPs). These SPs provide collaboration tools and access to resources of interest within the federation. Identity Provider Assertions contain information about individuals for the purpose of personalizing the service and making authorization decisions; they include such elements as group memberships, roles, friendly names, contact information, and identifiers. eduPerson is a community standard that defines Identity Provider Assertion content that is commonly used within research and education.
When an IdP receives a request for an Identity Provider Assertion from an SP (as the result of its user’s request for service), it assesses the request in light of its policies concerning the release of each requested element of information for that specific user to that specific SP. The IdP will release only information that is allowed by its policy. When the SP receives the resulting Identity Provider Assertion, it will then make decisions about how to address the user’s request for service. Those decisions might include tailoring the user’s experience within the service, requesting more information like name or email address from the user, restricting the user’s access to certain operations within the service, or completely denying access. The following diagram illustrates the SAML protocol.
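The release-policy check on the IdP side and the resulting decision on the SP side, as an added Python illustration (not code from the document or from any federation software); the user record, the SP entityIDs and the policy table are constructed sample values, while the attribute names are standard eduPerson / common LDAP names:

```python
from typing import Dict, Iterable, Set

# Constructed sample user record, keyed by eduPerson / common attribute names.
USER: Dict[str, object] = {
    "eduPersonPrincipalName": "alice@example.edu",
    "displayName": "Alice Example",
    "mail": "alice@example.edu",
    "eduPersonAffiliation": ["member", "faculty"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Constructed IdP release policy: for each SP entityID (hypothetical values),
# the attributes the IdP may release to that SP. Anything not listed is withheld
# even if the SP asks for it, and an SP with no policy entry receives nothing.
RELEASE_POLICY: Dict[str, Set[str]] = {
    "https://library.example.org/sp": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "https://wiki.example.org/sp": {"eduPersonPrincipalName", "displayName", "mail",
                                    "eduPersonAffiliation"},
}

def build_assertion(user: Dict[str, object], sp_entity_id: str,
                    requested: Iterable[str]) -> Dict[str, object]:
    """IdP side: release only attributes that are requested by the SP, allowed
    for that SP by policy, and actually present for this user (default deny)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {a: user[a] for a in requested if a in allowed and a in user}

def sp_decision(assertion: Dict[str, object], required_affiliation: str,
                wanted: Iterable[str]) -> Dict[str, object]:
    """SP side: deny unless the assertion carries the required affiliation;
    otherwise allow, listing attributes the SP would have to ask the user for."""
    affiliations = assertion.get("eduPersonAffiliation", [])
    if required_affiliation not in affiliations:
        return {"access": "deny", "ask_user_for": []}
    missing = [a for a in wanted if a not in assertion]
    return {"access": "allow", "ask_user_for": missing}

if __name__ == "__main__":
    req = ["eduPersonPrincipalName", "displayName",
           "eduPersonAffiliation", "eduPersonEntitlement"]
    assertion = build_assertion(USER, "https://library.example.org/sp", req)
    print(assertion)  # only affiliation and entitlement reach the library SP
    print(sp_decision(assertion, "member", ["displayName", "mail"]))
```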