Federation Architecture Evolution

At the recent Cloud Identity Summit in Napa I presented on approaches to scale up federation. I’d like to highlight the concept behind those approaches in this post.

The basic idea is to separate connection/trust management from the protocol message handling stack as depicted in the following image.


As you probably know, in most federation stack implementations today the two concepts are already “internally” separated into out-of-band trust establishment and in-band protocol message handling. So this proposal makes that distinction explicit and separates the two functions into different components. The reason for that is as follows:

By separating out connection management we can outsource it to a specialized component or service that is able to deal with it in a more efficient and scalable way. More importantly, this connection management service can be shared between different parties and implementations. Outsourcing can be done to an external party (e.g. InCommon, WAYF.dk) or an internal component (e.g. company-wide SAML proxies, local metadata services). Also notice that this idea could work across different SAML implementations, provided these implementations know how to leverage a connection management service. This opens the way to upgrading federated connection management from a peer-to-peer process to a multi-party process that is shared between the “subscribers” of the connection management service.

This is something that I have referred to as the next step in federation architecture evolution: it takes us one step up from the old-fashioned model where the federation stack is tightly integrated into applications, to a model that externalizes the federation stack from the applications themselves as much as possible…
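An added example, not taken from the talk or from any federation product, of the separation described above: one connection manager loads a SAML metadata aggregate, and two protocol handlers that hold no peer configuration of their own consult it. The class names, entity IDs and placeholder certificate strings are assumptions, and verifying the aggregate's own signature is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def entity(entity_id, cert):
    """Build one constructed IdP EntityDescriptor (cert text is a placeholder)."""
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')

def aggregate(entities, valid_until):
    """Wrap entities in a constructed metadata aggregate."""
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'validUntil="{valid_until}">{"".join(entities)}</md:EntitiesDescriptor>')

class ConnectionManager:
    """Out-of-band trust: the one place that knows who the peers are."""
    def __init__(self):
        self._signing_certs = {}

    def load(self, xml_text, now):
        # Production use: verify the aggregate's signature and parse with defusedxml.
        root = ET.fromstring(xml_text)
        expiry = datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00"))
        if expiry <= now:
            raise ValueError("metadata aggregate expired; keeping previous trust set")
        fresh = {}
        for ed in root.findall("md:EntityDescriptor", NS):
            certs = [c.text.strip() for c in ed.findall(
                "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)]
            if certs:
                fresh[ed.get("entityID")] = certs
        self._signing_certs = fresh  # single swap: peers dropped upstream lose trust

    def signing_certs(self, entity_id):
        return self._signing_certs.get(entity_id, [])

class ProtocolHandler:
    """In-band stack: a real one would verify signatures against the returned certs."""
    def __init__(self, connections):
        self.connections = connections

    def accept_issuer(self, issuer):
        return bool(self.connections.signing_certs(issuer))
```

Reloading an aggregate that no longer lists a peer removes that peer for every handler sharing the manager, which is the multi-party behaviour the post argues for.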
