At the recent Cloud Identity Summit in Napa I presented on approaches to scale up federation. I’d like to highlight the concept behind those approaches in this post.
The basic idea is to separate connection/trust management from the protocol message handling stack as depicted in the following image.
As you probably know, most federation stack implementations today already separate the two concepts "internally": out-of-band trust establishment on one side, in-band protocol message handling on the other. This proposal makes that distinction explicit and splits the two functions into different components. The reason for that is as follows:
By separating out connection management we can outsource it to a specialized component or service that is able to deal with it in a more efficient and scalable way. More importantly, this connection management service can be shared between different parties and implementations. Outsourcing can be done to an external party (e.g. InCommon, WAYF.dk) or to an internal component (e.g. company-wide SAML proxies, local metadata services). Notice also that this idea works across different SAML implementations, provided those implementations know how to consume a connection management service. This makes it possible to upgrade federated connection management from a peer-to-peer process to a multi-party process that is shared between the "subscribers" of the connection management service.
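To make the split concrete, here is an added example (not code from the original post or from any of the services named above) of the interface between the two components in a SAML deployment: a small "connection manager" that owns a federation metadata aggregate and answers "who is entity X, which key signs for it, and where do I send it a request", and a protocol-stack function that only ever asks those questions. The aggregate, entity IDs, endpoints and certificate placeholders are constructed inline. One caveat the example enforces: a shared connection management service concentrates the trust decision, so a subscriber must at least check the aggregate's validity period (and, in a real deployment, its XML signature against the federation's key, which needs an xmlsec library and is omitted here); otherwise a stale aggregate keeps a rotated or revoked IdP key trusted.

```python
"""Connection management separated from the SAML protocol stack.

Added illustration, not code from the original post or from any
federation operator. The aggregate below is constructed inline and
the entity IDs, endpoints and certificates are placeholders.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample aggregate, standing in for what a federation
# metadata service (a national federation or an in-house metadata
# server) would publish. Certificate contents are placeholders and
# are never decoded here.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.edu/sso/post"/>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


class MetadataError(Exception):
    """Raised when the aggregate, or a lookup in it, cannot be trusted."""


class ConnectionManager:
    """Connection/trust management side: owns the aggregate, its
    freshness and the lookup. The protocol stack never parses it."""

    def __init__(self, aggregate_xml, now=None):
        now = now or dt.datetime.now(dt.timezone.utc)
        root = ET.fromstring(aggregate_xml)
        # An aggregate without an expiry, or past it, is rejected: that
        # is how a rotated or revoked IdP key would otherwise stay trusted.
        # A real subscriber also verifies the aggregate's XML signature
        # against the federation key (omitted here; needs xmlsec).
        valid_until = root.get("validUntil")
        if valid_until is None:
            raise MetadataError("aggregate has no validUntil")
        expiry = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            raise MetadataError("aggregate expired at %s" % valid_until)
        self._entities = {
            e.get("entityID"): e for e in root.iterfind("md:EntityDescriptor", NS)
        }

    def resolve_idp(self, entity_id):
        """Return the signing certs and SSO endpoints for one IdP."""
        ent = self._entities.get(entity_id)
        if ent is None:
            raise MetadataError("unknown entityID %r" % entity_id)
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            raise MetadataError("%s does not publish an IdP role" % entity_id)
        signing = []
        for kd in idp.iterfind("md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' is valid for both purposes;
            # encryption-only keys must never be accepted for signatures.
            if kd.get("use") in (None, "signing"):
                path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
                signing.extend("".join(c.text.split()) for c in kd.iterfind(path, NS))
        if not signing:
            raise MetadataError("no signing key published for %s" % entity_id)
        sso = {s.get("Binding"): s.get("Location")
               for s in idp.iterfind("md:SingleSignOnService", NS)}
        return {"entity_id": entity_id, "signing_certs": signing, "sso": sso}


def authn_request_target(cm, idp_entity_id):
    """Protocol stack side: asks the connection manager for the
    HTTP-Redirect endpoint and nothing else."""
    info = cm.resolve_idp(idp_entity_id)
    location = info["sso"].get(REDIRECT)
    if location is None:
        raise MetadataError("IdP offers no HTTP-Redirect SSO endpoint")
    return location


def aggregate_status(aggregate_xml, now_iso):
    """'ok' if the aggregate is usable at the given UTC time, else the reason."""
    try:
        ConnectionManager(aggregate_xml, now=dt.datetime.fromisoformat(now_iso))
        return "ok"
    except MetadataError as exc:
        return str(exc)


if __name__ == "__main__":
    manager = ConnectionManager(SAMPLE_AGGREGATE)
    print(authn_request_target(manager, "https://idp.example.edu/idp"))
```

Swapping the source of `SAMPLE_AGGREGATE` for an HTTP fetch of a federation's signed aggregate, or of a local metadata server's output, changes nothing on the protocol-stack side; that is the point of the separation.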
This is something that I have referred to as the next step in federation architecture evolution: it takes us one step up from the old-fashioned model where the federation stack is tightly integrated into applications, to a model that externalizes the federation stack from the applications themselves as much as possible.