Authentic — Administrator Guide : Different federation identity protocols and standards : (my translation notes)


Different federation identity protocols and standards

There are many of them, and they are often built on one another. SAML (Security Assertion Markup Language), for example, is the common base of ID-FF (Liberty Alliance Identity Federation Framework) and of Shibboleth. A new layer has also appeared on top of the existing standards: the "identity services". These are network-distributed services that work with a user-controlled identity. The user decides which specific pieces of information (attributes) those services may use to return a customised, adapted answer, which allows greater personalisation of the services and transactions driven by identity information.



SAML

The Security Assertion Markup Language, designed by OASIS, was the first standard allowing the exchange of protected assertions. Most of the large companies offering access management solutions took part in its development, and it was explicitly conceived for business-to-business relations. (SAML makes it possible to exchange protected assertions.)

SAML 1.1 undoubtedly offers fewer superfluous features than other standards. It is a clean, simple and concise protocol. However, the concision that makes it relatively easy to implement is a handicap when SAML is used in another environment, such as business-to-consumer or business-to-employee. SAML 1.1 lacks some features relating to confidentiality, security and support for mobile clients. The release of SAML 2.0 should largely remedy this. (SAML 1.1 was clearly lacking in functionality: confidentiality, security and support for mobile clients were missing.)

SAML 2.0 is a convergence of SAML 1.1, Liberty ID-FF 1.2 and Shibboleth. OASIS's intention was to take the best of each of these protocols and bring it into a single, coherent framework. (SAML 2.0 is OASIS's consolidation of SAML 1.1, Liberty ID-FF 1.2 and Shibboleth into one.)

Liberty ID-FF

Liberty Identity Federation Framework (ID-FF 1.2 and its predecessor ID-FF 1.1) was worked out by the Liberty Alliance consortium, founded in mid-2001 by Sun and joined by several hundred companies (France Telecom, Vodafone, VeriSign, Mastercard, etc.). (ID-FF 1.2 is the product of many companies in the Liberty Alliance consortium.)

ID-FF is based on SAML and allows more complex deployment scenarios. It mainly introduces: (Based on SAML, it handles many more complex deployment scenarios.)

  • user control over the federations performed; (user control in federation)
  • true Single Sign-On and Single Logout; (SSO/SLO)
  • true anonymisation (no unique username circulating between the Service Providers and the Identity Providers); (true anonymity)
  • an authentication context (providing information on the authentication itself and on what surrounds it, such as the enrolment procedure); (authentication context)
  • metadata exchange. (metadata exchange)

Designed for companies, ID-FF makes it possible to combine strong-authentication requirements with respect for users' privacy, which is why the ADAÉ very strongly encourages its use within the French administrations. (Strong authentication usable by companies.)
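The anonymisation and authentication-context points listed above, as an added example that is not part of the Authentic guide or of the Liberty or OASIS specifications. It shows an Identity Provider issuing the same user a different persistent NameID for each Service Provider, so that no common username circulates and two SPs cannot correlate their accounts, and the checks a Service Provider must apply to the assertion it receives (issuer, audience restriction, validity window). The HMAC-based derivation of the pseudonym, the entity IDs, the user name and the 5-minute lifetime are assumptions made for illustration; the XML signature that actually protects a SAML assertion is not implemented here.

```python
"""Pairwise pseudonymous NameIDs in a SAML 2.0 / ID-FF style federation.

Added example, not code from the Authentic guide. Assumption (not from the
page): the IdP derives each SP's pseudonym as HMAC-SHA256 over
(local user id, SP entityID) under a long-lived IdP secret. SAML 2.0 only
requires a persistent NameID to be opaque and SP-specific; a random value kept
in a mapping table is an equally valid implementation.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TS = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)


def q(tag: str) -> str:
    """Clark-notation name in the SAML 2.0 assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


class IdentityProvider:
    def __init__(self, entity_id: str, pseudonym_key: bytes):
        self.entity_id = entity_id
        self._key = pseudonym_key  # rotating this key changes every pseudonym

    def pseudonym_for(self, local_user_id: str, sp_entity_id: str) -> str:
        # The SP entityID is part of the MAC input, so two SPs never receive the
        # same identifier for one user; the secret key stops an SP from
        # recomputing the mapping or brute-forcing the local user id.
        msg = f"{local_user_id}\x00{sp_entity_id}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def issue_assertion(self, local_user_id: str, sp_entity_id: str,
                        authn_context_class: str, lifetime_seconds: int = 300) -> str:
        """Build an (unsigned) assertion for one SP: pseudonymous subject,
        audience restriction, validity window and authentication context."""
        now = datetime.now(timezone.utc)
        a = ET.Element(q("Assertion"), {"ID": "_" + secrets.token_hex(16),
                                        "Version": "2.0", "IssueInstant": now.strftime(TS)})
        ET.SubElement(a, q("Issuer")).text = self.entity_id
        subject = ET.SubElement(a, q("Subject"))
        name_id = ET.SubElement(subject, q("NameID"), {"Format": NAMEID_PERSISTENT,
                                                       "SPNameQualifier": sp_entity_id})
        name_id.text = self.pseudonym_for(local_user_id, sp_entity_id)
        cond = ET.SubElement(a, q("Conditions"), {
            "NotBefore": now.strftime(TS),
            "NotOnOrAfter": (now + timedelta(seconds=lifetime_seconds)).strftime(TS)})
        ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = sp_entity_id
        # The authentication context tells the SP how (and how strongly) the user authenticated.
        stmt = ET.SubElement(a, q("AuthnStatement"), {"AuthnInstant": now.strftime(TS)})
        ctx = ET.SubElement(stmt, q("AuthnContext"))
        ET.SubElement(ctx, q("AuthnContextClassRef")).text = authn_context_class
        return ET.tostring(a, encoding="unicode")


def sp_accept(assertion_xml: str, my_entity_id: str, trusted_issuer: str) -> Optional[str]:
    """Service Provider side: return the NameID if the assertion comes from the
    trusted IdP, is addressed to this SP and is inside its validity window,
    otherwise None. A real SP must first verify the XML signature over the
    assertion (omitted here), or none of these fields can be trusted."""
    now = datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != q("Assertion") or root.findtext(q("Issuer")) != trusted_issuer:
        return None
    cond = root.find(q("Conditions"))
    if cond is None:
        return None
    try:
        not_before = datetime.strptime(cond.get("NotBefore", ""), TS).replace(tzinfo=timezone.utc)
        not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter", ""), TS).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    if not (not_before <= now < not_on_or_after):
        return None
    if my_entity_id not in [e.text for e in cond.iter(q("Audience"))]:
        return None  # minted for another SP: must be rejected, not re-used
    name_id = root.find(f"{q('Subject')}/{q('NameID')}")
    if name_id is None or name_id.get("Format") != NAMEID_PERSISTENT:
        return None
    return name_id.text


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example.org", secrets.token_bytes(32))
    ctx_class = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    for sp in ("https://sp-a.example.com", "https://sp-b.example.com"):
        xml = idp.issue_assertion("alice", sp, ctx_class)
        print(sp, "->", sp_accept(xml, sp, "https://idp.example.org"))
```

Running the block prints a different NameID for each SP for the same user; handing sp-a's assertion to sp-b makes `sp_accept` return None, which is the audience check that stops an assertion minted for one partner from being accepted by another.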


Shibboleth

Like ID-FF, Shibboleth was based on SAML; the current version is compliant with SAML 2.0. Shibboleth is an Internet2 project. Internet2 is a consortium led by American universities working in partnership with industry and government. Shibboleth is an open source implementation (Apache licence) that enables inter-institutional sharing of access-controlled web resources. (Shibboleth is also SAML-based.)

Shibboleth provides a standardised gateway between the existing authentication on campuses and resource providers of all kinds. It includes metadata exchange and privacy rules that allow agreements between small groups of partners. It is mainly used in higher education. (Metadata exchange is possible; privacy rules allow agreements between partners.)


WS-Federation

Microsoft, IBM and VeriSign are working on a set of specifications (called the "WS-Security roadmap" or "WS-*") for their next-generation Web services platform. (Specifications by MS, IBM and VeriSign.)

WS-Federation is one of these specifications; it defines a model for federation and the identity-related functions.

WS-Federation is designed for companies and for business-to-business and business-to-employee relations. Privacy features are optional and multi-client support is missing, which makes it poorly suited to the business-to-consumer environment at the moment. (Intended for companies, business-to-business and business-to-employee. Use of privacy is optional and multi-client support is absent, so it cannot currently be used for business-to-consumer.)

Because it is relatively recent, WS-Federation has not been tested and deployed as much as the other protocols; it is therefore advisable to use it with caution.

Liberty ID-WSF

The Identity-based Web Services Framework (ID-WSF) of the Liberty Alliance sits on top of the federation protocols. The specificity of ID-WSF is identity service discovery, which allows attribute sharing under the user's control. (Built on top of the federation protocols. It provides identity service discovery, and the user can control attribute sharing.)

ID-WSF brings together the following elements:

  • permission-based attribute sharing (the user determines which attributes can be published and who can use them); (permission-based attribute sharing)
  • identity service discovery (determines how the Service Providers learn where to find identity information); (identity service discovery)
  • interaction service (allows the Service Providers and Identity Providers to interact in real time with the user to obtain their consent and the necessary authorisations); (interaction service: SP and IdP interact with the user in real time)
  • extended client support (gives client devices the option to host their own identity service or act as an Identity Provider); (extended client support)
  • identity service templates (a reusable mechanism for building new identity services that can leverage the web services framework); (identity service templates)
  • usage directives (which provide a means of including privacy directives in the attribute exchange). (usage directives: privacy directives can be included in the attribute exchange)

ID-WSF is well suited to business-to-business and business-to-consumer deployments where it is crucial to share attribute information in a privacy-oriented manner. Relying parties in the transaction are able to search for and discover identity information from distributed identity services that the end user has registered. Policies related to attribute release can be defined ahead of time or on the fly via an interaction service that can communicate with the end user to obtain permissions. (ID-WSF is best suited to B2B and B2C. RPs can search for and discover identity information from many distributed identity services. Attribute-release policies can be defined in advance or dynamically via the interaction service, which can ask the end user for permission.)
