Federation Networks

22 Nov Federation Networks

We have quite a few articles that discuss different aspects of federation. We’ve provided you with the basic information, talked about the differences between an older protocol (SAML) and the new(er) kid on the block (OAuth), and introduced you to the world of Mobile Connect. The idea of federation, moving between different online services without re-authentication, or using a third party issued identity to access applications, has been around for a while. And like any good technology, it has provided the world with some very nice examples how federation networks can make the life of the Average iJoe easier.

This blog article will introduce you to different implementations of federation networks and why they work. I will try to work them in a chronological order from the oldest to the newest, but I do apologise if I get the sequence wrong. I can’t hold everything in my head… yet. Still waiting for someone to invent the memory upgrade wetware for the human brain. Especially my significant other is screaming for it. And for the key, phone, charger, wallet, hairbrush, bathtub plug, and remote locator radar to become available. I can’t help if the location of a thing is stored to my RAM memory and gets wiped out each night I turn off. Or when I blink.

The Finnish BankID system

Some of the readers will remember a time before The Internet. People used these buzzing and beeping boxes to access important digital services, like usenet, irc, or Doom. Finnish banks launched their digital services early on, and almost immediately issued strong identities to their customers in the form of one time passwords. There were no dongles at that time, so the OTPs were printed onto paper and mailed to the customers. When the weird thing called WWW started to get more popular, the banks moved their services there. They also realised that there was a business opportunity here – they could provide these same identities to third parties, such as the government online services.

The Finnish BankID system was born. The finance authority created a simple protocol that allowed online services to authenticate their customers using the bank issued digital identities. As the registration process required a personal visit to the bank, and OTP was secure enough, it was also adequate for even egovernment services. When a user tried to access e.g. the tax admin online service, they were first redirected to their bank online site to authenticate themselves, and the response message after successful authentication included the required information (name, social security number) to grant access to the customer (citizen). Banks overtook the local strong authentication market in the early 2000’s, and they are still holding on tight.

University Federation Network(s)

When the federation standards started to mature, namely SAML, universities quickly adopted country-wide federation networks where identity information could easily flow between universities and institutions. They also facilitated easy access to multiple international scientific journals. Students were able to access thousands upon thousands of articles using their own digital identity issued by the university.

Social Media

The development of a new protocol, OAuth, enabled easy integration of external (third party) authentication to online services and apps. The social media giants quickly became a convenient capture mechanisms for online service providers. Integration of a social media authentication allowed customers to quickly activate new services, and in turn the social media companies increased their relevance across a spectrum of services. However, compared to most federation networks, the social media does not offer proper identity information. Social media identity federation works best in establishing first contact (not to be mistaken for the Starfleet protocol), and facilitating registration steps when converting captured visitors into paying customers.

Mobile Connect

Building on the newer authentication protocol, OpenID Connect, Mobile Connect is an initiative by the GSMA – an organisation representing the interest of mobile networks operators worldwide. Although it’s based on an essentially authentication protocol, Mobile Connect extends the functionality into the realm of federation by introducing something that can be described as home operator discovery. It allows a user from Sweden to use the digital identity issued by the home operator (in Sweden) in a digital service on the other side of the world. The authentication token is always a mobile device with a phone number. The home operator discovery is based on this number. When a user tries to access an online service, Mobile Connect takes care of finding out to whom the authentication request should be redirected. This is one of the most convenient, privacy oriented, and wide spread global digital identity to date – over 3 billion users worldwide have the ability to use Mobile Connect in their pocket, and the numbers keep increasing as mobile network operators are rolling out their Mobile Connect services.

Finnish Trust Federation Network

Country wide federation networks are forming all over the globe. Identity issuers such banks, mobile network operators and the local government create circles of trust where identities issued by third parties are trusted by the online services. One of these examples can be located in Finland, where a legislation enabling the creation of such a setup came into effect earlier this year.

One of the key aspect of a federation link is trust. But if a service provider needs to create a trust relationship with 9 banks, 4 mobile network operators and the government, it becomes a burden – usually a contractual burden. The Finnish trust federation network aims to eradicate this problem by introducing identity brokers, services that can offer a single point of cont(r)act and a technical interface for connecting to all the identity issuers – and their customers. This provides the online service a 99,9% coverage of all online users in a selected market. The brokers take care of the integration to the identity issuers.

eIDAS

The cross-border authentication of EU citizens has been a long time coming. With the harmonised regulatory framework it’s now becoming a reality. Through the STORK projects that started already during the last decade we will finally see real life implementations. Next year EU citizens travelling or living in another EU country can start using their own government approved digital identities to access services in another EU country.

Architecture

The federation network examples here use different approaches. The Finnish BankID uses a proprietary protocol and looks like a multiple star network, where each bank is in the centre. The university federation networks tend to use a hierarchical approach where a top level operator stores and manages the metadata of all participants. Social media federation is again a multi-star architecture, but using a more recent protocol. Mobile Connect has a single star type of architecture, where the GSMA discovery service is at the core. The Finnish trust federation network introduces the identity brokers as an extra level, making the lives of service providers easier. eIDAS is a mesh network on the member state level, but on the national level it’s a single star system.

The protocols used also play a role here. In many cases SAML is the chosen standard for identity federation. However, depending on the chosen architecture, the support for the standard only might make things unmanageable. Features like automatic metadata update (found in Ubisecure Identity Server) will keep the federation networks humming along even when participants have to change / update their metadata (e.g. when they need to update / renew their signing keys). Usually, without an automatic update function these changes introduce problems as quite a few organisations forget / neglect to inform other participants in the federation network.

Ubisecure Identity Server can facilitate (and is facilitating) all of the above federation networks. If your organisation is looking for a way to join as a service provider, or start offering identity services to online service providers in your market place, contact us now and let’s discover together how federation could benefit your business.