Network Federation
Unit: 10 Lesson: 1
What if people who aren't exactly employees need to access the company network?
This idea is called federation. While the company can manage its own accounts easily enough, managing accounts for everybody else who might need to access specific parts of its network will be harder. Using federation, we can tell our network to trust certain accounts that were created and are managed by a different network, as a sort of crossover event (e.g. Google Workspace and Facebook Meta).
While we manage our company accounts centrally using something like Active Directory or Kerberos, not every outside organization supports these protocols. What do we do then?
Claims-based Identity
CBI refers to a collection of interoperable federation protocols that are similar to Kerberos SSO.
- A service provider (SP) establishes a trust relationship with an identity provider (IDP).
- The principal attempts to access a service provider.
- The service provider redirects the principal to the IDP.
- The principal authenticates with the identity provider.
- If authentication is successful, the principal obtains a claim, in the form of some sort of token or document signed by the IDP.
- The principal presents the claim to the service provider. The SP can validate that the IDP has signed the claim because of its trust relationship with the IDP.
Using this trust relationship, we can now connect the external account to our system and determine account attributes and permissions according to our own standards. We might even be able to query their home network for the account's properties if our organizations are close like that.
But how do we communicate all of this information? Using Security Assertion Markup Language (SAML). Communications are established over HTTP/HTTPS and something called SOAP.
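The six steps above, worked through as an added example (not part of these notes or of any real SAML library): one function plays the identity provider and issues a signed claim, the other plays the service provider and checks the claim against its trust list before mapping the visitor's groups onto local permissions. To keep it runnable offline with only the standard library, the signature is an HMAC over a JSON payload with a per-IdP key; real SAML carries the same fields in a signed XML assertion (Issuer, Subject, AudienceRestriction, NotOnOrAfter, AttributeStatement) verified with the IdP's certificate. All issuer URLs, keys, subjects and group names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Step 1: the SP's trust relationships. Constructed values: each issuer is
# paired with the key the SP uses to verify that issuer's signatures. In SAML
# this would be the IdP's signing certificate from its metadata.
TRUSTED_IDPS = {
    "https://idp.partner.example": b"constructed-partner-signing-key",
    "https://idp.other.example": b"constructed-other-signing-key",
}
SP_ENTITY_ID = "https://sp.company.example"  # constructed audience value

# How this SP maps a federated group attribute onto its own permissions.
ROLE_MAP = {
    "contractors": {"read:wiki"},
    "auditors": {"read:wiki", "read:finance"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_claim(issuer, key, subject, groups, audience, now, ttl=300):
    """Steps 4-5 (IdP side): after the principal authenticates, build a claim
    naming who they are, which SP it is for and how long it is valid, and
    sign it. Returns the token as 'payload.signature'."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "groups": sorted(groups), "iat": now, "exp": now + ttl}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64url(body) + "." + b64url(sig)


def sp_validate_claim(token, now):
    """Step 6 (SP side): accept the claim only if it comes from a trusted IdP,
    the signature checks out, it was issued for this SP and it is in its
    validity window. Returns (subject, permissions) or raises ValueError."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64url(body_b64), unb64url(sig_b64)
        payload = json.loads(body)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        raise ValueError("malformed claim")
    key = TRUSTED_IDPS.get(payload.get("iss"))
    if key is None:
        raise ValueError("issuer not trusted")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if payload.get("aud") != SP_ENTITY_ID:
        raise ValueError("claim not intended for this SP")
    if not (payload["iat"] <= now < payload["exp"]):
        raise ValueError("claim expired or not yet valid")
    # Trusted claim: map the IdP's attributes onto our own permission model.
    permissions = set()
    for group in payload.get("groups", []):
        permissions |= ROLE_MAP.get(group, set())
    return payload["sub"], permissions


def sp_decision(token, now):
    """Convenience wrapper: 'ok' or the reason the claim was rejected."""
    try:
        sp_validate_claim(token, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = int(time.time())
    issuer = "https://idp.partner.example"
    token = idp_issue_claim(issuer, TRUSTED_IDPS[issuer],
                            "alice@partner.example", ["contractors"],
                            SP_ENTITY_ID, now)
    print(sp_validate_claim(token, now))           # ('alice@partner.example', {'read:wiki'})
    rogue = idp_issue_claim("https://idp.rogue.example", b"unknown-key",
                            "mallory", ["auditors"], SP_ENTITY_ID, now)
    print(sp_decision(rogue, now))                 # issuer not trusted
    print(sp_decision(token, now + 600))           # claim expired or not yet valid
```

The order of checks matters: the issuer is looked up first because the SP cannot pick a verification key otherwise, then the signature, and only then are the audience and time window trusted. A claim from an IdP that is not in the trust list is rejected even if it is perfectly well formed, which is exactly what "trust relationship" buys the SP.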
#Netplus