
Network Federation

The idea that a network must be accessible to more than one well-defined group of employees.

Organizations might need to open parts of their network to partners, suppliers, and customers. It's relatively easy to manage accounts for your own employees, but managing accounts for suppliers and/or customers is harder. This is where federation comes in. Federation means that the company trusts, and grants (limited) access to, user accounts that live in another organization's domain or network, rather than creating and maintaining local accounts for those users. The most visible form is consumer-facing: allowing account creation and sign-in with an existing Google Workspace, Facebook (Meta), or Twitter account. Between businesses the same idea applies, with the company trusting the partner's identity provider directly.

On-premises networks often use LDAP and Kerberos in tandem with Active Directory to centralize management of both user accounts and devices. Federation, however, brings interoperability problems, because the two sides run different platforms: web apps might not support Kerberos, and a third-party network will rarely permit a direct LDAP or AD trust with yours.

Claims-based Identity

This is where claims-based identity comes in. Technical implementation and terminology vary, but the overall structure is similar to Kerberos' SSO: a trusted third party vouches for the user with a signed proof of identity, and the service accepts that proof instead of authenticating the user itself.

  • The principal tries to access a service, which redirects the principal to an identity provider (IdP).
  • The principal authenticates with the identity provider and obtains a claim in the form of a token/document signed by the IdP.
  • The principal presents the claim to the service provider, which validates the signature using the IdP's public key, held from a pre-configured trust relationship (typically exchanged as metadata).
  • The service provider then consults its own accounts database to determine the user's attributes and permissions. With the principal's consent, it may also query attributes of the user's profile held by the IdP.

These claims are most often written in SAML (Security Assertion Markup Language), which is based on eXtensible Markup Language (XML). Messages travel over HTTP/HTTPS, either carried through the browser (the redirect and POST bindings) or, for back-channel exchanges, wrapped in Simple Object Access Protocol (SOAP). Tokens that need to be shared are signed according to the XML Signature (XML-DSig) specification, and the service provider must verify that signature, together with the issuer, the intended audience and the validity period, before trusting any claim inside the token.
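As an added example (not code from the original page, and not a real SAML implementation), the four-step claims flow above and the signature check this paragraph describes, modelled end to end in Go. The assertion shape, entity IDs, permission names and the five-minute lifetime are assumptions. Real SAML embeds an XML-DSig Signature element inside the assertion and signs its canonicalised form; here the signature is detached and covers the raw assertion bytes, which keeps the code short without changing what the service provider has to check: a trusted issuer, a valid signature, the right audience, the validity window, and only then a lookup in its own account store.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion is a simplified SAML-like claims document (an assumed shape, not the OASIS schema).
type Assertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	Issuer     string   `xml:"Issuer"`
	Subject    string   `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// Token is what the principal carries to the SP: assertion bytes plus a detached RSA-SHA256 signature over them.
type Token struct{ AssertionXML, Signature []byte }

// IdP holds the private signing key; an SP only ever receives the public half.
type IdP struct {
	EntityID string
	Key      *rsa.PrivateKey
}

// Issue mints a short-lived, audience-bound, signed assertion once the principal has authenticated (assumed here).
func (i *IdP) Issue(subject, audience string, now time.Time) (Token, error) {
	a := Assertion{Issuer: i.EntityID, Subject: subject}
	a.Conditions.NotBefore = now.UTC().Format(time.RFC3339)
	a.Conditions.NotOnOrAfter = now.Add(5 * time.Minute).UTC().Format(time.RFC3339)
	a.Conditions.Audience = audience
	body, err := xml.Marshal(a)
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.Key, crypto.SHA256, digest[:])
	return Token{AssertionXML: body, Signature: sig}, err
}

// ServiceProvider checks tokens against a pre-configured trust list (issuer entity ID -> signing
// key, as imported from IdP metadata), then looks the asserted subject up in its own account store.
type ServiceProvider struct {
	EntityID string
	trusted  map[string]*rsa.PublicKey
	Accounts map[string][]string // local account database: subject -> permissions
}

func NewServiceProvider(entityID, idpEntityID string, idpKey *rsa.PublicKey) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, Accounts: map[string][]string{},
		trusted: map[string]*rsa.PublicKey{idpEntityID: idpKey}}
}

// Authorize performs every check an SP must make before believing a claim, then
// maps the asserted subject onto the permissions the SP holds locally.
func (s *ServiceProvider) Authorize(tok Token, now time.Time) ([]string, error) {
	var a Assertion
	if err := xml.Unmarshal(tok.AssertionXML, &a); err != nil {
		return nil, err
	}
	// The key is chosen from local configuration by issuer name; a key carried
	// inside the token itself must never be used to verify that token.
	pub, ok := s.trusted[a.Issuer]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	digest := sha256.Sum256(tok.AssertionXML)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], tok.Signature) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	if a.Conditions.Audience != s.EntityID {
		return nil, fmt.Errorf("assertion issued for %q, not for us", a.Conditions.Audience)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return nil, fmt.Errorf("outside validity window") // production SPs allow a little clock skew
	}
	if perms, ok := s.Accounts[a.Subject]; ok {
		return perms, nil
	}
	return nil, fmt.Errorf("no local account for %q", a.Subject)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	idp := &IdP{EntityID: "https://idp.partner.example", Key: key}
	sp := NewServiceProvider("https://app.example", idp.EntityID, &key.PublicKey)
	sp.Accounts["alice@partner.example"] = []string{"orders:read", "orders:create"}
	tok, _ := idp.Issue("alice@partner.example", sp.EntityID, time.Now())
	fmt.Println(sp.Authorize(tok, time.Now()))
}
```

The ordering inside Authorize is the point: the issuer name is read from the unverified document only to select a key from the SP's own configuration, the signature is checked before any other field is believed, and the local account lookup (step four of the flow) happens last. A rogue IdP with a perfectly good key of its own, an assertion minted for a different service, or a replayed token from last week all fail before the accounts database is ever consulted.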