Saturday, December 09, 2006

Federated Identity and Federated Authorization

I guess James McGovern got his wish via his multi-posted this comment across a number of blogs (Paul, Pat and Eve's in addition to mine):

Does Federated Identity sometimes require Federated Authorization? Would be a great topic for your next blog entry...

At first I had thought I was the only such person (that I was special in some way) and I had started working on an article around this subject, but alas that wasn't the case - this was just a SPAM comment sent out in a shotgun approach probably to even more people than I mentioned above. However, it did raise an interesting question.

Pat first responded with a nice summary of two models for authorization.

Paul later responded with a nice article talking about the P*P entities (although I had thought it was XACML that had popularized the P*P, not SAML).

While I like both of their answers and don't disagree with their content, neither of them explicitly answered the question (I think they did implicitly, but not explicitly).

So, I'll jump in there and say that the short answer to the question posed is "No". Federated identity never requires Federated Authorization. A resource owner may require remote policy decisions (which is what I would call federated authorization and fits into Pat's 2nd model) or they may simply require federated attributes (sometimes just an identity handle for the user). It's all an implementation decision for the owner of the resource that's being accessed.

That said, I would say that the reverse is true: Federated authorization does require some level of federated identity (the authorization statement is a piece of identity that is passing across to the relying party).

Tags : / / / /

1 comment:

James McGovern said...