Web Services Contraptions - Federated Authorization?

Tuesday, December 12, 2006

James McGovern asks whether federated identity might require (at least sometimes) federated authorization. I think this is a pretty good question and one that is not easy to answer. My initial take on this would be that federated identity should not require federated authorization, assuming that I understand correctly what federated authorization really is.

For simplicity's sake, let identity be just a bag full of attributes (e.g. e-mail address, names, phone number, etc.). An indentity provider is then nothing more than a service that asserts that certain attributes have a particular value for a given digital identity. A relying party (i.e. a service provider like e.g. AmazingBookStore) can choose to trust such an assertion - either in full, or just certain parts of it. At the end of the day, the relying party will have to determine the level of access based on the type of assertion and the content of the "attribute bag". As such, in this case authorization is local.

If authorization is to be delegated to another point (as in e.g. the XACML model), the relying party forwards it to a policy decision point, where the contained attribute information and additional attributes the PDP might obtain are evaluated according to a set of policies.

Now what is federated authorization? If I understand it correctly, it would be a scenario where you trust access level decisions to your resources to a third party (e.g. you would let YahaPortals.COM decide whether or not a user can get access to data you own). I am tempted to say that the risk that YahaPortals has about a false negative or false positive decision is quite substantial, particularly in our age of increased liability.

While there might be some use cases that do (or will) require such a model, I would argue that XACML provides a pretty substantial technology base for a federated authorization system, should the need arise. Some additional elements for such a system (e.g. trust establishment, crypto, etc.) could be either profiled or application specific.

UPDATE: As usual (at least in the last couple of weeks), I am quite behind things. James apparendly commented on quite a few blogs (hmm, was that related to IIW tagging ... noooo, can't be) and got some pretty substantial answers from Pat, Conor, and Paul.

Identity | Interoperability

Tuesday, December 12, 2006 2:37:31 PM (Eastern Standard Time, UTC-05:00)

Comments [3] |

Messages

Calendar

December 2006

Sun

Mon

Tue

Wed

Thu

Fri

Sat

Email Subscription

Blogroll

Constantin Gonzalez' Weblog

Adventures of an Eternal Optimist

Anyway

Conor's Web Log of Esoterica

del.icio.us/beuchelt

Don Box's Spoutlet

Enterprise Architecture: Thought Leadership

Harold Carr's Blog

Identity for All - On bits and bytes

James Gosling: on the Java Road

Jamie Lewis - CEO and Research Chair

Johannes Ernst's Blog

Kim Cameron's Identity Weblog

Kirill's notes

Links

Marc Hadley's Blog

meta-douglasp

Mike Jones: self-issued

Nicholas Allen's Indigo Blog

ongoing

Phil Windley's Technometria

Pushing String

Robin Wilton's esoterica

TechEd Iron Architect Contest

The Aquarium

Web Services Contraptions

xmldap

Links

Technorati Profile

On this page

Federated Authorization?

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

In addition, my opinions can change. This weblog provides a momentary snapshot of such opinions. Existing posts that were written in the past do not necessarily reflect my current thoughts and opinions.

For the purposes of attribution, the author is "Gerald Beuchelt" and attribution shall provide a (clickable, where possible) URL to this site.

E-mail