Cloud Computing Design Model (9) -- identity Federation

Source: Internet
Author: User
Tags: cloud hosting

Authentication is delegated to an external identity provider. This pattern simplifies development, minimizes the requirement for user administration, and improves the user experience of the application.

Background and Problems

Users usually need to work with multiple applications that are provided and hosted by different organizations with which they have a business relationship. However, these users may be forced to use specific (and different) credentials for each one. This can:
• Degrade the user experience. Users often forget their logon credentials, especially when they have many different ones.
• Expose security vulnerabilities. When a user leaves the company, the account must be deprovisioned immediately. It is easy to overlook this in large organizations.
• Complicate user management. Administrators must manage credentials for all users and perform additional tasks such as handling password reminders.

Instead, users usually expect to be able to use the same credentials for all of these applications.


Implement an authentication mechanism that can use federated identity. Separating user authentication from the application code and delegating it to a trusted identity provider can greatly simplify development and allow users to authenticate with a wider range of identity providers (IdPs), while minimizing the administrative overhead of authentication. It also allows you to clearly separate authentication from authorization.

Trusted identity providers may include corporate directories, on-premises federation services, other security token services (STSs) provided by business partners, or social identity providers that can authenticate users who have, for example, Microsoft, Google, Yahoo, or Facebook accounts.

Figure 1 shows the federated identity pattern when a client application needs to access a service that requires authentication. Authentication is performed by an identity provider (IdP), which works in concert with a security token service (STS). The IdP issues security tokens that carry information about the authenticated user. This information, called claims, includes the user's identity and may include other information such as role membership and more granular access rights.



Figure 1-Overview of identity Federation

This model is often called claims-based access control. Applications and services authorize access to features and functionality based on the claims contained in the token. The service that requires authentication must trust the IdP. The client application contacts the IdP, which performs the authentication. If authentication succeeds, the IdP returns a token containing the claims that identify the user to the STS (note that the IdP and STS can be the same service). The STS can transform and augment the claims in the token according to predefined rules before returning it to the client. The client application can then pass the token to the service as proof of its identity.


In some cases there may be additional STSs in the chain of trust. For example, in the Microsoft Azure scenario described later, an on-premises STS trusts another STS that is responsible for contacting an identity provider to authenticate the user. This approach is common in enterprise scenarios where there is an on-premises STS and directory.

Federated identity provides a standards-based solution to the problem of trusting identities across diverse domains, and can support single sign-on. It is becoming more common across all types of applications, especially cloud-hosted applications, because it supports single sign-on without requiring a direct network connection to the identity providers. The user does not have to enter credentials for every application. This increases security because it prevents the proliferation of credentials required to access many different applications, and it also hides the user's credentials from everyone except the original identity provider. Applications see only the authenticated identity information contained in the token.

Federated identity also has the major advantage that management of the identity and credentials is the responsibility of the identity provider. The application or service does not need to provide identity management features. In addition, in corporate scenarios, the corporate directory does not need to know about the user (provided it trusts the identity provider), which removes all the administrative overhead of managing that user's identity within the directory.

Issues and Considerations

Consider the following points when designing applications that implement federated authentication:
• Authentication can be a single point of failure. If you deploy your application to multiple datacenters, consider deploying your identity management mechanism to the same datacenters to maintain application reliability and availability.
• Authorization mechanism. Authentication tools should provide features to configure access control based on role claims contained in the authentication token. This is often referred to as role-based access control (RBAC), and it can enable a more granular level of control over access to features and resources.
• Unlike a corporate directory, claims-based authentication using social identity providers typically does not provide information about the authenticated user other than an email address, and perhaps a name. Some social identity providers, such as a Microsoft account, provide only a unique identifier. The application usually needs to maintain some information about registered users and be able to match this information to the identifier contained in the claims in the token. Typically this is done through a registration process when the user first accesses the application, and the information is then injected into the token as additional claims after each authentication.
• If there is more than one identity provider configured for the STS, it must detect which identity provider the user should be redirected to for authentication. This process is called home realm discovery. The STS may be able to do this automatically based on an email address or user name that the user provides, a subdomain of the application that the user is accessing, the user's IP address range, or the contents of a cookie stored in the user's browser. For example, if the user enters an email address in a Microsoft domain, such as [email protected], the STS redirects the user to the Microsoft account sign-in page. On later visits, the STS can use a cookie to indicate that the last sign-in used a Microsoft account. If automatic discovery cannot determine the home realm, the STS displays a home realm discovery (HRD) page that lists the trusted identity providers, and the user must select the one they want to use.
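The home realm discovery logic described above, as an added example that is not part of the original article: an STS configured with several identity providers picks one from the cookie, email domain, application subdomain or client IP range, and falls back to the HRD page. The provider names, domains, subdomain and IP range are constructed for illustration.

```python
# Added example (not from the original article): home realm discovery (HRD) for an
# STS that trusts several identity providers. All provider names and hints below are
# constructed sample configuration.
import ipaddress
from typing import Dict, List, Optional

# Hypothetical trusted identity providers and the hints that map users to them.
PROVIDERS = {
    "microsoft-account": {"email_domains": {"live.com", "outlook.com"}},
    "contoso-adfs": {"email_domains": {"contoso.example"},
                     "subdomains": {"contoso"},
                     "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")]},  # documentation range
    "google": {"email_domains": {"gmail.com"}},
}

def discover_home_realm(email: Optional[str] = None, app_host: Optional[str] = None,
                        client_ip: Optional[str] = None,
                        cookies: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the provider to redirect the user to, or None if the HRD page must be shown."""
    # 1. A cookie from a previous sign-in is the strongest hint, but the cookie is
    #    client-controlled, so only honour values naming a currently trusted provider.
    remembered = (cookies or {}).get("hrd_provider")
    if remembered in PROVIDERS:
        return remembered
    # 2. Email address: match the domain part against each provider's domains.
    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].lower()
        for name, cfg in PROVIDERS.items():
            if domain in cfg.get("email_domains", set()):
                return name
    # 3. Application subdomain, e.g. contoso.app.example -> tenant "contoso".
    if app_host:
        sub = app_host.split(".", 1)[0].lower()
        for name, cfg in PROVIDERS.items():
            if sub in cfg.get("subdomains", set()):
                return name
    # 4. Client IP address range, e.g. requests arriving from the corporate network.
    if client_ip:
        addr = ipaddress.ip_address(client_ip)
        for name, cfg in PROVIDERS.items():
            if any(addr in net for net in cfg.get("ip_ranges", [])):
                return name
    return None  # automatic discovery failed: present the HRD selection page

def hrd_page_choices() -> List[str]:
    """Trusted providers to list on the HRD page when discovery is inconclusive."""
    return sorted(PROVIDERS)
```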

When to Use This Pattern

This pattern is useful for scenarios such as:
• Single sign-on in the enterprise. In this scenario you need to authenticate employees for corporate applications that are hosted in the cloud outside the corporate security boundary, without requiring them to sign in every time they visit an application. The user experience is the same as when using on-premises applications: users are authenticated when they sign in to the corporate network, and from then on have access to all relevant applications without needing to sign in again.
• Federated identity with multiple partners. In this scenario you need to authenticate both corporate employees and business partners who do not have accounts in the corporate directory. This is common in business-to-business (B2B) applications, in applications that integrate with third-party services, and where companies with different IT systems have merged or share resources.
• Federated identity in SaaS applications. In this scenario an independent software vendor (ISV) provides a ready-to-use service for multiple clients or tenants. Each tenant will want to authenticate using a suitable identity provider. For example, business users will want to use their corporate credentials, while the tenant's consumers and customers will want to use their social identity credentials.

This pattern may not be suitable in the following situations:
• All users of the application can be authenticated by one identity provider, and there is no requirement to authenticate using any other identity provider. This is typical of business applications that use only a corporate directory for authentication, where the directory is accessible to the application directly, or (in the case of cloud hosting) through a virtual network connection between the on-premises directory and the application.
• The application was originally built using a different authentication mechanism, perhaps with custom user stores, or does not have the capability to handle the negotiation standards used by claims-based technologies. Retrofitting claims-based authentication and access control into existing applications can be complex, and probably not cost effective.


A multi-tenant software as a service (SaaS) application is hosted in Azure. The application includes a website that tenants can use to manage the application for their own users. The application allows tenants to access the tenant's website by using a federated identity that is generated by Active Directory Federation Services (ADFS) when a user is authenticated by the organization's own Active Directory. Figure 2 shows an overview of this process.


Figure 2 - How users in a large enterprise tenant access the application

In the scenario shown in Figure 2, tenants authenticate with their own identity provider (step 1), in this case ADFS. After successfully authenticating a tenant, ADFS issues a token. The client browser forwards this token to the SaaS application's federation provider, which trusts tokens issued by the tenant's ADFS, in order to obtain a token that is valid for the SaaS federation provider (step 2). If necessary, the SaaS federation provider transforms the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser. The application trusts tokens issued by the SaaS federation provider and uses the claims in the token to apply its authorization rules (step 4).
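Steps 3 and 4 of this scenario, and the STS claim transformation described earlier in the overview of the pattern, as an added example that is not code from the original article: a federation provider accepts a token only from a trusted tenant IdP and re-issues application-specific claims, and the application authorizes by role claims. Issuer names, group-to-role rules and the sample tenant token are constructed; tokens are plain dicts and signature verification is omitted.

```python
# Added example (not from the original article): claims transformation at a SaaS
# federation provider (step 3) and claims-based authorization in the application
# (step 4). Real deployments use signed SAML/JWT tokens; signature checks are omitted.
from typing import Dict, List

# Constructed sample: claims as issued by a tenant's own IdP (e.g. its ADFS).
TENANT_TOKEN = {
    "issuer": "https://idp.tenant-a.example/adfs",   # hypothetical tenant issuer
    "upn": "alice@tenant-a.example",
    "groups": ["Domain Users", "App-Admins"],
}

# Hypothetical predefined rules held by the federation provider: which tenant
# issuers it trusts, and how each tenant's groups map to application roles.
TRUSTED_ISSUERS = {"https://idp.tenant-a.example/adfs": "tenant-a"}
ROLE_RULES = {"tenant-a": {"App-Admins": "admin", "Domain Users": "user"}}
FP_ISSUER = "https://fp.saas.example"  # hypothetical federation provider name

def transform_claims(incoming: Dict) -> Dict:
    """Federation provider: accept a token only from a trusted tenant IdP, then
    re-issue claims the application understands (tenant id plus application roles)."""
    tenant = TRUSTED_ISSUERS.get(incoming.get("issuer"))
    if tenant is None:
        raise PermissionError("token issuer is not a trusted identity provider")
    rules = ROLE_RULES.get(tenant, {})
    roles: List[str] = sorted({rules[g] for g in incoming.get("groups", []) if g in rules})
    # Tenant-internal claims (raw group names) are dropped; the app only sees roles.
    return {"issuer": FP_ISSUER, "sub": incoming["upn"], "tenant": tenant, "roles": roles}

# Application-side authorization rules: the role each action requires (RBAC).
REQUIRED_ROLE = {"view_report": "user", "manage_users": "admin"}

def authorize(app_token: Dict, action: str) -> bool:
    """Application: trust only tokens from the federation provider, then decide by role claim."""
    if app_token.get("issuer") != FP_ISSUER:
        return False  # e.g. a raw tenant ADFS token presented directly is rejected
    return REQUIRED_ROLE.get(action) in app_token.get("roles", [])
```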

Tenants no longer need to remember separate credentials to access the application, and an administrator at the tenant's company can configure the list of users who can access the application in its own ADFS.

