Federated Identity flourishing


Federating to mobility


Synovus Bank, with 30 banks on the East Coast, didn't want to manage the identities of its approximately 100,000 commercial and 200,000 home-based customers. It also wanted its identity management to occur outside its firewall. So Synovus recently started using Crosscheck Network's Forum Sentry XML Gateway service between these users and their applications.

“Users and their sessions authenticate on the Forum structure, their SAML assertions are signed by Forum, and Forum also issues their secure tokens,” says Santosh Kokate, lead technical analyst with Synovus. “The beauty is I have online banking sitting safely behind the identity gateway and the identities and authentication are established there. I don't have to manage those identities or write a single line of code to make federation happen.”

Synovus also supports authentication for mobile users through REST (Representational State Transfer), which supports HTTPS-based assertions for what Kokate estimates are 8000 mobile banking customers at this point (and more planned in the future). Because Synovus' intermediary, Crosscheck, supports these and other standards, Synovus can adapt to different types of identity federation requirements as needed.

In “Architecting a Cloud-Scale Identity Fabric,” a report to IEEE, the world's largest professional association dedicated to advancing technological innovation, Eric Olden, CEO and chairman of Symplified, discussed two additional standards needed to extend SAML for more granular provisioning (through Service Provisioning Markup Language or SPML), and user authorisation and access management (through Extensible Access Control Markup Language or XACML).

“Here's a news flash for you: Federated Identity 1.0 is dead,” Olden says during a follow-up interview with SC Magazine. “Long live Federated 2.0 to support SSO, multifactor authentication and identity management in an increasingly mobile user base – all essentially accessing through the cloud.”

There are even more standards supporting federation at the 2.0 level, say experts. One in particular is Open Authentication (OAuth) 2.0, which is flexible and lightweight, and can be used when SAML is not available by taking assertions over HTTPS. As such, OAuth, along with OpenID, another standard, facilitates access by mobile devices through unique forms of authentication, such as using SMS to issue secondary authentication tokens, or using the phone itself as an identifier.

To make access painless for its nearly six million end-users and 60,000 businesses, the cloud content management platform at Box, a Palo Alto, Calif.-based online content management and file storage business, needs to enable sharing and collaboration from anywhere on any device, while also providing the security, visibility and reporting capabilities required by IT departments. The only way to meet those needs is to support all popular federation standards, says Tomas Barreto, engineering manager at Box.

“Our customers are going to need SSO for all of their applications internally, and for all their clouds – not just our Box cloud,” Barreto says. “To enable SSO use with multiple clouds, we need to support multiple standards, including legacy SSO standards, current SAML standards and new standards as required.”

Copyright © SC Magazine, US edition