Identity is the most basic element in a high-value relationship with customers, employees, citizens, or business partners. It has to be managed with great care to proactively fight fraud and identity theft. In the online world, many services require a principal, such as a human operator or a computer entity (e.g., a web service client), to supply some credentials (e.g., a principal name and password) in order to be identified. As the principal navigates from site to site, this process repeats itself over and over, forcing the principal to re-submit its credentials. Even within a single corporation, if the principal is navigating from one department's website to another department's website, the principal may be required to re-supply its credentials frequently.
In any client/server relationship, single sign-on (SSO) is an authentication process that permits a principal to supply credentials only once in order to access multiple applications or resources. SSO, which is requested when the principal initially requests access to an application, authenticates the principal and/or authorizes the principal to access multiple applications to which the principal is entitled, and eliminates future authentication prompts when the principal switches applications during that particular session, unless stronger or different credential-checking is required.
The Liberty Alliance Project (a trademark of Sun Microsystems, Inc., a Mountain View, Calif. company), co-founded by Sun Microsystems, Inc., is a set of protocols and guidelines for an SSO environment that uses the idea of "federation". Federation is the act of establishing a relationship between two entities (e.g., a relationship between a Service Provider and an Identity Provider). This relationship may be a business relationship, such as a contract, or an operational agreement, or some other type of trust relationship that forms the basis for SSO to exist in the first place. The Liberty Alliance Project uses federation to implement scalable, efficient, user-friendly cross-domain identity management on a network.
A circle of trust is a group of service providers and at least one identity provider that have a trust relationship and with which principals can transact business in a secure and apparently seamless manner. Service providers and identity providers within a circle of trust may implement one of a variety of architectures for federation, including Liberty, developed in part by Sun Microsystems, Inc., or WS-Federation, developed in part by the Microsoft Corporation. In general, circles of trust implemented with different architectures for federation are not compatible. Therefore, a principal identified in a particular circle of trust may not have its identity information shared with another circle of trust if the two circles of trust are implemented using different federation architectures. Thus, if the principal attempts to request a service from a service provider that is not in the circle of trust in which the principal has been identified, the principal may need to re-supply credentials in order to be identified in the new circle of trust. Identity information may include proof of the principal's identity, profile attributes associated with the principal, and access rights.
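The following is an added model, not part of the original text, of the SSO decision described above: a principal identified once in a circle of trust keeps its session across that circle's service providers, is re-prompted only when a provider demands stronger credentials, and must re-supply credentials when the target provider sits in a circle built on an incompatible federation architecture. It assumes, as a simplification, that circles sharing the same architecture can exchange identity information; the circle names, provider names, and assurance levels are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Federation(Enum):
    LIBERTY = "Liberty"
    WS_FEDERATION = "WS-Federation"

class Decision(Enum):
    SSO = "access without a new credential prompt"
    REAUTH_STRONGER = "re-authenticate with stronger credentials"
    RESUPPLY_NEW_CIRCLE = "re-supply credentials in the new circle of trust"

@dataclass(frozen=True)
class ServiceProvider:
    name: str
    required_level: int = 1  # assumed assurance scale: 1 = password, 2 = stronger check

@dataclass(frozen=True)
class CircleOfTrust:
    name: str
    federation: Federation
    identity_provider: str
    service_providers: frozenset

@dataclass(frozen=True)
class Session:
    principal: str
    circle: str       # circle in which the principal was identified at sign-on
    auth_level: int   # strength of the credentials supplied at sign-on

def circle_of(sp: ServiceProvider, circles: dict) -> CircleOfTrust | None:
    return next((c for c in circles.values() if sp.name in c.service_providers), None)

def sso_decision(session: Session, sp: ServiceProvider, circles: dict) -> Decision:
    home = circles[session.circle]
    target = circle_of(sp, circles)
    # No known circle, or a circle on a different federation architecture:
    # identity information cannot be shared, so credentials must be re-supplied.
    if target is None or (target.name != home.name and target.federation != home.federation):
        return Decision.RESUPPLY_NEW_CIRCLE
    # Same or compatible circle: SSO holds unless stronger checking is required.
    if sp.required_level > session.auth_level:
        return Decision.REAUTH_STRONGER
    return Decision.SSO

# Constructed sample deployment (hypothetical names, not from the original text).
CIRCLES = {
    "retail": CircleOfTrust("retail", Federation.LIBERTY, "idp.retail.example", frozenset({"shop", "bank"})),
    "travel": CircleOfTrust("travel", Federation.LIBERTY, "idp.travel.example", frozenset({"airline"})),
    "corp": CircleOfTrust("corp", Federation.WS_FEDERATION, "sts.corp.example", frozenset({"payroll"})),
}
SESSION = Session("alice", "retail", auth_level=1)
```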