
Based on the actual services provided by SURFnet, I would like to discuss the practical benefits and implications of federated identity for enterprises and provide some pointers for implementing federation successfully.
SURFnet’s mission is to facilitate groundbreaking education and research in The Netherlands through innovative computer network services. They combine the demand of around 160 institutions connected to SURFnet and in doing so create advantages of scale, innovation and collaboration from which all institutions can benefit. SURFnet network services comprise five focus areas: network infrastructure, security, authentication and authorisation, group communication and multimedia distribution. SURFnet can be compared to other national education and research networks like SWITCH in Switzerland, JISC in the UK and DFN in Germany. Connected institutions are universities, academic and teaching hospitals, institutes for higher professional education, research institutes, corporate R&D departments, scientific libraries and other organisations funded by the Ministry of Education, Culture and Sciences.
Increasingly, the users at SURFnet's connected institutions have been using each other's services as well as SURFnet's own. For example, students from one university make use of a digital learning environment at another university or want to search an external scientific library. In the past, an institution that provided such a service had to register these students individually and give each of them a user ID and password. The same applied to the services SURFnet itself provides, like SURFspot, which allows academic users to buy commercial software at a reduced price and therefore needed to register all eligible users. Registering external users this way poses practical and even legal and privacy issues. There was, for example, no way for SURFnet to know when a student graduated or when an employee left an institution. How could SURFnet guarantee that the registered users were still entitled to download the software at a reduced fee? The same issue arises with commercial scientific repositories like ScienceDirect (Elsevier), SAGE and EBSCO. Many universities buy a subscription to these repositories for all their students and employees, but it is not feasible for ScienceDirect to store and maintain all of these accounts.
As part of the authentication and authorisation focus area, SURFnet has been working on this problem for over a decade. A national student chipcard project started in 1996, but could not provide this functionality. In 2001 SURFnet started developing a national authentication project, leading to the SURFfederation in 2007. The SURFfederation is a service that offers all connected institutions access to federated identities and allows their services to be accessed by these same identities. In order to support open federation standards and straightforward connections to the SURFfederation, SURFnet chose PingFederate from Ping Identity as the most suitable product. Before we go into more detail on what SURFnet accomplished with the SURFfederation and PingFederate, we first need some more background information on what federated identity actually is.
What is federated identity?
Federated identity is “a collective term describing agreements, standards, and technologies that make identity and entitlements portable across autonomous domains”, according to The Burton Group.
In simple terms, this means that organisations whose users need both secure and convenient access to the same data can set up a "federation". Identity federation standards identify two operational roles in a transaction: the identity provider (IdP) and the service provider (SP).
An IdP, for example, might be an enterprise that manages accounts for a large number of users who need secure Internet access to the web-based applications or services of customers, suppliers and business partners. In a federation scenario the IdP is the service or organisation responsible for authenticating a user's identity, both for locally integrated services and for services owned and controlled by external parties. Based on this role, the IdP is entitled to issue statements (usually called assertions) about who the user is (identity), in which context the authentication took place (authentication), what the user is allowed to do (authorisation) and what else is known about the user (attributes, for personalisation). A bank portal that holds identity data on its users and authenticates them on behalf of a service offered by one of its insurance partners is an example of an IdP; the insurance partners are the SPs in that relationship. An SP might be a Software-as-a-Service (SaaS) or business-process outsourcing (BPO) vendor wanting to simplify client access to its services. An SP is a specific service offered to users that relies on an identity provider to perform authentication, authorisation (or to supply the attributes on which authorisation is based) and attribute retrieval on its behalf.
Identity federation allows the two parties to define a trust relationship whereby the SP grants access to users from the IdP. This trust relationship is critical to the setup and success of a federation: the SP has to trust the IdP to authenticate the user properly, and possibly even to authorise the user for specific services at the SP. In practice the SP enforces that trust technically by accepting assertions only from issuers it has registered, and by verifying each assertion's signature, intended audience and validity period before acting on it.
Now, let's return to SURFnet's SURFfederation and see how they used federation to solve the problems of their connected institutions. First of all, towards all connected institutions that deliver services to others, SURFnet plays the role of IdP. Second, towards all institutions offering identities to the SURFfederation, SURFnet plays the role of SP. This way, SURFnet acts as a hub in the middle of all federation communication, which has a number of advantages. For example, each SP and IdP only needs to connect to SURFnet, not to each other. This drastically reduces the number of federation connections an SP or IdP needs to support. Furthermore, single sign-on between all connected services is achieved; a user's login session can be re-used by each service without asking for credentials again. Also, in SURFnet's diverse environment, not every SP and IdP supports the same federation protocol or version. The SURFfederation translates between these protocols, such as SAML 2.0 and WS-Federation. The flip side of this design is that the hub becomes the single point of trust: an SP accepts assertions signed by the hub and relies on the hub to have validated the originating IdP's assertion, so the hub's signing keys and its own validation logic deserve the same protection an IdP's would.
With PingFederate from Ping Identity as the selected product, it was easy to implement the SURFfederation based on open standards. With only a few modifications SURFnet was able to configure PingFederate as the central hub, and the out-of-the-box support for a range of protocols made protocol translation straightforward. The other functionality, like single login, single logout and attribute exchange, is all a standard part of PingFederate. Since the SURFfederation was launched at the end of 2007, it has been a recognised example of a successful federation. By the end of 2008, 40 higher education institutions, research institutions, academic hospitals and service providers were connected, representing approximately 300,000 users. The forecast for 2009 is that 80 higher education and research institutions will be connected, including all Dutch universities. The success of the SURFfederation was reiterated when, on October 8, 2008 in Madrid, SURFnet and Everett (as the systems integrator) jointly received ISSE's Excellence Award 2008, specifically for the SURFfederation.
Federation in an enterprise context
The concept of federation is not limited to an educational context like the one SURFnet operates in, but is valid for any enterprise. The case for federation has been formulated by the Gartner Group as follows: "If the enterprise is managing access to its internal systems by a large number of external users – and if they belong to another organization or regularly authenticate to a third party – a strong case can be made for federation". In today's business world, enabling integrated access to services across business domains for clients, suppliers and partners has increasingly become a critical factor for success. The adoption of federated identity is the key to establishing a cost-effective, security- and privacy-aware solution for integrated services in the supply chain. Today, most organisations have implemented - or are currently working on the deployment of - internally focused identity and access management solutions. These solutions may vary from streamlining account provisioning processes up to centrally governed access control to (web-based) applications for employees. As these solutions are internally focused, organisations hold their own user data and manage the access their users are entitled to. Once access to services across business domains comes into play, this internal identity approach must be opened up to external parties for an integrated service offering. Federated identity provides the means to step up from this local identity approach. It does so by introducing concepts and solutions that simplify transporting identity-related information across organisational boundaries while addressing management, security and privacy concerns. In addition, federation can also be used between different departments of the same enterprise.
As a service provider, federation makes it possible to extend the reach of your services to clients, suppliers or partners without the need to store and manage all the user identities that need access. Specific authentication methods required by suppliers or partners, like hardware tokens, certificates or SMS authentication, do not need to be supported, as authentication is handled by the identity providers. Furthermore, offering services using identity federation relieves your enterprise not only of the associated extra costs, but also of the added risk and the possible privacy and legal issues that storing credentials of customers or business partners can bring.
On the other hand, employees in your enterprise typically need to use ICT systems offered by suppliers or partners. Employees performing their daily tasks used to have numerous accounts and passwords at all kinds of different business partners, resulting in administrative overhead and delays in obtaining access to external services. This could be avoided by providing these partners with your organisation's employee credentials, but that is an even less desirable method for a number of obvious reasons. Setting up a federation and assuming the role of an identity provider solves these issues by allowing single sign-on for your employees to all connected external ICT systems, with their credentials safely stored at your organisation. Federation means your partners never need to know your users' passwords or user IDs.
To summarise, enterprises benefit from federated identity when doing business across organisational boundaries, providing services quickly, securely and cost-efficiently to clients, suppliers and partners.
How to implement federation successfully
Define business drivers and possible use cases. Does federation help you with user convenience or cost reduction, or does it enable you to develop new business opportunities or applications? Defining use cases will help you to define functional requirements.
Investigate laws and regulations that govern your industry or organisation. These could have an impact on your federation setup. For example, is providing employee identity information to your partners acceptable within the privacy laws and regulations?
Look for existing initiatives. Federation has become more accepted over recent years and it is very possible that your industry already has some coordinated effort for federation between industry members.
Define trust relationships with your federation partners. Look closely at your business partners' capabilities and assurances; these can differ depending on whether your partner is a customer or a supplier. This relationship is usually captured in a contract.
Define or evaluate your existing security policy. What information is exposed in the federation, and what are the necessary associated security measures? What authentication level is needed: is username/password sufficient, or is a token required?
Use open standards. Interoperability is especially important in federation, and using open standards will enable communication between different parties. Currently, SAML 2.0 is the open federation standard the industry is converging on.
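The hub-and-spoke arrangement described for the SURFfederation, and the trust, security-policy and authentication-level points in the steps above, come down to a fixed set of checks a relying party makes on every assertion. The following is an added example written for this page; it is not code from SURFnet, Ping Identity or PingFederate. To stay self-contained it uses JSON assertions signed with HMAC-SHA256 shared secrets in place of SAML 2.0 XML assertions signed with the issuer's X.509 key, and the names (hub.example, idp.uni-a.example, library.example, shop.example), the authentication labels in AUTHN_LEVEL and the sample student record are all constructed for the illustration. The hub validates the home IdP's assertion as an SP would, then re-issues it as an IdP under its own key for one audience, releasing only the attributes that service is entitled to; the SP holds only the hub's key and still rejects a token presented directly by the IdP, a token replayed at another SP, an expired token, a tampered token and a password login where the service demands a token.

```python
"""Hub-and-spoke federation reduced to its trust checks. Illustrative only: JSON
assertions under HMAC-SHA256 stand in for signed SAML 2.0 XML assertions."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Reported authentication strength, weakest first (hypothetical labels).
AUTHN_LEVEL = {"password": 1, "sms": 2, "token": 3}

class FederationError(Exception):
    """Raised when an assertion must not be trusted."""

def sign(assertion, key):
    """Token = base64url(canonical JSON) + '.' + hex HMAC over that JSON."""
    body = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac

def issue(issuer, key, subject, audience, authn, attributes, now, ttl=300):
    """IdP side: assert one subject to exactly one audience for ttl seconds."""
    assertion = {"issuer": issuer, "subject": subject, "audience": audience,
                 "authn": authn, "attributes": attributes,
                 "not_on_or_after": (now + timedelta(seconds=ttl)).isoformat()}
    return sign(assertion, key)

def verify(token, trusted_keys, audience, now, min_level="password"):
    """Relying-party side: every check that must pass before the subject is trusted."""
    try:
        body_b64, mac = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        assertion = json.loads(body)
        expiry = datetime.fromisoformat(assertion["not_on_or_after"])
    except (ValueError, KeyError, TypeError) as exc:
        raise FederationError("malformed token") from exc
    key = trusted_keys.get(assertion.get("issuer"))
    if key is None:                                     # issuer not in our metadata
        raise FederationError("untrusted issuer")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), mac):
        raise FederationError("bad signature")
    if assertion.get("audience") != audience:           # blocks replay at another SP
        raise FederationError("wrong audience")
    if expiry <= now:
        raise FederationError("expired")
    if AUTHN_LEVEL.get(assertion.get("authn"), 0) < AUTHN_LEVEL[min_level]:
        raise FederationError("authentication too weak")
    return assertion

def translate(hub_name, hub_key, idp_keys, release_policy, idp_token, sp, now):
    """Hub side: SP towards the IdPs, IdP towards the SPs. Validate the home
    IdP's assertion and re-issue it under the hub's key for one SP, releasing
    only the attributes that SP is entitled to (release_policy: sp -> names)."""
    if sp not in release_policy:
        raise FederationError("unknown service provider")
    home = verify(idp_token, idp_keys, audience=hub_name, now=now)
    attrs = {k: v for k, v in home["attributes"].items() if k in release_policy[sp]}
    reissued = {"issuer": hub_name, "subject": home["subject"], "audience": sp,
                "authn": home["authn"], "home_idp": home["issuer"],
                "not_on_or_after": home["not_on_or_after"], "attributes": attrs}
    return sign(reissued, hub_key)

def demo():
    """One student login through IdP -> hub -> SP, plus the cases that must fail."""
    now = datetime(2008, 10, 8, 12, 0, tzinfo=timezone.utc)
    idp, hub = "idp.uni-a.example", "hub.example"             # hypothetical names
    idp_key, hub_key = b"uni-a-signing-secret", b"hub-signing-secret"
    policy = {"library.example": {"affiliation"}, "shop.example": {"affiliation", "mail"}}
    # Constructed sample: a student authenticated by password at the home IdP.
    idp_token = issue(idp, idp_key, "s1234567", hub, "password",
                      {"affiliation": "student", "mail": "s1234567@uni-a.example",
                       "date_of_birth": "1990-01-01"}, now)
    lib_token = translate(hub, hub_key, {idp: idp_key}, policy, idp_token, "library.example", now)
    sp_keys = {hub: hub_key}                        # the SP holds only the hub's key
    lib_view = verify(lib_token, sp_keys, "library.example", now)

    def rejected(**kw):                             # reason verify() refused, if any
        try:
            verify(**kw)
        except FederationError as exc:
            return str(exc)

    base = dict(trusted_keys=sp_keys, audience="library.example", now=now)
    flipped = lib_token[:-1] + ("1" if lib_token[-1] == "0" else "0")
    return {
        "library_sees": lib_view["attributes"],     # mail and date_of_birth withheld
        "home_idp": lib_view["home_idp"],
        "idp_token_sent_straight_to_sp": rejected(token=idp_token, **base),
        "replayed_at_other_sp": rejected(token=lib_token, **{**base, "audience": "shop.example"}),
        "ten_minutes_later": rejected(token=lib_token, **{**base, "now": now + timedelta(minutes=10)}),
        "service_needs_token": rejected(token=lib_token, min_level="token", **base),
        "tampered_signature": rejected(token=flipped, **base),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:30} {result}")
```

Running the module prints the attribute set the library receives and the refusal reason for each failure case. Two design points carry over to a real SAML deployment: the signature is checked over the exact bytes that were signed rather than over a re-serialised copy, and the audience and validity checks are not optional extras but what stops an assertion issued for one service from being presented at another or long after the login took place.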
Ping Identity is the market leader in federated identity management, delivering secure Internet Single Sign-On (SSO) software and services to more than 300 enterprise customers, government agencies and service providers worldwide. Ping Identity provides secure access to Internet applications through a single login to give organizations easy and rapidly deployed on-premise or on-demand Internet SSO. Visit www.pingidentity.com for additional information.
Everett is an international consulting firm, systems integrator and solution support services provider, specialized in Identity & Access Management and Portal solutions – domains of expertise that are subject to major new developments on a continuous basis. Everett delivers its services to more than 150 enterprise customers, government agencies and educational institutions within the EMEA region and is located in the Netherlands, the United Kingdom, Italy and India. Visit www.everett.nl for more information.