Implementation of Identity Federation for SAML 2.0
This blog describes the enhanced SAML 2.0 features for identity federation. It also links to a Wiki page that describes how to configure these features; the Wiki walks through example scenarios that show where the new features apply.
Identity federation provides the means to share identities between partners, which are usually identity providers and service providers. However, to share the identity of a user, these partners must agree on how to identify that user. For that purpose, SAML 2.0 defines the name identifier (name ID) as the means of establishing a common identifier. The features that this blog characterizes relate to the configuration of identity federation for a partner that uses one or more trusted identity providers. Such a partner is usually a service provider.
The enhanced federation allows administrators to configure three types of federation that do not depend on the selected name ID format: Persistent Users, Persistent Users (Advanced), and Virtual Users. It also allows administrators to specify which element of the assertion (the name ID or a named attribute) the system must use for identification and how to map that value to a user in their own system. In addition, administrators can set a filter, prefix and/or suffix to restrict which users are accepted, to use only part of the user ID, or to make the user ID unique across partners.
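To make the identification step concrete, here is an added example (not the product's own code, and not from the linked Wiki) of the service-provider side: it pulls either the NameID or a named attribute out of a constructed assertion, then applies an administrator's filter, suffix and prefix rules before any local lookup. The interpretation of the rules (a regular-expression filter that rejects non-matching users, a suffix that is stripped to keep only part of the ID, a prefix that keeps IDs unique across partners) and the assumption that the assertion's signature has already been verified are mine, not the page's.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the original post). Signature and
# audience/condition checks are assumed to have passed before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@partner.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def identifier_from_assertion(xml_text, source):
    """Return the raw identifier chosen by the administrator: the NameID when
    source == "NameID", otherwise the first value of the attribute named source.
    Returns None when the assertion carries no such element."""
    root = ET.fromstring(xml_text)
    if source == "NameID":
        node = root.find("saml:Subject/saml:NameID", NS)
        return node.text if node is not None else None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == source:
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None


def map_to_local_user(raw_id, filter_re=None, strip_suffix="", add_prefix=""):
    """Apply the filter/suffix/prefix rules; None means the user is rejected."""
    if raw_id is None:
        return None
    # Filter: only identifiers matching the whole pattern are accepted.
    if filter_re and not re.fullmatch(filter_re, raw_id):
        return None
    # Suffix: use only part of the partner's user ID (e.g. drop the domain).
    if strip_suffix and raw_id.endswith(strip_suffix):
        raw_id = raw_id[: -len(strip_suffix)]
    # Prefix: keep the local ID unique when several partners send "alice".
    return add_prefix + raw_id
```

The returned value is what a persistent mapping table or a virtual-user session would then be keyed on; a `None` result should be logged and the login refused rather than falling back to the unfiltered ID.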
I am glad that I already got a comment on this blog. I am looking forward to hearing from many others. Don’t forget to review the linked Wiki page. How do you find the scenarios there? Any feedback is appreciated.