DOCSLIB.ORG

A Guide to Claims-Based Identity and Access Control

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Second Edition A G UIDE TO C LAIMS -B ASED I DENTITY AND A CCESS C ONTROL Authentication and Authorization for Services and the Web Dominick Baier Vittorio Bertocci Keith Brown Scott Densmore Eugenio Pace Matias Woloski • • • • • • • • • • • • • • • • • • • • • • • • • • a guide to claims-based identity and access control a guide to Claims-Based Identity and Access Control second edition Authentication and Authorization for Services and the Web patterns & practices Microsoft Corporation This document is provided “as-is.” Information and views expressed in this document, including URLs and other Internet website references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. ©2011 Microsoft. All rights reserved. Microsoft, Active Directory, MSDN, SharePoint, SQL Server, Visual Studio, Windows, Windows Azure, Windows Live, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are the property of their respective owners. Contents foreword Kim Cameron xvii foreword Stuart Kwan xix foreword Steve Peschka xxi preface Who This Book Is For xxiii Why This Book Is Pertinent Now xxiv A Note about Terminology xxiv How This Book Is Structured xxv About the Technologies xxviii What You Need to Use the Code xxix Application Server xxx ADFS xxx Active Directory xxx Client Computer xxx Who’s Who xxxi acknowledgements xxxiii 1 An Introduction to Claims 1 What Do Claims Provide? 1 Not Every System Needs Claims 2 Claims Simplify Authentication Logic 3 A Familiar Example 3 What Makes a Good Claim? 5 Understanding Issuers 5 ADFS as an Issuer 5 External Issuers 7 User Anonymity 9 Implementing Claims-Based Identity 9 Step 1: Add Logic to Your Applications to Support Claims 9 Step 2: Acquire or Build an Issuer 10 Step 3: Configure Your Application to Trust the Issuer 10 Step 4: Configure the Issuer to Know about the 11 Application A Summary of Benefits 12 Moving On 12 Questions 13 2 Claims-Based Architectures 15 A Closer Look at Claims-Based Architectures 16 Browser-Based Applications 17 Understanding the Sequence of Steps 19 Optimizing Performance 23 Smart Clients 23 SharePoint Applications and SharePoint BCS 25 Federating Identity across Realms 26 The Benefits of Cross-Realm Identity 26 How Federated Identity Works 28 Federated Identity with ACS 29 Understanding the Sequence of Steps 31 Combining ACS and ADFS 32 Identity Transformation 32 Home Realm Discovery 32 Design Considerations for Claims-Based Applications 35 What Makes a Good Claim? 35 How Can You Uniquely Distinguish One User from Another? 36 How Can You Get a List of All Possible Users and All Possible Claims? 36 Where Should Claims Be Issued? 37 What Technologies Do Claims and Tokens Use? 38 Questions 41 3 Claims-based Single Sign-on for the Web and Windows Azure 43 The Premise 43 Goals and Requirements 45 Overview of the Solution 46 Inside the Implementation 49 a-Expense before Claims 49 a-Expense with Claims 52 a-Order before Claims 59 a-Order with Claims 59 Signing out of an Application 60 Setup and Physical Deployment 61 Using a Mock Issuer 61 Isolating Active Directory 62 Handling Single Sign-out in the Mock Issuer 63 Converting to a Production Issuer 63 Enabling Internet Access 64 Variation—Moving to Windows Azure 64 Questions 68 More Information 69 4 Federated Identity for Web Applications 71 The Premise 71 Goals and Requirements 72 Overview of the Solution 72 Benefits and Limitations 77 Inside the Implementation 77 Setup and Physical Deployment 77 Using Mock Issuers for Development and Testing 78 Establishing Trust Relationships 78 Questions 79 More Information 80 5 Federated Identity with Windows Azure Access Control Service 81 The Premise 82 Goals and Requirements 82 Overview of the Solution 83 Example of a Customer with its Own Identity Provider 84 Example of a Customer Using a Social Identity 86 Trust Relationships with Social Identity Providers 88 Description of Mapping Rules in a Federation Provider 89 Alternative Solutions 91 Inside the Implementation 93 Setup and Physical Deployment 94 Establishing a Trust Relationship with ACS 94 Reporting Errors from ACS 95 Initializing ACS 95 Working with Social Identity Providers 96 Managing Users with Social Identities 96 Working with Windows Live IDs 97 Working with Facebook 98 Questions 99 More Information 100 6 Federated Identity with Multiple Partners 101 The Premise 101 Goals and Requirements 102 Overview of the Solution 103 Step 1: Present Credentials to the Identity Provider 104 Step 2: Transmit the Identity Provider’s Security Token to the Federation Provider 104 Step 3: Map the Claims 105 Step 4: Transmit the Mapped Claims and Perform the Requested Action 105 Using Claims in Fabrikam Shipping 107 Inside the Implementation 109 Setup and Physical Deployment 117 Establishing the Trust Relationship 117 Organization Section 118 Issuer Section 118 Certificate Section 118 User-Configurable Claims Transformation Rules 119 Questions 119 7 Federated Identity with Multiple Partners and Windows Azure Access Control Service 123 The Premise 124 Goals and Requirements 125 Overview of the Solution 127 Step 1: Present Credentials to the Identity Provider 128 Step 2: Transmit the Identity Provider’s Security Token to the Federation Provider 129 Step 3: Map the Claims 129 Step 4: Transmit the Mapped Claims and Perform the Requested Action 130 Step 1: Present Credentials to the Identity Provider 131 Step 2: Transmit the Social Identity Provider’s Security Token to ACS 131 Step 3: Map the Claims 132 Step 4: Transmit the Mapped Claims 132 and Perform the Requested Action Enrolling a New Partner Organization 132 Managing Multiple Partners with a Single Identity 133 Managing Users at a Partner Organization 134 Inside the Implementation 135 Getting a List of Identity Providers from ACS 135 Adding a New Identity Provider to ACS 137 Managing Claims-Mapping Rules in ACS 137 Displaying a List of Partner Organizations 138 Authenticating a User of Fabrikam Shipping 139 Authorizing Access to Fabrikam Shipping Data 140 Setup and Physical Deployment 141 Fabrikam Shipping Websites 141 Sample Claims Issuers 142 Initializing ACS 142 Questions 143 More Information 144 8 Claims Enabling Web Services 145 The Premise 145 Goals and Requirements 146 Overview of the Solution 146 Inside the Implementation 148 Implementing the Web Service 148 Implementing the Active Client 150 Implementing the Authorization Strategy 153 Debugging the Application 154 Setup and Physical Deployment 155 Configuring ADFS 2.0 for Web Services 155 Questions 156 9 Securing REST Services 159 The Premise 159 Goals and Requirements 160 Overview of the Solution 160 Inside the Implementation 162 The ACS Configuration 162 Implementing the Web Service 163 Implementing the Active Client 167 Setup and Physical Deployment 172 Configuring ADFS 2.0 for Web Services 172 Configuring ACS 172 Questions 173 More Information 174 10 Accessing Rest Services from a Windows Phone Device 175 The Premise 176 Goals and Requirements 176 Overview of the Solution 177 Passive Federation 177 Active Federation 179 Comparing the Solutions 181 Inside the Implementation 183 Active SAML token handling 183 Web browser control 185 Asynchronous Behavior 187 Setup and Physical Deployment 191 Questions 191 More Information 193 11 Claims-Based Single Sign-On for Microsoft SharePoint 2010 195 The Premise 196 Goals and Requirements 196 Overview of the Solution 197 Authentication Mechanism 197 End-to-End Walkthroughs 199 Visiting Two Site Collections in a SharePoint Web Application 199 Visiting Two SharePoint Web Applications 200 Authorization in SharePoint 201 The People Picker 202 Single Sign-Out 204 Inside the Implementation 205 Relying Party Configuration in ADFS 205 SharePoint STS Configuration 206 Create a New SharePoint Trusted Root Authority 206 Create the Claims Mappings in SharePoint 207 Create a New SharePoint Trusted Identity Token Issuer 207 SharePoint Web Application Configuration 209 People Picker Customizations 210 Single Sign-Out Control 212 Displaying Claims in a Web Part 214 User Profile Synchronization 214 Setup and Physical Deployment 215 FedAuth Tokens 215 ADFS Default Authentication Method 216 Server Deployment 216 Questions 217 More Information 218 12 federated identity for sharepoint applications 219 The Premise 219 Goals and Requirements 220 Overview of the Solution 220 Inside the Implementation 224 Token Expiration and Sliding Sessions 224 SAML Token Expiration in SharePoint 225 Sliding Sessions in SharePoint 228 Closing the Browser 232 Authorization Rules 232 Home Realm Discovery 232 Questions 234 More Information 236 appendices a using fedutil 237 Using FedUtil to Make an Application Claims-Aware 237 b message sequences 239 The Browser-Based Scenario 240 The Active Client Scenario 252 The Browser-Based Scenario with Access Control Service (ACS) 258 Single Sign-Out 273 c industry standards 285 Security Assertion Markup Language (SAML) 285 Security Association Management Protocol (SAMP) and Internet Security Association and Key Management Protocol (ISAKMP) 285 WS-Federation 285 WS-Federation: Passive Requestor Profile 286 WS-Security 286 WS-SecureConversation 286 WS-Trust 286 XML Encryption 286 d certificates 287 Certificates for Browser-Based Applications 287 On the Issuer (Browser Scenario) 287 Certificate for TLS/SSL (Issuer, Browser Scenario) 287 Certificate for Token Signing (Issuer,
Recommended publications
  • Dod Enterpriseidentity, Credential, and Access Management (ICAM)

    Dod Enterpriseidentity, Credential, and Access Management (ICAM)

    UNCLASSIFIED DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design Version 1.0 June 2020 Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO) DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS. UNCLASSIFIED UNCLASSIFIED Document Approvals Prepared By: N. Thomas Lam IE/Architecture and Engineering Department of Defense, Office of the Chief Information Officer (DoD CIO) Thomas J Clancy, COL US Army CS/Architecture and Capability Oversight, DoD ICAM Lead Department of Defense, Office of the Chief Information Officer (DoD CIO) Approved By: Peter T. Ranks Deputy Chief Information Officer for Information Enterprise (DCIO IE) Department of Defense, Office of the Chief Information Officer (DoD CIO) John (Jack) W. Wilmer III Deputy Chief Information Officer for Cyber Security (DCIO CS) Department of Defense, Office of the Chief Information Officer (DoD CIO) ii UNCLASSIFIED UNCLASSIFIED Version History Version Date Approved By Summary of Changes 1.0 TBD TBD Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.) Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology Removes and cancels
  • What Is an Identity Provider? Why Does My Company Need to Become One?

    What Is an Identity Provider? Why Does My Company Need to Become One?

    WHITE PAPER WHAT IS AN IDENTITY PROVIDER? WHY DOES MY COMPANY NEED TO BECOME ONE? Tame Mobile and Cloud Security Risks: Become an IdP Executive Overview Enterprises face security threats from all directions. According to the Identity Theft Resource Center, there were 189 known breaches from January 1 of this year through the beginning of June. Those breaches exposed approximately 13.7 million records. Meanwhile, trends intended to benefit the enterprise, such as cloud computing and mobility, often introduce unintended risks. The weak link in our online economy is trust. If you boil that down further, much of the lack of trust stems from the inability to verify online identities. It is increasingly difficult to know whether people (or companies) on the Internet are who they say they are. To address today’s security risks and to embrace new technology trends such as cloud, mobility and SaaS, enterprises must rethink how they handled their employees’ identities. Fortunately, the industry has been moving towards federated Single Sign On (SSO) solutions, and has been standardizing building blocks like SAML and OpenID. Enterprises should build on these standards in order to become Identity Providers (IdP). By becoming an IdP, companies can better control, enforce and extend security standards to all on-premise and cloud-based applications in their organizations, as well as to mobile devices. This paper will discuss the reasons enterprises should become IdPs, what becoming an IdP involves, and why you should automate as much of this process as possible. Introduction: New Security Risks Undermine Online Business In August 2012, a hacker crafted a wickedly specific social engineering attack to target Wired writer Mat Honan.
  • What Is ASP.NET?

    What Is ASP.NET?

    Welcome to the ASP.NET QuickStart Tutorial Getting Started Introduction The ASP.NET QuickStart is a series of ASP.NET samples and What is ASP.NET? supporting commentary designed to quickly acquaint Language Support developers with the syntax, architecture, and power of the ASP.NET Web programming framework. The QuickStart ASP.NET Web Forms samples are designed to be short, easy-to-understand Introducing Web Forms illustrations of ASP.NET features. By the time you have Working with Server Controls completed the QuickStart tutorial, you will be familiar with: Applying Styles to Controls Server Control Form Validation ● ASP.NET Syntax. While some of the ASP.NET Web Forms User Controls syntax elements will be familiar to veteran ASP developers, several are unique to the new Data Binding Server Controls framework. The QuickStart samples cover each Server-Side Data Access element in detail. Data Access and Customization ● ASP.NET Architecture and Features. The Working with Business Objects QuickStart introduces the features of ASP.NET that Authoring Custom Controls enable developers to build interactive, world-class Web Forms Controls Reference applications with much less time and effort than ever before. Web Forms Syntax Reference ● Best Practices. The QuickStart samples demonstrate the best ways to exercise the power of ASP.NET Web Services ASP.NET while avoiding potential pitfalls along the Introducing Web Services way. Writing a Simple Web Service Web Service Type Marshalling What Level of Expertise Is Assumed in the Using Data in Web Services QuickStart? Using Objects and Intrinsics If you have never developed Web pages before, the The WebService Behavior QuickStart is not for you.
  • City Research Online

    City Research Online

    Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) City Research Online Original citation: Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) Permanent City Research Online URL: http://openaccess.city.ac.uk/11891/ Copyright & reuse City University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders. All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of research The version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper. Enquiries If you have any enquiries about any aspect of City Research Online, or if you wish to make contact with the author(s) of this paper, please email the team at [email protected]. Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment A Thesis Submitted to City University London, School of Engineering and Mathematical Sciences In
  • Exam Ref 70-482: Advanced Windows Store App Development Using HTML5 and Javascript

    Exam Ref 70-482: Advanced Windows Store App Development Using HTML5 and Javascript

    Exam Ref 70-482: Advanced Windows Store App Development Using HTML5 and JavaScript Roberto Brunetti Vanni Boncinelli Copyright © 2013 by Roberto Brunetti and Vanni Boncinelli All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. ISBN: 978-0-7356-7680-0 1 2 3 4 5 6 7 8 9 QG 8 7 6 5 4 3 Printed and bound in the United States of America. Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/ en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respec- tive owners. The example companies, organizations, products, domain names, email ad- dresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the author’s views and opinions. The information con- tained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
  • Beyond X.509: Token-Based Authentication and Authorization for HEP

    Beyond X.509: Token-Based Authentication and Authorization for HEP

    Beyond X.509: Token-based Authentication and Authorization for HEP Andrea Ceccanti, Marco Caberletti, Enrico Vianello, Francesco Giacomini INFN CNAF CHEP 2018 Sofia, July 12th 2018 The current WLCG AAI In operation since ~2003, and still working nicely: • X.509 trust fabric provided by IGTF (tells services which CAs are trusted) • X.509 certificates provided to users for authentication • Proxy certificates for Single Sign-On (SSO) and delegation • VOMS attribute certificates for attribute-based authorization (issued and Slide by Ákos Frohner signed by VO-scoped VOMS servers) Beyond X.509: Token-based Authentication & Authorization for HEP - CHEP 2018, Sofia 2 Current WLCG AAI: the weak points Usability • X.509 certificates are difficult to handle for users • VOMS does not work in browsers Inflexible authentication • Only one authentication mechanism supported: X.509 certificates • Hard to integrate identity federations Authorization tightly bound to authentication mechanism • VOMS attributes are inherently linked to an X.509 certificate subject Ad-hoc solution • We had to invent our own standard and develop ad-hoc libraries and central services to implement our own AAI Can we do better today? Beyond X.509: Token-based Authentication & Authorization for HEP - CHEP 2018, Sofia 3 A novel AAI for WLCG: main challenges Authentication Delegation • Flexible, able to accomodate • Provide the ability for services to various authentication mechanisms act on behalf of users - X.509, username & password, • Support for long-running EduGAIN, social logins
  • ASP.NET 4 and Visual Studio 2010 Web Development Overview

    ASP.NET 4 and Visual Studio 2010 Web Development Overview

    ASP.NET 4 and Visual Studio 2010 Web Development Overview This document provides an overview of many of the new features for ASP.NET that are included in the.NET Framework 4 and in Visual Studio 2010. Contents Core Services .....................................................................................................................................3 Web.config File Refactoring ...................................................................................................................... 3 Extensible Output Caching ........................................................................................................................ 3 Auto-Start Web Applications .................................................................................................................... 5 Permanently Redirecting a Page ............................................................................................................... 7 Shrinking Session State ............................................................................................................................. 7 Expanding the Range of Allowable URLs ................................................................................................... 8 Extensible Request Validation .................................................................................................................. 8 Object Caching and Object Caching Extensibility ...................................................................................... 9 Extensible HTML, URL, and HTTP Header
  • Contents Contents

    Contents Contents

    Contents Contents ........................................................................................................................................................ 1 1 Introduction ............................................................................................................................................... 4 Samples and Examples .............................................................................................................................. 4 2 Prerequisites .............................................................................................................................................. 4 3 Architecture ............................................................................................................................................... 4 Direct to On-Prem ..................................................................................................................................... 4 Azure Cloud ............................................................................................................................................... 5 Service On-Prem ....................................................................................................................................... 6 4 Why Choose the Microsoft Technology Stack? ......................................................................................... 7 Rapid Application Development ............................................................................................................... 7 C# .........................................................................................................................................................
  • Microsoft CRM – Typical Customizations

    Microsoft CRM – Typical Customizations

    Microsoft CRM – Typical Customizations by Andrew Karasev Microsoft CRM was designed to be easily customizable. Microsoft CRM Software Development Kit (MS CRM SDK) which you can download from Microsoft website contains descriptions of the objects or classes, exposed for customization. It has sample code in C# and partially in VB.Net. In Visual Studio.Net you can analyze all the classes, used by Microsoft developers to create MS CRM - you will discover that most of them are not documented in MS CRM SDK. Microsoft will not support your customization if you use undocumented class or do direct SQL access to CRM database. Let us describe you - programmer, software developer typical cases of MS CRM Customizations. 1. Integration with SQL Server application. If you have legacy system on MS SQL Server - let's say you are transportation company and have in-house developed cargo tracking database. Now in MS CRM you want lookup the shipments for the customer (or account in CRM). This is SDK programming and calling SQL stored proc to retrieve cargo info. Instead of SQL Server you can have other database (ORACLE, MS Access, PervasiveSQL to name a few) - you can access multiple Database platforms via ADO.Net connection from your .Net application, which is easily integrated into MS CRM Account screen. 2. Email capturing in MS CRM. You have customer with email [email protected]. Now you want all the emails that you receive from customer.com domain to be attached to Bill who is account in CRM. This is more difficult customization - you have to create MS CRM SDK web service, that one will be creating email activity and call it from COM+ application - Microsoft Exchange event handler (ONSYNCSAVE database event sink).
  • Moving Applications to the Cloud, 2Nd Edition Patterns & Practices

    Moving Applications to the Cloud, 2Nd Edition Patterns & Practices

    Moving Applications to the Cloud, nd 2 Edition patterns & practices Summary: This book demonstrates how you can adapt an existing, on-premises ASP.NET application to one that operates in the cloud. The book is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates applications and services that are appropriate for the cloud. Although applications do not need to be based on the Microsoft Windows operating system to work in Windows Azure, this book is written for people who work with Windows-based systems. You should be familiar with the Microsoft .NET Framework, Microsoft Visual Studio, ASP.NET, and Microsoft Visual C#. Category: Guide Applies to: Windows Azure SDK for .NET (includes the Visual Studio Tools for Windows Azure), Windows Azure SQL Database, Microsoft SQL Server or SQL Server Express 2008, Windows Identity Foundation, Enterprise Library 5, WatiN 2.0, Microsoft Anti-Cross Site Scripting Library V4, Microsoft .NET Framework version 4.0, Microsoft Visual Studio 2010 Source: MSDN Library(patterns & practices) (link to source content) E-book publication date:June 2012 Copyright © 2012 by Microsoft Corporation All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious.
  • Federated Identity and Trust Management

    Federated Identity and Trust Management

    Redpaper Axel Buecker Paul Ashley Neil Readshaw Federated Identity and Trust Management Introduction The cost of managing the life cycle of user identities is very high. Most organizations have to manage employee, business partner, and customer identities. The relationship between the business and these individuals can change frequently, and each change requires an administrative action. For the individuals also the situation is unsatisfactory, because they need to create separate accounts at all the businesses that they access. A federation is defined as a group of two or more business partners who work together. This federation can be formed to provide a better experience for their mutual customers, to reduce identity management costs, or both. For example, a financial institution might want to provide seamless access for their high-value clients to financial market information provided by a third-party research firm. Government departments might want to collaborate to provide a single citizen login for their government services. A small online store might not want to manage large numbers of customer records and instead prefer to partner with a financial institution to provide that service. In all of these cases, the businesses need to work together to create a business federation. Business federations are built on trust relationships. These trust relationships are created using out-of-band business and legal agreements between the federation participants. These agreements must be in place before a federation can begin to operate.1 After the business and legal agreements are in place, these partners can begin to operate together using technology that supports the federation arrangements.
  • The 7 Things You Should Know About Federated Identity Management

    The 7 Things You Should Know About Federated Identity Management

    THINGS YOU SHOULD KNOW ABOUT… FEDERated IDENTITY Management What is it? Identity management refers to the policies, processes, and technologies that establish user identities and enforce rules about Scenario access to digital resources. In a campus setting, many information Gillian’s graduate work in oceanography involves enormous systems—such as e-mail, learning management systems, library da- amounts of water-quality data from many sources along the tabases, and grid computing applications—require users to authen- Atlantic seaboard as well as the West Coast. From her insti- ticate themselves (typically with a username and password). An tution in Florida, she collects and analyzes data sets from authorization process then determines which systems an authenti- laboratories and oceanographic facilities affiliated with oth- cated user is permitted to access. With an enterprise identity man- er colleges and universities, government agencies, and even agement system, rather than having separate credentials for each some private organizations. Not only do these entities share system, a user can employ a single digital identity to access all re- data with Gillian from their underwater instrumentation, but sources to which the user is entitled. Federated identity manage- some also allow her to remotely access specialized applica- ment permits extending this approach above the enterprise level, tions they have developed. creating a trusted authority for digital identities across multiple or- ganizations. In a federated system, participating institutions share Enabling this level of collaboration to take place in a man- identity attributes based on agreed-upon standards, facilitating ageable way is a federated identity system that includes all authentication from other members of the federation and granting of the organizations in Gillian’s research as members.