A federated ID model lets a user authenticate with one company or Web site, and get personalized content and services from any of the federated organizations in that "circle of trust." In other words, a financial services company and an online retailer, for instance, can share a customer's ID information during a transaction, rather than each having to store and manage separate credentials for each user account.
To really understand the Liberty Alliance's federated-security model, you first have to comprehend the alliance's jargon. A network identity is the conglomeration of your personal information--the bits and bytes that represent you in a myriad of databases scattered around the world. It can include your name, user name, phone number, Social Security number, medical records, and identifying numbers from your driver's license, passports and employee ID. It also may include personal preferences such as your airline seating habits, musical tastes, cell phones and wireless e-mail devices.
One Sign-On Fits All
With a federated network ID, a user's multiple network identities from different accounts--with an airline and a car-rental agency, for instance--are linked, not stored at one site. This is the beginning of the single sign-on paradigm for the Internet. An employee could book a flight with an airline and reserve a car with a rental agency without having to sign on and reauthenticate with the rental company site separately. This federated ID model offers business partners and employees more personalized online service, as well as more security and control over which personal information is used.
It works like employee provisioning and single sign-on systems, which reconcile disparate user names for an individual across various corporate systems. If a user authenticates as jsmith to the corporate domain, for example, but logs on to the HR system as John.Smith, a federated network recognizes that both IDs are tied to the same person. It can then log John Smith on to the HR system from the corporate domain automatically, and he doesn't have to log on to the HR system separately.
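The flow described in the two paragraphs above, as an added example that is not part of the original article and not Liberty Alliance code: an identity provider authenticates the user once and issues a short-lived, signed assertion addressed to one service provider; each service provider verifies the assertion and maps an opaque federation identifier to its own local account, so jsmith and John.Smith resolve to the same person without a second logon. The provider names, account tables, and the shared-secret HMAC signature are constructed for illustration (a real deployment would use asymmetric signatures and a standard assertion format).

```python
"""Constructed federated single sign-on example (not Liberty Alliance code).

An identity provider (IdP) issues a signed assertion after one authentication;
each federated service provider (SP) verifies it and maps the opaque federation
identifier to its local account name."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed: a key shared out-of-band between the IdP and each SP.
SP_KEYS = {
    "airline.example": b"constructed-key-airline",
    "carrental.example": b"constructed-key-carrental",
}

# Constructed IdP account table. The federation identifier is an opaque,
# per-SP pseudonym, so two SPs cannot correlate the user by it alone.
IDP_ACCOUNTS = {
    "jsmith": {"airline.example": "fed-8c2a", "carrental.example": "fed-d71f"},
}

# Constructed SP-side mapping from federation identifier to local user name.
SP_LOCAL_ACCOUNTS = {
    "airline.example": {"fed-8c2a": "John.Smith"},
    "carrental.example": {"fed-d71f": "jsmith-rentals"},
}

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def _sign(payload: bytes, key: bytes) -> str:
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def idp_issue_assertion(idp_user: str, audience: str, now: Optional[float] = None) -> str:
    """IdP side: after the user has authenticated once, issue an assertion
    bound to a single SP (audience), with an expiry and a unique id."""
    now = time.time() if now is None else now
    claims = {
        "sub": IDP_ACCOUNTS[idp_user][audience],  # opaque federation identifier
        "aud": audience,
        "iat": now,
        "exp": now + ASSERTION_LIFETIME,
        "jti": secrets.token_hex(8),
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, SP_KEYS[audience])


def sp_consume_assertion(sp: str, token: str, seen_jti: set, now: Optional[float] = None) -> Optional[str]:
    """SP side: check signature, audience, lifetime and replay, then map the
    federation identifier to the local account. Returns None on any failure."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body, SP_KEYS[sp])):
        return None  # forged or tampered assertion
    claims = json.loads(body)
    if claims.get("aud") != sp:
        return None  # issued for another SP; refuse to accept a relayed assertion
    if not claims["iat"] <= now < claims["exp"]:
        return None  # expired or not yet valid
    if claims["jti"] in seen_jti:
        return None  # replayed assertion
    seen_jti.add(claims["jti"])
    return SP_LOCAL_ACCOUNTS[sp].get(claims["sub"])


def demo() -> dict:
    """One IdP logon, two SP sessions: the airline and the car-rental SP each
    recognise their own local account for the same person."""
    seen = {sp: set() for sp in SP_KEYS}
    t = 1_700_000_000.0
    result = {}
    for sp in SP_KEYS:
        token = idp_issue_assertion("jsmith", sp, now=t)
        result[sp] = sp_consume_assertion(sp, token, seen[sp], now=t + 1)
    # An assertion meant for the airline must not log the user on at the rental SP.
    relayed = idp_issue_assertion("jsmith", "airline.example", now=t)
    result["relay"] = sp_consume_assertion("carrental.example", relayed, seen["carrental.example"], now=t + 1)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the per-SP `sub` value is the one the article makes about linking rather than centralising identities: each provider keeps its own account record and only learns a pseudonym it can map locally, while the audience, expiry and replay checks are what keep a single sign-on from becoming a single point of compromise.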