What is Federated Identity Management and how to secure it

SDO Marketing Staff | October 17, 2017

Federated identity management (FIM) is an arrangement made among multiple enterprises that lets subscribers use the same identification data to obtain access to an application, a program, and even the networks of all members of the group.

Identity federation offers economic advantages, as well as logistical ones, to enterprises and their network subscribers. Anyone who has worked in a small to medium-sized company that employs complex cyber tools has probably encountered the situation it addresses.

For example, multiple users, and for that matter, multiple corporations can share a single application, with the resultant cost savings of not having to pay for several accounts on the same program. This can mean a major consolidation of resources and funds for a company.

It’s all about Trust

The ultimate goal of federated identity management is to secure a situation in which multiple users access multiple services with a single login, otherwise known as Single Sign-On (SSO). This is a vital component for the efficient management of companies that rely on collaboration across multiple web platforms, especially when those collaborators are off-site or third-party contractors.

Of course, federated identity also presents a slew of security risks.

First off, in order for FIM to be effective, the partners, especially when multiple companies and organizations are involved, must have a strong sense of mutual trust. Each party using the federated identity credentials is essentially allowing all the other members to access information contained in, and to track activity on, the shared application. This risk is multiplied when dealing with sensitive applications such as data management software and other programs that handle personal data.

Addressing the challenges of managing federated identities has spurred an entire industry within the broader IT security field, with each solution addressing specific issues associated with FIM.

Secure Management

One major problem is the need for all of the partners in a shared identity to be able to transfer authentication messages to each other in a secure fashion. A common practice is to use the Security Assertion Markup Language (SAML) or a similar XML standard that allows a particular user to log on once for affiliated but separate websites or applications.

Another FIM solution comes in the form of the Web Services Federation (WS-Federation) system, developed in the early 2000s by some of the biggest names in the tech industry, including Microsoft and IBM. In WS-Federation, when a user attempts to access a resource, the managing web application sends a query to a centralized identity provider (IdP) that is the sole point of reference for all partners. Once the user’s identity is verified, the identity provider returns a Request Security Token Response (RSTR) that grants the user access to the application or site.

While these systems do allow for the efficient management of federated identities, they leave open serious security risks. Systems based on centralized identity providers rely on constant communication back and forth between individual users and the IdP in order to authenticate and grant authorization. If for some reason the metadata used to authenticate a user to the IdP were compromised, whether through unintended leaks or through more classical hacking methods such as phishing attacks, a criminal would be granted the same access that the federated identity provides to all other partners. Beyond data access, the attacker would be able to manipulate the FIM system itself, for example by modifying the signing or encryption key, enabling man-in-the-middle or related attacks. Furthermore, they could modify the administrator settings, disrupting access for all other partners.
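The checks a relying party must make before trusting a SAML-style assertion from a partner's identity provider, as an added illustration that is not code from the original post or from any vendor: the issuer must be a known partner, the signature must verify under that partner's current or previous key (so a compromised key can be rotated out), and the audience, request id and validity window must all match. The IdP name, audience URL and keys are constructed, and an HMAC stands in for SAML's XML signature so the example runs with the standard library only.

```python
import hmac
import hashlib
import json
import time
from typing import Optional, Tuple

# Constructed trust configuration for one service provider (SP): the identity
# providers it trusts and their keys. Listing two keys per IdP lets a rotated
# key take over without a flag day. Real SAML uses XML-DSig with the IdP's
# X.509 certificate; HMAC stands in here so the example needs only the stdlib.
TRUSTED_IDPS = {
    "https://idp.example.org": [b"idp-key-2024", b"idp-key-2023"],  # constructed
}
SP_AUDIENCE = "https://app.example.com"  # constructed


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def sign_assertion(claims: dict, key: bytes) -> dict:
    """What the IdP does once the user has authenticated (simplified)."""
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "sig": _mac(key, body)}


def verify_assertion(assertion: dict, expected_request_id: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """SP-side checks. Returns (accepted, subject-or-rejection-reason)."""
    now = time.time() if now is None else now
    body = assertion.get("body", "")
    try:
        claims = json.loads(body)
    except ValueError:
        claims = None
    if not isinstance(claims, dict):
        return False, "malformed assertion"
    keys = TRUSTED_IDPS.get(claims.get("issuer"))
    if not keys:
        return False, "untrusted issuer"
    # Verify the signature before believing any other field: without this
    # step a forged or tampered assertion is indistinguishable from a real one.
    if not any(hmac.compare_digest(assertion.get("sig", ""), _mac(k, body)) for k in keys):
        return False, "bad signature"
    if claims.get("audience") != SP_AUDIENCE:
        return False, "assertion issued for a different partner"
    if claims.get("in_response_to") != expected_request_id:
        return False, "unsolicited or replayed assertion"
    if not (claims.get("not_before", 0) <= now < claims.get("not_on_or_after", 0)):
        return False, "outside validity window"
    return True, claims.get("subject", "")
```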

The New Paradigm

The SSO solution of Secret Double Octopus is a paradigm shift in managing multiple users’ access to the same web platforms and applications. Unlike other authentication tools, it does not rely on metadata that a user needs to remember and then submit in order to be authenticated. Additionally, communication between the user’s device and the platform sends data via Secret Sharing. Only partial information, split across multiple layers and routes, is transmitted, preventing the interception of any usable data by an adversary.