Identity Landscape Overview
There has been a lot of discussion about the shape of the identity landscape for a while now. On this page we try to create a map of existing technologies, find a unifying mechanism to characterize these technologies and systems, and discuss their social, regulatory and business aspects. In addition, we list known open source projects and commercial products that are relevant in the identity landscape.
This paper is licensed under the Creative Commons Attribution License 2.5. Please see the section on licensing at the end for details.
Goals and Scope
The goal of this paper is to provide an overview and a "map" of the emerging identity landscape. To achieve this, we develop a system to classify and evaluate existing identity systems and emerging technology. Based on these findings, we discuss the policy, business, and regulatory ramifications of a decision for or against a particular identity system or technology.
In the second part of the paper, we identify current solutions and present their benefits. The intent is to give stakeholders of particular solutions a space to present their solution, and to let other parties comment on the relationship of that solution to others. This section will also cover organizations and community efforts focusing on identity, as well as technologies such as specifications and open protocols.
Throughout the paper we will often not discuss a subject in full detail. Instead, an introduction will be given, along with links to more information.
Technology professionals interested in getting a better understanding of the current trends in the identity community are the primary audience for this paper. This includes IT professionals and decision makers in enterprises, students and researchers, and open source developers. Policy decision makers in regulatory bodies will also find this paper quite useful.
Terms used in this Paper
The field of identity technology is not really new, yet many different terms are used throughout the various projects and technologies. In this short section we define some terms and explain how they are used in this paper.
- Authentication (AuthN)
- Authentication is the process of confirming a particular digital identity: a party that claims to be itself provides some sort of proof. The types of proof vary widely. Typical examples include pre-shared secrets (e.g. username/password), access to cryptographic private keys (e.g. certificates), access to special tokens (e.g. one-time password cards), or ownership of internet resources (e.g. by putting data at a specific web location).
- Authorization (AuthZ)
- Authorization is the process of evaluating identity attributes (such as an email address or a manager role) and making an access decision based on the value of such attributes. In most cases authorization requires prior authentication, so that the identity attribute information can be trusted.
- Deployment (of an Identity System)
- This term refers to a particular installed and operated instance of an identity system, as opposed to the identity system itself.
- Digital Identity
- A Digital Identity can be thought of as a "bag of attributes". These attributes can differ greatly between identity systems and may or may not be guaranteed (i.e. cryptographically signed) by someone. A user may have more than one identity, such as a corporate user account, an internet email login, a credit card account, or a mobile phone subscription. A Digital Identity can be created on the fly when a particular identity transaction is desired, or persisted in a data store to provide a referenceable representation.
- Identity Provider (IdP)
- Typically a service on a network that has a user database and offers to verify authentication for Relying Parties. Quite often IdPs can also provide additional identity information (attributes) about their users, which in turn can be used in authorization decisions. Different identity systems sometimes use other or additional names for the IdP, such as Secure Token Service (STS).
- Identity System
- A set of technologies that enable the management of digital identities. This includes specifications, protocols, schemas, sometimes code, and best practices. Note that "Identity system" in this paper does not refer to a deployment, or even a particular implementation.
- Relying Party (RP)
- A service or web site that trusts an Identity Provider to authenticate a user on its behalf. Again, different identity systems may have different or additional names for RPs, such as Consumer (of an IdP).
- User Agent
- The software that acts on behalf of a user. For internet transactions this is quite commonly a web browser, which is often referred to as a "dumb" client. A "smart" client is most often some software specifically tailored to a particular application. Quite often a smart client provides more or better functionality than a browser client.
It should be noted that these definitions are not necessarily shared by all stakeholders in the identity community. Sometimes different terms are used for the same idea, and sometimes the same term is used with differing semantics. While this is unfortunate, it is somewhat unavoidable in a relatively new field like digital identities. For a lexicon of some terms, as used by the Identity Gang, see their lexicon. Another excellent source for definitions is the Liberty ID-WSF 2.0 Authentication, SSO, and Identity Mapping specification, Section 3, "Terminology".
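The following Python sketch is an added example, not part of this paper or of any Liberty Alliance specification. It ties the terms above together: a user authenticates (AuthN) to an Identity Provider with a pre-shared secret, the IdP issues a "bag of attributes" it guarantees, the Relying Party verifies that guarantee, and only then makes an authorization (AuthZ) decision on the attributes. The user database, passwords and attributes are constructed for the demo, and an HMAC over a secret shared between IdP and RP stands in for the IdP's cryptographic signature (a real IdP would use an asymmetric signature such as XML-DSig over a SAML assertion). The last lines show why AuthZ depends on AuthN: an attribute bag altered after issuance fails verification and is denied.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed demo secret (assumption: shared between IdP and RP). A real
# IdP would sign assertions with a private key; HMAC is used here only
# because it needs nothing beyond the Python standard library.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed IdP user database: password hashes plus identity attributes
# (the "bag of attributes" an RP may later use for authorization).
IDP_USERS: Dict[str, Dict[str, Any]] = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "attributes": {"email": "alice@example.com", "role": "manager"},
    },
    "bob": {
        "pw_hash": hashlib.sha256(b"battery staple").hexdigest(),
        "attributes": {"email": "bob@example.com", "role": "staff"},
    },
}


def idp_authenticate(username: str, password: str) -> Optional[Dict[str, str]]:
    """AuthN at the IdP: the user proves knowledge of a pre-shared secret.

    On success the IdP returns an assertion: the attributes as canonical JSON
    plus a tag the RP can verify. On failure it returns None.
    """
    record = IDP_USERS.get(username)
    if record is None:
        return None
    presented = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["pw_hash"]):
        return None
    payload = json.dumps({"subject": username, **record["attributes"]}, sort_keys=True)
    tag = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def rp_verify(assertion: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """RP side: check the IdP's tag before trusting a single attribute.

    Returns the attribute dict if the tag is valid, otherwise None. Any change
    to the payload after issuance invalidates the tag.
    """
    expected = hmac.new(IDP_SECRET, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None
    return json.loads(assertion["payload"])


def rp_authorize(assertion: Dict[str, str], required_role: str) -> bool:
    """AuthZ at the RP: an access decision made only on verified attributes."""
    attrs = rp_verify(assertion)
    if attrs is None:
        return False  # unverifiable identity: deny, never read the raw payload
    return attrs.get("role") == required_role


if __name__ == "__main__":
    good = idp_authenticate("alice", "correct horse")
    print("alice as manager:", rp_authorize(good, "manager"))  # True
    print("alice as admin:", rp_authorize(good, "admin"))      # False
    bob = idp_authenticate("bob", "battery staple")
    # Attribute bag modified after the IdP issued it: the tag no longer matches.
    forged = {"payload": bob["payload"].replace('"staff"', '"manager"'), "tag": bob["tag"]}
    print("forged bob as manager:", rp_authorize(forged, "manager"))  # False
```

The point of splitting `rp_verify` from `rp_authorize` is that the RP's trust in an attribute comes entirely from the IdP's guarantee on the assertion; an RP that reads attributes straight out of the payload has skipped authentication and is making authorization decisions on unverified claims.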
Since this paper is written in a community effort, the opinions in this paper do not necessarily reflect those of the Liberty Alliance or any of its members.
- Gerald Beuchelt (Sun Microsystems, Inc.)
- Jeff Broberg (CA)
- Scott Cantor
- Johannes Ernst (NetMesh Inc.)
Contributors to the Related Projects page (now included in this paper):
Authors whose material has been used:
- Eve Maler (Sun Microsystems, Inc.)
- Brett McDowell (Liberty Alliance)
Content that violates any copyright will be deleted. You agree to license your contributions under the Creative Commons Public License Attribution 2.5. When quoting, reproducing or re-using the entire document or parts thereof, attribution shall include the name of the paper and a link to the location of the paper (where possible).
This content is copyright Liberty Alliance.