Blog archive
Business-oriented IAM and organization-oriented identity management
In a user-centric approach to identity management the identity model can be fairly simple. Two people interact and it's enough to know "something" about the user: enough to recognize him or her the next time he or she arrives at the service in question.
However, when organizations and business processes interact and intersect in real-life business situations, and applications use identities as a core "vehicle" and mechanism for setting up business process cooperation, the simplest models fall short and will just not deliver enough to do the job.
Hence, there is a need for a better mechanism and better frameworks: frameworks that take into account that organizations are different and processes are different. Despite that, these diverse organizations need to interact and cooperate, and the framework should support and enable it. The cooperation might be aimed at setting up a new joint service as a result of a strategic business decision in two or several companies. Or it might be an ad-hoc situation in which organizations need to create an ad-hoc organization for a certain time-frame.
In Ubisecure we have called it business-oriented IAM. In a joint European co-operation project Role-ID (www.roleid.org) we have called it organization-oriented identity management. The two names reflect basically the same core understanding: the interaction in business and operational use cases is demanding and requires well-focused mechanisms to allow seamless business and operational interaction. In Role-ID the focus was on critical processes, such as public safety, which has made the effort ever so challenging - and hence satisfying to solve.
Misconceptions regarding identity federation
Recently we have repeatedly come across misconceptions regarding identity federation.
Identity federation, that is, the "technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration." <http://en.wikipedia.org/wiki/Federated_identity_management>
The often-heard misconception is that e-service providers or application owners fear that they would totally lose control of the identity and of the users who are accessing their services.
Why is this not quite so? Because they are thinking of just one of the very many use cases that are categorized under "Identity Federation". Identity federation is not one single way to do things, and it is not only about allowing masses of new users and customers to enter their services just by having the "doors" wide open.
In fact, you could turn the claim around totally and state that Identity Federation is in the end about having control and trustworthy security -- while allowing masses of new users and a huge flow of new customers to enter their services, without hassle and without unnecessary obstacles. And that’s what’s so nice about it: it is the ultimately positive segment of security, where new business is created and new business and service concepts can flourish.
And now is exactly the right time to do it: there are mature technologies, widely-accepted common standards, infrastructure, services, innovation, competence, experience, services to benchmark against etc etc.
Inbound identity federation lets your local systems accept the credentials of customers from third-party services, such as popular social networking sites, partner organizations, or commercial identity providers such as banks and government institutions. Trust is established and controlled through an on-line interface.
User-driven federation is one use case in Inbound identity federation, where first-time federated users are asked to authenticate or register with a local identity, which is then registered as a new local identity in the target domain. Ubisecure offers various ways to link accounts from disparate systems using Ubisecure Trust and Ubisecure CustomerID.
Where existing user community identities are federated from one trusted system to another, account linking can be streamlined by pre-sharing user identifiers – the so-called out-of-band pattern. Using a common attribute, a lookup can be performed and accounts mapped to each other. When no pre-existing account exists with either party, the user can be directed to the quick registration workflows to create a local account and self-provision appropriate credentials. User-driven federation can also be configured to enable the users themselves to choose, from a selection of partner accounts, which ones they want to link with a target service.
The key thing for applications and e-services is that for all users, local and remote, the application always sees the local identity. That means that control is not lost, and logging etc. can take place on equal terms as with "fully-local" identities (locally initiated).
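The linking flow described above, as an added sketch that is not part of the original post and is not Ubisecure product code: a pre-shared identifier is looked up per trusted issuer, first-time users fall back to local login or registration, and the application and its audit log only ever receive the local identity. The class and method names, issuer URLs, attribute names and ids are all constructed, and the inbound assertion is assumed to have been signature-validated already.

```python
"""Inbound federation account linking: constructed example, hypothetical names."""
from dataclasses import dataclass, field


class UntrustedIssuer(Exception):
    """Raised when an assertion comes from an identity provider with no trust set up."""


@dataclass
class AccountLinker:
    # issuer -> name of the common attribute agreed with that partner out of band
    trusted_issuers: dict
    # identifiers pre-shared per partner: (issuer, attribute value) -> local user id
    preshared: dict
    # persistent links created so far: (issuer, remote subject) -> local user id
    links: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def resolve(self, assertion):
        """Map an already validated inbound assertion to (local_id, how).

        local_id is None when the user must first authenticate or register
        locally (user-driven federation).
        """
        issuer, subject = assertion["issuer"], assertion["subject"]
        if issuer not in self.trusted_issuers:
            raise UntrustedIssuer(issuer)
        key = (issuer, subject)
        if key in self.links:
            return self._log(self.links[key], key, "existing-link")
        # Out-of-band pattern: look up the common attribute, scoped to this issuer
        # so one partner cannot claim identifiers pre-shared with another.
        attr = self.trusted_issuers[issuer]
        value = assertion.get("attributes", {}).get(attr)
        local_id = self.preshared.get((issuer, value)) if value else None
        if local_id is not None:
            self.links[key] = local_id
            return self._log(local_id, key, "out-of-band")
        return None, "needs-local-login-or-registration"

    def link_after_local_auth(self, assertion, local_id):
        """User-driven federation: call once the user has proven the local identity."""
        issuer = assertion["issuer"]
        if issuer not in self.trusted_issuers:
            raise UntrustedIssuer(issuer)
        key = (issuer, assertion["subject"])
        self.links[key] = local_id
        return self._log(local_id, key, "user-driven")

    def _log(self, local_id, key, how):
        # The application and its logs only ever see the local identity;
        # the remote origin is kept alongside it for traceability.
        self.audit.append({"local_id": local_id, "issuer": key[0],
                           "remote_subject": key[1], "how": how})
        return local_id, how


# Constructed sample data: issuer names, attribute names and ids are made up.
linker = AccountLinker(
    trusted_issuers={"https://idp.partner.example": "employee_no",
                     "https://idp.bank.example": "customer_no"},
    preshared={("https://idp.partner.example", "E-1001"): "local-42"},
)
KNOWN = {"issuer": "https://idp.partner.example", "subject": "r-9f3",
         "attributes": {"employee_no": "E-1001"}}
NEW = {"issuer": "https://idp.bank.example", "subject": "b-77",
       "attributes": {"customer_no": "C-5"}}
ROGUE = {"issuer": "https://idp.unknown.example", "subject": "x",
         "attributes": {"employee_no": "E-1001"}}

if __name__ == "__main__":
    for sample in (KNOWN, KNOWN, NEW):
        print(linker.resolve(sample))
    print(linker.link_after_local_auth(NEW, "local-77"), linker.resolve(NEW))
```

Keying links on the (issuer, subject) pair rather than on the attribute value alone keeps a later change of the common attribute at the partner from silently re-pointing an existing link.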
Outbound identity federation, in turn, enables your user community to access external services such as SaaS applications, cloud providers and partner services using their existing single sign-on session – no username, password or other credentials required. User authorization information, roles and attributes are controlled according to your local security policy. This eliminates the administrative overheads of account management and increases overall system security.
Outbound identity federation has become particularly interesting, due to the huge demand for SaaS and cloud-based services for which one could say that Identity Federation is a prerequisite.
-- Charles Sederholm, Chairman and Founder, Ubisecure, Keith Uber, Product Manager, Ubisecure
Delighted about cross-border work in Europe
I recently spent two days with some French and Finnish colleagues in our joint Role-ID project (www.roleid.org).
Again, it was a delight doing so. Of course there are some differences in views and how we look at the world. But that's exactly also part of why it is so inspiring. We come together around a professional issue, in this case it's about using roles and attributes in identity management for solving tricky requirements in e.g. public safety. We sit down, discuss the issues, come to some conclusions and improve the world a little from one angle. But, what's more important, we thereby have a living interaction between fellow-Europeans and learn something. We learn about the differences, but also about the many shared values that we have in common. And, quite professionally speaking, we also quite naturally improve our performance as we get a chance to try out ideas and to outline solutions together.
So, I believe that as investments, the joint-European efforts both for us as companies and entrepreneurs in Europe, as well as the sponsoring parties.
-- Charles Sederholm, Chairman, Founder, Ubisecure
Inspired by Fjord’s Digital Trends 2012
My friend Christian Lindholm at Fjord (www.fjordnet.com) yesterday evening sent out Fjord's Digital Trends 2012, that is, their vision of what we will experience this year.
It was truly interesting and inspiring reading indeed which I recommend. Not so astonishingly we share many views.
Fjord and Christian of course, in line with their business scope, center their story around the mobile or mobility market. But what was particularly interesting for us at Ubisecure were the predictions they come up with, many of which very much relate to identity issues or are based on Identity and Access Management.
I’ll briefly write down some thoughts here.
First, the issue with BYOD or as here BYOT (here ‘Bring Your Own Tools’, instead of ‘Bring Your Own Device’) is something we at Ubisecure have given some thought and put some development efforts in. In our world of Identity and Access Management, it means that you should not require something with respect to authentication, which glues you tightly to any one device or any one location. Security and the identity of the user must be applicable in any device and to any service or piece of information that the user or consumer needs and wants to use at any point in time. So, when your co-worker is out there doing whatever his profession is, he must be able to use the best and easiest tools around. Also, including those exact same tools and services - or similar ones supporting his professional work - which he has now already for some time been using in his private domain. Identity and Access Management is of course key here, for security reasons obviously, but also for the sake of superior user-experience.
IT departments and CIOs must now react rather as enablers, instead of blockers, to the process that will make their business flourish. So I agree with Christian and his colleagues: consumerization can either be made an opportunity or it will become a threat.
The second theme, which I could strongly relate to, was the identity as “currency” or means for business. We have been working hard at Ubisecure, enabling that authentication - or rather, identification in this sense - done at various social or Cloud services, can be the authentication mechanism chosen by the user or one of the allowed mechanisms for services protected with Ubisecure. Why? Because the users (the consumers and the pros) spend time in those services on a daily basis or more or less continuously; and, because they put valuable information about themselves in those services. Information, which can be put to work in other related services, providing them with more great services and tools. And because the ease-of-use becomes so great, as they can use the same authentication mechanism or at its best, experience Single Sign-On. So identities are valuable Assets that should be used actively to create and grow business, not to become lost opportunities.
The third exciting theme was about how Retail and how Retailers must change, in order not to become massive “3D-catalogs” to 3rd party lightweight and fast-to-react web-shops that benefit as parasites from the Retailers. Some of the forward looking retail chains, such as Finland’s leading retail group, the S-Group (www.sok.fi/en/), have already been working hard to react to this change and will surely survive and prosper. Others must also act now. Again, Identity and Access Management done right is the key here, along with payment and order confirmation mechanisms. IAM can offer the key linking mechanisms for joining forces with partners and quickly creating and setting up new innovative business concepts also building on the traditional strengths of the retailers, and leading to a growing, e.g. a 100-time increase, inflow of customers.
The last area that for us at Ubisecure was particularly interesting to read, was the area of banking, financing and the payment card industry. In the Nordics, the banks, such as Nordea (www.nordea.com) have since many years already discovered the importance of Identity and Access Management, with TUPAS in Finland and the different flavors of BankID in Sweden, Norway and Denmark. Now they must take the next steps in making business-use of Identity and Access Management, and create (I on purpose did not write ‘build’ here…) communities and domains around them, that create more value for the consumers and their customer companies. Also, other more forward looking players in the Nordics, such as Lokalförsäkringar (www.lokalforsakring.fi), Etera (www.etera.fi), FIM (www.fim.com) and Luottokunta (www.luottokunta.fi) have already started working heavily to reinvent or reshape their businesses, creating and enabling new business models, user-centricity and customer value based on using Identity and Access Management as one of the key means for them and their business partners.
So, I must say, it was truly an inspiring moment reading what Christian Lindholm and his colleagues at Fjord had put together. I recommend visiting www.slideshare.net/fjordnet/fjord-digital-trends2012final.
-- Charles Sederholm, Chairman and Founder, Ubisecure
City of Helsinki is doing really great work!
Yesterday I happened to check what City of Helsinki has so far implemented using the Finnish public administration's Katso identification system (http://arkisto.vero.fi/katso_etusivu/?language=ENG) for organizational role and attribute based e-identification. I knew that they have been doing something, and that they use services based on Ubisecure products for the authentication and authorization.
My initial expectation of what I would find was "maybe a few initial services", as they have not yet been active users for very long of the Identity-as-A-Service provided to them by some other public authorities (more of that elsewhere on this blog, http://www.ubisecure.com/news/finnish-e-government-solution-wins-europea...). Companies can sign in to e-services by using the public administration’s joint electronic identification system Katso, which can be used free of charge. The Katso service is based on Ubisecure products and technology for authentication and delegated identity and role management.
But, what did I discover? Something quite different - the people at City of Helsinki have really been working. They have so far already about 30 (thirty!) e-services in production for Corporate Customers! On these pages http://j.mp/srNaA8 (long URL abbreviated for your convenience), companies, associations and other organizations can use the electronic services of the City of Helsinki. They may for instance fill out and send electronic applications and announcements. And there is more to come: there are about 60 different electronic services and about 200 printable forms that will become available under eServices. The e-services improve the interaction between citizens and administration and give the residents more opportunities to influence the handling of their own matters.
Great work done by the City of Helsinki, I must say! And, Thank you, I will add to that, now as a user of the e-services. The e-services will really save me and other people's valuable personal time, not to mention the corporate usage and benefits.
The fast deployment might have something to do with the fact that Ubisecure's integration solutions for more or less any platform are ready-to-use.
Maybe the City people were inspired by the fact that Helsinki is now officially the World Design Capital for 2012 http://wdchelsinki2012.fi/en, which makes even more things happen in this already very active area of the world.
So welcome to Helsinki, all of you, both e-wise and in person, for instance to participate in some of the events that are part of the WDC!
-- Charles Sederholm, Chairman and Founder, Ubisecure
Enrich e-services and smoothen the user-experience together with your partners
Today most or all companies, or organizations, are so called extended enterprises to some extent, at least. This means that they on one hand, for companies obviously, have customers or clients that they interact with; and on the other hand that they have partners that they co-operate closely with. So, their operations involve and embrace these important stakeholders that they work together with, on a daily basis within their corporate processes.
This co-operation requires supporting tools and services from IT, which today typically very strongly involves communication and the internet. Some extended enterprises have gone so far as to define and deploy intertwined, or at least inter-connected, business processes. We see companies working together to provide the best business and service concepts together with partner companies, in a way that they could not manage on their own. This is of course all very positive.
This trend is a start to something even bigger and it is a sign of what is even more strongly yet to come, that is that partners create new business concepts and co-operation models and want to get them out in practice and "production" rapidly.
Many of the e-services created in this way require and rely on knowing who the end-user or customer is, and being able to share that identity information in a secure manner. What is now happening, and ever more so in the near future, is that the pace at which these kinds of new joint business concepts are created and deployed in production is increasing rapidly.
Therefore IT and identity and access management should not be in the way, as the new concepts are very key to success in the future. Instead IT should be an enabling and supportive tool and a platform for the new blooming business concepts. IT should be part of the joint efforts to create the best user-experiences. The typical user of today is impatient and demanding. There is no longer place for clicking oneself here and there and entering tedious information left and right to reach some service. Services and the information must appear instantly, securely and be to-the-point.
In all this Identity and Access management (IAM) plays a very essential role. IAM can successfully be used as an integration mechanism to help link scattered services, creating the successful user-experiences and increasing the in-flow of new customers and new users securely and well-managed. It is an exciting opportunity for business. Grab it!
-- Charles Sederholm, Chairman, Founder, Ubisecure
Business oriented IAM
Justifying investing in security with mere "insurance" kind of approaches might not always feel so rewarding.
And after the investment, you don't know exactly what you are saving, as you don't know how you might have been hit without the security in place. Only those that don't invest learn the hard way, when it is too late.
However, by investing in Identity and Access Management (IAM) in the right way and deploying it for instance in your customer and partner relationships, you will also have a tremendous positive effect on growing your business. In that way the IAM investment also becomes a business development investment. Doing the right things can in the best cases increase your effectiveness in catching new customers by a factor of 100!
And getting the new customer registered can in the best cases be 500-fold more effective, compared to the traditional time and resource intensive manual way of doing things.
Putting a business perspective on IAM is very lucrative and certainly worthwhile.
Identities are assets. Grow your business through IAM, making benefits out of it.
-- Charles Sederholm, Chairman, Founder, Ubisecure
Our new product names are easier to use and emphasize the business
In order to emphasise this business perspective on IAM, Ubisecure has decided to rename its four products with less technically-oriented names:
- Ubisecure CustomerID (formerly known as Ubilogin eIDM) with which customer and partner identities can be more efficiently managed.
- Ubisecure SSO (formerly known as Ubilogin SSO) which offers the full flexibility of a variety of authentication methods, flexible and thorough access control, as well as SSO (Single Sign-On).
- Ubisecure Trust (formerly known as Ubilogin Federation Manager), which increases and simplifies the inflow of users to the e-services by creating and managing federation networks with its customers and partners.
- Ubisecure Confirm (formerly known as Ubilogin Confirm) for applications which need the user's explicit approval of a transaction being carried out while the user is already signed in.
The new product names were announced at the IAM Conference in Stockholm 27 Sept 2011 and will be used with immediate effect. Product material has already to a large extent been updated and will continue to be updated in the very immediate future.
It is easier to start discussions with Partners and Customers about the business benefits and the opportunities, when the names are less "cryptic" and communicate better what the products deliver and do.
We are really excited about the change and the initial feedback has been very positive!
-- Charles Sederholm, Chairman, Founder, Ubisecure
A historical look at IAM
Identity and Access Management (IAM) has been one of the fastest growing IT sectors in recent years. Throughout its history, IAM has developed along with various supporting standards. The first IAM systems were focused on security and the single sign-on (SSO) experience. Those original systems were built case-by-case and were heavily dependent on the proprietary technology of different vendors. Projects were often long-lasting and required a lot of integration work. Integration required changes and re-configurations both at the SSO system level and at each application to be integrated into the centralized SSO system. A lot of difficulties were faced particularly with regard to compatibility issues: the different IT environments were difficult to integrate together.
Ten years ago, in addition to access management, identity management started to become a more essential issue in conjunction with SSO projects. Several projects also started with a meta-directory approach, merging and centralizing all user directories. It required directory synchronization and user data maintenance interfaces. Over time this became known as Identity Management. Identity Management and Access Management were based on the same system resources and so IAM was born as a new IT sector.
-- Juha Remes, Sales Manager, Ubisecure
Capgemini’s and Ubisecure’s IAM Academy partnership brings benefits for all - Especially to clients
Capgemini - A member of the IAM Academy Partner Program
In today’s hectic economy, organizations must be able to move quickly. Capgemini has developed a number of methods and tools that can be used for accelerating and boosting the delivery and implementation of data system projects. The role of Capgemini is to act as an integrator who will find the best products and partners on the market and create best solutions for its clients in collaboration with them. Capgemini’s working methods include catering for the client’s needs, carrying out the development work in a collaborative manner with the clients and at the same time transferring know-how. Respectively, Capgemini’s partners must be able to influence the same values that we foster in our client relationships.
Capgemini has been involved in creating cross-administrative operating methods for the private and public sectors and has attempted to promote new innovative solutions. A significant part of these innovations is IAM (Identity & Access Management); it plays a central role in the development of new electronic services and introduces better-than-before data security into the current systems. In this area, Capgemini will support its clients in collaboration with its partners in the development of the processes required by IAM. In addition, Capgemini will help its clients to understand how IAM projects are to be carried out in order to ensure their success.
Ubisecure Solutions is a pioneer in IAM-product development and has created an internationally acknowledged product that supports the SAML 2.0 standard and has a significant position in the Finnish IAM field. The benefits of a Finnish product include its basic functionality, which complies with the Finnish legislation. Continuous product development is based on the customer’s needs, and the special features of the Nordic market will be recognized in connection with the new versions.
According to Capgemini’s experiences, the partnership model with Ubisecure functions very well and will provide the clients with several benefits. Capgemini’s consultants have received product training at the Ubisecure IAM academy. Clients will receive the benefits provided by the training in the form of better product deliveries and more stable maintenance operations. Capgemini is certified for the products and will be able to significantly support the deliveries. This enables Ubisecure to utilize more of its resources in product development than would be possible without the integrator partners. The aim is to extend the collaboration to international distribution as there are possibilities for the use of the Ubisecure product in Capgemini’s projects around the world.
Capgemini constantly has a need for outstanding partners and recommends the partnership with IAM Academy.
-- Juha Remes, Sales Manager, Ubisecure



