RapidIdentity Administrators' and Users' Guide

RapidIdentity Federation Overview

Use RapidIdentity Federation Partners to exchange secure identity information across two or more federated domains. When an application or service is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application or service. These secondary credentials represent the user's identity in the realm where the application or service resides.

Identity federation management provides single access to multiple systems across different enterprises. In such a system, users do not provide credentials directly to a web application, only to the Federated IdP, RapidIdentity, itself. This requires both parties to engage in cryptographic key exchange.

RapidIdentity Federation uses various security realms to perform the operations needed for secure information exchange between requesting and relying parties across different domains. Before they begin exchanging protocol messages, a requestor and the relying party must exchange configuration metadata. This metadata specifies the unique identifiers that indicate which security realms are represented (distinguishing them from other possible federation partners) and the applicable URLs to which protocol messages are to be sent.

Federation Terminology Used in this Guide

  • Attributes: User account information and associated values used to authenticate the users/principals.

  • Federation: Identity Federation is the process of delegating an individual's or entity's authentication responsibility to a trusted external party. Each partner in federation plays the role of either an identity provider or a service provider.

  • FQDN (Fully Qualified Domain Name): The complete domain name for a specific computer, or host, on the internet; it consists of two parts, the hostname and the domain name.

  • IdP (Identity Provider): Provides attributes to identify and authenticate the end user and sends that data to the service provider along with the user’s access rights for the service to enforce the Service Provider's authentication policies.

  • LDAP (Lightweight Directory Access Protocol): Application protocol for querying and modifying directory services running over TCP/IP. A directory consists of a set of Entries and their attributes, typically organized hierarchically.

  • Relying Party: Relies on the authentication and identification services provided by the IdP.

  • SAML (Security Assertion Markup Language): Allows identity providers (IdP) to pass authorization credentials to service providers for SSO. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

  • SAML Assertion: The XML document which the Identity Provider sends to the Service Provider that asserts if the user has authenticated successfully. Usually contains attributes about the authenticating user which the Service Provider uses for various identification and authorization purposes.

    • Authentication Assertions: Asserts that the user identified by the assertion successfully authenticated at a particular timestamp and with a particular method.

    • Attribute Assertions: Pass SAML attributes (information about the user) to the service provider.

  • SP (Service Provider): Requires authentication from the identity provider to grant access rights for a service to the user.

  • SSO (Single Sign-on): Allows users to log in once; that single login is then reused to access other service providers.