Thursday Dec 10, 2009

Federated Identity for Electronic Medical Records

Many thanks to my good friend Jonathan Gershater for sending me the link to another excellent post about Identity and Healthcare.  I particularly like his illustration of using Federated Identity to facilitate trusted exchange of medical records between different medical service providers. 

A user of any (Healthcare) Service Provider, who has been issued a digital identity by the trusted Identity Provider, may seamlessly interact with the healthcare providers (SPs). The user will present the digital identity issued by the IdP, the SP will verify the Identity, and the user will be granted access to the Service Provider’s application. However, based on the user’s attributes and role, the functionality available to the user will vary.  A physician may alter a medical record but only within their specialty (a dermatologist cannot alter a prescription for spectacles). A pharmacist may view but not alter the prescription for insulin in a health record.  A patient may only view but not alter their medical record.
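The role and specialty rules in that paragraph, written out as an added example of my own (not code from Jonathan's post, from OpenSSO or from any product): the IdP asserts who the user is and which attributes they carry, and the SP's application makes the access decision from those attributes plus metadata on the record item. The attribute names (role, specialty), the role names and the record fields are assumptions for the illustration; the default is deny.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

VIEW, ALTER = "view", "alter"


@dataclass(frozen=True)
class Identity:
    """What the SP learns from the IdP's assertion: a subject plus attributes."""
    subject: str
    role: str
    specialty: Optional[str] = None

    @classmethod
    def from_assertion(cls, subject: str, attributes: Dict[str, str]) -> "Identity":
        # Attribute names are assumed here; a real SP maps the IdP's SAML
        # attribute names onto these.
        return cls(subject, attributes.get("role", "unknown"), attributes.get("specialty"))


@dataclass(frozen=True)
class RecordItem:
    """One entry in a patient's medical record."""
    patient: str    # subject identifier of the patient the record belongs to
    kind: str       # e.g. "prescription"
    specialty: str  # specialty that owns the item, e.g. "ophthalmology"


# Coarse role rule: which actions a role may ever perform. A role missing
# from this table can do nothing (default deny).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "physician": {VIEW, ALTER},
    "pharmacist": {VIEW},
    "patient": {VIEW},
}


def decide(identity: Identity, action: str, item: RecordItem) -> Tuple[bool, str]:
    """Return (permitted, reason). Rules run in order; the first failing rule wins."""
    if action not in ROLE_ACTIONS.get(identity.role, set()):
        return False, f"role '{identity.role}' may not {action} record items"
    # Patients see their own record only, never another patient's.
    if identity.role == "patient" and identity.subject != item.patient:
        return False, "a patient may view only their own record"
    # Physicians may alter items only within their own specialty.
    if identity.role == "physician" and action == ALTER and identity.specialty != item.specialty:
        who = identity.specialty or "unspecified-specialty"
        return False, f"a {who} physician may not alter {item.specialty} items"
    return True, "permitted"


def demo() -> None:
    """Constructed subjects and record items exercising the three cases in the text."""
    spectacles = RecordItem("patient-001", "prescription", "ophthalmology")
    insulin = RecordItem("patient-001", "prescription", "endocrinology")
    rash_cream = RecordItem("patient-001", "prescription", "dermatology")
    dermatologist = Identity.from_assertion("dr.lee", {"role": "physician", "specialty": "dermatology"})
    pharmacist = Identity.from_assertion("rx.kim", {"role": "pharmacist"})
    patient = Identity.from_assertion("patient-001", {"role": "patient"})
    for who, action, item in [
        (dermatologist, ALTER, spectacles),
        (dermatologist, ALTER, rash_cream),
        (pharmacist, VIEW, insulin),
        (pharmacist, ALTER, insulin),
        (patient, VIEW, insulin),
        (patient, ALTER, insulin),
    ]:
        ok, why = decide(who, action, item)
        print(f"{who.subject:12} {action:5} {item.specialty:14} -> {'ALLOW' if ok else 'DENY '} ({why})")


if __name__ == "__main__":
    demo()
```

The point of structuring it this way is that the IdP never has to know the clinic's authorization rules: it only vouches for the subject and attributes, and each SP applies its own policy on top of them.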


Friday Oct 23, 2009

Identity Trend 6: Identity Federation

This post is the sixth in a series of eleven posts I am writing about important trends in the Identity Management industry.

Identity Federation refers to the “technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.” (Wikipedia – Federated Identity)

At the present time, Identity Federation technology is well proven and in production in many enterprises and government agencies.  As the most broadly deployed standard for enabling cross-domain federation, SAML is well supported by a wide array of software vendors.  Several successful business models have emerged to support federation technology, and implementation of this technology is becoming less complex.  This growth in adoption will most likely continue, both within and beyond enterprise boundaries.

For several vertical markets, such as health care, the need for broad, integrated networks comprised of many interrelated enterprises (e.g. National Health Information Network) is accelerating the demand for federation deployment.

However, business challenges associated with federation are often more difficult to address than technology challenges and continue to be the primary impediment to broader adoption of this technology.  Unless understandable and enforceable trust relationships exist between business entities, the technology to support such trust relationships is meaningless.  Just like technology standards have emerged to enable the technical side of federation, I expect that more standardized legal agreements will be developed to simplify the establishment of legal trust relationships.
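The technical half of such a trust relationship, as an added example of my own (not code from the original post, from SAML or from any vendor mentioned here): a service provider keeps an explicit list of the identity providers it trusts, its circle of trust, and accepts an assertion only if it was signed by one of them, was issued for this SP, and is within its validity window. A real SAML assertion is an XML document whose XML-DSig signature is verified against the IdP's certificate; this Python model substitutes an HMAC over a JSON payload with a shared secret so that both sides of the exchange run stand-alone. The entity IDs, secret and attribute names are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class FederationError(Exception):
    """Raised by the SP when an assertion must be rejected."""


# The SP's circle of trust: IdP entity IDs it will accept assertions from,
# mapped to the key that verifies that IdP's signature. Constructed for this
# example; a SAML SP would hold the IdP's X.509 signing certificate instead.
SP_CIRCLE_OF_TRUST: Dict[str, bytes] = {
    "https://idp.example-health.org": b"idp-signing-secret-constructed",
}
SP_ENTITY_ID = "https://ehr.example-clinic.org"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def idp_issue_assertion(issuer: str, signing_key: bytes, subject: str, audience: str,
                        attributes: Dict[str, str], now: Optional[float] = None,
                        lifetime: float = 300) -> str:
    """IdP side: state who `subject` is, for `audience` only, and sign the statement."""
    now = time.time() if now is None else now
    payload = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,           # the one SP this assertion is meant for
        "not_before": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    signature = hmac.new(signing_key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(signature)


def sp_verify_assertion(token: str, trusted_idps: Dict[str, bytes], expected_audience: str,
                        now: Optional[float] = None) -> Dict[str, Any]:
    """SP side: accept only an assertion from a trusted IdP, addressed to us, currently valid."""
    now = time.time() if now is None else now
    try:
        body, sig_b64 = token.split(".")
        payload = json.loads(_unb64(body))
        signature = _unb64(sig_b64)
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise FederationError("malformed assertion") from exc
    if not isinstance(payload, dict):
        raise FederationError("malformed assertion")
    # The issuer is read before the signature is verified only to select the
    # key; nothing else in the payload is trusted until the signature checks.
    key = trusted_idps.get(str(payload.get("issuer")))
    if key is None:
        raise FederationError("issuer is not in this SP's circle of trust")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise FederationError("signature does not verify")
    if payload.get("audience") != expected_audience:
        raise FederationError("assertion was issued for a different service provider")
    if not (payload["not_before"] <= now < payload["not_on_or_after"]):
        raise FederationError("assertion is outside its validity window")
    return payload


def sp_decision(token: str, trusted_idps: Dict[str, bytes], expected_audience: str,
                now: Optional[float] = None) -> str:
    """The reason string an SP would log for a token: 'accepted' or the rejection cause."""
    try:
        sp_verify_assertion(token, trusted_idps, expected_audience, now)
        return "accepted"
    except FederationError as exc:
        return str(exc)


if __name__ == "__main__":
    idp = "https://idp.example-health.org"
    token = idp_issue_assertion(idp, SP_CIRCLE_OF_TRUST[idp], "dr.lee", SP_ENTITY_ID,
                                {"role": "physician", "specialty": "dermatology"})
    print(sp_decision(token, SP_CIRCLE_OF_TRUST, SP_ENTITY_ID))
    forged = idp_issue_assertion(idp, b"attacker-guess", "dr.lee", SP_ENTITY_ID, {"role": "physician"})
    print(sp_decision(forged, SP_CIRCLE_OF_TRUST, SP_ENTITY_ID))
```

The audience check is the one most often skipped in ad hoc integrations: without it, an assertion legitimately issued for one SP in the circle can be replayed to another, which is exactly the cross-partner confusion the legal agreements above are meant to rule out.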

As cloud computing gains momentum as an alternative or complementary means to deploy systems and applications, federation can be a key technology to enable integration between various cloud systems or components.  Discussion of how to employ federation in cloud systems has led to interesting statements such as the one proposed by Symplified, Inc., at the recent Digital ID World Conference: “Federation is Dead. Long Live the Federation Fabric.”

The essence of Symplified’s argument is that using Identity Federation for point-to-point system integration is too complex and expensive.  Therefore a web or fabric of federation is needed to simplify and extend current federation models.  I expect that we will see “Federated Service Bus” technology emerge to address this need, much like Enterprise Service Bus technology is currently employed to simplify complex integration challenges within enterprise systems.


To determine how you should address Identity Federation, consider questions such as these:

  • Where have you already employed Federation?
  • Where can federation simplify integration within your enterprise?
  • Where would Federation enable more business value for your customers and your partners?
  • Which of these relationships is highest priority for you?
  • What trust relationships have you already established with other enterprises? 
  • What must you do to establish new trust relationships?

Tuesday Sep 01, 2009

Cloud Computing: Identity and Access Management

While listening this morning to Glenn Brunette’s excellent webinar entitled, “Safety First: Protecting Your Services in the Cloud,” I was introduced to the Cloud Security Alliance, of which Glenn is a founding member.  I was intrigued by the document published by the Alliance in April 2009, entitled, “Security Guidance for Critical Areas of Focus in Cloud Computing.”  This initial report from the Alliance outlines “areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers.”  The report outlines 15 domains or areas of concern that should be addressed by stakeholders in cloud computing initiatives.

I focused primarily on the section entitled “Domain 13: Identity and Access Management,” authored by Subra Kumaraswamy, Senior Security Manager, Sun Microsystems and Jim Reavis, Co-founder & Acting Executive Director, Cloud Security Alliance.  The executive summary of the document provided five key recommendations regarding IAM in the cloud:

  • The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization.
  • Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
  • Validate that the cloud provider either supports strong authentication natively or via delegation and supports robust password policies that meet and exceed cloud customer internal policies.
  • Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
    Consider implementing Single Sign-on (SSO) for internal applications and leveraging this architecture for cloud applications.
  • Using cloud-based “Identity as a Service” providers may be a useful tool for outsourcing some identity management capabilities and facilitating federated identity management with cloud providers. For example, they may be useful for abstracting and managing complexities such as differing versions of SAML, etc. Be aware that they become a critical new cloud provider for your organization and must be vetted with this broad guidance document.

Some of the key points I gleaned from the IAM section include:

Supporting today’s aggressive adoption by the business of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s cloud computing providers. …

Standards support for achieving IdM federation with your cloud providers is crucial. … It appears as though SAML is emerging as the leading standard that enables single sign-on (SSO). …

You should understand the cloud provider's support for user management processes including user provisioning, de-provisioning and overall lifecycle management of users and access in the cloud in an automated way. …

You also need to perform due diligence to assure that the cloud provider's password policies and strong authentication capabilities meet or exceed your own policies and requirements. …

As a long term strategy, customers should be advocating for greater support of XACML-compliant entitlement management on the part of cloud providers, even if XACML has not been implemented internally. …

A good strategy towards the maturation of your own IdM in order to make it “cloud friendly” is to start enabling SSO within your own enterprise applications, for your existing user base of employees, partners and contractors. …

One of the investments you may consider is an Identity as a Service solution to bridge between cloud providers or even outsource some Identity Mgt functions. …

I will join Sun colleagues on a conference call tomorrow to explore the topic: “What is the same and what is different about the task of integrating a new app when it is in the cloud vs. internal?”  I’ll report back on what we learn from each other.

Wednesday Jan 23, 2008

SSOCircle Federating to Google Apps

As my colleague Pat Patterson reported earlier today, we are holed up in a windowless conference room in the Tropicana Hotel in Las Vegas for the FAMFest 2008 event. There is immense brain power in this room!

During a few minutes of downtime, Pat showed me the good work done by SSOCircle in leveraging OpenSSO to establish federated linkages to a wide variety of service providers. To test the system, I established an SSOCircle account and linked directly to the suite of Google apps as "" OpenSSO handled all the heavy lifting behind the scenes.

I verified that I could send and receive email as "" via Google email and link my calendar to my personal Google calendar. Great little demonstration of the power of federation to provide SSO to multiple SaaS applications.


Wednesday Dec 12, 2007

Circles of Trust - without Federation

Sometimes we in the Identity Management market like to think the world revolves around us. But, alas, something will come along to jolt us back to reality and remind us that we are still a fairly obscure bunch.

Today, I googled "circle of trust," thinking I might find some pertinent wisdom for an Identity Federation presentation I am preparing. It was interesting to note that on the first Google page, precisely zero out of ten responses had to do with Federated Identity Management. The first link referred to a Warhammer Online: Age of Reckoning (WAR) regiment, followed by the Gun Blast magazine, the Center for Courage & Renewal, a Recreational Vehicle group, child sexual abuse resources, an article about search engine optimization, a pro-child, anti-crime organization, a Lord of the Rings kinship, an article about laptop security and the Frat Pack.

It appears that Robert DeNiro's explanation of the "circle of trust" to Ben Stiller in the film "Meet the Parents" is much more well known and understood than the stuff we discuss in the dark annals of Identity Management lore.

A mention of Federated Identity Management and circles of trust was not to be found until page 4, item 6: an IT Week article, "Building a circle of trust." I guess it is fair to say that Circles of Trust in the Federated Identity context are far removed from popular social consciousness.



Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

