Cross Domain Identity Patterns: Mapped Federation

With Mapped Federation, users need to exist in both the identity provider and the service provider. As with Transient Federation, a metadata exchange contract is defined between the identity provider and the service provider. Mapped Federation additionally requires attributes that uniquely identify the user. This is typically a UID (e.g. an email address) that identifies the authenticated user both in the identity provider's IdP Identity and in the service provider's Local Identity.

[Figure: fed3]

Advantages:
The user record can be mastered externally while the service provider still controls access to a limited number of resources (e.g. a seat-based licensing model)
The model is suitable for splitting authentication from authorisation in legacy applications

Disadvantages:
Mapped Federation often needs a joiners-and-leavers process, such as Just-In-Time user provisioning or SCIM, to keep the local identities in step with the identity provider

Examples:
Salesforce.com
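The mapping step described above, written out as an added example (this is not code from the original post or from any product it mentions). It resolves the UID asserted by the identity provider to a Local Identity record at the service provider, normalises the email address before matching, refuses users whose local record is missing or deactivated (the "leavers" side of the process), and optionally creates the local record just in time subject to a seat limit. The assertion contents, the local user table and the seat limit are all constructed for illustration; in a real deployment the assertion would come from a validated SAML or OIDC response and the table from the service provider's user store.

```python
"""Mapped Federation: resolve an IdP-asserted identity to a Local Identity.

Added example, not from the original post. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed local identity store: the service provider's own user records,
# keyed by the mapping attribute (email, stored in lower case).
LOCAL_USERS = {
    "alice@example.com": {"local_id": 101, "active": True},
    "bob@example.com": {"local_id": 102, "active": False},  # has left; leavers process ran
}
SEAT_LIMIT = 2  # constructed seat-based licence cap


@dataclass
class MappingResult:
    decision: str               # "allow", "deny" or "provision"
    local_id: Optional[int] = None
    reason: str = ""


def normalise_uid(uid: str) -> str:
    """Canonicalise the mapping attribute so 'Alice@Example.com' matches 'alice@example.com'."""
    return uid.strip().lower()


def map_identity(assertion: dict,
                 jit_provisioning: bool = False,
                 local_users: dict = LOCAL_USERS,
                 seat_limit: int = SEAT_LIMIT) -> MappingResult:
    """Map the IdP Identity carried in `assertion` to a Local Identity.

    `assertion` is assumed to be the attribute set of an already-verified
    response from the trusted identity provider; only the mapping attribute
    (email) is consulted here.
    """
    uid = assertion.get("email")
    if not uid:
        return MappingResult("deny", reason="assertion lacks the mapping attribute")

    key = normalise_uid(uid)
    record = local_users.get(key)

    if record is None:
        # No Local Identity yet: deny unless a joiners process (JIT) is enabled.
        if not jit_provisioning:
            return MappingResult("deny", reason="no local identity for IdP identity")
        active_seats = sum(1 for r in local_users.values() if r["active"])
        if active_seats >= seat_limit:
            return MappingResult("deny", reason="seat limit reached")
        new_id = max((r["local_id"] for r in local_users.values()), default=100) + 1
        local_users[key] = {"local_id": new_id, "active": True}
        return MappingResult("provision", new_id, "local identity created just in time")

    if not record["active"]:
        # A valid IdP login is not enough: the local record controls access.
        return MappingResult("deny", reason="local identity deactivated")

    return MappingResult("allow", record["local_id"], "mapped to existing local identity")


if __name__ == "__main__":
    for attrs in ({"email": "Alice@Example.com"}, {"email": "bob@example.com"},
                  {"email": "carol@example.com"}, {}):
        print(attrs, "->", map_identity(attrs, jit_provisioning=True, local_users=dict(LOCAL_USERS)))
```

The point of the deactivated-record branch is that authentication at the identity provider and authorisation at the service provider stay separate: a leaver whose IdP account still works is stopped by the local record, which is exactly why the pattern needs a joiners-and-leavers process.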
