Report: ID Federation Specs Ready for Financial Services
A group representing some of the financial services industry's heaviest hitters Wednesday issued its opinion that the OASIS Security Assertion Markup Language v1.0 (SAML) and Liberty Alliance Identity Federation Framework v1.1 specifications are both suited to the needs of financial institutions and open up new business opportunities.
The two technologies present opportunities to streamline and improve how financial institutions authenticate their customers and employees, while also providing "transparent and cohesive" access to internal and external network resources, the report, "Identity Management in Financial Services," found.
Published by the Financial Services Technology Consortium (FSTC) -- which counts both vendors and financial services institutions like Bank of America, Citigroup, Fidelity, JPMorgan Chase and Wells Fargo among its members -- the report found that the two technologies "hold special promise" as well as some risk for the financial services industry.
FSTC based its results on an in-depth analysis of business and technology requirements for three typical financial industry use cases: employee single sign-on to enterprise partners, business-to-business single sign-on, and business-to-consumer account aggregation.
Business to Employee to Partner
The consortium said the two technologies fit well with the employee to enterprise partner scenario, which explored both employee access to a 401(k) plan and employee access to corporate travel services.
"In many ways, this is a B2B2E authentication chain, with the business authenticating the employer (financial institution), which in turn authenticates its employee," the report said.
In this particular scenario either SAML 1.0 alone or Liberty 1.1 using SAML would provide single sign-on, allowing employees to log into their corporate portals and then utilize a 401(k) or travel site without having to provide additional authentication credentials. Liberty would be required to provide single log-out, since the capability is not provided for in SAML. Liberty would also power 'Authentication Context,' which is the ability of the service provider (i.e. the 401(k) or travel site) to make access decisions based upon the type of authentication mechanism used to authenticate the employee at the corporate portal.
Liberty 1.1 would also be required for actual federation, as it provides the ability to link a user's identity at a corporate portal with the user's identity at the service provider. Liberty accomplishes this through manual user interaction. It doesn't provide a bulk federation mechanism, though the employer and service provider can add one as a customization of a given deployment of the specifications. Finally, Liberty provides for opt-out, or 'defederation,' which is the ability to terminate an existing link between the user's identity at the corporate portal and at the service provider.
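The service-provider side of the employee-to-401(k) scenario described above, as an added example that is not part of the report or of either specification's reference code: the 401(k) site receives a SAML 1.0 authentication assertion from the corporate portal, checks who issued it, whether it is still inside its validity window and whether it was issued for this site, maps the portal identity to a local account through a federation link that the user can later terminate (defederation), and makes a per-resource access decision based on how the employee authenticated at the portal. SAML 1.0's AuthenticationMethod attribute is used here as a stand-in for Liberty's richer Authentication Context; the hostnames, identifiers, timestamps and resource policy are constructed for the example, and the code assumes the caller has already verified the assertion's XML signature.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# SAML 1.0 authentication-method identifiers (defined in the SAML 1.0 assertion spec)
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_HARDWARE_TOKEN = "urn:oasis:names:tc:SAML:1.0:am:HardwareToken"

# Constructed sample assertion: hostnames, IDs and timestamps are invented for this
# example and do not come from the FSTC report.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="_example-assertion-1"
  Issuer="https://portal.example-fi.test" IssueInstant="2003-10-01T12:00:00Z">
  <saml:Conditions NotBefore="2003-10-01T12:00:00Z" NotOnOrAfter="2003-10-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://401k.example-sp.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-10-01T11:59:50Z">
    <saml:Subject><saml:NameIdentifier>employee-4711</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _q(tag):
    """Namespace-qualify a SAML 1.0 element name for ElementTree."""
    return "{%s}%s" % (SAML_NS, tag)


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, my_audience, now):
    """Service-provider checks on an assertion whose XML signature the caller has
    already verified. Returns the subject name identifier and the authentication
    method, or raises ValueError naming the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion") or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") != trusted_issuer:
        raise ValueError("issuer %r is not the trusted corporate portal" % root.get("Issuer"))
    conditions = root.find(_q("Conditions"))
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    # Validity window: accept only NotBefore <= now < NotOnOrAfter.
    if not (parse_utc(conditions.get("NotBefore")) <= now < parse_utc(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    # Audience restriction: an assertion minted for the travel site must not sign a user on here.
    audiences = [a.text for a in conditions.iter(_q("Audience"))]
    if my_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    stmt = root.find(_q("AuthenticationStatement"))
    if stmt is None:
        raise ValueError("no AuthenticationStatement to sign the user on with")
    name_id = stmt.find(_q("Subject") + "/" + _q("NameIdentifier"))
    if name_id is None or not name_id.text:
        raise ValueError("authentication statement has no subject name identifier")
    return {"name_id": name_id.text, "method": stmt.get("AuthenticationMethod")}


# Illustrative per-resource policy: which portal authentication methods are strong
# enough for each action at the 401(k) site (the "authentication context" idea).
RESOURCE_POLICY = {
    "view_balance": {AM_PASSWORD, AM_HARDWARE_TOKEN},
    "change_contribution": {AM_HARDWARE_TOKEN},
}


def access_decision(resource, auth_method):
    """True if the method used at the portal satisfies the policy for this resource."""
    return auth_method in RESOURCE_POLICY.get(resource, set())


class FederationStore:
    """Links between a portal identity (issuer, name identifier) and a local account.
    Links are created only through an explicit user action and can be terminated
    again, which is the defederation step the report describes."""

    def __init__(self):
        self._links = {}

    def federate(self, issuer, name_id, local_account):
        self._links[(issuer, name_id)] = local_account

    def resolve(self, issuer, name_id):
        return self._links.get((issuer, name_id))

    def defederate(self, issuer, name_id):
        return self._links.pop((issuer, name_id), None) is not None


def single_sign_on(xml_text, store, trusted_issuer, my_audience, resource, now):
    """Full SP-side flow: validate the assertion, map the federated identity to a
    local account, then apply the authentication-context policy for the resource."""
    info = validate_assertion(xml_text, trusted_issuer, my_audience, now)
    account = store.resolve(trusted_issuer, info["name_id"])
    if account is None:
        return {"status": "not_federated", "account": None}
    if not access_decision(resource, info["method"]):
        return {"status": "step_up_required", "account": account}
    return {"status": "granted", "account": account}


if __name__ == "__main__":
    portal, site = "https://portal.example-fi.test", "https://401k.example-sp.test"
    now = parse_utc("2003-10-01T12:01:00Z")
    store = FederationStore()
    store.federate(portal, "employee-4711", "401k-acct-9981")  # the user's opt-in link
    for res in ("view_balance", "change_contribution"):
        print(res, single_sign_on(SAMPLE_ASSERTION, store, portal, site, res, now))
    store.defederate(portal, "employee-4711")  # the user opts out again
    print("after defederation", single_sign_on(SAMPLE_ASSERTION, store, portal, site, "view_balance", now))
```

A password login at the portal is enough to view a balance but not to change a contribution, so the site answers `step_up_required` rather than granting access on the weaker context; once the user defederates, the same valid assertion no longer resolves to any local account.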
While it appears that SAML would be less of a fit than Liberty in B2E scenarios based upon this, FSTC said that would be misleading. For instance, SAML would be a good fit all on its own in scenarios based on simple interactions or one-time transactions.
"Consider the case when an FI [Financial Institution] has outsourced to an SP [Service Provider] the handling of employee discounts to a local business," the report said. "Since this type of transaction does not require any time of follow up, the SP can simply fulfill the request based upon the information in the SAML assertion and not retain any information about the transaction or employee."
But the report also noted that Liberty extends SAML for more complex authentication infrastructures.
"With the federation model, Liberty does offer some important benefits to protect the privacy of the user's identity between service providers and also allows the user some control over the linking that may or may not occur as the result of being an employee," the report said. "This can be important in cases where the employer automatically federates the user's identity to enable single sign-on services, but allows the user to opt-out in cases where the user does not wish to have this functionality. In our case, it is easy to imagine a scenario where a user does not want her 401(k) account single sign-on enabled with her corporate portal account. Liberty provides a mechanism to easily defederate or terminate this link."
Business to Business
The B2B use case revolved around two examples: federated identity in an affinity card supply chain, and federated identity in mobile financial services.
"Within the credit card industry, specifically the proliferation of affinity and co-branded cards, a financial data supply chain exists that has direct application and a value-additive quality through the use of the Liberty and SAML protocols," the report said. "In an affinity card environment, seemingly dissimilar business markets or those typically not involved in a partnered data exchange have found that critical financial and cardholder information must be exchanged."
The report noted that, to date, the business problem has been how to exchange this sensitive data between an affinity card sponsoring bank, the branding entity and the merchant services processor while still providing for security and privacy.
"Therefore, in a Liberty and SAML enabled affinity data passing transaction, a solution can be applied that enables the related parties to transfer data seamlessly, apply the appropriate security protocols, and dramatically reduce the cost model for exchanging data by reducing transaction complexity," the report said.
In mobile financial services, FSTC said the two protocols could help erase the barrier to adoption for services like checking bank transactions and balances, obtaining financial news and other relevant information, executing purchases from online merchants, and so on.
"The barrier to adoption of the services the user values is the inability to provide a means of access to services that considers the view of the mobile user supply chain," the report said. "Each mobile user has a unique set of services he/she would like to utilize, but has no way to 'federate,' at the mobile user's choice, his/her identity credentials across the set of applications. Adoption of these services is impacted due to mobile users spurning n+1 identity, authentication, and authorization processes for each business entity providing one application service. The ability to provide a federated set of credentials for a mobile user with a choice of when to federate dramatically increases the potential adoption of mobile content, mobile commerce, and transaction-based services."
B2C Account Aggregation
Finally, FSTC said SAML, and possibly Liberty, may have a role to play in account aggregation, a new application that has been deployed at numerous financial institutions to allow consumers and other end-users to view and manage all of their accounts from a single location -- even accounts distributed across a variety of account types, financial instruments and financial institutions. But in order to access this protected information, the end-user typically shares credentials for each of their financial institution Web accounts with an aggregator, which in turn uses those credentials each time data is accessed from the financial institution. This places a great deal of risk on the aggregator's shoulders.
"To reduce risk in the aggregation space, there is great interest in exploring alternate authentication solutions that do not require the sharing of the authentication credentials with the aggregator," the report said. "The SAML specifications, and possibly the Liberty specifications, provide potential tools for implementing such an alternative authentication solution."
While the report forecasts great potential for SAML in this space, it also suggested a number of areas that need to be strengthened or addressed before it is a truly viable solution. For instance, the report suggested that an XML-based resource representation would be better suited to the financial services industry's needs than the current URI representation. It also suggested expansion of the authorization delegation framework, industry-specific vocabularies, and authentication information. Additionally, the report said performance needs to be improved and support for server-to-server interactions provided.
In all, the report concluded that SAML and Liberty are excellent technical starting points, but they are not enough on their own.
"While both specifications are strong technical foundations for building network identity customer relationships, these technologies are only part of a complete network identity solution," said Zachary Tumin, FSTC executive director. "Financial institutions must pay as much attention, if not more, to traditional industry concerns such as risk exposure, liability, auditing, customer support, and compliance issues. We expect our findings to provide significant insights to FSTC members as well as standards setting organizations and consortiums, such as OASIS and the Liberty Alliance."
The Liberty Alliance shared those conclusions and has already begun to offer some answers. A day before the report was made public, the Liberty Alliance issued the first in a planned series of documents dealing with business issues associated with identity federation, including mutual confidence, risk management, liability assessment and compliance.