How to Choose a NIEF Identity Provider Product: Difference between revisions

From NIEF Wiki
(Created page with "{| !class="gfipmnav"|Main Page !class="gfipmnav"|Up |} This article lists the re...")
 
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{|
− !class="gfipmnav"|[[Welcome to the GFIPM Implementation Portal|Main Page]]
+ !class="gfipmnav"|[[NIEF Implementers Wiki|Main Page]]
!class="gfipmnav"|[[How to Implement a NIEF Identity Provider|Up]]
|}

− This article lists the requirements for products that may be considered for a GFIPM Identity Provider (IDP). It also briefly describes the IDP products for which GFIPM implementers currently have some amount of knowledge and implementation experience.
+ This article lists the requirements for products that may be considered for a NIEF Identity Provider (IDP). It also briefly describes the IDP products for which NIEF implementers currently have some amount of knowledge and implementation experience.

− As you work through the process of choosing an IDP product, consider which product best meets your organization's needs, and keep in mind that the best product for you may not necessarily be included in this document. For those organizations that have an existing enterprise identity management platform, the best choice may be to implement a GFIPM IDP via that existing platform - especially if the existing identity management platform conforms to the GFIPM IDP technical requirements (listed below).
+ As you work through the process of choosing an IDP product, consider which product best meets your organization's needs, and keep in mind that the best product for you may not necessarily be included in this document. For those organizations that have an existing enterprise identity management platform, the best choice may be to implement a NIEF IDP via that existing platform - especially if the existing identity management platform conforms to the NIEF IDP technical requirements (listed below).

An IDP authenticates an end user and creates a SAML assertion for that user in a trusted fashion to a Service Provider (SP). When a user attempts to access an SP, the user's IDP collects local attribute information about the user and uses it to generate a SAML assertion for the user.

− A GFIPM IDP must meet the following minimum requirements:
+ A NIEF IDP must meet the minimum requirements expressed in the [https://artifacts.trustmarkinitiative.org/lib/trust-interoperability-profiles/nief-minimum-interoperability-tip-for-saml-idp/1.0/ NIEF Minimum Interoperability TIP for SAML IDP].

− * Conform to the SAML 2.0 Web Single Sign-On (SSO) Profile [SAML2].
− * Support SP-initiated Web Browser SSO.
− * Be compliant with the IDP requirements in [GFIPM U2S Profile].

− Typically, an IDP consists of several components that include the following:

− * User authentication
− * Local user repository
− * SAML assertion generation

− An IDP product may address one or more of these components, but in any case, it must perform the SAML assertion generation. It is likely that your organization already supports several of these components, including user authentication and a local user repository. Any IDP product must support interfaces to these existing systems.

− While an IDP generates a SAML assertion that provides attributes about a user, an SP handles access to protected resources based on information given to it by an IDP. To perform their respective roles, an IDP and an SP need to communicate with each other, and the protocol through which this communication occurs in GFIPM is the Security Assertion Markup Language [SAML2].

− SAML is a product of the OASIS Security Services Technical Committee (SSTC). It is an XML-based framework for communicating user authentication, entitlement, and attribute information. SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user, but may also be an application or system) to other entities, such as a partner company or another enterprise application.

− Any IDP product chosen for a GFIPM federation must be SAML 2.0 compatible. The product must also have support for looking up GFIPM Metadata attributes in a local data source, so they can be assembled into a SAML assertion.

The following is a non-exhaustive list of products that provide SAML-based identity provider capabilities. You should evaluate these and other products to determine which best meet your needs within your budget.
Line 36: Line 18:
* [[Ping Identity PingFederate IDP | Ping Identity PingFederate IDP]]
* [[CA Federation Manager IDP | CA Federation Manager IDP]]
− * [[Sun OpenSSO IDP | Sun OpenSSO IDP]]
+ * [[Microsoft ADFS 3.0 | Microsoft ADFS 3.0]]
− * [[Oracle Identity Federation IDP | Oracle Identity Federation IDP]]
+ * [[SimpleSAML PHP | SimpleSAML PHP ]]

{|
− !class="gfipmnav"|[[Welcome to the GFIPM Implementation Portal|Main Page]]
+ !class="gfipmnav"|[[NIEF Implementers Wiki|Main Page]]
!class="gfipmnav"|[[How to Implement a NIEF Identity Provider|Up]]
|}

Latest revision as of 17:54, 22 January 2019



This article lists the requirements for products that may be considered for a NIEF Identity Provider (IDP). It also briefly describes the IDP products for which NIEF implementers currently have some amount of knowledge and implementation experience.

As you work through the process of choosing an IDP product, consider which product best meets your organization's needs, and keep in mind that the best product for you may not necessarily be included in this document. For those organizations that have an existing enterprise identity management platform, the best choice may be to implement a NIEF IDP via that existing platform - especially if the existing identity management platform conforms to the NIEF IDP technical requirements (listed below).

An IDP authenticates an end user and creates a SAML assertion for that user in a trusted fashion to a Service Provider (SP). When a user attempts to access an SP, the user's IDP collects local attribute information about the user and uses it to generate a SAML assertion for the user.

A NIEF IDP must meet the minimum requirements expressed in the NIEF Minimum Interoperability TIP for SAML IDP.

The following is a non-exhaustive list of products that provide SAML-based identity provider capabilities. You should evaluate these and other products to determine which best meet your needs within your budget.
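Before shortlisting a product, an implementer can pre-check its published IDP metadata against the protocol-level requirements quoted in the earlier revision above (SAML 2.0 Web SSO profile, SP-initiated Web Browser SSO, signed assertions). This is an added example, not NIEF or GFIPM code: the metadata document, entityID, URLs and certificate value are constructed placeholders, and passing it does not replace assessment against the NIEF Minimum Interoperability TIP.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Browser bindings an SP can use to deliver an AuthnRequest (SP-initiated SSO).
SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed sample: metadata of a hypothetical IDP (entityID, URLs and
# the certificate value are placeholders, not real NIEF data).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return {requirement: bool} for the checks an implementer would run
    before shortlisting a product; all three must be True to proceed."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # not an IDP at all (e.g. SP-only metadata)
        return {"saml2_protocol": False, "sp_initiated_sso": False,
                "signing_key": False}
    protocols = idp.get("protocolSupportEnumeration", "").split()
    # The SAML 2.0 Web SSO profile requires the SAML 2.0 protocol namespace.
    saml2 = SAML2_PROTOCOL in protocols
    # SP-initiated SSO needs at least one SingleSignOnService endpoint
    # reachable over a browser binding the SP can use for AuthnRequests.
    sso = any(e.get("Binding") in SSO_BINDINGS and e.get("Location")
              for e in idp.findall("md:SingleSignOnService", NS))
    # Assertions must be signed, so a signing key must be published
    # (use="signing", or no use attribute, which means signing and encryption).
    signing = any(k.get("use") in (None, "signing")
                  for k in idp.findall("md:KeyDescriptor", NS))
    return {"saml2_protocol": saml2, "sp_initiated_sso": sso,
            "signing_key": signing}
```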
