Federated administration is a method for one administrative domain to provide authentication and user attributes to other domains that are willing to trust that information source. It is similar to the approach taken by the Liberty Alliance (http://www.projectliberty.org/). Federated administration provides a means for users to be identified at multiple institutions or service providers based on initially having identified themselves via authentication at their 'home' institution or provider. This approach allows users to access multiple services without authenticating with each service and without having to register with some 'global' identity manager. A particularly interesting component of the federated administration model is the Shibboleth software (http://shibboleth.internet2.edu/) which delivers user attributes to points in a network where authorization decisions (permission to access) are made. Shibboleth allows any number of authentication schemes to be used by institutions (e.g. username / password, Kerberos, or PKI) while standardizing the transport of attributes. Using Shibboleth, Debra Wesner can authenticate at University XYZ using the authentication scheme of choice there, while her conferencing endpoint can send a message stating "Debra Wesner from University XYZ is calling" in a manner that can be verified at any other location that trusts University XYZ to properly identify its community of users. The first version of Shibboleth supports web applications only. However, the Shibboleth developers are working on a more general API that could be used by non-web applications such as videoconferencing and VoIP.
A recent document by Jon Peterson entitled "Session Initiation Protocol (SIP) Authenticated Identity Body (AIB) Format" (IETF RFC 3893) describes how federated identity management can work in SIP. The proposed Authenticated Identity Body (AIB) is a means of sharing authenticated identity among parties in a network. Using a special MIME body format, a party in a SIP transaction can cryptographically sign the SIP message headers to assert the identity of the person who originated the message. This could be the signature of the sender himself / herself or it could be the signature of an institution or provider authentication service.
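The AIB idea above, as an added example that is not from this page or from RFC 3893's own format: the home domain builds a message/sipfrag of the identity headers and signs it, and the callee checks that the signature still matches the headers it actually received. RFC 3893 wraps the sipfrag in S/MIME; this example substitutes a detached RSA PKCS#1 v1.5 signature, and its Date freshness window (a guard against replaying a captured AIB on a later call) is this example's own choice, so nothing here is wire-compatible with a real AIB implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
	"time"
)

// Headers the AIB signs over. RFC 3893 carries them as a message/sipfrag inside an S/MIME
// multipart/signed body; this added example signs the sipfrag with a detached RSA signature instead.
var aibHeaders = map[string]bool{"From": true, "To": true, "Call-ID": true, "Contact": true, "Date": true}
// buildSipfrag copies the identity-bearing headers of a SIP message, in order, as the sipfrag to sign.
func buildSipfrag(sipMsg string) string {
	var out []string
	for _, line := range strings.Split(sipMsg, "\r\n") {
		if i := strings.Index(line, ":"); i > 0 && aibHeaders[line[:i]] {
			out = append(out, line)
		}
	}
	return strings.Join(out, "\r\n") + "\r\n"
}

// signAIB runs at the caller's home domain (its authentication service), which holds the private key.
func signAIB(key *rsa.PrivateKey, sipMsg string) ([]byte, error) {
	digest := sha256.Sum256([]byte(buildSipfrag(sipMsg)))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyAIB runs at the callee: the signature must cover the headers actually received, and the
// signed Date must lie within maxSkew of now (this example's replay guard, not part of RFC 3893).
func verifyAIB(pub *rsa.PublicKey, sipMsg string, sig []byte, now time.Time, maxSkew time.Duration) error {
	frag := buildSipfrag(sipMsg)
	digest := sha256.Sum256([]byte(frag))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("identity signature does not match the received headers")
	}
	for _, line := range strings.Split(frag, "\r\n") {
		if strings.HasPrefix(line, "Date:") {
			d, err := time.Parse(time.RFC1123, strings.TrimSpace(line[5:]))
			if err != nil || now.Sub(d) > maxSkew || d.Sub(now) > maxSkew {
				return errors.New("Date header malformed or outside the freshness window: possible replay")
			}
			return nil
		}
	}
	return errors.New("AIB lacks a Date header")
}
```

A modified From header or a message replayed an hour later both fail verification, which is exactly the property the callee relies on when it trusts "Debra Wesner from University XYZ is calling".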
Unlike some other protocols, H.323 faces significant challenges in making use of user identity. Security for H.323 is described by ITU-T H.235 "Security and encryption for H-series (H.323 and other H.245-based) multimedia terminals". As is evident from the title, security was developed with identification of devices rather than people in mind. This approach is not surprising in an organization closely identified with the telephony industry, but it does serve as a serious obstacle to making use of federated identity in H.323. For now, H.350 straddles this problem by using enterprise credentials to access videoconferencing credentials as described in Chapter .