Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

Federated Identity Management Systems

In a federated identity management system, authentication of a party X by one member of the community (or by a trusted third-party identity broker) ensures that party X is authenticated to all members of the community.

In these situations, a client wishing to access a server could also request that the server authenticate itself to a particular identity broker. The broker then performs whatever authentication is necessary and redirects the client to the appropriate server. The identity broker could also provide the server with a secret previously supplied by the client, so that the server can display this secret to the client in order to authenticate itself.

One advantage of this model is that it can take advantage of situations where communities of trust have already been established. Additionally, if an identity broker performs the task of forwarding an end user to the correct website, this averts the possibility that the user may be exposed to a man-in-the-middle attack.
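The following is an added, constructed simulation of the broker flow described in this section; it is not code from the submission or from any real federated identity product. It assumes (as the text does not specify) that the broker and each member server share an HMAC key, that the user registers a recognition secret with the broker at enrolment, and that the broker hands that secret to the server over a server-side channel rather than through the client. The names `IdentityBroker`, `MemberServer`, `Assertion` and `client_login` are hypothetical. It shows the two defensive properties the text relies on: the broker only redirects to registered members, and the genuine server can display the user's secret while a tampered or replayed assertion is rejected.

```python
"""Constructed simulation of broker-mediated federated login (not from the page)."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass
class Assertion:
    """Signed statement from the broker: who was authenticated, for which server."""
    payload: dict
    mac: str


class IdentityBroker:
    def __init__(self):
        self.users = {}       # username -> (salt, password hash, recognition secret)
        self.members = {}     # server_id -> (redirect URL, key shared with that server)
        self.forwarded = {}   # server_id -> {nonce: recognition secret} (server-side channel)

    def enrol_user(self, username, password, recognition_secret):
        salt = secrets.token_bytes(16)
        pwd_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, pwd_hash, recognition_secret)

    def register_member(self, server_id, url, shared_key):
        self.members[server_id] = (url, shared_key)

    def _check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, pwd_hash, _ = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, pwd_hash)

    def login(self, username, password, server_id):
        """Authenticate once at the broker; redirect only to a registered member."""
        if not self._check_password(username, password):
            return None
        if server_id not in self.members:   # unknown destination: no redirect issued
            return None
        url, key = self.members[server_id]
        nonce = secrets.token_hex(8)
        payload = {"sub": username, "aud": server_id,
                   "exp": int(time.time()) + 60, "nonce": nonce}
        mac = hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()
        # The user's recognition secret goes to the server directly, keyed by nonce.
        self.forwarded.setdefault(server_id, {})[nonce] = self.users[username][2]
        return url, Assertion(payload, mac)


class MemberServer:
    def __init__(self, server_id, shared_key, broker):
        self.server_id, self.key, self.broker = server_id, shared_key, broker

    def receive(self, assertion):
        """Verify the broker's assertion, then fetch the secret to show the user."""
        expected = hmac.new(self.key, json.dumps(assertion.payload, sort_keys=True).encode(),
                            "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion.mac):
            return None                                    # forged or tampered
        if assertion.payload["aud"] != self.server_id or assertion.payload["exp"] < time.time():
            return None                                    # wrong audience or expired
        nonce = assertion.payload["nonce"]
        secret = self.broker.forwarded.get(self.server_id, {}).pop(nonce, None)  # single use
        if secret is None:
            return None                                    # replayed, or never issued for us
        return {"user": assertion.payload["sub"], "display_secret": secret}


def client_login(broker, servers, username, password, server_id, my_secret):
    """Client side: follow the broker's redirect and check the displayed secret."""
    result = broker.login(username, password, server_id)
    if result is None:
        return "broker refused"
    url, assertion = result
    server = servers.get(url)
    if server is None:
        return "no server at redirect target"
    page = server.receive(assertion)
    if page is None:
        return "server rejected assertion"
    if page["display_secret"] != my_secret:
        return "secret mismatch: do not proceed"   # server could not prove itself
    return "authenticated: " + page["user"]


def build_demo():
    """Constructed community: one broker, one enrolled user, one member server."""
    broker = IdentityBroker()
    broker.enrol_user("alice", "correct horse", "blue teapot")   # constructed values
    bank_key = secrets.token_bytes(32)
    broker.register_member("bank", "https://bank.example/login", bank_key)
    bank = MemberServer("bank", bank_key, broker)
    return broker, bank, {"https://bank.example/login": bank}


if __name__ == "__main__":
    broker, bank, servers = build_demo()
    print(client_login(broker, servers, "alice", "correct horse", "bank", "blue teapot"))
    print(client_login(broker, servers, "alice", "correct horse", "phish", "blue teapot"))
```

The single-use `forwarded` table is what lets the server display the secret only for a session the broker actually created; a site the broker never redirected to has nothing to display, which is the property the text credits with averting man-in-the-middle exposure.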