How to Choose a GFIPM Identity Provider Product

From GFIPM Implementation Wiki


This article lists the requirements for products that may be considered for a GFIPM Identity Provider (IDP). It also briefly describes the IDP products for which GFIPM implementers currently have some amount of knowledge and implementation experience.

As you work through the process of choosing an IDP product, consider which product best meets your organization's needs, and keep in mind that the best product for you may not necessarily be included in this document. For those organizations that have an existing enterprise identity management platform, the best choice may be to implement a GFIPM IDP via that existing platform - especially if the existing identity management platform conforms to the GFIPM IDP technical requirements (listed below).

An IDP authenticates an end user and conveys a SAML assertion about that user, in a trusted fashion, to a Service Provider (SP). When a user attempts to access an SP, the user's IDP collects local attribute information about the user and uses it to generate a SAML assertion for the user.

A GFIPM IDP must meet the following minimum requirements:

  • Conform to the SAML 2.0 Web Single Sign-On (SSO) Profile [SAML2].
  • Support SP-initiated Web Browser SSO.
  • Be compliant with the IDP requirements in [GFIPM U2S Profile].

Typically, an IDP consists of several components that include the following:

  • User authentication
  • Local user repository
  • SAML assertion generation

An IDP product may address one or more of these components, but in any case, it must perform the SAML assertion generation. It is likely that your organization already supports several of these components, including user authentication and a local user repository. Any IDP product must support interfaces to these existing systems.

While an IDP generates a SAML assertion that provides attributes about a user, an SP handles access to protected resources based on information given to it by an IDP. To perform their respective roles, an IDP and an SP need to communicate with each other, and the protocol through which this communication occurs in GFIPM is the Security Assertion Markup Language [SAML2].

SAML is a product of the OASIS Security Services Technical Committee (SSTC). It is an XML-based framework for communicating user authentication, entitlement, and attribute information. SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user, but may also be an application or system) to other entities, such as a partner company or another enterprise application.

Any IDP product chosen for a GFIPM federation must be SAML 2.0 compatible. The product must also have support for looking up GFIPM Metadata attributes in a local data source, so they can be assembled into a SAML assertion.
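The IDP flow described above (authenticate against a local repository, look up the user's attributes, assemble them into a SAML 2.0 assertion) and the SP side that consumes the assertion, as an added example that is not part of this wiki page and not any listed product's code. Everything in it is constructed: the entity IDs, the user record, and the attribute names are placeholders, not the real GFIPM Metadata attribute identifiers. It also goes one step beyond the page by showing the SP-side checks (issuer, audience, validity window) that a consumer of the assertion applies. The assertion is left unsigned for brevity; a GFIPM IDP must sign its assertions, and a real SP verifies that signature before any of the checks below.

```python
"""Added example (not from the GFIPM wiki): minimal IDP assertion generation
and SP-side consumption with Python's standard library only.
All identifiers below are constructed placeholders.  No XML signature is
applied; a production IDP signs the assertion and the SP verifies it first."""
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
IDP_ENTITY_ID = "https://idp.example.org/idp"   # placeholder issuer entity ID
SP_ENTITY_ID = "https://sp.example.org/sp"      # placeholder audience entity ID
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed "local user repository": attribute names are placeholders,
# NOT the real GFIPM Metadata attribute identifiers.
LOCAL_USERS = {
    "jdoe": {"password": "correct horse battery staple",
             "attributes": {"urn:example:attr:GivenName": "Jane",
                            "urn:example:attr:SurName": "Doe",
                            "urn:example:attr:EmployerName": "Example County PD"}},
}


def authenticate(username, password):
    """User-authentication component: return the user record or None."""
    user = LOCAL_USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    return user


def build_assertion(username, password, lifetime_s=300, now=None):
    """SAML-assertion-generation component: authenticate, then assemble the
    user's local attributes into an (unsigned) SAML 2.0 Assertion."""
    user = authenticate(username, password)
    if user is None:
        return None
    now = now or datetime.now(timezone.utc)
    issued, not_after = now.strftime(TIME_FMT), (now + timedelta(seconds=lifetime_s)).strftime(TIME_FMT)
    ET.register_namespace("saml", SAML_NS)
    q = lambda tag: f"{{{SAML_NS}}}{tag}"  # qualify a tag with the SAML namespace
    a = ET.Element(q("Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(a, q("Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID")).text = username
    sc = ET.SubElement(subj, q("SubjectConfirmation"), {"Method": BEARER})
    ET.SubElement(sc, q("SubjectConfirmationData"), {"NotOnOrAfter": not_after, "Recipient": SP_ENTITY_ID})
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": issued, "NotOnOrAfter": not_after})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = SP_ENTITY_ID
    authn = ET.SubElement(a, q("AuthnStatement"), {"AuthnInstant": issued})
    ET.SubElement(ET.SubElement(authn, q("AuthnContext")), q("AuthnContextClassRef")).text = PASSWORD_CTX
    attrs = ET.SubElement(a, q("AttributeStatement"))
    for name, value in user["attributes"].items():  # the attribute lookup step
        ET.SubElement(ET.SubElement(attrs, q("Attribute"), {"Name": name}), q("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def consume_assertion(xml_text, expected_issuer=IDP_ENTITY_ID, expected_audience=SP_ENTITY_ID, now=None):
    """SP side: check version, issuer, validity window and audience, then
    return the attributes as a dict.  Returns None on any failure."""
    now = now or datetime.now(timezone.utc)
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return None
    if root.findtext("saml:Issuer", namespaces=ns) != expected_issuer:
        return None
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        return None
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        return None
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", ns)]
    if expected_audience not in audiences:
        return None
    return {attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=ns)
            for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", ns)}


DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for a repeatable demo


def demo():
    """Exercise both sides: a good login, a bad password, an expired assertion
    and an assertion presented to the wrong SP."""
    good = build_assertion("jdoe", "correct horse battery staple", now=DEMO_NOW)
    return {
        "bad_password": build_assertion("jdoe", "wrong") is None,
        "attributes": consume_assertion(good, now=DEMO_NOW),
        "expired": consume_assertion(good, now=DEMO_NOW + timedelta(seconds=600)),
        "wrong_audience": consume_assertion(good, expected_audience="https://other.example.org/sp", now=DEMO_NOW),
    }
```

The SP-side function deliberately fails closed: any missing element, unexpected issuer, out-of-window timestamp or audience mismatch yields None rather than a partial attribute set, which is the behaviour you want to confirm in any product you evaluate as well.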

The following is a non-exhaustive list of products that provide SAML-based identity provider capabilities. You should evaluate these and other products to determine which best meet your needs within your budget.

