Identity Federations

What are the Identity Federations?

An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of the resources. 

Identity Federations (or Federations) are based upon the principle that a user's authentication is undertaken by their home organisation (their Identity Provider, or IdP), and that a resource (a Service Provider, or SP) trusts what the home organisation states about that user. 

A user is typically characterised by identity information (attributes) that is exchanged between the user's home organisation and the service the user requests. The service uses the information received from the user's home organisation in combination with other information (for example user ID and password) known about the user to authorise access. 

The most common use-case addressed by federations is the scenario  where a user requests access to a resource website using a web browser. In this case the user is redirected to his/her identity federation page to authenticate. If the authentication  succeeds, information  about the user (attributes)  and the result of the authentication are passed to the service for authorisation purposes. This process is transparent to users, who are only asked to enter their credentials (typically username and password). 

In the educational community, users belonging to different organisations often collaborate on research projects. These researchers create collaborative communities that span over different administrative domains.

There are different ways in which federations coexist and interact within the same country, or among different countries. The "classical"  inter-federation  scenario is one in which  users trust their IdP, which establishes relationships  with one or more SPs.  In other  cases, where a central policy might  not be needed, federations might decide to inter-operate in a less formal fashion, following an inter-federation model. 

What are Identity Federations available in Europe and the rest of the world?

 map of Identifies Federetions

An up to date list of Identity Federations in the world is maintained here

In Italy current information can be found here

Why are Identity Federations useful for accessing Digital Cultural Heritage through e-Infrastructures?

The relevance of Identity Federations for cultural heritage mainly resides in the fine-grained control of access rights to digital material. Data can reside on different systems, which can be geographically distributed, and located in different organizations. On the other hand, access should be granted to end-users belonging to different organizations, geographically located in any part of the world. Identity federations allow to manage and control the users' access privileges to resources, such as making changes, or accessing to confidential documents, or checking for payments. A key use case for federated identity is the collaboration of a research team, consisting of people from different organizations, and even countries, on a joint project involving access to multiple systems. Using federated identity, access control and authorizations on multiple systems is greatly simplified, both from the researcher's and from the Systems Administrator's point of view. The federated approach introduces the role of the Project administrator, a person who, through a unified administrative interface, can manage the permissions of the project participants in relation to different systems and services, without the need to assign new credentials and manage new identities. On the other hand, the key benefit for project participants consist in gaining the right of access to resources without the need to manage new credentials.


Service Provider: A Service Provider, or 'SP' is a resource or set of content available to users via a login.  This login may be to limit access to subscribers or specialist groups, or to provide personalisation features. In a federated environment, Service Providers do not hold identity information about users but instead rely on Identity Providers (i.e. the institution or organisation that a user belongs to) to send relevant information to them.

Identity Provider: An Identity Provider or 'IdP' is a term used to describe any institution or organisation that manages information about users and wants to provide access to resources (SP)  for these users.

Do you want to know more?

[This text has been produced in the framework of Indicate project]