Identity propagation is the carrying of an authenticated identity through the multiple business systems and processes that take part in handling a request. How to propagate identities is a recurring problem in service-oriented architectures (SOA), Web services and other multitiered applications: the tiers are separate parts of an IT system that each perform their own authentication, yet they still have to communicate with each other on behalf of the same user.
Now, that sounds like a mouthful, so let's bring it back down to earth with an example.
Take a portal application that consists of a Web-based front end, a database back end and perhaps some Enterprise JavaBeans (EJB) or other middleware. Each of these components may require its own authentication before it can hand the user off to the next component in the chain. In a closed architecture, where all the components were developed in-house at a single company, equally proprietary mechanisms can be used to propagate the authenticated user between the tiers.
But in a mixed environment, using SOA with a diverse collection of services from many vendors, say, a mix of MQSeries, SOAP, .NET and JMS, a widely accepted standard is needed for propagating identities between the components. This diversity of architectures and components is common in many companies.
Further, identity propagation has to be granular enough not only to carry each distinct user's identity through every layer of the application, but also to let each layer authorize that user for only their specific level of access.
There are many different approaches to identity propagation. Going back to our EJB example, there are ways to configure the security property files for EJBs and their containers to securely communicate with each other and securely pass through authenticated users.
Other approaches pass a security token in the SOAP header of each message (the WS-Security header block is the standard place for it). The token could be an X.509 digital certificate, a Kerberos ticket or a Security Assertion Markup Language (SAML) assertion; the receiving service validates the token and derives the caller's identity from it rather than re-authenticating the user.
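To make the token-in-SOAP-header approach, and the granular per-tier authorization mentioned earlier, concrete, here is an added example that is not from the original answer. A front-end tier mints a short-lived SAML-style assertion (subject, roles, audience, validity window) for an already-authenticated user, places it in a wsse:Security header, and a downstream service verifies it before authorizing the call. Two simplifications are assumptions of this example: the assertion is signed with an HMAC over its fields instead of the XML-DSig signature a real SAML assertion carries, and ISSUER_KEY is a hypothetical secret shared by the issuing and verifying tiers; the namespace URIs are the real SOAP 1.1, WS-Security and SAML 2.0 ones.

```python
"""Identity propagation across tiers via a signed assertion in a SOAP header.

Added example, not code from the original article. Assumptions, labelled:
  - the assertion is signed with an HMAC over its fields, standing in for
    the XML-DSig signature a real SAML assertion carries;
  - ISSUER_KEY is a hypothetical secret shared by the portal front end
    (issuer) and the downstream service (verifier).
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("saml", SAML_NS)):
    ET.register_namespace(prefix, uri)

ISSUER_KEY = b"hypothetical-shared-secret"  # placeholder, not a real key
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _signature(issuer, subject, roles, audience, not_before, not_after):
    """Sign every field the verifier relies on, so none can be altered in transit.
    (A real implementation signs the canonicalized XML instead of a joined string.)"""
    msg = "|".join([issuer, subject, ",".join(roles), audience, not_before, not_after])
    mac = hmac.new(ISSUER_KEY, msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_assertion(subject, roles, audience, now=None, ttl=300, issuer="portal-frontend"):
    """Front-end tier: mint a short-lived assertion for an already-authenticated user."""
    now = now or datetime.now(timezone.utc)
    not_before = now.strftime(FMT)
    not_after = (now + timedelta(seconds=ttl)).strftime(FMT)
    return {
        "issuer": issuer, "subject": subject, "roles": list(roles), "audience": audience,
        "not_before": not_before, "not_after": not_after,
        "signature": _signature(issuer, subject, roles, audience, not_before, not_after),
    }


def build_envelope(a, body_xml):
    """Place the assertion in the wsse:Security header of a SOAP envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{WSSE_NS}}}Security")
    asr = ET.SubElement(sec, f"{{{SAML_NS}}}Assertion", Version="2.0")
    ET.SubElement(asr, f"{{{SAML_NS}}}Issuer").text = a["issuer"]
    subj = ET.SubElement(asr, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = a["subject"]
    cond = ET.SubElement(asr, f"{{{SAML_NS}}}Conditions",
                         NotBefore=a["not_before"], NotOnOrAfter=a["not_after"])
    aud = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML_NS}}}Audience").text = a["audience"]
    stmt = ET.SubElement(asr, f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name="role")
    for r in a["roles"]:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = r
    ET.SubElement(asr, "Signature").text = a["signature"]  # stand-in for ds:Signature
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def verify_envelope(xml_bytes, expected_audience, now=None):
    """Downstream tier: accept the propagated identity only if the assertion checks out.

    Returns {"subject", "roles"}; raises PermissionError on any failed check.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    asr = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{SAML_NS}}}Assertion")
    if asr is None:
        raise PermissionError("no assertion in wsse:Security header")
    issuer = asr.findtext(f"{{{SAML_NS}}}Issuer")
    subject = asr.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    cond = asr.find(f"{{{SAML_NS}}}Conditions")
    audience = cond.findtext(f"{{{SAML_NS}}}AudienceRestriction/{{{SAML_NS}}}Audience")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    roles = [v.text for v in asr.findall(
        f"{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute[@Name='role']"
        f"/{{{SAML_NS}}}AttributeValue")]
    # Integrity first: nothing below is trusted until the signature verifies.
    expected = _signature(issuer, subject, roles, audience, not_before, not_after)
    if not hmac.compare_digest(expected, asr.findtext("Signature") or ""):
        raise PermissionError("assertion signature invalid")
    start = datetime.strptime(not_before, FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(not_after, FMT).replace(tzinfo=timezone.utc)
    if not (start <= now < end):
        raise PermissionError("assertion outside validity window")
    if audience != expected_audience:
        raise PermissionError("assertion issued for a different service")
    return {"subject": subject, "roles": roles}


def authorize(identity, required_role):
    """Per-tier authorization: the propagated identity grants only the roles it carries."""
    return required_role in identity["roles"]


if __name__ == "__main__":
    t0 = datetime(2007, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    env = build_envelope(issue_assertion("alice", ["reader", "approver"], "urn:svc:orders", now=t0),
                         "<GetOrder id='42'/>")
    who = verify_envelope(env, "urn:svc:orders", now=t0 + timedelta(seconds=60))
    print(who, "approver:", authorize(who, "approver"), "admin:", authorize(who, "admin"))
```

The order of checks in verify_envelope is the point to keep: signature before anything else, then the validity window, then the audience restriction so that an assertion minted for the orders service cannot be replayed against the billing service. Because the roles are inside the signed assertion, the downstream tier can authorize each call against the user's own entitlements instead of running every call as a shared service account.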
There are also ways to propagate user identities in SOA with IBM Tivoli Federated Identity Manager, which is used for single sign-on implementations.
Obviously, this is a very complex issue beyond the scope of this brief answer. But this should give you a high-level idea of the overall concept of identity propagation.
This was first published in December 2007