Federated Identities

This is the fourth course in Domain 3 of the CSSLP certification and covers the essential ideas, concepts, and principles that you need to take into account when building secure software.

Learning Objectives

  • Understand the process and controls available to secure your software
  • Learn about the main security technologies available

Intended Audience

This course is intended for anyone looking to develop secure software as well as those studying for the CSSLP certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


Federated Identities, as another form of authentication, provide the policies, processes, and mechanisms to manage identity and trusted access to systems across organizations and across the web. One way to picture Federated Identity Management is to consider the phrase "E pluribus unum," meaning "Out of many, one." In a sense, Federated Identity Management does much the same thing: it allows multiple sources to validate a single identity, with trust built into the relationship in doing so.

This makes for multi-system identity information for managing a global single sign-on type of environment. It is based on trust relationships, commonly employing cross-certification between the various entities, and it is always standards-based, which ensures compliance and interoperability. In it we have two primary entities. One is the identity provider, which holds all of the identities and generates a token for each valid, known user whenever a validation transaction needs to be processed. The other, the relying party, is the service provider and the consumer of these tokens. There has to be, of course, a trust relationship between the identity provider and the relying party.

As mentioned, the relationship uses a token for the identity of the individuals seeking authorization. In this process a token is generated: a string of characters that stands in for the sensitive data of the entity being tokenized. The token is then stored in a secured location, such as a database, which holds the relationship between the token and the subject it represents. We also have, of course, classic single sign-on. This is typically used for facilitating inter-organizational and inter-security-domain access to resources by leveraging the Federated Identity Management system. Classic single sign-on is basically one point of entry which combines access to multiple resources behind it. This is often referred to as federation, and indeed this is the form it takes in cloud and web environments.
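As an added illustration, not part of the course material, here is a minimal Python model of the two entities described above: an identity provider that holds the users, keeps the token-to-subject mapping in its own store and issues a signed token, and a relying party that consumes the token only if it comes from a trusted provider, is addressed to it, and has not expired. The shared HMAC secret stands in for the cross-certified trust relationship; all names, users and passwords are constructed.

```python
import base64, hashlib, hmac, json, secrets, time
class IdentityProvider:
    # Holds the identities and issues a token for each valid, known user.
    def __init__(self, name, users):
        self.name = name
        self.users = users          # username -> password (constructed sample data)
        self.token_store = {}       # opaque token -> subject: the secured mapping
        self.trusted_parties = {}   # relying party -> shared secret (trust relationship)

    def establish_trust(self, relying_party):
        # Stand-in for cross-certification: a secret shared with one relying party.
        self.trusted_parties[relying_party] = secrets.token_bytes(32)
        return self.trusted_parties[relying_party]

    def issue_token(self, username, password, relying_party, ttl=300):
        if self.users.get(username) != password or relying_party not in self.trusted_parties:
            return None
        opaque = secrets.token_urlsafe(16)       # reveals nothing about the subject
        self.token_store[opaque] = username      # only the IdP holds this relationship
        claims = {"iss": self.name, "aud": relying_party, "tok": opaque,
                  "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.trusted_parties[relying_party], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

class RelyingParty:
    # Service provider: consumes tokens, accepting only those from trusted IdPs.
    def __init__(self, name):
        self.name = name
        self.trusted_idps = {}      # issuer name -> shared secret
    def trust(self, idp_name, secret):
        self.trusted_idps[idp_name] = secret

    def validate(self, token, now=None):
        # Returns the opaque token reference if the assertion is acceptable, else None.
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
            claims = json.loads(body)
        except ValueError:          # malformed split, base64 or JSON
            return None
        secret = self.trusted_idps.get(claims.get("iss")) if isinstance(claims, dict) else None
        if secret is None:          # issuer is not a trusted identity provider
            return None
        if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), sig):
            return None             # tampered, or signed under a different trust relationship
        if claims.get("aud") != self.name or claims.get("exp", 0) < (now or time.time()):
            return None             # meant for another party, or expired
        return claims.get("tok")
```

Note that the relying party never sees the username: it receives only the opaque reference, and the identity provider alone can resolve it through its token store.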

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his standards as a professional educator, and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
