Book contents
- Frontmatter
- Contents
- Foreword
- Acknowledgements
- Note to readers
- Glossary
- 1 What is access management, and why do libraries do it?
- 2 Electronic resources: public and not so public
- 3 Principles and definitions of identity and access management
- 4 Current access management technologies
- 5 Authentication technologies
- 6 Authorization based on physical location: how does the internet know where I am?
- 7 Authorization based on user identity or affiliation with a library: who you are? Or what you do?
- 8 Federated access: history, current position and future developments
- 9 How to choose access management and identity management products and services
- 10 Internet access provided by (or in) libraries
- 11 Library statistics
- 12 The business case for libraries
- Afterword
- Appendix 1 Case studies
- Appendix 2 A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources
- Index
8 - Federated access: history, current position and future developments
Published online by Cambridge University Press: 10 September 2022
Summary
Federated access has become a widespread access control paradigm, of particular importance to the academic library community. How did it reach this position, and what is its future?
Single sign-on and the origins of federated access management
Early work in federated access management grew out of work in the 1990s to create single-sign-on (SSO) services, both for the web and for other protocols, and in commercial and academic settings. In this chapter, the term is used interchangeably with federated identity management (FIdM), which is generally used in the commercial sector for similar technology.
Commercial single sign-on
Two companies founded in 1999 were among the first to produce software which allowed FIdM (Pang, 2005). NewCo, soon renamed Covisint, was set up as a co-operative venture by several US car manufacturers, and developed FIdM in the context of commercial electronic data interchange (EDI) – which at the time principally used non-internet networking – for the management of the supply chain, allowing suppliers access to their customers’ systems and vice versa. A second company, Yodlee, introduced a form of single sign-on through its consumer financial software, allowing users to manage multiple financial accounts through a single interface.
A third important single-sign-on product was Microsoft Passport, launched in 1999. The aim of this product was ambitious even then: to provide a single-sign-on service which would cover the whole of web commerce (Microsoft, 1999). This has an architecture based on central Microsoft-run identity providers, and provides an authentication service similar to those available from Facebook and other major websites more recently (described in Chapter 7). The main difference is that Passport went beyond authentication and was able to pass sensitive data such as physical addresses and credit card details, which was then intended to be used for purchases, to requesting servers. Passport was heavily criticized over privacy and security, and suffered embarrassing problems when the domain name for the authentication service was not renewed on time, resulting in the failure of authentication worldwide, until a user paid the modest fee on their behalf (Chaney, 2000). Between 1999 and 2012, Passport underwent five name changes, and the 2012 equivalent is known as Microsoft Account (more details are available on the Wikipedia page, https://en.wikipedia.org/wiki/Microsoft_Passport).
- Type: Chapter
- Information: Access and Identity Management for Libraries: Controlling Access to Online Information, pp. 81-98
- Publisher: Facet
- Print publication year: 2014