Federation and Transitive Trust – CompTIA Security+ SY0-401: 5.2

Our networks rarely operate in a vacuum, and it becomes increasingly important that we provide the proper security posture to other parts of our network and to third-parties. In this video, you’ll learn how federation and transitive trust can give you more control over who goes out and who comes in.

<< Previous Video: Single Sign-onNext: Roles and Account Credentials >>

The concept of federation allows you to provide access to people who may not necessarily be part of your organization. You might need to provide access to people outside of your company. These might be partners, or suppliers, or customers, but you may not necessarily want to provide the authentication yourself. The way that we do this, is by creating a Federated network.

Someone would authenticate and gain access to your resources based on authentication that would come from somewhere else. For instance, you can go to a website and instead of creating a new account on that website, there might be a link that says that you could log into this website by using your Facebook credentials. And there would be a process in place to allow you to authenticate to Facebook, but still gain access to the resources on this third party site. That’s because a trust relationship has been created behind the scenes before you arrive between this third party site and Facebook. The degree of trust was also created because when you log in to the third party site, you may only allow that site to have certain rights and permissions to what you are doing with your Facebook credentials.

These trust relationships need to be put in place very early on when you’re establishing relationships between these organizations. Once they are in place, it becomes very difficult to change them so you want to really plan this out there’s something called a one way trust, where domain b would trust domain a, but the other way round doesn’t work. Domain a does not trust domain b. You might also find two way trust, where both domains are equal peers with each other, and they both will trust each other equally.

Some of these trusts are non-transitive. We may create a trust from domain a to domain b, but we would not allow domain b to extend that trust to other domains. Or the trust may be transitive, where domain a trusts domain b, domain b trusts domain c. Therefore, domain a would then trust domain c. These trust relationships are extremely important. They need to be well planned out, and they can be a very powerful tool to allow access to the resources in your environment.