Identity federation can be defined as the set of agreements, standards and technologies that enable a group of service providers to recognise user identifiers and entitlements from other service providers within a federated domain. These agreements include policy and technology standards, resulting in a single virtual identity domain. Federation refers to mechanisms for cross-domain authorization, while provisioning refers to the automatic registration of users, initiated by an authoritative system, in subsidiary systems. In addition to federation, provisioning may be necessary in the backend systems.
The paper briefly reviews applicable (European) laws and concludes with a series of recommendations for those designing identity management systems.
All in all, an excellent primer for security architects and CISOs with an interest in this area - which means all of them, surely?