Identity management is the process of managing the attributes of a user in the digital environment.

How is the SSO different from a Federated identity?

Attributes of a user can be common such as hair colour or gender; or unique like email id or social security number. Using such attributes, a user is identified, authenticated, and then authorised to access the resources and services provided by the sites over the Internet. The user must authenticate himself/herself each time a new application is accessed. This problem was then solved by Single Sign On (SSO) through which we can access any internal applications or a realm. A security realm is a circle of trust within which every component trusts each other.

However, multiple realms usually do not trust each other by default. This is when the concept of Federation or Federated identity comes into play.  

There are two terms that we need to understand before going further. A service provider is an entity that is accessed by the user to avail their services. An identity provider is the one that authenticates the user and stores the user attributes within themselves.

What is a Federation?

Federation consists of an association of identity providers and service providers of different realms. The binding force between them is the trust established which enables this cross-realm communication. Federation increases the user experience by allowing them to use their local identity provider and seamlessly access applications in any other realm. The Federation leverages the power of SSO with the help of shared principles, agreements and protocols. Some of the protocols used for federation are SAML 2.0 (Security Assertion Markup Language), OpenID, OAuth etc. 

Federation is presently used in various fields such as government agencies that use the SAML 2.0 protocol, and educational institutions that use Shibboleth. It is also used in banking and other enterprises. We can also see the use of Federation in our normal web activities. The following example would help you to understand the concept of Federation further: 

This image is taken from the GeeksForGeeks—a computer science portal for geeks—a website that is our service provider. It has a local authentication process that consists of a username or email and password which is stored within GeeksForGeeks or we can sign in using Google, Facebook, LinkedIn, or GitHub which are the trusted external/third-party identity providers who will authenticate the user on behalf of GeeksForGeeks and relay the authentication decision to GeeksForGeeks. 

Author: Kashif Baksh, Senior Technical Consultant, Fusion Practices