Federated Identity Management vs. SSO (Delinea Blog)
Federated identity management (FIM) and single sign-on (SSO) are not synonymous: FIM gives you SSO, but SSO does not give you FIM. That distinction matters as you move to the cloud and adopt more SaaS applications. You will have some initial start-up cost with FIM, because you have to stand up an identity provider (IdP), but in the long run it is cheaper than using simple SSO without FIM. Why? Let's start by understanding the difference between the two.

Single sign-on (SSO) allows users to access multiple services with a single login. The term is somewhat ambiguous. Sometimes it means only that a user provides credentials once per session and then reaches multiple services without signing in again during that session. Think of your bank: you log in once and can then open your savings, retirement, investment and mortgage accounts without being prompted for credentials again. In reality those accounts are separate systems. If you watch the browser address bar as you switch between them, you will most likely see something like this: https://yourbankurl/switchaccount/SAML_Action...

The downsides of SSO on its own are that you depend on each SaaS application's own support for multi-factor authentication (MFA) for additional protection; users still have to remember all the separate logins or resort to a password manager; and IT has to manage the individual SaaS logins for every employee. The result is that departed employees keep access to confidential information long after they have left, because IT or the line of business never de-provisioned or deactivated their SaaS accounts, and the company keeps paying for licenses assigned to former employees. All of this makes SSO without FIM costly and insecure.
Federated identity management (FIM) refers to a way of connecting identity management systems together. With FIM, a user's credentials are always stored with a "home" organization (the identity provider). When the user logs into a service (a SaaS application), instead of the user presenting credentials to the service provider, the service provider trusts the identity provider to validate them and accepts the identity provider's signed assertion about who the user is. The user therefore never hands credentials to anyone but the identity provider. You are federating your service providers (SaaS applications) with your identity provider: a many-to-one mapping, many SaaS applications to one identity provider.

FIM and SSO are different but very often used together. Remember: FIM gives you SSO, but SSO does not necessarily give you FIM. Identity federation offers enterprises and their subscribers economic advantages as well as convenience. For example, multiple corporations can share a single application (B2B federation), with the resulting cost savings and consolidation of resources. For FIM to work, the partners must trust each other, and that trust is concrete: each service provider is configured with the identity provider's signing certificate and entity ID, and the identity provider is configured with the service provider's assertion consumer URL and audience. Authentication and attribute assertions between partners are transmitted using Security Assertion Markup Language (SAML) or a similar XML standard such as WS-Federation, allowing a user to log on once to affiliated but separate websites or networks.

Additionally, FIM systems (IdPs) such as Delinea provide automated account provisioning and de-provisioning into SaaS applications such as Office 365, Salesforce, AWS and ServiceNow. Automated provisioning means that a new user is created in every application assigned to them, based on their role or group membership in the enterprise user directory (Active Directory or LDAP), and that disabling the directory account removes the SaaS access, and the license, with it. The user only has to remember their domain credentials.

In a nutshell, FIM is cheaper and much more secure in the long run because:
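The provisioning and de-provisioning logic described above, as an added example (not Delinea's or the article's code): it derives the SaaS accounts each enabled directory user should hold from group membership, compares that with what each SaaS tenant currently reports, and produces a per-application plan of accounts to create and accounts to deactivate, with the reason recorded for the audit trail. The directory export, the group-to-application map and the tenant account lists are constructed inline and hypothetical; a real connector would pull them from AD/LDAP and from each tenant's SCIM /Users endpoint.

```python
# Added example (not Delinea's or the article's code): role-based provisioning and
# de-provisioning reconciliation.  All data below is constructed inline as a stand-in
# for an AD/LDAP export and per-tenant SaaS account lists; names are hypothetical.

ROLE_TO_APPS = {
    "sales": {"salesforce", "office365"},
    "engineering": {"aws", "office365"},
    "servicedesk": {"servicenow", "office365"},
}

# Authoritative source: the enterprise directory.  'enabled' is the account flag
# that HR/IT clears when someone leaves; group membership is often left behind.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"sales"}},
    "bob": {"enabled": True, "groups": {"engineering", "servicedesk"}},
    "carol": {"enabled": False, "groups": {"sales"}},   # departed, still in groups
}

# What each SaaS tenant currently reports.  'dave' has no directory record at all.
SAAS_ACCOUNTS = {
    "salesforce": {"alice", "carol"},
    "office365": {"alice", "bob", "carol", "dave"},
    "aws": set(),
    "servicenow": {"bob"},
}


def desired_assignments(directory, role_to_apps):
    """{app: users} that should hold an account, derived only from *enabled* users."""
    desired = {}
    for user, rec in directory.items():
        if not rec["enabled"]:
            continue
        for group in rec["groups"]:
            for app in role_to_apps.get(group, ()):
                desired.setdefault(app, set()).add(user)
    return desired


def deprovision_reason(user, directory):
    """Explain why an existing SaaS account should go; this goes into the audit log."""
    rec = directory.get(user)
    if rec is None:
        return "no directory record"
    if not rec["enabled"]:
        return "directory account disabled"
    return "not entitled by any group"


def reconcile(directory, role_to_apps, saas_accounts):
    """Return a per-app plan: who to create and who to deactivate (with reason)."""
    desired = desired_assignments(directory, role_to_apps)
    plan = {}
    for app, current in saas_accounts.items():
        wanted = desired.get(app, set())
        plan[app] = {
            "provision": sorted(wanted - current),
            "deprovision": {u: deprovision_reason(u, directory)
                            for u in sorted(current - wanted)},
        }
    return plan


def orphaned_licenses(plan):
    """Licenses still being paid for that no enabled, entitled user needs."""
    return sum(len(p["deprovision"]) for p in plan.values())


if __name__ == "__main__":
    plan = reconcile(DIRECTORY, ROLE_TO_APPS, SAAS_ACCOUNTS)
    for app, actions in plan.items():
        print(app, actions)
    print("orphaned licenses:", orphaned_licenses(plan))
    # A real connector would now POST the creates and PATCH {"active": false} for the
    # removals against each tenant's SCIM endpoint instead of printing the plan.
```

Note that the plan deactivates rather than deletes: deactivation preserves the account for forensics and for the licence reclaim, and it catches both the disabled user who was never cleaned up and the account that has no directory record at all.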
Introduction

Federated identity management is an arrangement made between two or more trust domains to allow users of those domains to access applications and services using the same digital identity. Such an identity is known as a federated identity, and the use of this solution pattern is known as identity federation. Federated identity management is built on trust between two or more domains; a trust domain can be a partner organization, a business unit, a subsidiary, and so on. In most digital organizations today, identity and access management (IAM) is a specialized function delegated to a service known as an identity broker: a service that specializes in brokering access control between multiple service providers (also referred to as relying parties) and the identity providers they trust. Federated identity management is thus an arrangement made between two or more such providers across organizations. Identity brokers go by different names depending on the role they play in federated identity management. These names are not standardized across the industry; they are used in common parlance and sometimes interchangeably, so it is important to state the context whenever they are used. Depending on the arrangement, an identity broker may play more than one role. These roles include:
Here is a quick description of each role. An identity provider is responsible for asserting digital identities, with claims, for service providers to consume. A resident identity provider is defined with respect to a digital identity and is responsible for asserting the digital identities within its own trust domain; it is sometimes also referred to as the local identity provider or incumbent identity provider. A federated identity provider is defined with respect to a trust domain and asserts digital identities that belong to a second trust domain, with which a trust relationship has been established. The term federation provider denotes an identity broker that specializes in mediating IAM operations between multiple service providers and multiple identity providers, based on trust relationships. A resident authorization server is defined with respect to a service provider and is where the logical representation of the application or service provider resides; it is responsible for authenticating and authorizing the application or service provider for the requested access.

Benefits of Identity Federation
Examples of Federated Identity Management Use Cases
Inbound and Outbound Identity Federation

Identity federation is broadly categorized into two areas:
In an identity federation flow, the case where an identity broker receives an assertion issued by another identity broker is known as inbound identity federation. It lets you give identities from outside your organization's traditional boundary or trust domain access to your own applications and services. Conversely, an identity provider producing an assertion to be consumed by another identity broker is outbound identity federation. It lets identities you manage access applications and services outside your organization's traditional boundary or trust domain.

Figure 1: Identity Federation between the Enterprise and SaaS Application

Figure 1 illustrates an identity federation arrangement between an enterprise and a SaaS application. The SaaS application is hosted in the Azure cloud and delegates its authentication to a federation provider. The enterprise is a tenant in both the SaaS application and the federation provider. The enterprise identity provider (ADFS) is configured as a federated identity provider in the enterprise's tenant of the federation provider, which establishes a trust between the cloud tenant's federation provider and the enterprise identity provider. Users known to the enterprise identity provider can therefore log in to the enterprise's tenant of the SaaS application with their enterprise identities. This flow covers authentication only; for users to gain complete access they must also pass authorization, which may or may not be part of the federation arrangement.

Identity Federation vs. Single Sign-On

Most federated identity management solutions are implemented such that users are not required to prove their identity more than once per logged-in session. Single sign-on is not synonymous with identity federation, but it is a by-product of the way federation is implemented.
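What "trusting the identity provider" means in practice, for both the Delinea section above (the service provider accepts the identity provider's assertion instead of credentials) and the inbound federation of Figure 1 (the federation provider accepts assertions from the enterprise ADFS): the relying party must verify the assertion before it uses a single claim from it. The following is an added example, not code from the article or from any vendor named on this page. The assertion is constructed for the example; real SAML signs the assertion with XML-DSig (RSA over a canonicalized document), which needs a library such as python3-saml/xmlsec, so a detached HMAC over the raw bytes stands in for that signature here. The issuer names, keys, URLs and request IDs are hypothetical.

```python
# Added example (not from the article): the checks a relying party performs on an
# inbound federated assertion before trusting the external IdP's claims.  The HMAC
# below is a stand-in for XML-DSig so the example runs on the standard library alone.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Per-issuer verification key, as loaded from each trusted IdP's metadata.  The key is
# looked up *by issuer*, so one trusted partner cannot mint assertions that appear to
# come from another.  Keys are hypothetical.
TRUSTED_ISSUERS = {
    "https://adfs.enterprise.example/adfs/services/trust": b"enterprise-idp-signing-key",
    "https://idp.partner.example": b"partner-idp-signing-key",
}

ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a7f3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://adfs.enterprise.example/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@enterprise.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://fp.example/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://fp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)   # fixed clock for the example


class FederationError(Exception):
    pass


def sign(key, data):
    """Stand-in for the IdP's XML-DSig: detached HMAC-SHA256 over the assertion bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_bytes, signature, *, audience, acs_url, outstanding_requests,
                       seen_ids, now=NOW, skew=timedelta(seconds=60)):
    """Validate an inbound assertion; return the identity and claims it carries."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML}}}Assertion":
        raise FederationError("not a SAML assertion")
    # 1. Issuer must be a configured partner; *its* key checks the signature.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise FederationError(f"untrusted issuer {issuer!r}")
    if not hmac.compare_digest(sign(key, xml_bytes), signature):
        raise FederationError("signature invalid: bytes altered or key mismatch")
    # 2. The assertion must be meant for us, not for another tenant or SP.
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise FederationError(f"audience {audiences} does not include {audience}")
    # 3. Validity window, with bounded clock skew.
    cond = root.find("saml:Conditions", NS)
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise FederationError("assertion outside its validity window")
    # 4. Bearer confirmation: delivered to our ACS, answering a request we really made.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url:
        raise FederationError("assertion delivered to the wrong endpoint")
    if scd.get("InResponseTo") not in outstanding_requests:
        raise FederationError("unsolicited or already-consumed InResponseTo")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise FederationError("subject confirmation expired")
    outstanding_requests.discard(scd.get("InResponseTo"))
    # 5. Replay protection: each assertion ID is accepted once until it expires.
    if root.get("ID") in seen_ids:
        raise FederationError("replayed assertion")
    seen_ids.add(root.get("ID"))
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": issuer, "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


def demo():
    """Accept the genuine assertion once, then reject a replay and a tampered copy."""
    sig = sign(TRUSTED_ISSUERS["https://adfs.enterprise.example/adfs/services/trust"], ASSERTION)
    seen = set()
    ok = validate_assertion(ASSERTION, sig, audience="https://fp.example", acs_url="https://fp.example/acs",
                            outstanding_requests={"_req42"}, seen_ids=seen)
    outcomes = {"first": ok["name_id"], "attributes": ok["attributes"]}
    for label, body in [("replay", ASSERTION), ("tampered", ASSERTION.replace(b"alice@", b"admin@"))]:
        try:
            validate_assertion(body, sig, audience="https://fp.example", acs_url="https://fp.example/acs",
                               outstanding_requests={"_req42"}, seen_ids=seen)
            outcomes[label] = "accepted"
        except FederationError as e:
            outcomes[label] = str(e)
    return outcomes
```

The order of the checks matters: the issuer is read from unauthenticated bytes only to select the verification key, and nothing else is read until the signature has been checked with that key. The audience and recipient checks are what stop an assertion issued for one tenant or one service provider from being accepted by another, and the request-ID and assertion-ID bookkeeping are what stop a captured assertion from being presented twice.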
On the other hand, not all single sign-on implementations can be categorized as identity federation. For example, Integrated Windows Authentication (IWA), based on the Kerberos network authentication protocol, provides single sign-on across applications and services but is not considered identity federation, because it is limited to a particular network (the Kerberos realm and the domains that trust it).

Bring Your Own Identity

The phrase Bring Your Own Identity (BYOID) became popular with the trend of using social identities to gain access to applications and services. Although BYOID is commonly used in the context of social identities, the concept applies to any federated digital identity issued by a government, a non-governmental organization or an enterprise. Use cases 3, 4, 5 and 6 are all examples of BYOID and are commonly found in customer IAM (CIAM). They can be further divided into BYOID for sign-up, for sign-in and to connect. Although all three follow a similar flow, their objectives differ subtly. The objective of "BYOID for sign-up" is to improve the user experience of self sign-up by retrieving part or all of the profile information needed to create an account for the user in the intermediary identity broker from an identity managed by a third party. The purpose of "BYOID for sign-in" is to make the login flow as smooth as possible for the end user, with as few prompts for additional input as possible; BYOID for sign-in does not necessarily require a local account to be provisioned in the intermediary identity broker. Finally, the intention of "BYOID to connect" is simply to enrich the local user profile with additional or missing information.

Federated Account Linking

One of the key features of a federation provider is linking the digital identifiers of a single identity in multiple federated identity providers to a digital identifier in the resident identity provider.
This is known as federated account linking. Without it, a federation provider simply mediates between a service provider and a federated identity provider. This mode of federation is commonly seen in non-critical applications and services such as public forums and downloads of forms, whitepapers and reports; see Figure 2.

Figure 2: Federated login without account linking

With federated account linking, in addition to mediating, the federation provider may also provide features such as account management, password management and entitlement management, as illustrated in Figure 3.

Figure 3: Federated login with account linking

Just-In-Time Account Provisioning

Just-in-time account provisioning sets up an account for the user in an intermediary identity broker on the fly, at the moment of the first federated login. It is a key part of just-in-time account linking, as illustrated in Figure 4.

Figure 4: Federated login with just-in-time account provisioning

Just-In-Time Password Provisioning

Just-in-time password provisioning is an optional step of just-in-time account provisioning. Whether it is needed generally depends on the combined account and password policies of the organization and of the applications the user will access. If you do provision a password for the local account, it is still optional whether the user may continue signing in with the federated identity. Bear in mind that a locally provisioned password is a second credential for the same identity, whose strength, storage and lifecycle are now the broker's responsibility rather than the federated identity provider's.

Home Realm Discovery

Federating with a single identity provider is not sufficient for today's enterprise needs. Typically multiple federated identity providers, known as realms, are configured to support multiple partners or multiple social login options.
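The three modes just described (mediation without linking as in Figure 2, account linking as in Figure 3, and just-in-time account and password provisioning as in Figure 4), as an added example that is not WSO2's code or the article's. In-memory dictionaries stand in for the resident user store; the federated identity is keyed by the pair (issuer, subject), because a subject identifier is only unique within the identity provider that issued it; the email_verified claim is assumed to be asserted by the identity provider (as OpenID Connect defines it), and issuers, subjects and attribute names are hypothetical.

```python
# Added example (not WSO2's code): federated account linking, just-in-time account
# provisioning and optional just-in-time password provisioning in a federation provider.
# Stores are in-memory dicts; the email_verified claim is assumed to come from the IdP.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalAccount:
    username: str
    email: str
    links: set = field(default_factory=set)       # {(issuer, subject)} linked to this account
    password_hash: Optional[bytes] = None         # only set by JIT password provisioning


class FederationProvider:
    def __init__(self, jit_password=False):
        self.accounts = {}        # username -> LocalAccount (the resident identity provider)
        self.link_index = {}      # (issuer, subject) -> username
        self.jit_password = jit_password

    def mediate_only(self, issuer, subject, attrs):
        """Figure 2 mode: pass the federated claims through; no local account is touched."""
        return {"issuer": issuer, "subject": subject, **attrs}

    def federated_login(self, issuer, subject, attrs):
        """Figure 3/4 mode: resolve (issuer, subject) to a resident account, linking or
        provisioning on the fly.  Returns (account, how, temporary_password_or_None)."""
        key = (issuer, subject)           # a subject is unique only within its issuer
        if key in self.link_index:
            return self.accounts[self.link_index[key]], "linked", None

        email = attrs["email"].strip().lower()
        # Link to an existing resident account only on an attribute the IdP vouches for.
        # Linking on an unverified email would let whoever controls a federated IdP take
        # over another user's resident account just by asserting that user's address.
        if attrs.get("email_verified") is True:
            for acct in self.accounts.values():
                if acct.email == email:
                    self._link(acct, key)
                    return acct, "account-linked", None

        # Just-in-time provisioning of a new resident account (Figure 4).
        base = attrs.get("preferred_username") or email.split("@")[0]
        acct = LocalAccount(username=self._unique_username(base), email=email)
        self.accounts[acct.username] = acct
        self._link(acct, key)
        temp = None
        if self.jit_password:                     # optional JIT password provisioning
            temp = secrets.token_urlsafe(16)      # delivered out of band, never logged
            acct.password_hash = self.hash_password(temp)
        return acct, "provisioned", temp

    def _link(self, acct, key):
        acct.links.add(key)
        self.link_index[key] = acct.username

    def _unique_username(self, base):
        name, n = base, 1
        while name in self.accounts:
            n += 1
            name = f"{base}{n}"
        return name

    @staticmethod
    def hash_password(password, salt=None):
        """salt || PBKDF2-HMAC-SHA256(password); the salt travels with the hash."""
        salt = salt or secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def verify_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or acct.password_hash is None:
            return False                          # no local password: federated login only
        salt, digest = acct.password_hash[:16], acct.password_hash[16:]
        return hmac.compare_digest(self.hash_password(password, salt)[16:], digest)
```

The linking rule is the security-relevant part: a second identity provider may be attached to an existing resident account only on a claim that the first provider has verified, otherwise any federated realm could claim any local user.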
In such cases, choosing the resident identity provider, commonly known as the home realm, for the particular user trying to access the application or service becomes a challenge, especially in terms of user experience. Home Realm Discovery (HRD) is the process of identifying the resident identity provider of a particular user so that the user can be authenticated there and their identity asserted with claims. HRD was originally a Microsoft term, but the concept applies to all modern identity federations. There are no standards for how HRD should be implemented; each vendor has its own style, which makes portability hard. HRD methods can be automatic or involve manual user interaction. Following are some commonly used methods for HRD:
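As an added example, not from the article, here is a home realm discovery routine combining three methods in standard use: an explicit hint from the application (the login_hint and domain_hint parameters OpenID Connect defines), a lookup of the user's email domain in a realm table, and a realm remembered from a previous login, with a manual picker as the fallback. The realm names, domains and remembered-realm value are hypothetical.

```python
# Added example (not from the article): home realm discovery with automatic methods
# first and manual selection as the fallback.  Realms and domains are hypothetical.
REALMS = {
    "corp-adfs":    {"domains": {"enterprise.example"}, "protocol": "saml"},
    "partner-okta": {"domains": {"partner.example", "partner.co"}, "protocol": "oidc"},
    "google":       {"domains": set(), "protocol": "oidc"},   # social: picked manually
}

DOMAIN_INDEX = {d: realm for realm, cfg in REALMS.items() for d in cfg["domains"]}


def realm_for_email(login_hint):
    """Map an identifier to a realm by its *exact* domain label.
    A suffix match (endswith) would let 'evil-enterprise.example' or
    'enterprise.example.attacker.test' be routed to the corporate realm."""
    if not login_hint or "@" not in login_hint:
        return None
    domain = login_hint.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return DOMAIN_INDEX.get(domain)


def discover_home_realm(*, domain_hint=None, login_hint=None, remembered_realm=None):
    """Return (realm, method); realm is None when the user must choose manually."""
    # 1. Explicit hint from the application, honoured only for configured realms.
    if domain_hint in REALMS:
        return domain_hint, "domain_hint"
    # 2. Automatic: email domain of the identifier the user typed or the app supplied.
    realm = realm_for_email(login_hint)
    if realm:
        return realm, "email-domain"
    # 3. Realm remembered from a previous login (cookie), ignored once decommissioned.
    if remembered_realm in REALMS:
        return remembered_realm, "remembered"
    # 4. Manual interaction: show the picker.
    return None, "prompt"


def realm_choices():
    """What the manual picker offers."""
    return sorted(REALMS)
```

The hints are treated as untrusted input: a domain_hint or remembered realm that is not configured is ignored rather than passed through, and the email-domain lookup is an exact-label match, never a suffix match.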
Supporting IAM Transitions

Identity federation can also be used as a transition strategy for IAM. It can facilitate migrating from multiple decentralized source user directories to a single, centralized target directory; in this case passwords are also provisioned (see just-in-time password provisioning above). Once all accounts have been migrated, you may decide to disconnect the federated identity providers governing the old distributed directories from the ecosystem.

Summary

This article focused on federated identity management and its usage. There are many identity federation protocols, such as SAML 2.0 Web SSO, OpenID Connect, WS-Trust and WS-Federation. Although we have not looked at any specific protocol used to implement federated identity management, the concepts discussed remain the same for whichever protocol you choose. WSO2 Identity Server is an open source IAM product distributed under the Apache 2.0 license. It has a powerful identity management and identity federation framework, which lets it play any of the identity broker roles described in this article in a federated identity management system.

What is passed from the service provider to the identity provider in a federated solution?

SAML works by passing information about users, logins and attributes between the identity provider and service providers. In an SP-initiated flow the service provider sends the identity provider an authentication request (a SAML AuthnRequest carrying the service provider's entity ID, a request ID and its assertion consumer service URL). The user logs in once to the identity provider, which then returns a signed SAML assertion containing the user's attributes to the service provider whenever the user attempts to access that service.
Which items are commonly passed from the service provider to the identity provider in a federated solution?

An authentication request (a SAML AuthnRequest or an OpenID Connect authorization request) identifying the service provider and what it wants asserted, together with any relay state. In OpenID Connect the relying party later also presents the authorization code, and then its tokens, to the identity provider's token and userinfo endpoints. The assertion or ID token itself flows in the other direction, from the identity provider to the service provider.
What are federated identity providers?

Federated identity allows authorized users to access multiple applications and domains using a single set of credentials. It links a user's identity across multiple identity management systems so they can access different applications securely and efficiently.
What is a federated identity solution?

Federated identity is a solution that lets users from a group of linked organizations use the same verification method to reach various applications and resources. It does this by connecting users' online identities across multiple domains and networks.