Federated identity management (FIM) is an arrangement that can be made between multiple enterprises to let subscribers use the same identification data to obtain access to the networks of all the enterprises in the group. The use of such a system is sometimes called identity federation.
Identity federation links a user's identity across multiple security domains, each supporting its own identity management system. When two domains are federated, the user can authenticate to one domain and then access resources in the other domain without having to perform a separate login process.
Identity federation offers economic advantages, as well as convenience, to enterprises and their network subscribers. For example, multiple corporations can share a single application, resulting in cost-savings and consolidation of resources.
Single sign-on (SSO) is an important component of identity federation, but it is not the same as identity federation.
Identity federation involves a large set of user-to-user, user-to-application and application-to-application use cases at the browser tier, as well as the service-oriented architecture tier.
In order for FIM to be effective, the partners must have a sense of mutual trust. Authorization messages between partners in an FIM system can be transmitted using Security Assertion Markup Language (SAML) or a similar XML standard that enables a user to log on once for affiliated but separate websites or networks.
How federated identity management works
Under a federated identity management scheme, credentials are stored with the user's identity provider -- usually the user's home organization. Then, when logging into a service such as a software-as-a-service app, that user does not need to provide credentials to the service provider: The service provider trusts the identity provider to validate the user's credentials. Consequently, the user only has to provide credentials directly to the identity provider, which is generally the user's home domain.
Under identity federation, the user authenticates once through the home domain; when that user initiates sessions in other security domains, those domains trust the user's home domain in order to authenticate the user.
Here is how FIM works:
- Users log in to their home network, authenticating through the home security domain.
- After they have authenticated to the home domain, users initiate an attempt to log in to a remote application that uses identity federation.
- Instead of authenticating directly with the remote application, that application requests the user's authentication from their home authentication server.
- The user's home authentication server authorizes the user to the remote application and the user is permitted to access the app.
The user only needs to authenticate once, to the home domain; remote apps in other security domains that have agreed to cooperate are then able to grant access to the user without requiring an additional login process.
Benefits of federated identity management
Identity federation offers economic benefits, as well as convenience, to companies and their users.
Organizations working together on a project can form an identity federation so that all of their users can access and share resources easily. Doing so authenticates users once to access resources across all the domains, while administrators at each organization can still control the level of access in their own domains. This approach can save money, as well as consolidate resources.
In addition, identity federation aims to do away with the barriers that stop users from accessing the resources they need when they need them securely and easily. Users of systems in identity federations don't have to create new accounts for each domain, which means they can securely access systems in different domains without having to remember credentials for all of them. As they move from one domain to another, users don't have to re-enter their credentials.
Additionally, with identity federation, administrators can avoid some of the issues that go along with balancing multi-domain access, such as developing a specific system to make it easy to access the resources of an external organization.
Identity federation can also be useful when administering applications that need access to resources in multiple security domains.
Differences between FIM and SSO
Although federated identity management systems provide their users with a form of single sign-on, FIM and SSO are not the same. SSO generally enables users to use a single set of credentials to access multiple systems within a single organization, while FIM enables users to access systems across different organizations.
While federated identity management enables single sign-on for users, organizations that implement SSO do not necessarily use FIM. Identity federation, however, relies heavily on SSO technologies to authenticate users across domains.
Single sign-on offers users the ability to authenticate themselves and access multiple services with a single login. SSO is token-based, which means that every user is identified by a token rather than a password.
Federated identity management is the arrangement made between enterprises that enables subscribers to use the same identification information to gain access to applications, programs and the networks of all the group's members.
While SSO lets a single authentication credential access different systems within one enterprise, an FIM system offers single-step access to numerous systems across different organizations. Users, therefore, don't provide credentials directly to a web app, but rather to the FIM system itself.
Advantages and disadvantages of FIM
The main advantage FIM offers to users is convenience: each user only needs to remember one username and password to access websites and applications across multiple security domains. FIM frees users from the burden of having to remember login credentials for each organization they collaborate with regularly.
FIM also benefits systems administrators, as it simplifies the process of authenticating and authorizing users of their systems within the federation. With federated identity management, a system administrator can set permissions and access levels across different systems in different security domains for a user based on a single username. This reduces a system admin's work, makes identity and access management easier, and streamlines access to resources.
There are also some disadvantages to using federated identity management, including the upfront costs that organizations -- particularly smaller ones -- will incur to modify their existing systems and applications.
Another challenge when implementing federated identity management frameworks is the necessity for participating members of the federation to create policies that adhere to the security requirements of all the members -- an undertaking that can be complicated by different requirements and rules set by each enterprise.
Finally, because an organization can be a member of different federations, its policies should accurately reflect the rules of each of the federation members. Ensuring this is the case requires a commitment of time and effort that many enterprises may not be prepared for.