Federated Identity Management
What is Federated Identity Management?
Organizations store data across multiple locations and often multiple domains. Complicating things further, each data store is protected separately, requiring the end user to enter (and remember) numerous logins. Password reuse is a common habit, which makes it easier for adversaries to compromise multiple systems in a single attack.
Federated Identity Management (FIM) solves that issue. The public-facing portion of FIM, called Single Sign-On (SSO), is a commonly known and used product. However, SSO as used within FIM differs from a standalone SSO product.
Federated Identity Management allows the end user to use a single set of credentials to log in to a group of domains, referred to as a trust domain. Each system maintains its own identity management, but all are linked through a third party, known as an identity provider, which stores the credentials and verifies the user's identity.
The systems within a trust domain send each other authentication and authorization messages as the user moves between them, typically written in Security Assertion Markup Language (SAML). Other standards are also used, including OAuth and OpenID Connect.
Why is Federated Identity Management important?
FIM simplifies the authentication process for end users who frequently move between domains to complete their work. It also increases productivity since the user doesn’t have to stop to re-authenticate.
System administrators experience a dramatic decrease in the amount of work required to grant (or revoke) access. Combined with a passwordless authentication system, it can dramatically improve your security posture.
Key concepts in Federated Identity Management
Digital identity
A digital identity is the online persona of an individual, organization, or device. This identity consists of attributes such as usernames, biometric data, and behavior patterns. In FIM, a digital identity is used to authenticate and authorize a user across the various systems in the trust domain.
Single Sign-On (SSO)
Single Sign-On (SSO) is a user authentication process where a user logs in with a single set of credentials and gains access to several applications or systems. In a federated environment, SSO allows users to log in once and access resources across all systems in the trust domain without needing to re-authenticate.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. It enables web-based authentication and authorization scenarios, including cross-domain SSO, which makes it an essential part of FIM. Once a system receives a SAML assertion, it can trust the information it contains because the identity provider digitally signs it; that trust holds only after the receiving system has verified the signature against the identity provider's known signing certificate.
These three concepts form a secure and streamlined method for managing digital identities across different systems.
Components of Federated Identity Management
Here’s how digital identity, SSO, and SAML are used within FIM.
Identity Providers (IdPs)
Identity Providers, or IdPs, are trusted entities that manage digital identities and authenticate users using an SSO platform. Once the user is authenticated, the IdP sends a message (often a SAML assertion) to the service providers within the trust domain, verifying the user's identity.
Service Providers (SPs)
An SP is an entity or service that relies on an IdP. When a user tries to access an SP's service, the associated IdP is used for authentication. Once the IdP verifies the user's identity, the user is redirected back to the SP.
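The following is an added example, not code from the original page or from any SAML product, that models the IdP-to-SP exchange described above in Go. It replaces SAML's XML and XML-DSig with a JSON assertion signed with Ed25519, so the moving parts stay visible: the IdP alone holds the signing key, each SP is configured with the IdP's name and public key at federation time, and the SP checks the signature before it reads any field, then the issuer, the audience, and the validity window. The names idp.example, hr.example, payroll.example and alice@example are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion: who issued it, who the
// user is, which SP it is meant for, and the window in which it is valid.
type Assertion struct {
	Issuer   string    `json:"issuer"`
	Subject  string    `json:"subject"`
	Audience string    `json:"audience"`
	IssuedAt time.Time `json:"issued_at"`
	NotAfter time.Time `json:"not_after"`
}

// SignedAssertion is what the IdP hands to the user's browser for delivery to the SP.
type SignedAssertion struct {
	Payload   []byte // JSON encoding of Assertion
	Signature []byte // Ed25519 signature over Payload
}

// IdentityProvider holds the private signing key; only it can mint valid assertions.
type IdentityProvider struct {
	Name string
	priv ed25519.PrivateKey
}

// NewIdentityProvider generates a fresh key pair; the public key is what SPs are configured with.
func NewIdentityProvider(name string) (*IdentityProvider, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &IdentityProvider{Name: name, priv: priv}, pub, nil
}

// Issue signs an assertion for one specific SP (the audience) after the user has
// authenticated at the IdP; the authentication step itself is out of scope here.
func (idp *IdentityProvider) Issue(subject, audience string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: idp.Name, Subject: subject, Audience: audience, IssuedAt: now, NotAfter: now.Add(ttl)}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(idp.priv, payload)}, nil
}

// ServiceProvider trusts exactly one IdP, pinned by name and public key.
type ServiceProvider struct {
	Name       string
	TrustedIdP string
	IdPKey     ed25519.PublicKey
}

var (
	ErrBadSignature  = errors.New("assertion signature invalid")
	ErrWrongIssuer   = errors.New("assertion from untrusted issuer")
	ErrWrongAudience = errors.New("assertion not intended for this SP")
	ErrExpired       = errors.New("assertion outside its validity window")
)

// Accept verifies an assertion and returns the authenticated subject. The signature
// is checked first so that unsigned or altered content never influences the decision.
func (sp *ServiceProvider) Accept(sa SignedAssertion, now time.Time) (string, error) {
	if !ed25519.Verify(sp.IdPKey, sa.Payload, sa.Signature) {
		return "", ErrBadSignature
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.TrustedIdP {
		return "", ErrWrongIssuer
	}
	if a.Audience != sp.Name {
		return "", ErrWrongAudience
	}
	if now.Before(a.IssuedAt) || now.After(a.NotAfter) {
		return "", ErrExpired
	}
	return a.Subject, nil
}

func main() {
	idp, pub, err := NewIdentityProvider("idp.example")
	if err != nil {
		panic(err)
	}
	hr := &ServiceProvider{Name: "hr.example", TrustedIdP: "idp.example", IdPKey: pub}
	payroll := &ServiceProvider{Name: "payroll.example", TrustedIdP: "idp.example", IdPKey: pub}
	now := time.Now()

	// One login at the IdP; a separate assertion is issued for each SP the user visits.
	for _, sp := range []*ServiceProvider{hr, payroll} {
		sa, _ := idp.Issue("alice@example", sp.Name, now, 5*time.Minute)
		user, err := sp.Accept(sa, now)
		fmt.Printf("%s: user=%q err=%v\n", sp.Name, user, err)
	}
	// An assertion meant for hr.example presented to payroll.example fails the audience check.
	sa, _ := idp.Issue("alice@example", hr.Name, now, 5*time.Minute)
	_, err = payroll.Accept(sa, now)
	fmt.Println("wrong audience:", err)
	// Editing the subject invalidates the signature, so the SP never reads the new value.
	tampered := SignedAssertion{Payload: []byte(strings.Replace(string(sa.Payload), "alice", "mallory", 1)), Signature: sa.Signature}
	_, err = hr.Accept(tampered, now)
	fmt.Println("tampered:", err)
}
```

The ordering inside Accept is the point worth carrying over to a real SAML deployment: signature, then issuer, then audience, then time window, each against values the SP was configured with when the federation was set up, never against values taken from the assertion itself.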
Identity federation protocols
Members of a trust domain need a method to communicate, so protocols have been developed specifically for this purpose. These protocols carry the identity information (called assertions) exchanged between the IdP and the SPs, and those assertions are typically expressed in SAML.
Benefits of Federated Identity Management
The dramatic improvement in the authentication experience for the end user is one of FIM’s most visible benefits. Users spend a lot of time just logging in and often have to do it multiple times a day. Each time that happens, they must stop what they’re doing, which reduces productivity.
Since there is one login for multiple services, password reuse and credential fatigue are lessened. In passwordless systems, these issues are eliminated.
There are significant benefits for system administrators too. Because there is one account per user with FIM, management is easier, including supporting users should something go wrong.
Federated Identity Management streamlines user access and enhances security. With a single set of credentials, users can seamlessly navigate through multiple systems, eradicating the need to remember multiple passwords and significantly reducing credential fatigue.
The advent of protocols like SAML, OAuth, and OpenID Connect means the implementation of FIM is now more accessible than ever. These standardized protocols enable a uniform language for communication among systems within the trust domain, improving interoperability and reducing system complexity.