Federated Identity in IAM
September 30th, 2021

Identity and access management (IAM) is crucial for every organisation today: identities must be carefully managed for customers, employees and B2B use-cases alike.

The challenge is that organisations typically consume a large number of cloud-based applications as service providers, alongside on-premise applications, and must ensure that identity and access are securely managed for each one.

Federated identity management addresses this by letting a pre-approved identity provider outside your own organisation authenticate users to both cloud and on-premise systems, which also simplifies and even optimises workflows.

Here we'll explore how federated authentication can take the authentication step off your hands, deliver seamless user experiences and provide operational efficiencies.

What is Federated Identity in IAM?

Two important concepts to note in the world of Federated Identity are:

  • Identity Provider (IdP), e.g. Google: the IdP authenticates the user, i.e. checks they are who they say they are
  • Service Provider (SP), e.g. the organisation: once the IdP has authenticated the user, the SP authorises access to its services based on the user profile the IdP asserts

Federated identity is an agreement between an organisation (the SP) and an identity provider that the identity provider will authenticate the user in line with industry best practices, so the organisation no longer has to manage the authentication process or end-user credentials. Common examples in the customer identity world are services that allow end users to log in with their existing social network credentials, e.g. Google and Facebook.

What does this look like for end users? In the customer identity example above, the end user navigates to the service or website they wish to access. At the point where they are required to sign in, options such as "log in with Google" are offered; the user enters credentials they already own and is authenticated by the identity provider (Google in this example); finally the user is able to access the desired service. The organisation plays no part in the authentication step itself: it trusts Google to manage that. What the organisation still has to do is verify that the assertion it receives back really was issued by Google, was issued for this application and has not expired or been replayed, because that assertion is the only thing standing between the user and the service.

The Cloud Identity Management Conundrum

Around 84% of organizations use cloud applications, with substantial advantages including reduced operational costs and flexibility.

The problem is that the ever-increasing adoption of cloud applications is straining IT security infrastructures.

Central directory services and domain controllers on their own no longer suffice, since unfederated identities cannot be consumed by off-site IT resources and cloud applications.

IAM is vital to meet security requirements that touch a wide range of concerns, such as:

  • business-critical apps and data
  • evolving automated processing
  • changing compliance stipulations

Let's discuss the role that federated identity plays in an IAM strategy.

Federated Identity For Cloud Applications

Federated identity management allows applications to securely share identities. In simple terms, your users only ever have to log into one place, the identity provider, and all of your applications, wherever they are hosted, can trust the information that the identity provider asserts about your users.

Federated identity relies on trust relationships. Users gain access to cloud applications after authenticating with the identity provider; those applications accept the user because your organisation has already configured, in the background, a trust relationship under which they rely on the identity provider to authenticate users. In practice that configuration is an exchange of identifiers (entity IDs or issuer URLs) and signing keys or certificates, so that each application can verify that an assertion genuinely came from the identity provider.

Federated IAM For On Premise Applications

On-premise identity stores such as Active Directory can be federated with Microsoft's AD FS (Active Directory Federation Services), which acts as an identity provider in front of Active Directory. A trust relationship is configured on both sides: AD FS is told about each cloud application as a relying party, and the application is told about AD FS as its identity provider. AD FS then authenticates users against the Active Directory user store and issues signed security tokens that the application accepts.

The SAML 2.0 protocol (AD FS also supports WS-Federation) is used between the cloud application and AD FS, while AD FS itself authenticates the user against Active Directory using the normal Windows mechanisms. The result is a smooth federation service for logging into cloud systems with existing Active Directory credentials.

In essence, it works like this:

  • Users sign into cloud apps with their existing corporate identity (Active Directory credentials).
  • The credentials stay in Active Directory, meaning credential management and the authentication process are kept on-premises behind the firewall; the cloud application only ever sees a signed token, never the password.
  • Organisations retain their current IAM and integrate new cloud applications without reinvesting in a new IAM structure.
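As an added example (not the article's or Microsoft's code), here are the checks a cloud application's SAML endpoint performs on the response AD FS sends it, written in Python with only the standard library. The AD FS entityID, the application's own entityID and its Assertion Consumer Service (ACS) URL are hypothetical, and the response XML is constructed for the example. XML signature verification (XML-DSig over the Assertion, using the AD FS token-signing certificate taken from its federation metadata) is deliberately not shown because it needs an XML canonicalisation library such as xmlsec; in production it runs before everything below, and without it none of these checks mean anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The trust relationship as configured on the SP (cloud application) side; hypothetical values.
SP_CONFIG = {
    "trusted_issuer": "http://adfs.corp.example/adfs/services/trust",  # AD FS entityID
    "entity_id": "https://app.example.com/saml/metadata",              # our own entityID
    "acs_url": "https://app.example.com/saml/acs",                     # our Assertion Consumer Service
    "clock_skew": timedelta(minutes=3),
}


class SamlValidationError(Exception):
    pass


def _saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, expected_request_id, now, seen_ids, cfg=SP_CONFIG):
    """Checks a SAML Response whose XML signature has ALREADY been verified; returns the subject."""
    root = ET.fromstring(xml_text)   # expat does not resolve external entities, so no XXE here
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != cfg["acs_url"]:          # addressed to our ACS, not another SP's
        raise SamlValidationError("Destination is not our ACS")
    if root.get("InResponseTo") != expected_request_id:    # answers the AuthnRequest this session sent
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != cfg["trusted_issuer"]:
        raise SamlValidationError("Assertion issued by an IdP we have no trust with")
    assertion_id = assertion.get("ID")
    if assertion_id in seen_ids:                           # each assertion may be consumed once
        raise SamlValidationError("Assertion replayed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    skew = cfg["clock_skew"]
    if now + skew < _saml_time(cond.get("NotBefore")):
        raise SamlValidationError("Assertion not yet valid")
    if now - skew >= _saml_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("Assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity_id"] not in audiences:                  # meant for us, not another relying party
        raise SamlValidationError("Assertion not addressed to this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"] or scd.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("SubjectConfirmationData does not match this exchange")
    seen_ids.add(assertion_id)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Constructed sample of what AD FS would POST to the ACS after the user signed in with AD credentials.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2021-09-30T09:00:00Z" Destination="https://app.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-09-30T09:00:00Z">
    <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@corp.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
            InResponseTo="_req42" NotOnOrAfter="2021-09-30T09:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-09-30T09:00:00Z" NotOnOrAfter="2021-09-30T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2021, 9, 30, 9, 1, tzinfo=timezone.utc)   # a moment inside the assertion's validity window
```

Every check corresponds to a field the IdP signs: Destination, Recipient and InResponseTo stop a response being lifted from one session or SP and posted to another, Audience stops an assertion minted for a different relying party of the same AD FS from being accepted, the time window and the seen-ID set limit replay, and the Issuer check is the trust relationship itself. The returned name ID and group attribute are what the application then uses for authorisation; it never sees the Active Directory password.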

While federated authentication isn't the only solution available, it fits most entities' needs in providing a simple, flexible option that can build upon existing security protocols.

Incorporating Federated Identity as a Strategy

Federated social login can be integrated into an organisation's applications very quickly using the current IAM protocols: OpenID Connect (OIDC), which provides the authentication layer, built on top of the OAuth 2.0 authorisation framework.
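The "log in with Google" flow described earlier and the OIDC protocol mentioned here, as an added example that is not part of the original article or any identity provider's code: a Python sketch of the OpenID Connect authorization code flow as the organisation (the SP) sees it. The IdP is simulated in-process, and the client ID, client secret, issuer and URLs are made-up values. To stay within the standard library the ID token is HMAC-signed with the client secret (HS256, which OIDC permits for confidential clients); Google and most large IdPs sign with RS256 and publish their keys at a JWKS endpoint, and a production client verifies those, normally through a maintained OIDC library rather than hand-rolled JWT code.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Client registration at the IdP (hypothetical values).
CLIENT_ID = "app.example.com"
CLIENT_SECRET = b"shared-client-secret-from-registration"   # HS256 key, per OIDC Core 10.1
ISSUER = "https://accounts.idp.example"
AUTHZ_ENDPOINT = ISSUER + "/authorize"
REDIRECT_URI = "https://app.example.com/oidc/callback"


class OidcError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- SP side, step 1: the user clicks "log in with ..." ---
def start_login(session: dict) -> str:
    """Stores per-login secrets in the server-side session; returns the IdP redirect URL."""
    session["state"] = secrets.token_urlsafe(32)          # ties the callback to this browser session (CSRF)
    session["nonce"] = secrets.token_urlsafe(32)          # ties the ID token to this login attempt (replay)
    session["code_verifier"] = secrets.token_urlsafe(48)  # PKCE: ties the code to this client
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email", "state": session["state"], "nonce": session["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256",
    })


# --- IdP side (simulated): the user authenticated there; mint the assertion ---
def idp_issue_id_token(sub: str, email: str, nonce: str, now: int) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "email": email,
                                "iat": now, "exp": now + 300, "nonce": nonce}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"


# --- SP side, step 2: the callback; this is where "trusting the IdP" is actually enforced ---
def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise OidcError("malformed token")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the algorithm we registered with
        raise OidcError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # signature first, claims after
        raise OidcError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise OidcError("issuer is not the IdP we federated with")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise OidcError("token was issued for a different client")
    if now >= int(claims.get("exp", 0)):
        raise OidcError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise OidcError("nonce mismatch: token was not minted for this login")
    return claims


def handle_callback(session: dict, callback_url: str, exchange_code, now: int) -> dict:
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise OidcError("state mismatch: callback was not started by this session")
    # exchange_code stands in for the back-channel POST to the IdP's token endpoint
    id_token = exchange_code(query["code"][0], session["code_verifier"])
    claims = validate_id_token(id_token, session["nonce"], now)
    for key in ("state", "nonce", "code_verifier"):   # all single use
        session.pop(key)
    return claims


def demo_login(now: int = 1633000000) -> dict:
    """Runs the whole exchange in-process against a simulated IdP; returns the verified claims."""
    session = {}
    sent = parse_qs(urlparse(start_login(session)).query)
    # The IdP authenticates alice (its job, not ours) and redirects back with a one-time code.
    pending = {"code-7f3a": {"nonce": sent["nonce"][0], "challenge": sent["code_challenge"][0]}}
    callback = REDIRECT_URI + "?" + urlencode({"code": "code-7f3a", "state": sent["state"][0]})

    def exchange_code(code: str, verifier: str) -> str:
        record = pending.pop(code)   # codes are single use
        if b64url(hashlib.sha256(verifier.encode()).digest()) != record["challenge"]:
            raise OidcError("PKCE verifier does not match the challenge")
        return idp_issue_id_token("248174921", "alice@mail.example", record["nonce"], now)

    return handle_callback(session, callback, exchange_code, now)
```

The point to take from it is the division of labour: the IdP does the authenticating, but "trusting the IdP" on the SP side still means verifying the signature, issuer, audience, expiry and nonce before believing a single claim, and binding the callback to the browser session with state. Skip the signature check and anyone can mint a token; skip the audience check and a token issued to some other application by the same IdP logs the user into yours.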

Another advantage of federated identity is that when a new account is created in the identity provider, the user can immediately access their assigned cloud services alongside non-cloud applications, provided those applications either create the local account just-in-time from the assertion or are kept in sync with the identity provider.

Some considerations: the participating parties must agree on the security measures employed and adapt their existing security structures as needed. This stage requires further planning and must involve all responsible parties in the organisation.

Crucial elements to evaluate include:

  • the level of technical work required to incorporate a federated IAM model
  • the additional task of removing cloud access permissions when a user leaves or their privileges change: disabling the account at the identity provider stops the user authenticating, but entitlements already held in each service provider still have to be revoked or kept in sync (for example through SCIM provisioning)
  • licensing costs where applicable for user access accounts in both enterprise-based applications and cloud services

The Benefits Of Federated Identity

We've talked about the security and enterprise management advantages, but federated identity also enhances user experiences and productivity.

Some of the benefits are:

  • users only need to manage one set of credentials
  • password resets are handled by the identity provider, e.g. Google, so the organisation's IT helpdesk no longer has to deal with them
  • lower security exposure: multiple sets of login credentials lead to password reuse, lost time and an increased IT administration workload

Federated Identity vs Single Sign On (SSO)

Both federated identity and SSO let a user access multiple applications with a single set of credentials, but they are fundamentally different.

SSO lets users access multiple applications within a single security domain and is most common in employee identity management: an employee logs into their workstation with one set of credentials and, once authenticated, can access all applications already provisioned to them without entering further credentials.

Federated identity extends that trust across organisational boundaries: external users can access a system or multiple applications after being authenticated by an external identity provider. This is more common in customer identity scenarios, and it is also what makes single sign-on work between separately administered domains.

Federated Identity in a B2B Use-case

A very popular use case for federated identity is business to business. An example is an organisation working with a partner whose staff temporarily need access to some resources in your organisation.

Instead of creating a new identity for each partner user and following the traditional onboarding process, which typically involves Human Resources, the organisation can leverage the identity provider the partner organisation already uses. Once the partner's identity provider has been integrated, the partner's employees log in with their existing credentials and the organisation authorises their access to its applications.

Again, this means the organisation does not have to manage the user's identity, password resets, user status or the authentication process; what it keeps is the authorisation decision, i.e. which of its applications an authenticated partner user may reach.
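To make that authorisation side concrete, an added example that is not from the original article: a Python function that turns an already-validated assertion from a partner's identity provider into local application roles. The partner issuer, e-mail domain, engagement dates, group names and role names are all hypothetical.

```python
from datetime import date

# Partner IdPs this organisation has federated with (hypothetical values). Each
# entry records which identities that IdP may assert, how long the engagement
# runs and how the partner's group claims map onto our own application roles.
PARTNER_IDPS = {
    "https://login.partner-a.example": {
        "email_domains": {"partner-a.example"},
        "valid_until": date(2021, 12, 31),
        "role_map": {
            "project-falcon": {"wiki-read", "repo-read"},
            "partner-leads": {"wiki-write"},
        },
    },
}
TODAY = date(2021, 10, 1)
AFTER_ENGAGEMENT = date(2022, 1, 15)


class AccessDenied(Exception):
    pass


def local_identity(claims: dict) -> str:
    """Key our own records on (issuer, subject), never on e-mail alone: two IdPs could
    both assert bob@partner-a.example, and only one of them is entitled to."""
    return f'{claims["iss"]}#{claims["sub"]}'


def authorize_partner_user(claims: dict, today: date) -> set:
    """Maps a validated assertion from a partner IdP to local roles, or denies access.
    Authentication already happened at the partner; authorisation stays with us."""
    idp = PARTNER_IDPS.get(claims.get("iss"))
    if idp is None:
        raise AccessDenied("no trust relationship with this issuer")
    if today > idp["valid_until"]:
        raise AccessDenied("engagement has ended")        # temporary access expires by itself
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if domain not in idp["email_domains"]:
        # A partner's IdP must not be able to assert users of our own domain
        # (or of another partner), whatever it puts in the e-mail claim.
        raise AccessDenied(f"issuer may not assert identities in {domain or '<none>'}")
    roles = set()
    for group in claims.get("groups", []):
        roles |= idp["role_map"].get(group, set())     # unknown groups grant nothing
    if not roles:
        raise AccessDenied("authenticated, but no applications assigned")
    return roles
```

The two checks that are easy to forget are the issuer-to-domain binding, which stops a partner's IdP from asserting one of your own employees, and the end date, which is how "temporary" access actually ends without a manual offboarding step.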

For further reading, check out our other articles like Understand Delegated Authentication vs. Federated Authentication.