Article

What is federated identity?

Security
Time to read: 6 minutes

Federated identity is a solution that simplifies secure user access by combining several components, including authentication, authorization, access control, intrusion detection and prevention systems (IDPS), and service providers. With federated identity, authorized users can access multiple domains, applications, and numerous distinct identity management systems with a single set of login credentials. This eliminates the need for separate logins, which increases productivity, reduces user frustration, and streamlines password management for users and IT.

The federated identity function is handled by third-party services that vouch for the identity of users. These third-party federation identity services are positioned between users and resources, acting as middleware. Security tools, such as multi-factor authentication (MFA) and single sign-on (SSO), are used to manage user access and validate user identities.

Federated identity and single sign-on (SSO)

Federated identity and single sign-on (SSO) are often mistakenly thought to be synonymous. While their functions sound similar and fall under the identity management umbrella, they perform different functions.

Both federated identity and SSO authenticate users with a secure protocol and reduce user access to one login event, which usually includes multi-factor authentication. Once logged in, users are able to connect to different services without additional logins. However, SSO allows users to access multiple systems within an organization, and federated identity provides users access to multiple systems in different organizations.

Federated identity streamlines SSO, allowing users to access systems without authentication barriers.

It also aggregates multiple groups. These groups can be isolated within a single enterprise environment or spread across disparate enterprises with centralized authentication.

Federated identity and authentication

Federated identity is authenticated using standards-based secure protocols. These allow for authentication and access across federated domains. The most common secure authentication protocols are:

  1. JWT (JSON Web Token)
  2. Kerberos
  3. LDAP (Lightweight Directory Access Protocol)
  4. OAuth (Open Authorization)
  5. OIDC (OpenID Connect)
  6. RADIUS (Remote Authentication Dial-In User Service)
  7. SAML (Security Assertion Markup Language)
  8. SCIM (System for Cross-domain Identity Management)

Other secure authentication protocols include:

  1. CHAP (Challenge-Handshake Authentication Protocol)
  2. Diameter
  3. EAP (Extensible Authentication Protocol)
  4. PAP (Password Authentication Protocol)
  5. TACACS (Terminal Access Controller Access Control System)

How federated identity works

Federated identity is based on trusted relationships between two types of entities.

  1. Service providers are any external application, software, or website that relies on an identity provider to identify and authenticate a user.
  2. Identity providers (IdP) are systems that create, maintain, and manage identity information (e.g., name, email address, location, device, browser type, biometric information).

The following is a summary of how federated identity works. Note that each step is instantaneous and invisible, making it a seamless, touch-free process for users.

  1. The user tries to log into a service provider that uses federated identity.
  2. The service provider requests federated authentication from the user’s identity provider to ensure the user is who they claim to be.
  3. The identity provider verifies the user’s identity information and checks their access and permission rights.
  4. The identity provider authorizes the user to the service provider using a secure protocol (e.g, oAuth, OIDC, SAML).
  5. The user is granted access to the service provider.

Federated identity and the US government

In 2004, Homeland Security Presidential Directive 12 was issued, making it a requirement to have secure credentials to access government assets. This generated a series of agreements, protocols, and programs for federated identity. The National Cybersecurity Center of Excellence and the National Strategy for Trusted Identities in Cyberspace National Program Office collaborated on a Privacy-Enhanced Identity Federation project to establish a set of standards to use for federated identity.

The Global Federated Identity and Privilege Management (GFIPM) framework provides a standards-based approach for implementing federated identity. The framework supports the three key interoperability areas of security in the federation.

  1. Identification / authentication
    Who is the user, and how were they authenticated?
  2. Privilege management
    What certifications, clearances, job functions, local privileges, and organizational affiliations are associated with the user that can serve as the basis for authorization decisions?
  3. Audit
    What information is needed or required for the purposes of auditing individual systems, systems access and use, and legal compliance of data practices?

Benefits of federated identity

Cost savings
Using federated identity frees organizations from the time and expense of setting up and maintaining SSO to manage multiple identities.

Easy data management
Federated identity makes it easy to store, access, and manage information across systems by streamlining data management operations.

Enhanced user experience
Users only have to provide their credentials once throughout a session to access multiple systems across federated domains. This improves user experience by removing roadblocks to access.

Improved security
The number of times a user has to log into individual systems is reduced, which improves security and provides better data protection since each login creates a point of vulnerability and increases the risk of unauthorized access.

Increased productivity
Federated identity relieves users of the burden of multiple logins to access resources, reentering passwords, and submitting helpdesk requests for password resets. This time savings and reduction in frustration results in enhanced end user and overall organizational productivity.

Safe resource sharing
Organizations can facilitate the sharing of resources and data efficiently without putting credentials or security at risk.

Single-point provisioning
Federated identity enables single-point provisioning, which makes it easier for IT teams to provide access to users and systems outside of a single enterprise perimeter.

Misunderstandings about federated identity

Federated identity is often misunderstood and tagged with erroneous beliefs. The two main misconceptions are:

  1. Because federated identity management systems follow specific rules and policies, there is less control over how they can be configured.

    This is incorrect. While these systems do have a rigid structure, there are options for custom configurations to meet organizations’ unique requirements.
  2. Possible security risks cited with federated identity are largely unfounded. Almost any security approach has flaws, but federated identity is widely regarded as a superior security solution.

Mitigating password fatigue with federated identity

Even with strong password mandates, passwords pose persistent security problems, because users take risky shortcuts in an effort to simplify the management of multiple passwords. Federated identity mitigates this password fatigue, streamlining access for users and simplifying password management for IT teams.

Take control of your cloud platform.

Learn more about SailPoint and Federated Identity.

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief