So what exactly is identity federation? Why does your enterprise need it? What can it offer you in terms of security and user experience?
These questions can seem daunting, especially because discussions of identity federation often becomes clouded with technical jargon. How can a layperson sift through all the technical language and determine what identity federation can offer their business?
We dive into identity federation to show just what it can do for you!
What is Identity Federation?
Let’s begin with the technical. Identity federation enforces common identity security standards and protocols. It coordinates and manages user identities between different identity providers, applications, and portals across your infrastructure.
Usually, federation can establish trust via digital signatures and encryption. It does so through multiple protocols such as SAML 1 or 2, WS-Federation, or OAuth2.
Unfortunately, this explanation doesn’t offer much in the way of insights. Let’s break it down.
Federation connects different identity management systems together (hence the name federation). In a federated system, a central home node or identity provider stores the users’ identities.
Therefore, when a user needs to authenticate themselves, the database or application processes the access request through the identity provider; since they already trust the identity provider, they know whether the access request meets their authentication requirements.
Thus in a federated identity security system, the user never directly provides credentials to anyone other than the identity provider. You can thus think of the identity provider as the center of a web of SaaS applications—everything connects to it.
How Does That Differ From Single Sign-On?
Often, much of the confusion surrounding identity federation stems from this question.
Single sign-on differs from identity federation in the same way that squares differ from rectangles. Federation automatically provides your enterprise with single sign-on. However, having single sign-on does not automatically give your enterprise federation.
To clarify, single sign-on belongs on the list of top next-generation identity management capabilities. It can mean either:
- Allowing users to use a single login to access multiple databases or applications for their business processes.
- Asking users to log in multiple times for different databases, but allowing them to use the same credentials over the course of the session.
Sure, you can think of federation as a type of single sign-on. However, federation allows for a much broader reach as it can span multiple organizations and security domains.
Can Identity Federation Work with Multifactor Authentication?
Of course! This is your authentication we’re discussing; you can enforce any kinds of authentication protocols you want. When your user logs into a session with your identity provider, you can choose to ask for any number of authentication factors.
Regardless of whether you use federated identity security or not, you should use multifactor authentication. The more factors between the access request and the data sought, the more secure it remains.
In fact, multifactor authentication (MFA) can deter as many attacks as it directly blocks. Hackers are notorious for attacking the low-hanging fruit. Usually, they prefer to target businesses with no identity management or only with single-factor authentication. MFA puts up too many barriers for most hackers to circumvent.
What Can Identity Federation Offer My Enterprise?
Convenience and security, mostly. Federation can help your IT security team manage your Security-as-a-Service accounts automatically. As a few examples of what federation can offer your enterprise, it can help you handle onboarding and offboarding and can balance security and the user experience through a unified interface.
Additionally, identity federation allows your users to fulfill their business processes without constantly logging into different databases and applications.
If you want to learn more about the different identity federation options, check out our Identity Management Buyer’s Guide. We cover the top vendors in the field, their key capabilities, and our Bottom Line for each.
Latest posts by Ben Canner (see all)
- SecZetta Raises $10 Million in Series A Funding Round - September 13, 2019
- The 5 Key Privileged Identity Management Capabilities - September 11, 2019
- How to Protect Your Privileged Accounts (And Why You Need To) - September 9, 2019