Everything you always wanted to know about federated identity management (but were afraid to ask)

Do you have a file on your computer called ‘passwords’? Or do you simply have a large number of Post-it notes tacked to your screen? Or perhaps you have different password vaults, and try to avoid duplicate entries? Let’s hope these practices are just a remnant of past systems and that you are now using federated identity management (FIM) throughout your enterprise. If not, here’s some advice on how to put federated identity management to use in your company. 

Read on to learn: 

  • What is federated identity management?
  • What are the key components of federated identity management?
  • What is the difference between single sign-on and federated identity management?
  • What are the main benefits of federated identity management?
  • How does TrustBuilder help me with federated identity management? 

What is federated identity management?

Federated identity management is a question of trust. Trust between two or more domains. Or trust between two or more enterprises. These domains or enterprises make an arrangement that allows users of these domains or enterprises to access services and applications by using the same digital identity. Once the user has been authenticated by one of the domains, (s)he can gain access to the available applications of all the enterprises that belong to the group in which this trust agreement has been made. Besides FIM, other terms used are federated identity, to denote the identity that serves for all services or applications, and identity federation.  

Each enterprise that participates in this group of trust can go on using its own identity management system, but a user can authenticate to one domain and then access services or applications in another domain without needing to perform a separate login or authentication process. To achieve this, the domains communicate: the first system sends a message to the second system, telling it who the user is and assuring the second system that the user has properly authenticated. If the domain that provides the applications uses Attribute-based Access Control, it can use the attributes supplied by the domain that provides the identity to better secure the applications and give fine-grained access to them.

What are the key components of federated identity management?

The principle of federated identity is simple enough. It is very much like a group of friends. When I introduce you to a friend of mine, I tell you: “this guy is my friend. I trust him, so you can trust him too.” You may believe me at face value but, between enterprises and applications, we need a number of agreements to be made, and we require a number of key components: 

  • Identity provider (IdP): the IdP holds the attributes of an individual that prove that a user is who he claims to be.
  • Service provider (SP): the service provider is the application that the user wants to access and use.
  • Assertion: the message sent between the systems. The assertion tells the service provider what the user's account name is and also provides all the other attributes the service provider needs to create a session for the user. Assertion is the A in SAML, short for Security Assertion Markup Language. SAML is an open standard XML framework used for the exchange of authentication and authorization information. Other protocols that allow federation are OAuth, OIDC and WS-Fed.
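The message exchange described above, and the assertion the SP receives, as an added example (not TrustBuilder's or the page's code): the service-provider side parses a constructed SAML assertion, checks it against the trust agreement (known issuer, our audience, validity window) and applies an attribute-based access rule. The issuer, entity IDs, attribute names and policy are all assumptions, and XML signature verification, which a real SP performs before anything else, is omitted.

```python
# Added example (not TrustBuilder's code): the service-provider side of a SAML
# federation. It parses a constructed assertion, checks it against the trust
# agreement (known issuer, our audience, validity window) and applies an
# attribute-based rule. A real SP must verify the XML signature first (omitted).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDPS = {"https://idp.partner.test/"}   # constructed federation partner
OUR_ENTITY_ID = "https://sp.ourcompany.test/"  # constructed SP entity ID
# Attribute-based access control: the IdP attributes each application requires.
ABAC_POLICY = {"payment-approval": {"department": "finance", "role": "approver"},
               "intranet": {}}
# Constructed sample assertion; every identifier and value is made up.
SAMPLE = """<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
 ID="_a1" IssueInstant="2024-01-15T10:00:00Z">
 <s:Issuer>https://idp.partner.test/</s:Issuer>
 <s:Subject><s:NameID>alice@partner.test</s:NameID></s:Subject>
 <s:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
  <s:AudienceRestriction><s:Audience>https://sp.ourcompany.test/</s:Audience></s:AudienceRestriction>
 </s:Conditions>
 <s:AttributeStatement>
  <s:Attribute Name="department"><s:AttributeValue>finance</s:AttributeValue></s:Attribute>
  <s:Attribute Name="role"><s:AttributeValue>approver</s:AttributeValue></s:Attribute>
 </s:AttributeStatement>
</s:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC; parse the 'Z' form used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Extract who the user is, who vouches for them, and the attributes sent."""
    root = ET.fromstring(xml_text)
    cond = root.find("s:Conditions", NS)
    return {
        "issuer": root.findtext("s:Issuer", namespaces=NS),
        "name_id": root.findtext("s:Subject/s:NameID", namespaces=NS),
        "audience": cond.findtext("s:AudienceRestriction/s:Audience", namespaces=NS),
        "not_before": parse_ts(cond.get("NotBefore")),
        "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
        "attributes": {a.get("Name"): a.findtext("s:AttributeValue", namespaces=NS)
                       for a in root.iterfind("s:AttributeStatement/s:Attribute", NS)},
    }

def accept_assertion(a, now):
    """The trust agreement: only a known IdP, addressed to us, inside its window."""
    return (a["issuer"] in TRUSTED_IDPS and a["audience"] == OUR_ENTITY_ID
            and a["not_before"] <= now < a["not_on_or_after"])

def authorize(a, app):
    """True when every attribute the app's policy demands matches what the IdP sent."""
    return all(a["attributes"].get(k) == v for k, v in ABAC_POLICY[app].items())
```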

What is the difference between Single Sign-on and federated identity management?

It is easy to mistake Single Sign-on (SSO) for federated identity management. Despite their similarities, they are not the same, and federated identity management goes much broader than SSO.

What is Single Sign-on 

Single Sign-on is exactly what its name promises: SSO allows users to access multiple applications using just one set of credentials. As an example: within an organization, employees can use the same credentials (for instance, a username and a password) to access a variety of internal applications: a CRM system, HR applications, a time recording system, etc. For employees, this is easier than having to remember several sets of usernames and passwords.

However, SSO is not restricted to internal systems. Retailers that run web shops for different brands can use SSO to let customers gain access to their accounts with different stores using the same credentials. Another example: if you book a flight on Ryanair, you can also rent a car or make a hotel reservation using the same credentials to access these different applications.

How does Single Sign-on differ from federated identity management? 

As we’ve seen in the examples above, with SSO the user is linked to just one organization: an employer or a retailer. SSO is set up to authenticate a single set of credentials across various systems within one organization. Federated identity management goes broader than that, allowing users to access several applications across different organizations.

What are the main benefits of federated identity management?

Better user experience and easier administration are some of the more obvious reasons for adopting federated identity management. Let’s not forget that federated identity management was created to solve the problem of users having to memorize credentials for every web application they wanted to access. The proliferation of web applications also meant an uncontrolled growth of identity stores that each held different user credentials. Managing these identity silos efficiently was no easy task. Hence federated identity management.

Technical benefits of federated identity management 

  • Easier administration: a system administrator can set permissions and access levels across various applications in different domains for a user based on a single set of attributes.
  • Fewer support resources needed: on Mondays and after holidays, helpdesks are flooded with calls about lost or forgotten passwords. If users have only one password for a multitude of applications, the chance that they’ll forget those credentials is minimized.
  • Higher safety levels: if an employee of an external company uses their company’s Identity Provider to authenticate with your applications, they immediately lose access to your systems when they leave their employer. This also makes it easier for your administration.  

Business benefits of federated identity management 

  • User convenience: a user need only remember one username and password to access applications and websites across multiple domains or organizations. So there is no longer a need for the ‘password.doc’ file on their system.
  • Customer experience: a user can move from one app to another without having to authenticate over and over again. What’s more, by connecting the user to their IdP upon authentication, you provide a trusted and familiar authentication experience.
  • Easier onboarding: if a user already has an identity with an IdP, there is no need to complete a registration form of any kind to create an account.
  • Improved KYC (Know Your Customer): you no longer have to take the user’s word that (s)he is who (s)he claims to be; the federated identity provider has verified the user’s identity and, as a company, you can rely on the information that is given. For some IdPs this might be limited to the e-mail address and confirmation that it is actually a person. Others, like governmental IdPs, can give you verified, official attributes of a person.

How does TrustBuilder help me with federated identity management?

As you’ve read in the previous paragraphs, federated identity management increases security, unburdens the IT department, and enhances customer experience. These traits are exactly what characterizes our flagship product, TrustBuilder Identity Hub. TrustBuilder has built-in connectors to multiple Identity Providers, supports the existing standards and provides fast access to your applications.

TrustBuilder Identity Hub acts as a unique identity broker, linking any identity provider or a combination of identity providers to any service provider. By opting for TrustBuilder Identity Hub, organizations need not build these connections themselves, but can rely on TrustBuilder to take care of that.  

Additionally, the fact that we are using Attribute-based Access Control allows us to use the attributes we receive from a federated identity provider when enforcing adaptive authentication or step-up authentication. We can also check the level of authentication of users to access sensitive applications and data. As an additional benefit, this allows organizations to remain compliant with regulations such as GDPR and PSD2.  

The number of apps consumers are using is only set to increase. Consumers demand ease of use and a frictionless customer experience. Federated identity management is one of the concepts that can help organizations cater to the demands of consumers while, at the same time, making administration simpler for IT. What’s more: product managers wanting to add new services to address new opportunities in the market need not worry about the authentication part of offering access to these new services. Federated identity management will take care of that.

Want to find out how federated identity management can help your organization? Then contact us for a personalized demo.