Identity Federation — a brief introduction

“Identity Federation” might not be a familiar term for many of you if you are not in the field of Identity and Access Management(IAM). Yet, I am sure you all have somehow experienced identity federation while using various cloud applications on the internet. At the end of this article, you will realize when and how you have experienced identity federation. So I suggest you to continue reading the article to the end :)

When I first started learning about Identity and Access Management as an Intern of WSO2 Identity Server team, I was drowning in a sea of terms and acronyms that made no sense to me. But I could slowly piece them together and understand many concepts of Identity and Access Management (of course not every bit of it :) ). Identity Federation is one such thing I learned and now I am going to teach you what I have learned about it.

Explaining Identity Federation in a way that everyone can understand is not that easy. So I am going to start by introducing two terms that you will see often when reading the article further — hoping it would make it easy for anyone to truly understand Identity Federation.

Identity Provider: An Identity Provider (IdP) is an entity that creates and manages identities of users and authenticates users to other applications that rely on the IdP. IdPs are responsible for asserting digital identities with claims for the relying applications to consume.

Service Provider: A Service Provider (SP) is an entity that provides Web Services. SPs may not authenticate users by themselves but rely on IdPs for user authentication.

Now let’s get back to Identity Federation.

What is Identity Federation?

Identity Federation is the process of delegating an individual’s or entity’s authentication responsibility to a trusted external party. Each partner in federation plays the role of either an identity provider(IdP) or a service provider(SP). In identity federation, an IdP vouches for the identity of the users, and an SP provides services to the users. When a user wants to access a service of an SP, the SP delegates the authentication to the IdP. This is called federation. For identity federation to take place, the SP must trust the authentication ability of the IdP. The trusted identity providers can be on-premise federation services, corporate directories, social identity providers like Google, Facebook, Twitter etc.

How does Identity Federation work?

Let’s take an example and discuss how Identity Federation works. Suppose a user wants to access a secured saas application (software as a service) that requires the user to be authenticated.

1. The user navigates to the application of the SP.
2. SP requires the user to be authenticated at the IdP (SP may have mechanisms to check whether the user is currently authenticated at the IdP using session data). The unauthenticated user is redirected to the login page of the IdP.
3. The user authenticates with the IdP (by entering login credentials).
4. If the user credentials are properly validated, the user is authenticated and provided an access token
5. The user goes back to the application with the obtained access token and the application allows the user to access the application.

The below diagram will help you understand the flow easily.

In a real-world implementation, identity federation can be obtained with an Identity Management System like WSO2 Identity Server which acts as a federation provider. The Identity Management System acts the role of the IdP for the SPs. It has trust relationships with the external federated identity providers. Some common examples for such external IdPs are Azure AD, ADFS (Active Directory Federation Services), social IdPs like Google, Facebook, Twitter, LinkedIn etc.

The federation provider can either link digital identifiers of a single identity in multiple federated IdPs to a digital identifier in the resident IdP(federation provider) or simply mediate between an SP and an external federated IdP.

A high-level overview of the federation implementation with a federation provider is illustrated in the diagram below. Here in the diagram, I have used WSO2 Identity Server as the federation provider.

As I mentioned in the beginning, chances are that you may be already using identity federation even though you are not aware of it. Do you remember the page you see when trying to sign in to your Medium account? Well, if you don’t, have a look at the below image. :) This is an ideal example of an identity federation scenario.

Medium, as an SP allows you to authenticate with a third-party service like Google, Facebook or Twitter as the identity provider. When you sign in to Medium by clicking “Sign in with Google” (or with Facebook/Twitter), Google (or Facebook/Twitter) acts as the trusted IdP that authenticates you on behalf of Medium and relays the authentication decision to Medium.

Now you know what is identity federation, and have experienced identity federation too. So you should probably feel the benefits of identity federation too. Let’s now discuss the benefits in detail.

What are the benefits of Identity Federation?

Identity federation saves end-users from the burden of remembering multiple sets of credentials for each and every service application (either cloud application or on-premise application) they consume. If the user needs access to 10 applications, that is 10 different sets of credentials to remember. Since it is not practical, users tend to practise bad password practices like password reusing.

In a corporate environment, if an employee needs to access multiple applications, having different sets of credentials makes it difficult for the employees to access the applications. Also, it is difficult for the IT admins to manage user identities. With Single-Sign-On(SSO), identity federation can be used to provide an improved user experience as SSO enables users to provide user credentials once and obtain access to multiple applications. Identity federation enables adding advanced identity management features like multi-factor authentication, password policies etc. which are difficult to be implemented for individual applications separately.

In this article, I tried to give you a high-level understanding about Identity Federation by explaining what it is, how it works, and what the benefits of it are. I hope you could understand the content properly with the given examples and diagrams. For more information about identity federation please refer What is Federated Identity Management? article available in WSO2 article space.

References:

https://wso2.com/articles/2018/06/what-is-federated-identity-management