Federated Identity Management (FIM), or Identity Federation, is a system that allows the same method of verifying access to be used for applications and other resources in separate enterprises. The principle of FIM is that each company or enterprise maintains its own identity management, but these systems are interlinked through a third service. This “third service” is an identity provider, which stores the necessary credentials and acts as a mechanism of trust. Such a system automatically gives access to all resources that are tied to it, without the need to re-authenticate. With this solution users are able to access multiple accounts with a single set of credentials.
There are many popular Federated Identity systems currently on the market. In this article, we will focus on interesting solutions such as Keycloak service. Surely such solutions can help companies to cooperate more easily with each other and increase revenue through cross-sale and bundle products. Find out more about how to use federated identity!
What is federated authentication?
As we said above, federated identity is a method of linking the user’s identity across multiple separate identity systems. This method of authentication allows users to move quickly between the systems while security is maintained throughout. Federated authentication allows organizations to securely share identity information between different systems and platforms. Why is it important? Because it allows organizations to reduce the number of identity management systems they need to maintain. The company also gets a single sign-on experience, which allows users to access multiple systems with one password.
What is also very important, such authentication can help organizations to achieve identity federation by providing a central repository for identity information. This repository can be used to store information about users, such as their usernames, passwords, and contact information. Identity platforms such as Keycloak managed service can also provide federation capabilities, such as the ability to map users between different systems.
What is Federated Identity Management (FIM)?
Federated Identity Management, also known as federated SSO, refers to the establishment of a trusted relationship between separate organizations and third parties. These third parties are, for example, applications that belong to a vendor or partner. By using a federated identity provider you are able to share these identities and authenticate users across various domains. With FIM, it is possible to access two domains that are federated with just one authentication. Access to resources in the other domain is granted automatically, without having to perform a separate login process. FIM is achieved through the use of protocols like SAML, OAuth, OpenID Connect, or SCIM. Such protocols are available within the identity and access management system and enable the secure transmission of authentication data across domains.
The result is simple – users can use a single set of credentials and gain access to the systems or applications within all federated domains. That is why FIM is really useful for large-scale companies that would like to improve their authentication protocols and data management.
How Does Federated Authentication Work?
Federated Authentication mostly relies on strong agreements between parties. The identity providers and service providers should agree on which attributes represent a user. Once these attributes are verified, the user is authenticated across multiple platforms. There are a few general technologies that are used in federated authentication systems, such as:
- Security Assertion Markup Language (SAML);
Also, companies might use special security tokens such as JWT (JSON Web Token) and SAML assertions to carry permissions from one application to another. This way user access is available within all systems.
Here is a simplified description of what this process can look like:
- Developers can pull OAuth credentials from the company’s API. You can choose certain data, such as a client ID that both you and your client know.
- You can get an access token from the client’s server. In order to properly set up the authentication, users will need a token to complete web requests for access.
- Compare the access scopes. Users grant access to data, and you must check that your request matches what they are willing to share.
- You should be able to send the token to an API. After this, users are ready to gain access, as long as the token is included in the HTTP Authorization request header.
It is important that, from the user’s point of view, this process is almost invisible. Users present the same credentials as always and are let into the desired environment.
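The four steps above, shown end to end as an added example (not code from the original article or from Keycloak): the identity provider mints a bearer token that carries only the scopes the user actually granted, the client puts it in the HTTP Authorization header, and the API checks signature, issuer, audience, expiry and scope before serving the request. The realm URL, client ID, audience and signing secret are constructed demo values, and HS256 with a shared secret is used only so the code runs offline; a real Keycloak realm signs tokens with RS256 and the API would verify them against the realm's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from any real deployment).
ISSUER = "https://idp.example.com/realms/demo"   # hypothetical Keycloak realm
CLIENT_ID = "orders-client"                        # hypothetical client id
RESOURCE_AUDIENCE = "orders-api"                   # hypothetical API audience
SIGNING_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject, requested_scopes, granted_scopes, now=None, ttl=300):
    """Identity-provider side: the token carries only the scopes the user
    consented to, i.e. the intersection of requested and granted scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": RESOURCE_AUDIENCE,
        "azp": CLIENT_ID,
        "iat": now,
        "exp": now + ttl,
        "scope": " ".join(sorted(set(requested_scopes) & set(granted_scopes))),
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, required_scope, now=None):
    """Resource-server side: reject anything not signed by the IdP, expired,
    issued for another API, or lacking the scope this endpoint needs."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise PermissionError("unexpected signing algorithm")
    expected = hmac.new(SIGNING_SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise PermissionError("unknown issuer")
    if claims.get("aud") != RESOURCE_AUDIENCE:
        raise PermissionError("token not intended for this API")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("missing scope " + required_scope)
    return claims


def build_authorization_header(token):
    """Client side: the token travels in the HTTP Authorization header."""
    return {"Authorization": "Bearer " + token}


def handle_request(headers, required_scope, now=None):
    """Minimal API endpoint: extract the bearer token and authorize the call."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("no bearer token")
    claims = verify_access_token(auth[len("Bearer "):], required_scope, now)
    return "orders for " + claims["sub"]


if __name__ == "__main__":
    # User asked for read and write, but only consented to read.
    token = issue_access_token("alice", {"orders:read", "orders:write"}, {"orders:read"})
    print(handle_request(build_authorization_header(token), "orders:read"))
    try:
        handle_request(build_authorization_header(token), "orders:write")
    except PermissionError as exc:
        print("rejected:", exc)
```

The scope intersection in `issue_access_token` is where step three of the list happens: a client that asks for more than the user granted simply gets a narrower token, and the API's `required_scope` check is what stops that token from being used beyond the consent.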
Benefits of Federated identity access
There are many advantages that come from the implementation of this method. Such a system can help organizations to reduce the cost and complexity of identity management. By providing a centralized repository for identity information, identity platforms can help organizations to avoid the need to duplicate data in multiple systems. In addition, identity platforms can provide federation capabilities that allow organizations to share information between different systems. Federated identity access can also help organizations to improve the security of their identity management system. By consolidating identity information into a central repository, identity platforms can help organizations to reduce the risk of data breaches. In addition, identity platforms can provide features such as multi-factor authentication that can help to prevent unauthorized access to identity information. There are also additional benefits of such a system:
- Increased workforce productivity by enabling employees to work from anywhere and on any device;
- Enhanced customer experience to increase loyalty and revenue;
- Lowered costs and increased efficiency of the IT resources.
Federated Identity vs Single Sign-on
You might hear the Single Sign-on (SSO) method and FIM mentioned together; however, they are not synonymous. There are some important differences between these two processes that should be mentioned. The single sign-on method enables access to applications and resources within a single domain. On the other hand, federated identity management enables single sign-on to applications across multiple domains or organizations. I’m sure you are able to see the main difference between these two systems now. FIM is necessary for companies that give their employees access to third-party applications. There are many examples of situations where this access should be provided, such as external communicators, online banking services, or other external apps.
Identity Federation and SAML?
The Identity Federation platform provides a comprehensive set of federation capabilities that allow organizations to securely connect and share information with their trusted partners. It is important to know that the FIM platform includes support for popular federation standards such as SAML (Security Assertion Markup Language) and WS-Federation. Support for proprietary protocols such as Active Directory Federation Services (AD FS) is also provided within this platform. FIM also provides a secure token service that can issue tokens used by federation partners to access protected resources.
Identity Federation and OAuth?
OAuth is one of three major protocols for federated identity (next to OpenID and SAML protocols). This open standard protocol is used exclusively for authorization purposes and not for authentication purposes. The OAuth specifications define the following roles:
- End-user or the entity that owns the resource;
- The resource server (“OAuth Provider”), which is the entity hosting the resources;
- The client (“OAuth Consumer”) – the entity which is looking to consume the resource after getting the authorization.
What is an Identity Provider?
An Identity Provider (IdP) is a system that is used to create, store and manage digital identities. Such a system can also directly authenticate the user. What is more, the system can also provide authentication services to third-party service providers. In other words, the Identity Provider is responsible for user authentication. If you are using your browser account credentials to log in to a streaming service, the browser sign-in is the IdP and the site you are using the credentials on is a service provider (SP). Any website that requires a login uses an Identity Provider to authenticate its users. The purpose of the IdP is to track the entities and know where and how to retrieve the identities that determine whether a person or device can access relevant data.
Examples of Federated Identity
The best example of Federated Identity is when someone is using their Gmail login credentials to access a third-party website. With Federated Identity Management, they can access numerous websites that have federated agreements with Google. Popular sites like YouTube, Blogger, or Picasa Web Album can be accessed using the same credentials. The same rule applies to websites with federated agreements with Facebook (for example Instagram or Netflix). The idea is always the same – users will only need one set of credentials to access different sites. In this case, federated access is really convenient for the user but can create some IT security threats that should be addressed.
Conclusion – what is the future of federated identity?
It is important to know that we are facing a reality where increased interconnectivity between numerous systems, protocols, and devices becomes the norm. Federated identity is definitely a step forward in the overall user experience. Although it is much more convenient for the users (because they don’t have to remember numerous credentials), it can cause some IT difficulties. It is important to know that the proper implementation of federated identity solutions like Keycloak can help companies to cooperate more easily with each other.