Federated identity management, also known as identity federation, is a well-established approach, standardized in protocols such as SAML 2.0 and OpenID Connect, that changes how organizations manage identity and how they partner with one another.
In this article we will cover what federated identity management is, how it works, how it compares to single sign-on, its benefits, disadvantages, and the potential applications.
On a very basic level, federated identity management (FIM) is when multiple enterprises let subscribers use the same identification data to obtain access to the services and/or networks of all the enterprises in the group. It has aspects that are similar to single sign-on (SSO), but it is different and we will dive into that later.
With FIM, a user’s credentials are always stored by a core organization - the identity provider. When a user logs into a service, they don’t have to provide their credentials to the service provider. Instead, the service provider trusts the identity provider to validate the user’s credentials. As a result, the user never actually provides their credentials to anyone but the identity provider.
Additionally, when two or more domains or service providers become federated, a user only has to authenticate once. They can then access services and resources without performing a separate login for each organization within the federation (subject to any re-authentication a service provider demands for sensitive actions).
Identity federation offers both economic advantages and convenience to organizations and users alike. For example, if multiple companies can share a single application, everyone will ultimately save due to a consolidation of resources.
However, FIM involves a lot of trust and open communication between partners that choose to make use of it. Companies that are thinking about creating or joining an identity federation need to ensure that they agree upon all factors. Honest communication is a must.
Typically, a user first logs in to their identity provider. When they then try to use a service provider that participates in the federation, the service provider does not ask for a password. Instead it redirects the user to the identity provider with an authentication request, and the identity provider answers with a signed assertion (a SAML assertion or an OpenID Connect ID token) stating who the user is and, usually, which groups or attributes apply to them.
The service provider checks that assertion before trusting it: the signature must verify against the identity provider's key, the issuer must be one the service provider has agreed to trust, the audience must name this service provider rather than another member of the federation, and the assertion must not have expired or been replayed. Only then does the service provider grant access, and the level of access is its own decision under its own policy. Note the division of labour: the identity provider authenticates; each service provider authorizes. The user's credentials were checked exactly once.
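The exchange above, reduced to the check a service provider must perform before it trusts the identity provider's statement, and the local authorization step that follows. This is an added illustration, not code from any product or standard: it uses a JWT-shaped assertion signed with a key shared between the two parties (real deployments normally verify against the identity provider's published public key, as in SAML or OpenID Connect), and the key, issuer, audience, nonce and group names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example: a key shared between the identity provider
# (IdP) and this service provider (SP), the IdP's issuer name and this SP's audience.
IDP_KEY = b"example-federation-key-not-for-production"
IDP_ISSUER = "https://idp.example.org"
SP_AUDIENCE = "https://app.example.com"

# Local authorization policy (constructed): how this SP maps groups asserted by the
# IdP onto its own roles. The IdP authenticates; the SP still decides what the user may do here.
LOCAL_ROLE_MAP = {"project-alpha-admins": "admin", "project-alpha-members": "reader"}


class InvalidAssertion(Exception):
    """Raised when the SP refuses to trust an assertion."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key, issuer, subject, audience, nonce, groups, now, ttl=300):
    """IdP side: after authenticating the user, sign a short-lived assertion
    addressed to one specific service provider (the audience)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now,
              "exp": now + ttl, "nonce": nonce, "groups": groups}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_assertion(token, key, expected_issuer, expected_audience, expected_nonce, now):
    """SP side: accept the IdP's statement only if every check passes.
    Returns the claims; raises InvalidAssertion otherwise."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidAssertion("malformed token")
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise InvalidAssertion("signature does not verify")
    claims = json.loads(_unb64url(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise InvalidAssertion("issuer is not a trusted IdP")
    # A valid assertion meant for another SP in the federation must not work here.
    if claims.get("aud") != expected_audience:
        raise InvalidAssertion("assertion addressed to a different service provider")
    if now >= claims.get("exp", 0):
        raise InvalidAssertion("assertion expired")
    # The nonce binds the assertion to the login this SP actually started.
    if claims.get("nonce") != expected_nonce:
        raise InvalidAssertion("nonce mismatch, possible replay")
    return claims


def is_accepted(token, key, expected_issuer, expected_audience, expected_nonce, now) -> bool:
    """Convenience wrapper: True if the SP would trust the assertion, False otherwise."""
    try:
        validate_assertion(token, key, expected_issuer, expected_audience, expected_nonce, now)
        return True
    except InvalidAssertion:
        return False


def local_role(claims) -> str:
    """Authorization stays with the SP: translate asserted groups into a local role."""
    roles = {LOCAL_ROLE_MAP[g] for g in claims.get("groups", []) if g in LOCAL_ROLE_MAP}
    for role in ("admin", "reader"):
        if role in roles:
            return role
    return "none"


if __name__ == "__main__":
    now = 1_700_000_000
    nonce = "sp-generated-nonce-1"
    token = issue_assertion(IDP_KEY, IDP_ISSUER, "alice", SP_AUDIENCE, nonce, ["project-alpha-admins"], now)
    claims = validate_assertion(token, IDP_KEY, IDP_ISSUER, SP_AUDIENCE, nonce, now + 10)
    print("accepted", claims["sub"], "as", local_role(claims))
```

The audience check is the federation-specific one: within a federation every member trusts the same identity provider, so an assertion stolen from, or issued for, one service provider must not be accepted by another. The nonce and expiry checks bound replay; the algorithm pin stops a token from downgrading its own verification.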
FIM and single sign-on (SSO) have a lot of similarities, but they are different at their core. It’s important to point out that federated identity management gives you SSO, but SSO does not necessarily give you FIM.
Single sign-on lets a user authenticate once and then reach several applications without logging in again. In its narrowest sense this happens inside one organization: one corporate login opens email, the intranet and the HR portal. The "log in with Google", "log in with Facebook" or "log in with Twitter" buttons you see across the web are already a form of federation, because the site relies on an outside identity provider instead of checking a password itself.
Two differences matter. First, scope: SSO in the narrow sense covers systems within a single organization, while FIM extends the same experience across organizational boundaries. Using your Facebook account to create an Instagram account is one company's SSO, since Facebook owns both; a federation would let one identity work across, say, Netflix, Hulu and Disney+, three independent companies that had agreed to trust a common identity provider (a hypothetical example).
Second, where the password goes. Neither SSO nor FIM should hand your password to each system you use; both authenticate against a central service. With FIM that service is the identity provider, and it may belong to a different organization than the one you are accessing, so each service provider receives a signed assertion about you rather than your credentials. That also concentrates risk: whoever compromises the identity provider, or steals a valid assertion, inherits access to every member of the federation, so the identity provider's own controls (multi-factor authentication, key management, short assertion lifetimes) set the security level of the whole group.
FIM certainly relies heavily on SSO technologies to authenticate users across different websites and apps, but it has developed these technologies further. So while FIM does offer users SSO, SSO does not provide all of the same benefits that FIM does.
Naturally, FIM offers convenience for both companies and their users, and it has a number of different applications. For example, organizations that are working together on a project can form an identity federation so that all of their users can share and access resources easily. This allows users to access all resources across domains, and also allows administrators to still control the level of access in their own domains.
Additionally, FIM removes the need to create a separate account with each service provider, application and domain, so users have far fewer usernames and passwords to remember. A Dashlane study from 2015 found that the average person has 90 online accounts; imagine remembering login data for all 90. Password managers are increasingly popular, and federation reduces how much they have to hold, but it does not make them irrelevant: the one credential that now opens everything is the identity provider login, and that account deserves a strong, unique password and multi-factor authentication.
Security can also improve with FIM, because users present their password to the identity provider alone. Service providers never store passwords, so a breach at one of them cannot expose the credentials that work elsewhere, which is the usual way a single breach spreads. The caveat is that the identity provider, and the assertions it issues (which still carry identity attributes), become the high-value target, so the benefit holds only if that provider is well defended.
FIM also saves companies money. By consolidating their resources, each company is no longer responsible for individual login pages, authentication, data storage, access, et cetera. Things become far simpler for both organizations offering FIM and their users.
While FIM is generally seen as an overwhelmingly good thing, it does have some disadvantages. The first is that setting up an FIM system can be expensive initially. Small businesses and start-ups may not be able to offer FIM because doing so means they will have to modify their existing systems.
Another challenge is that participating members of an identity federation will need to create policies and security protocols. Each member will have to adhere to these rules, which may cause problems when different companies have different rules and requirements. As we witness FIM becoming more mainstream, we may potentially see different federations competing against each other.
Since an organization can be a member of different federations, they need to follow what could be multiple sets of rules. Following these different policies and procedures may require more time and effort than many companies are aware of.
We already mentioned that trust is essential to identity federations, and that can be a disadvantage. For example, given Facebook's history of data privacy controversies, other companies may be reluctant to federate with it. In fact, many major companies have experienced data breaches, which can make it hard to find a partner whose security practices you are willing to rely on.
With identity management becoming an increasingly popular topic, it will be interesting to see if FIM becomes mainstream. From a user perspective, it could be a major player when it comes to protecting personal data.
When we consider how FIM could be used alongside decentralized identity (often abbreviated DID, after the W3C Decentralized Identifiers specification), things become even more interesting. In a decentralized identity model the user, rather than a central identity provider, holds their identifiers and verifiable credentials (typically in a wallet application) and presents to each relying party only the claims that party needs. Combined with federation, this could reduce both the amount of personal data a service provider receives and the dependence on a single identity provider as the one point whose compromise exposes everything. Used together, the two approaches could improve data privacy considerably.
FIM can also be used for companies that are collaborating on projects together or companies that offer business to business (B2B) services. Instead of trying to share data back and forth constantly, all that is needed is an identity federation to allow access to those who need it.
Microsoft has offered federation technology for years (Active Directory Federation Services, for example), so it makes sense that it is also working on decentralized identity. The US government has also shown interest: the National Institute of Standards and Technology publishes the Digital Identity Guidelines (SP 800-63), whose part C covers federation and assertions.
Federated identity management offers benefits both to users and to the organizations that employ it. Things become more streamlined and safer for everyone involved, provided the identity provider itself is well protected. It will be interesting to see how many major companies follow the lead of early adopters such as Microsoft and integrate it into their own systems.
While FIM does have some disadvantages, in particular when it comes to cost and time, we think the benefits outweigh them. That being said, it would be nice to see FIM become more accessible to smaller businesses as well as major corporations. We can only hope that it becomes less time and money intensive as it becomes more mainstream.
Data privacy and protection are a big part of technology’s future, and we think FIM has a major role to play. With 73% of people having increasing concerns over data privacy, it is vital that companies adapt to ensure both consumer protection, and their own data safety. As time goes on, hackers are only going to get better and better at what they do, and organizations of all shapes and sizes need to do their due diligence when it comes to data protection. FIM might not be the complete answer, but it is part of the solution.