What is federated identity and authentication?
Federated identity and authentication is a method for providing user authentication and identity verification to various platforms using only one set of login credentials. If you’ve ever installed an app or visited a website and they asked you to sign in via your Google account, then you’ve experienced federated identity and federated authentication.
The entire process is known as federated identity management (FIM). Trust relationships between the entities involved form the basis of the system. One entity is the service provider (SP), for example the maker of an app that requires you to log in. The other is the identity provider (IdP), which manages user accounts and authenticates users on the SP’s behalf.
The user’s initial authentication with the IdP may require a password plus additional factors, such as a one-time password (OTP) or a hardware security key, under multi-factor authentication (MFA) or its two-factor form (2FA), depending on the IdP’s security requirements. The SP never sees the user’s password; it only receives the IdP’s signed assertion that the authentication succeeded.
The IdP decides how it authenticates its users, which may include biometric or certificate-based authentication; an SP can request a particular strength of authentication (for example, that MFA was used) and check the IdP’s assertion for it. Generally, many different SPs rely on a small number of IdPs. Virtually any app or website can be an SP, but only a few services operate as large IdPs.
How does federated identity work?
Federated identity management works through standardized protocols that carry authentication information from IdPs to SPs.
To start the process, a user requests access to a service, such as an app, and chooses to sign in with an existing identity such as a Google account. The SP redirects the user to the IdP, the IdP authenticates the user, and the IdP sends a signed assertion (or token) about the user back to the SP via one of the following standardized protocols. The SP verifies that assertion before granting access.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML), currently at version 2.0, is an older XML-based protocol in which the IdP issues a digitally signed XML assertion about the user. It remains widely used for enterprise single sign-on (SSO) and for federation between organizations.
Open Authorization
Open Authorization, or OAuth (OAuth 2.0 in current use), manages delegated access: a user authorizes one service to act on their behalf at another, and the second service receives an access token scoped to that permission rather than the user’s password. A common example is linking two services so that one can read data from the other. The OAuth protocol handles the authorization and token exchange, but it does not tell the receiving service who the user is, which is why OAuth alone is not an authentication protocol.
OpenID Connect
OpenID Connect (OIDC) is a newer protocol that adds an identity layer on top of OAuth 2.0. When the IdP authenticates the user, it issues an ID token, a signed JSON Web Token (JWT) carrying claims such as the issuer, the subject (a user identifier), the intended audience (the SP’s client ID) and an expiry time, and it offers a UserInfo endpoint for additional profile data. The SP verifies the token’s signature and claims and then grants access.
The entire FIM process works via the above protocols and through trust relationships established in advance between each service provider and identity provider, typically by exchanging signing keys (or key-discovery URLs) and registering the SP’s redirect URIs. Consumer-facing services today mostly use OAuth 2.0 and OIDC rather than SAML. In enterprise environments, however, SAML remains a large part of user authentication wherever internal access controls allow federated identity.
Federated identity and SSO: What is the difference?
Single sign-on (SSO) and federated identity may sound similar, but these two technologies differ in their applications.
SSO allows you to use one set of credentials or ID to log into multiple systems. Using the one login, you don’t need to re-authenticate yourself as you move from system to system.
However, SSO is primarily used within a single enterprise or company network. For example, you would use SSO to sign into your company’s main network. You could then access various network resources and applications within the company without entering new login credentials.
Federated identity management helps a user access multiple domains across companies. With federated identity, you can access two separate apps or companies with the same login credentials.
In short, SSO describes the user experience of one login session across many applications, typically within a single company’s ecosystem. Federated identity describes the trust arrangement that lets credentials held by one organization’s IdP be accepted by other organizations’ services; in practice, federation is how SSO is extended across company and domain boundaries.
Benefits of federated identity
Cybersecurity and authentication are always a balancing act for network engineers. Systems must be secure, and data must be protected. However, they also must allow easy and frictionless access for legitimate users. Federated identity helps with this balance by providing the following benefits.
- Reduced costs. Companies implementing federated identity management solutions can reduce costs since they don’t have to develop their proprietary SSO or authentication system. This process helps startup technology companies create services without the burden of higher development costs.
- Streamlined user experience. If you have to log in individually to various services and apps, it can be frustrating and detract from the experience. With FIM, one login can work across various platforms and apps, allowing you to quickly access the services or data you need.
- Fewer credential stores. With FIM, user passwords are stored and checked only at a small number of IdPs rather than at every app or service, so there are fewer places where attackers can harvest credentials. Without FIM, each app or service would hold its own password database and be a separate target. The trade-off is that the IdP becomes a high-value target and must be protected accordingly.
- Single point provisioning. Access across different domains can be granted and revoked in one place, which lets businesses onboard users from a larger pool. It also gives customers easy access to services they may not have tried otherwise because of login inconveniences.
- Share resources without sharing identity details. Identity details stay with the identity provider when using FIM. This means businesses and services can share resources with customers without personal information being copied to each domain.
Is federated identity secure?
When implemented properly, federated identity and FIM are more secure than having every service manage its own passwords. No security solution can provide 100% guaranteed security, but with FIM the security benefits outweigh the risks for most organizations.
One common criticism of FIM is that it depends heavily on trust relationships between IdPs and SPs that share information across services. In this context, a trust relationship means that the SP accepts assertions signed by the IdP’s key, and the IdP only returns users to the SP’s registered redirect URIs. These centralized trust relationships are a valuable target for attackers: compromising an IdP or its signing key, or tricking an SP into accepting a token that was issued for someone else, affects every connected service. The protocols include countermeasures against such attacks, which the SP must actually implement: verifying the assertion’s signature, checking the issuer, audience and expiry, binding each login to the user’s browser session with state and nonce values, and accepting responses only at pre-registered redirect URIs.
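Both sides of the exchange described under “How does federated identity work?” and the checks listed in the paragraph above, as an added worked example in Python that is not part of the original article. The IdP side (idp_issue_id_token), the SP side (sp_build_authorization_request, sp_validate_id_token), the issuer URL, the client ID and the client secret are all constructed for this example. HS256 with a shared client secret is used so that the code runs with the standard library alone; real IdPs normally sign ID tokens with RS256 or ES256 and publish the public keys, but the claim checks are the same.

```python
"""Minimal OpenID Connect login, simulated end to end (added example).

An identity provider (IdP) authenticates the user and mints a signed ID token;
the service provider (SP) validates that token before trusting the identity.
All names and secrets below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values: a hypothetical IdP, the SP's client ID and client secret.
ISSUER = "https://idp.example"
CLIENT_ID = "sp-app-123"
CLIENT_SECRET = b"example-client-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sp_build_authorization_request(redirect_uri: str) -> dict:
    """Step 1 (SP): redirect the user to the IdP. The random state ties the
    response to this browser session (CSRF protection); the nonce is echoed
    back inside the ID token so a token cannot be injected into another session."""
    return {
        "url": ISSUER + "/authorize",
        "params": {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": redirect_uri,
            "scope": "openid email",
            "state": secrets.token_urlsafe(16),
            "nonce": secrets.token_urlsafe(16),
        },
    }


def idp_issue_id_token(subject: str, email: str, nonce: str, now=None) -> str:
    """Step 2 (IdP): after authenticating the user (password, MFA and so on
    happen here, never at the SP), mint a signed ID token valid for 5 minutes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce, "email": email}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def sp_validate_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """Step 3 (SP): verify the IdP's assertion. Each check closes one failure
    mode: alg pinning (algorithm confusion), signature (forgery), iss/aud (token
    from or for the wrong party), exp (replay of old tokens), nonce (token
    injected into a different login session). Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # never accept "none" or an unexpected alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")                   # OIDC allows a string or a list here
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def federated_login(now=None) -> dict:
    """Runs the three steps for one user and returns the claims the SP accepts."""
    req = sp_build_authorization_request("https://sp.example/callback")
    nonce = req["params"]["nonce"]            # the SP remembers this in the session
    token = idp_issue_id_token("user-42", "alice@example", nonce, now)
    return sp_validate_id_token(token, nonce, now)


if __name__ == "__main__":
    print(federated_login())
```

The authorization code exchange between SP and IdP is omitted: in the real flow the SP receives a short-lived code at its redirect URI, checks the returned state against its session, and then posts the code to the IdP’s token endpoint to obtain the ID token. Everything in sp_validate_id_token applies unchanged to that token.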
Examples of federated identity
You’ve likely already used federated identity services and may not have realized it. Below are some common real-world uses of federated identity.
X (Formerly Twitter)
If you download the X app and create a new account, you can sign in with your existing Google credentials. X is registered as a client of Google’s identity service, so Google acts as the identity provider for X, as it does for many other platforms and services. This shows how a single IdP can vouch for a user’s identity across many platforms.
Tinder
Tinder also uses FIM as an option to streamline the login experience. Tinder users can link their Facebook accounts to the Tinder service. Using this option, you don’t need to create a separate login for Tinder and you simply use Facebook as the IdP. Tinder has federated agreements with several identity providers, including Apple and Google.
One important note is that federated login options can disappear if a company ends its agreement with an IdP, so keep a recovery path, such as a verified email address, for any account you created through federated login.
How to keep yourself secure while using federated identity
Using federated identity can help you keep your information secure, but there are a few tips to help give you more control over your data.
- 1.Remove unused permissions. You may have signed up for a service or app and used federated identity, but you no longer use that service. Make sure to go into your account management settings and remove the federated identity access to that account. In Google, you can do this through the third-party connection setting under your account tab.
- 2.Only use services you trust. Only use federated identity when you trust the service provider. You also want to ensure you’re using an authentic app or legitimate website before entering any login information. Scammers can create phishing sites that appear similar to established identity providers.
- 3.Check what information is shared. Some federated identity solutions can grant access to specific areas of your account. Carefully read the sign-up page from the provider to see what is shared before granting access. If you’re uncomfortable with the level of sharing, create a separate account for that particular app.
- 4.Use strong MFA at the identity provider. Because your IdP account unlocks every connected service, protect it with multi-factor authentication, preferably a hardware security key or passkey, so that a stolen password alone cannot be used to sign in to any of the linked apps.
Following these tips will help you keep your information secure while using FIM. Most importantly, use only trusted services and keep yourself informed about the latest solutions for securing your access.