What Is Federated Identity?
Federated identity is an arrangement in which a group of linked organizations agree to trust one another's verification of a user, so that one authenticated identity can be used across their applications and resources. It does this by linking users' online identities across multiple domains and networks.
Federated identity addresses several common access and security problems. For example, users commonly reuse passwords across online accounts so that they have fewer login details to remember and can sign in faster. A password stolen from one site then unlocks every other account that shares it, which is exactly what credential-stuffing attacks rely on to compromise users and organizations and steal sensitive data. Federation reduces the number of passwords a user has to hold, and so the number that can be reused.
Organizations can manage user access and still make applications easy to reach by pairing federation with security tools like multi-factor authentication (MFA) and single sign-on (SSO). An example of federated access is an organization letting its users reach partner websites, Active Directory resources, and web applications without logging in to each one separately.
How Federated Identity Management (FIM) Works
The federated identity management (FIM) model comprises the policies and protocols through which organizations manage authentication and identity across a federation. For FIM to work, the connected partners must first establish trust, in practice by exchanging metadata and the signing keys each side will use to verify the other's assertions. Done properly, this improves security in the connected systems while reducing complexity and making the login process smoother for users.
In an FIM scheme, end users' credentials are stored and verified by an identity provider (IdP). When a user logs in to an application, they do not present their credentials to that application. Instead, the application's service provider (SP) redirects the user to the IdP, which authenticates them and returns a signed assertion or token that the SP verifies before allowing access. The user therefore authenticates only to the IdP, which then vouches for them to every connected application, portal, and website.
FIM works through this process:
- A user's login credentials are stored at, and checked by, their own organization's IdP.
- The user attempts to log in to a remote application that uses federated identity.
- The remote application (the SP) redirects the user to their IdP with a request for federated authentication.
- Finally, the IdP authenticates the user and returns a signed assertion confirming their identity to the application, which verifies the assertion and grants access.
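The four steps above, carried through as an added example that is not from the original page: a toy identity provider and service provider exchange messages the way an SP-initiated OpenID Connect login does, with the IdP minting an HS256-signed ID token keyed by a shared client secret (OIDC Core permits this; production IdPs normally use RS256 with published keys). The hostnames, client ID, user record, and secret are all constructed, and the browser redirect is simulated by passing the URL in memory.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed, illustrative identifiers (not from the original page).
IDP_ISSUER = "https://idp.example"
SP_CLIENT_ID = "sp-client-123"
SP_REDIRECT_URI = "https://sp.example/callback"
# Constructed shared secret; OIDC Core lets an HS256 ID token be keyed by the client_secret.
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Stores and verifies credentials; the SP never sees a password (step 1)."""

    def __init__(self):
        self._users = {}  # username -> (salt, sha256(salt + password)); constructed store
        self.add_user("alice", "correct horse battery staple")

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, username, password):
        salt, digest = self._users.get(username, (b"", b""))  # unknown user compares unequal
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def handle_authorize(self, authz_url, username, password, now=None):
        """Serve the SP's redirect (step 3): check the client, log the user in, mint an ID token."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
        if q.get("client_id") != SP_CLIENT_ID or q.get("redirect_uri") != SP_REDIRECT_URI:
            raise ValueError("unregistered client_id or redirect_uri")
        if not self.authenticate(username, password):
            raise PermissionError("invalid credentials")
        now = int(now if now is not None else time.time())
        claims = {"iss": IDP_ISSUER, "sub": username, "aud": SP_CLIENT_ID,
                  "iat": now, "exp": now + 300, "nonce": q["nonce"]}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}", q["state"]  # both travel back via redirect_uri


class ServiceProvider:
    """Holds no passwords; admits a user only when every check below passes (step 4)."""

    def __init__(self):
        self._pending = {}  # state -> nonce for each login in flight

    def start_login(self):
        """Step 2: send the user to the IdP with a fresh state and nonce."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return IDP_ISSUER + "/authorize?" + urlencode({
            "response_type": "id_token", "client_id": SP_CLIENT_ID,
            "redirect_uri": SP_REDIRECT_URI, "scope": "openid",
            "state": state, "nonce": nonce})

    def finish_login(self, id_token, state, now=None):
        nonce = self._pending.pop(state, None)  # unknown or already-used state is rejected
        if nonce is None:
            raise ValueError("unknown state")
        header_b64, body_b64, sig_b64 = id_token.split(".")  # ValueError if malformed
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
        expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body_b64))  # parsed only after the signature checks out
        now = int(now if now is not None else time.time())
        if claims.get("iss") != IDP_ISSUER:
            raise ValueError("wrong issuer")
        if claims.get("aud") != SP_CLIENT_ID:
            raise ValueError("token issued to another client")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            raise ValueError("token expired")
        if claims.get("nonce") != nonce:
            raise ValueError("nonce mismatch")
        return claims["sub"]


def demo_login(username="alice", password="correct horse battery staple"):
    """Run the four steps end to end and return the identity the SP accepted."""
    sp, idp = ServiceProvider(), IdentityProvider()
    authz_url = sp.start_login()
    id_token, state = idp.handle_authorize(authz_url, username, password)
    return sp.finish_login(id_token, state)
```

The points worth noting are on the SP side: it never touches a password, it pins the signing algorithm instead of reading it from the token, and it rejects a token whose issuer, audience, expiry or nonce do not match the login it started. The state value is consumed on first use, so a captured callback cannot be replayed.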
How Authentication and Authorization Work in an FIM System
An FIM system authenticates users and passes the resulting identity and authorization information to connected applications and websites. It does this through several standard protocols, including:
- Security Assertion Markup Language (SAML): SAML is an XML-based standard through which an IdP sends a digitally signed assertion about an authenticated user to an SP. The assertion carries the user's identifier and attributes, not the user's password; the SP trusts it because it can verify the IdP's signature and checks that the assertion was issued for it and is still within its validity window. Extensible Markup Language (XML) is the document-encoding standard SAML uses for its messages. SAML underpins much enterprise SSO and lets organizations keep users' identities in various identity management systems while still authenticating them centrally.
- Open Authorization (OAuth): OAuth 2.0 is an authorization framework that lets a user consent to one application accessing their data at another service on their behalf. The authorizing service issues a scoped access token, so the third-party application never sees or stores the user's login credentials. OAuth by itself does not tell the application who the user is; the familiar option of logging in to a website with a Facebook or Google account is OAuth combined with OpenID Connect.
- OpenID Connect (OIDC): OIDC is an authentication protocol from the OpenID Foundation that adds an identity layer on top of OAuth 2.0's authorization framework. Alongside the access token, the IdP returns a signed ID token (a JSON Web Token) stating who the user is, when they authenticated, and which client the token was issued to. The relying party verifies the signature, issuer, audience, expiry, and nonce before trusting it. All OIDC exchanges run over HTTPS.
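The SAML checks described above, as an added example that is not from the original page: a service provider parses a constructed SAML 2.0 assertion and verifies issuer, validity window, audience, recipient, InResponseTo and replay before accepting the NameID. The entity IDs and URLs are placeholders. It deliberately leaves out XML signature verification, which the standard library cannot do and which must happen (for example with xmlsec) before any of these fields are read.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity expansion
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed, illustrative identifiers (not from the original page).
TRUSTED_ISSUER = "https://idp.example/saml"
SP_ENTITY_ID = "https://sp.example/saml/metadata"
SP_ACS_URL = "https://sp.example/saml/acs"

# Constructed assertion. The real one arrives inside a <samlp:Response> whose
# XML signature must be verified first; nothing below is trustworthy until then.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example/saml/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass


def parse_ts(text):
    """SAML timestamps are UTC; the constructed sample uses whole seconds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_request_id, now, seen_ids, skew_seconds=60):
    """Return the NameID if the assertion is for us, current, fresh and from the
    trusted IdP; raise SamlValidationError otherwise. `now` is a datetime or an
    ISO 8601 UTC string; `seen_ids` is the set of assertion IDs already accepted."""
    if isinstance(now, str):
        now = parse_ts(now)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise SamlValidationError("not a SAML 2.0 Assertion")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        raise SamlValidationError(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if "NotBefore" in cond.attrib and now < parse_ts(cond.attrib["NotBefore"]) - skew:
        raise SamlValidationError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= parse_ts(cond.attrib["NotOnOrAfter"]) + skew:
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError(f"assertion not meant for this SP: {audiences}")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise SamlValidationError("missing SubjectConfirmationData")
    if scd.get("Recipient") != SP_ACS_URL:
        raise SamlValidationError("Recipient is not our ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    if "NotOnOrAfter" in scd.attrib and now >= parse_ts(scd.attrib["NotOnOrAfter"]) + skew:
        raise SamlValidationError("subject confirmation expired")

    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlValidationError("replayed or unidentified assertion")
    seen_ids.add(assertion_id)  # record only after every other check has passed

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("missing NameID")
    return name_id
```

With signature verification in front of it, this is the sequence that defeats the common SAML mistakes: accepting an assertion meant for another SP (audience), one captured and resent (InResponseTo, Recipient, replay cache), or one long past its window (NotOnOrAfter). The replay cache only needs to hold IDs until their NotOnOrAfter plus skew has passed.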
FIM Use Cases
FIM systems can be used for several purposes, of which the most common include:
- Providing users with access to organizations’ connected distributor, partner, and supplier resources and networks
- Enabling users to quickly and easily access websites through social logins, signing in with a Facebook, Google, or Twitter account instead of creating a new username and password
- Enabling organizations to provide access to users outside of the traditional corporate perimeter, such as through mergers and acquisitions
- Enabling citizens to access national identity provider services, such as the Netherlands’ DigiD identity management platform
- Providing researchers with a free ORCID iD, a persistent identifier they can use to sign in to and participate in research and publishing workflows
- Providing a temporary arrangement that enables organizations to transition between identity and access management (IAM) systems
Benefits of Federated Identity Management
Using an FIM system presents organizations with several advantages, such as:
- Convenience: Providing users with quick and convenient access to the applications they use on a daily basis
- Cost savings: Sparing organizations the time and cost of managing a separate set of user identities for every application
- Seamless user experience: Letting users move between the applications they use without entering their login credentials for each service
- Simplified data management: Keeping credentials in one place, the IdP, rather than in every application
- Easy and secure sharing of resources: Letting organizations open resources to partners' users without issuing and managing separate accounts for them
Federated Identity Management vs. Single Sign-on (SSO)
SSO is a capability, often delivered by an FIM system, that lets users access multiple websites and applications with a single set of credentials. Once a user has signed in to the SSO service, connected applications accept that session instead of prompting for a login again. SSO is thus one component of FIM, the part that provides the secure login itself.
The difference between FIM and SSO is the scope of the resources they cover. SSO gives users access to applications and systems within one organization, whereas FIM extends that access to resources across multiple organizations, each of which has agreed to trust the others' IdPs.
The Top 5 Laws of Federated Identity
The top five laws of federated identity include:
- User control and consent: Users consent to share data and have some control over how data is shared.
- Minimal disclosure: The least amount of identifying information needed for the transaction is disclosed; what is shared is stored securely and erased as soon as it is no longer needed.
- Justification: Identity information is disclosed only to parties that have a necessary and justifiable place in the transaction, and access is granted only to those who can demonstrate a need for it.
- Directed identity: Users are given private, per-relationship identifiers rather than one public identifier, so that the platforms they use cannot correlate their activity and build a profile of them.
- Competition: Supporting multiple identity providers and technologies, rather than depending on one, keeps the ecosystem open and pushes providers to improve.
How Fortinet Can Help
The Fortinet IAM solution enables organizations to securely confirm the identity of users and devices as they enter corporate networks. With it, businesses can control and manage identities so that only specific users can access specific resources.
FortiAuthenticator provides centralized authentication across the entire Fortinet Security Fabric, including SSO services, certificate management, and guest access management. FortiToken and FortiToken Cloud enable MFA by adding a second factor to the authentication process through physical or soft tokens.