1 Introduction
Identity federation is the foundational element for enabling Single Sign-On (SSO) between different domains. Thousands of organizations across the globe depend on identity federation for mission-critical applications. Federation technology silently powers connections between colleges and universities, banks and other financial institutions, medical service providers and hospitals, e-commerce brands and retail sites, government departments and agencies, employers and employee benefits providers, subsidiaries and holding companies, suppliers and commercial buyers, sub-contractors and prime contractors, online publications and other media companies, etc.
The classic federation use case is a set of users in one domain (Acme.com) leveraging their identity credentials and authentication events to gain access to another domain (Globex.com), without having to explicitly maintain distinct accounts and log in with different passwords. Identity federation is one of the main technologies that helps organizations move away from password-based authentication. Since federation is seamless between organizations and transparent to the users, it makes moving between federated web properties a much better user experience.
Federation brings many benefits beyond improving the user experience via SSO. Decreasing the number of passwords that users must remember provides immediate security benefits, in that it reduces the identity attack surface. It also improves organizational security posture, in that a user's home domain is usually more diligent and quicker to terminate accounts when the user leaves or no longer needs access than all the down-level service providers the user interacts with in their daily business. Federation also simplifies account maintenance across connected sites. Relying Parties (RPs) depend on Identity Providers (IdPs) to maintain, update, and remove accounts, so the burden of duplicate accounts, attributes, and effort is eliminated.
Prior to the advent of identity federation protocols, web access management (WAM) systems provided SSO within a single domain. Federation technology can bridge WAM systems, even WAM systems from different vendors. Therefore, federation technology can help the organizations that deploy it escape vendor lock-in, and more easily connect (or disconnect) entities involved in mergers, acquisitions, and divestitures.
The most common federation protocols, frameworks, formats, and specifications are Security Assertion Markup Language (SAML), OAuth, OpenID, OpenID Connect, JSON Web Tokens (JWT), WS-Federation, and WS-Trust.
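To make the Acme.com/Globex.com use case above and the JWT format named in this list concrete, here is an added example (not code from this paper or from PingFederate) of the two sides of a federated login: an IdP at acme.com issues a signed assertion about an authentication event, and an RP at globex.com validates the signature, issuer, audience and expiry before trusting it. The issuer URL, audience URL and shared secret are constructed for the example; HS256 is used so the code runs with only the Python standard library, whereas production federations use asymmetric keys (RS256/ES256) published by the IdP.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret, exchanged out of band between IdP and RP.
# A real deployment would use the IdP's asymmetric signing key instead.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
IDP_ISSUER = "https://idp.acme.com"          # constructed IdP identifier
RP_AUDIENCE = "https://app.globex.com"       # constructed RP identifier


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_token(subject, audience, secret=SHARED_SECRET, now=None, ttl=300):
    """IdP side: assert that `subject` authenticated here, for use by `audience`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def rp_validate_token(token, expected_issuer, expected_audience,
                      secret=SHARED_SECRET, now=None):
    """RP side: return (True, claims) only if every federation check passes,
    otherwise (False, reason). Each check corresponds to a trust decision the
    RP is delegating to the IdP and must not skip."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSON and UTF-8 errors
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm on the RP side; never let the token pick it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    # Only assertions from the IdP this RP has federated with are trusted.
    if claims.get("iss") != expected_issuer:
        return False, "untrusted issuer"
    # A valid token minted for another RP must not open this one.
    if claims.get("aud") != expected_audience:
        return False, "token not intended for this RP"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    token = idp_issue_token("alice", RP_AUDIENCE)
    print(rp_validate_token(token, IDP_ISSUER, RP_AUDIENCE))
```

The RP never sees a password: it accepts Globex.com access for "alice" purely because acme.com's assertion verifies, which is why issuer, audience and expiry checks are as important as the signature check itself.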
Ping Identity's PingFederate is the flagship of its product line. PingFederate supports all of the federation protocols listed above and provides additional authentication and authorization functionality.
Ping Identity, founded in 2002, has grown to be a major vendor of identity management solutions, both for on-premises and cloud deployment.
Ping Identity was acquired by Vista Equity in June of 2016, and subsequently acquired UnboundID in August 2016, adding robust directory, Consumer Identity & Access Management (CIAM), and Identity-as-a-Service (IDaaS) capabilities.