1 Introduction
Identity federation is the foundational element for enabling Single Sign-On (SSO) between different domains. Thousands of organizations across the globe depend on identity federation for mission-critical applications. Federation technology silently powers connections between colleges and universities, banks and other financial institutions, medical service providers and hospitals, e-commerce brands and retail sites, government departments and agencies, employers and employee benefits providers, subsidiaries and holding companies, suppliers and commercial buyers, sub-contractors and prime contractors, online publications and other media companies, etc.
The classic federation use case is a set of users in one domain (Acme.com) leveraging their identity credentials and authentication events to gain access to another domain (Globex.com), without having to explicitly maintain distinct accounts and log in with different passwords. Identity federation is one of the main technologies that helps organizations move away from password-based authentication. Since federation is seamless between organizations and transparent to the users, it makes moving between federated web properties a much better user experience.
Federation brings many benefits beyond improving the user experience via SSO. Decreasing the number of passwords that users must remember provides immediate security benefits by reducing the identity attack surface. It also improves organizational security posture because a user’s home domain is usually more diligent and therefore quicker to terminate accounts when the user leaves or no longer needs access than all the down-level service providers he or she may interact with on a daily basis. Federation also simplifies account maintenance across connected sites. Relying Parties (RPs) depend on Identity Providers (IdPs) to maintain, update, and remove accounts, so the burden of duplicate accounts, attributes, and effort is eliminated.
Prior to the advent of identity federation protocols, web access management (WAM) systems provided SSO within a single domain. Federation technology can bridge WAM systems, even between WAM systems from different vendors. Therefore, federation technology can help deploying organizations escape vendor lock-in, and more easily connect (or disconnect) entities involved in mergers, acquisitions, and divestitures.
The most common federation protocols, frameworks, formats, and specifications are Security Assertion Markup Language (SAML), OAuth, OpenID, OpenID Connect, JSON Web Tokens (JWT), WS-Federation, and WS-Trust.
Ping Identity’s PingFederate is the flagship of its product line. PingFederate supports all of these federation protocols and provides additional authentication and authorization functionality.
Ping Identity, founded in 2002, has grown to be a major vendor of identity management solutions, both for on-premises and cloud deployment.