Identity and Access Management (IAM) is a complex discipline that encompasses a number of distinct tenets, such as multi-factor authentication (MFA), single sign-on (SSO), and identity lifecycle management (ILM). When it comes to IAM, organizations have widely varying levels of maturity. While some have full-featured, modern IAM solutions in place, others are just making the move to cloud- or SaaS-based applications and are still manually creating users and passwords.
If your organization falls into the latter category, or is just beginning its IAM program, we recommend you start taking your identity management efforts to the next level with the most logical first step in the IAM maturity model: Federated Identity Management.
Federated Identity Management, also known as federation, is the simplest tenet of identity management. In fact, the majority of organizations can use federated identity management without implementing a full-scale IAM solution.
Authentication vs Federation vs SSO—What’s the Difference?
Before getting further into the topic of federated identity management, we first need to understand basic authentication. You might often hear terms such as authentication, single sign-on (SSO), and federation used interchangeably, but these capabilities have separate and distinct meanings. Let's take a step back and walk through each term.
User authentication, the most basic of these three concepts, is a process used to prove that a person (or entity, such as a computer system or piece of hardware) is who they claim to be. There are two steps involved in the authentication process: identification and verification. During the identification step, the claimed identifier is presented to the identity system or application. The most common identifier used is the standard username (e.g. jdoe).
Next, in the verification step, the user must prove they are who they allege to be. The user provides or generates information that verifies the binding between that information and the identifier. The most common method used for verification is the standard password (e.g. MySecretPassword_123!). In short, an example of authentication is when user credentials, such as a username and password, are entered and then verified before access is granted to the system.
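The two steps above, identification (look up the claimed identifier) and verification (check the binding between the presented secret and that identifier), are shown here as an added example; this code is not from the original article. The credential store, the PBKDF2 parameters and the dummy record for unknown usernames are assumptions made for the example, using the username and password the text uses for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for the example; production systems tune the work
# factor to their hardware and may prefer a memory-hard function such as Argon2.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash for storage and return (salt, digest).

    Only the salt and digest are kept; the plaintext password never is."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed credential store: identifier -> (salt, digest), built from the
# sample credentials the text uses (jdoe / MySecretPassword_123!).
CREDENTIAL_STORE = {"jdoe": hash_password("MySecretPassword_123!")}

# A dummy record so that an unknown username costs the same as a known one; the
# verification step then does not reveal which identifiers exist via timing.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())


def authenticate(username: str, password: str) -> bool:
    """Return True only when the presented password is bound to the identifier."""
    # Step 1, identification: the claimed identifier is presented and looked up.
    record = CREDENTIAL_STORE.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_DIGEST)
    # Step 2, verification: recompute the hash from the presented password and
    # compare it to the stored binding in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    matched = hmac.compare_digest(candidate, stored)
    return matched and known
```

A wrong password and an unknown username both fail, and both take the same amount of work, so the response tells the caller nothing beyond "access denied".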
Single sign-on, on the other hand, is a feature of an authentication mechanism that allows for a single authentication process to be used across multiple systems. With true SSO, a user has access to a set of applications and is only required to authenticate (i.e. log in) once in a central portal. From there, the user can seamlessly access various applications during a single session, such as a typical work day, instead of entering their credentials into each application.
Federation is a specific type of SSO that enables organizations to integrate with applications without exposing critical systems or data, by relying on a trusted party to identify and authenticate constituents. The trust between the systems is established ahead of time, so that the information exchanged between them can be verified.
For example, companies that regularly rely on third-party applications can federate a set of applications to give users one central point for authentication, such as entering a username and password.
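To make the trust relationship concrete, here is an added example of the exchange the text describes; it is not code from the original article, and it is deliberately simplified. The identity provider (IdP) authenticates the user and issues a signed assertion; the application (service provider, SP) accepts it because the signing key was agreed ahead of time, and it never sees the user's password. The shared HMAC key, the issuer and audience URLs, and the compact claims format are assumptions of this example; real federation protocols (SAML, OpenID Connect) use signing certificates and their own token formats. The assertion also carries only the identifier and the facts the application needs, which illustrates the later point that very little information is shared with external applications, and an authentication method claim shows how an MFA requirement can be conveyed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Trust established ahead of time: the IdP and the SP share this key out of band.
# Constructed value for the example; real deployments exchange certificates or JWKS.
SHARED_KEY = b"constructed-idp-sp-shared-secret"
IDP_ID = "https://idp.example.com"   # hypothetical identity provider
SP_ID = "https://hr.example.com"     # hypothetical relying application
ASSERTION_TTL = 300                  # assertion lifetime in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(username: str, audience: str, mfa_used: bool,
                        now: Optional[int] = None) -> str:
    """IdP side: after authenticating the user locally, emit a signed assertion
    that carries only what the application needs (no password, no other data)."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": IDP_ID,            # who vouches for the user
        "aud": audience,          # which application may accept this
        "sub": username,          # the identifier, nothing more
        "iat": now,
        "exp": now + ASSERTION_TTL,
        "amr": ["pwd", "otp"] if mfa_used else ["pwd"],  # how the user authenticated
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def sp_verify_assertion(token: str, now: Optional[int] = None) -> Optional[dict]:
    """SP side: accept the assertion only if it was signed with the pre-shared key,
    names this application as the audience, and is within its validity window.
    Returns the claims on success and None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None           # not issued by the trusted party, or tampered
        claims = json.loads(_unb64(body))
    except ValueError:            # malformed token, bad base64 or bad JSON
        return None
    if claims.get("iss") != IDP_ID or claims.get("aud") != SP_ID:
        return None               # signed, but not by our IdP or not meant for us
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None               # replayed outside the validity window
    return claims
```

The audience check matters as much as the signature: an assertion issued for one federated application must not be accepted by another, even though both trust the same IdP.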
So, Who Can Benefit from Federated Identity Management?
Federated identity management offers significant benefits to organizations, particularly those in the beginning stages of an IAM program and those currently using or switching to cloud or SaaS-based applications.
A primary benefit of federation is that it simplifies the user authentication experience, saving time and headaches. Users log in to the central point for authentication once and then seamlessly continue their day-to-day processes without having to constantly enter and manage separate credentials for each application.
In addition, organizations look to federation as a way to reduce administrative overhead. For example, there will always be employees coming and going, and perhaps your organization requires a password reset every 6 months. With federation, your administrative team has one central portal to make these updates, instead of within multiple applications for each user.
Finally, federation is used to increase the security posture of identity management and can even be combined with multi-factor authentication (MFA). When authentication is streamlined to one central location, very little information is shared with external applications, because the trust was established ahead of time. Adding MFA, such as a one-time password or push authentication, adds an extra layer of protection from a security standpoint.
Where Does Your Organization Fall on the Federation Maturity Model?
So, now that you know the basics of federation, it’s time to put it into practice! Gain valuable information by watching Identity Automation's webinar, Advancing Your Identity Management Strategy with the IAM Maturity Model: Part 1 - Federation. In this on-demand recording, our Founder and IAM subject matter expert, Troy Moreland, discusses federated identity management and provides practical and actionable insights into how to update and refine your organization’s federation efforts.
Whether you are in the beginning phase of your IAM program or wanting to take it to the next steps, we recommend you watch this resource to discover the characteristics of each level within the Federation Maturity Model. From basic to advanced, this tool will help you identify your organization’s current status on the maturity and capability scale.