Why identity federation?

Mawli De silva
Aug 24, 2021


Before asking why identity federation matters, let's define the term. In simple terms, identity federation is an arrangement in which a user's identity, managed by one identity provider (an entity that stores and manages digital identities), is trusted and reused by other identity providers and applications. Open identity standards and protocols exist so that this trust can be established and the identity information exchanged in an interoperable way.

Our digital identities and attributes are stored across multiple trust domains, and the trust relationships between those domains are built through identity servers. Knowingly or not, we experience identity federation whenever we sign in to a web application with an account we already hold elsewhere: this is identity federation through social login. Most people today have accounts with popular identity providers such as Google and Facebook, so they can bring that existing identity when logging in to another application. Let's look at the flow in more detail using WSO2 Identity Server, a well-known identity provider.

Here the service providers are the applications the user wants to log in to. The user first tries to log in using a social account (Google, Facebook, etc.). The login request is passed to the WSO2 Identity Server, which does not hold that user's identity itself, so it has to authenticate the user through its trust relationship with an external identity provider (external IdP) that does hold it. In the figure above, Google, Facebook, Microsoft and others appear as such external identity providers; the external identity provider can also be another WSO2 Identity Server instance. The login request is therefore forwarded to the external identity provider, which authenticates the user. After authentication the login response is passed back to the WSO2 Identity Server, which validates it under the trust relationship (that it is signed by the configured external IdP and was issued for this server) before forwarding the result to the service provider, and the user is logged in to that application.
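The four-step flow above, as an added example that is not from the article and not WSO2's own code: a small federation hub playing the WSO2 Identity Server role brokers between service providers and the external identity providers it has been configured to trust. The external IdPs, service providers, hostnames, keys, the "alice" account and the toy HMAC-signed token format are all constructed for this illustration (real deployments carry SAML or OIDC messages signed with the IdP's private key). What it shows is the check the hub must perform on the login response before it issues anything to the service provider, and two failure modes: an assertion from an IdP with no trust relationship, and a hub token replayed against a different service provider.

```python
import base64
import hashlib
import hmac
import json
import time

# Toy token format, constructed for this example (not SAML or OIDC wire format):
#   base64url(JSON claims) + "." + hex(HMAC-SHA256(key, claims))
# A real IdP signs with its private key; verifiers use its published certificate/JWKS.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token: str, key: bytes, expected_iss: str, expected_aud: str) -> dict:
    """Signature, issuer, audience and expiry checks; raises ValueError on any failure."""
    body, _, mac = token.partition(".")
    good_mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good_mac):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

class ExternalIdP:  # Google, Facebook or another identity server holding the user's account
    def __init__(self, issuer: str, key: bytes, users: dict):
        self.issuer, self.key, self.users = issuer, key, users

    def authenticate(self, username: str, password: str, audience: str) -> str:
        if self.users.get(username) != password:  # stand-in for the IdP's own login page
            raise PermissionError("invalid credentials")
        return sign_token({"iss": self.issuer, "sub": username, "aud": audience,
                           "exp": time.time() + 300}, self.key)

class FederationHub:  # the WSO2 Identity Server role: brokers SPs and trusted external IdPs
    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key
        # issuer -> verification key (the configured trust relationship); registered SP ids
        self.trusted_idps, self.service_providers = {}, set()

    def login_request(self, sp_id: str, idp_issuer: str) -> dict:
        """Steps 1-2: the SP sends the user here; with no local account, redirect to the IdP."""
        if sp_id not in self.service_providers:
            raise ValueError("unknown service provider " + sp_id)
        if idp_issuer not in self.trusted_idps:
            raise ValueError("no trust relationship with " + idp_issuer)
        return {"redirect_to": idp_issuer, "audience": self.issuer}

    def login_response(self, sp_id: str, assertion: str) -> str:
        """Step 3: validate the external IdP's response, then issue the hub's own token."""
        # 'iss' is read unverified only to pick the configured key; the signature check follows.
        issuer = json.loads(_unb64(assertion.partition(".")[0])).get("iss", "")
        if issuer not in self.trusted_idps:
            raise ValueError("no trust relationship with " + issuer)
        claims = verify_token(assertion, self.trusted_idps[issuer], issuer, self.issuer)
        return sign_token({"iss": self.issuer, "sub": claims["sub"], "idp": issuer,
                           "aud": sp_id, "exp": time.time() + 300}, self.key)

class ServiceProvider:  # the application: trusts only the hub, never an external IdP directly
    def __init__(self, sp_id: str, hub: FederationHub):
        self.sp_id, self.hub = sp_id, hub
        hub.service_providers.add(sp_id)

    def accept(self, token: str) -> dict:
        """Step 4: accept the hub's token only if it was issued to this SP."""
        return verify_token(token, self.hub.key, self.hub.issuer, self.sp_id)

def run_demo() -> dict:
    """Happy path plus two failure modes; all names and keys are made up for the example."""
    social = ExternalIdP("https://accounts.social-idp.example", b"social-key", {"alice": "pw"})
    rogue = ExternalIdP("https://rogue-idp.example", b"rogue-key", {"alice": "anything"})
    hub = FederationHub("https://is.example-org.example", b"hub-key")
    hub.trusted_idps[social.issuer] = social.key    # configured trust; the rogue IdP has none
    app1, app2 = ServiceProvider("app1", hub), ServiceProvider("app2", hub)
    redirect = hub.login_request("app1", social.issuer)
    assertion = social.authenticate("alice", "pw", audience=redirect["audience"])
    hub_token = hub.login_response("app1", assertion)
    results = {"claims": app1.accept(hub_token)}
    try:    # an IdP with no trust relationship is rejected even though its signature is valid
        hub.login_response("app1", rogue.authenticate("alice", "anything", hub.issuer))
        results["rogue"] = "accepted"
    except ValueError as err:
        results["rogue"] = str(err)
    try:    # a hub token issued for app1 must not log the user in to app2
        app2.accept(hub_token)
        results["replay"] = "accepted"
    except ValueError as err:
        results["replay"] = str(err)
    return results
```

`run_demo()` returns the claims the service provider finally sees for the happy path (subject `alice`, with `idp` recording which external IdP vouched for her) together with the two rejection reasons. The point a practitioner should take from it is that the hub selects the verification key from its own configuration, keyed by issuer, and never from anything inside the assertion, and that every token names its audience, so a response meant for the hub cannot be accepted by a service provider and a token meant for one application cannot be replayed to another.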

This is possible because of the trust relationship between the identity provider entities. It is convenient for users to bring their existing digital identity when accessing other applications, and it lets organizations share resources across domains in an easy way while each organization still controls access to its own resources.

Users do not have to keep separate credentials for every application they log in to. That improves the user experience, and it improves security as well: there are fewer passwords to reuse or leak, and authentication is concentrated at an identity provider where strong policies can be enforced. Open standards and protocols such as SAML 2.0, OpenID Connect and WS-Federation are used to exchange identity information between identity servers and identity providers. Single Sign-On (SSO) is another aspect of identity federation: once the user has authenticated at the identity provider, they can access the other federated applications without logging in again. Federation also reduces organizational costs, since credential management is centralized rather than repeated in every application.

So identity federation is a useful concept in the Identity and Access Management (IAM) domain.

References

Identity Federation — WSO2 Identity Server Documentation
