Federated Identity Management vs. SSO
Federated identity management (FIM) and single sign-on (SSO) are not synonymous: FIM gives you SSO, but SSO does not give you FIM. That distinction matters as you make the leap to the cloud and adopt more SaaS applications. You will have some initial start-up cost with FIM, because you have to build out an identity provider (IDP), but it is cheaper in the long run than using simple SSO without FIM.
Why is that so? Let's start by understanding the difference between the two.
Single Sign-on (SSO) allows users to access multiple services with a single login.
The term is actually a little ambiguous. Sometimes it is used to mean that a user only has to provide credentials once per session and then gains access to multiple services without signing in again during that session. Think of your bank account: you log in once and can then access all your accounts (savings, retirement, investment, mortgage, and so on) without being prompted for credentials again. In reality, though, these individual accounts are all separate from each other. If you pay close attention to your browser's address bar as you click through the different accounts, you'll most likely see something like this there:
Some of the downsides of SSO are that you are reliant on each SaaS application's support for multi-factor authentication (MFA) for additional protection. The user has to remember all the different logins or resort to a password manager. IT has to manage the individual SaaS logins for every employee, which results in departed employees retaining access to confidential information long after they have left the company because IT or the line of business (LOB) has not de-provisioned or deactivated their SaaS account. It also results in the company still paying for licenses assigned to former employees. All of the above make SSO without FIM costly and insecure.
Federated identity management (FIM), by contrast, is a way to connect identity management systems together. With FIM, a user's credentials are always stored with a "home" organization (the identity provider). When the user logs into a service (a SaaS application), instead of providing credentials to the service provider, the service provider trusts the identity provider to validate them. So the user never provides credentials to anyone but the identity provider. You are federating your service providers (SaaS applications) with your FIM (identity provider). It is a many-to-one mapping: many SaaS applications to one identity provider.
FIM and SSO are different but are very often used together. Remember, FIM gives you SSO, but SSO doesn’t necessarily give you FIM.
Identity federation offers economic advantages, as well as convenience, to enterprises and their subscribers. For example, multiple corporations can share a single application (B2B federation), with the resulting cost savings and consolidation of resources. For FIM to be effective, the partners must have mutual trust. Authorization messages among partners in an FIM system can be transmitted using Security Assertion Markup Language (SAML) or a similar XML standard that allows a user to log on once for affiliated but separate websites or networks. Additionally, FIM systems (IDPs) like Delinea provide automated account provisioning and de-provisioning into SaaS applications like Office 365, Salesforce, AWS, and ServiceNow. Automated account provisioning gives the IT department the benefit that a new user is provisioned into all applications assigned to him automatically, based on role or group membership in the user directory, such as Active Directory or LDAP. The user has the benefit of only having to remember his "domain credentials." In a nutshell, FIM is cheaper and much more secure in the long run because:
- IT doesn't need to manage individual SaaS accounts; it happens automatically.
- Licenses for those SaaS applications are assigned or removed automatically.
- Access to ALL SaaS applications is removed at once.
- The user only needs to remember ONE username and password combination.
- FIM allows IT to protect critical apps with multi-factor authentication.
- The user has a single user interface to access ALL his SaaS applications.
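The trust model described above (credentials stay with the identity provider; service providers only verify signed assertions) and the "remove access everywhere at once" property of central de-provisioning, as an added example that is not part of the original post or of any vendor's product. It uses an HMAC-signed JSON claim set as a stand-in for a SAML assertion (real SAML uses XML with an asymmetric XML-DSig signature); the issuer, application names, and group-to-role mapping are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed example: an HMAC-signed JSON claim set stands in for a SAML assertion;
# "https://idp.example", the SP names and the role map are hypothetical.

class IdentityProvider:
    """Home organization: the only party that ever sees the user's password."""
    def __init__(self, issuer, signing_key, trusted_sps):
        self.issuer, self.key, self.trusted_sps = issuer, signing_key, set(trusted_sps)
        self.users = {}  # username -> {"pw": hash, "groups": [...], "active": bool}

    def add_user(self, name, password, groups):
        # Demo only: a real IdP stores a salted, slow password hash.
        self.users[name] = {"pw": hashlib.sha256(password.encode()).hexdigest(),
                            "groups": list(groups), "active": True}

    def deprovision(self, name):
        # One switch revokes access to every federated SP at once.
        self.users[name]["active"] = False

    def authenticate(self, name, password, audience, now=None):
        u = self.users.get(name)
        if (u is None or not u["active"] or audience not in self.trusted_sps
                or not hmac.compare_digest(u["pw"], hashlib.sha256(password.encode()).hexdigest())):
            return None  # no assertion is issued; the SP never sees the password
        claims = {"iss": self.issuer, "sub": name, "aud": audience,
                  "groups": u["groups"], "exp": (now or time.time()) + 300}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    """SaaS application: trusts the IdP's signature and holds no passwords at all."""
    def __init__(self, name, idp_issuer, idp_key, role_map):
        self.name, self.idp_issuer, self.key, self.role_map = name, idp_issuer, idp_key, role_map
        self.accounts = {}  # provisioned automatically from IdP group membership

    def accept(self, assertion, now=None):
        body, _, sig = assertion.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered assertion
        c = json.loads(base64.urlsafe_b64decode(body))
        if c["iss"] != self.idp_issuer or c["aud"] != self.name or c["exp"] < (now or time.time()):
            return None  # wrong issuer, replayed against another SP, or expired
        role = next((self.role_map[g] for g in c["groups"] if g in self.role_map), None)
        if role is None:
            return None  # authenticated, but not entitled to this application
        self.accounts[c["sub"]] = role  # just-in-time provisioning from group membership
        return role
```

Disabling the user at the IdP is enough to stop every federated application from issuing a new session, which is the de-provisioning point the list above makes.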