What Are Identity Federation Services? How to Secure Applications with SAML and OpenID Connect
Identity services are a collection of tools for managing users and their accounts. They help to create, manage, and use digital identities.
An identity federation service is a centralized authentication solution that handles user identities and manages security policies, permitting access to resources based on the user’s identity. Such services can be used in multi-tenant environments, allowing different organizations, or divisions within the same organization, to interact with each other even when their systems are located on different servers or on servers belonging to different companies.
What is an identity federation service?
Identity Federation Service, or IFS as it is sometimes called, is a way of connecting multiple identity providers together to share data and control access to information. This can be used to share information across “multi-tenant” domains such as corporations and government agencies, or it can be used in conjunction with other tools to provide single sign-on for users within a single organization.
A federated identity service is a network of different identity management systems that work together to provide users with single sign-on (SSO) and multi-factor authentication. A federated identity system is built on top of existing public key infrastructure (PKI) and uses it as the basis for integrating different systems into a single, centralized database.
The functions of identity services are:
- Provide a consistent, authoritative identity for users across applications.
- Protect the privacy and security of users’ personal information.
- Facilitate the conversion between different types of identity credentials issued by different organizations (e.g., a user’s SSN and their Google account).
- Enable two-factor authentication on all applications that support it (e.g., Google Apps).
Components of a federated identity system
The Identity Provider (IdP) is the entity that issues users their credentials and prompts them to log in when an online service requires it. The IdP can be a standalone application or an integrated part of a larger organization, such as your company’s HR department.
The Service Provider (SP) is an entity or organization that hosts applications for its users. You might use this term to refer to your company’s website, but it can also refer to third-party sites like social media platforms or banks that host their own applications on their servers.
There are many ways to enable identity federation services, including single sign-on, SAML, and OpenID.
- SAML stands for Security Assertion Markup Language. It is an open XML standard that enables interoperability between services that use different security protocols. SAML enables users and systems to exchange assertions about themselves in order to prove who they are and what they have access to. This allows federated applications to work with any SAML-enabled service provider without having to worry about whether the service provider supports that particular protocol or not.
SAML-based identity federation uses XML to describe how authentication works between two parties: the authentication service provider (ASP) and the service consumer (SC). The two parties create an XML document that defines the identity federation process between them. Once created, this document can be shared with other organizations so that they can also federate their users’ identities with one another.
- OpenID Connect is a protocol that enables applications to obtain user credentials from other applications and services, without requiring users to re-enter their passwords on every site or service. OpenID Connect aims to enable seamless integration between different forms of identity – including social media sites, email providers, and even third-party directories – so that users can have one set of credentials that work across all those different platforms.
OpenID federation is an open standard that allows users to authenticate themselves through any website or application that supports OpenID technology. This means that any provider that supports OpenID can issue you an ID token, and you can use that token to authenticate yourself to a site that accepts it.
- Single sign-on (SSO) identity federation is a way for users to access multiple websites or applications that require different user IDs and passwords. SSO lets users log in once and get access to all of the online services they use, such as Google, Facebook, Netflix, and Twitter.
Need for identity federation
Identity federation is a way to connect different systems to each other. It lets you use the same identity across those systems in order to access them. For example, if your bank offers a single sign-on service and you use it to log in to your e-mail or web browser, then when you later log in to the bank’s website it will reuse the credentials from that earlier login.
Is miniOrange a federation service?
miniOrange is a federation service. miniOrange provides secure access to resources on the web, such as websites, email addresses, and phone numbers. Since miniOrange doesn’t store any information about you or your organization, you can use it confidently.
The service includes single sign-on (SSO) and session management capabilities, as well as APIs for fetching public content data from other federated services.