CIAM.wiki

Identity Federation

Identity federation lets a user authenticate with one identity provider and gain access to applications run by other parties that trust it, so a single identity works across organizational boundaries.

Also: federation, federated identity

Identity federation establishes trust between separate domains so that an identity issued in one is accepted in another. A service provider relies on an external identity provider to authenticate the user, then trusts the assertion or token it receives, rather than holding the user’s credentials itself.

Federation is what makes cross-organization single sign-on possible. The protocols that carry it are OpenID Connect and SAML, and the trust is set up in advance through configuration and key exchange between the parties.

In CIAM, federation appears in two main ways. Social login federates to consumer providers such as Google or Apple, and business-to-business login federates to enterprise customers’ own identity providers, so their employees sign in with their existing corporate accounts.
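The relying-party side of that pre-arranged trust, as an added example that is not code from this glossary page: a service provider accepts an ID token only if it comes from an issuer in its configured trust list, the signature verifies under the key agreed during setup, the token is addressed to this client, and it is still valid. Assumptions: the issuer URL, key and client id are placeholders, and HS256 (HMAC) stands in for the RS256 signing that OpenID Connect providers normally use with published JWKS keys, so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed trust configuration. In a real deployment these values come from
# the advance configuration and key exchange between the relying party and each
# identity provider; the issuer URL, key and client id here are placeholders.
TRUSTED_ISSUERS = {
    "https://idp.example-corp.test": b"placeholder-key-from-key-exchange",
}
CLIENT_ID = "placeholder-relying-party-client-id"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(issuer: str, key: bytes, claims: dict) -> str:
    """Stand-in for the identity provider issuing an ID token. Assumption: HS256
    so the example runs offline; real OIDC providers normally sign with RS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_federated_token(token: str, now=None, expected_nonce=None):
    """Relying-party check of a federated assertion: trusted issuer, valid
    signature under the pre-exchanged key, correct audience, not expired.
    Returns (subject, "ok") on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, AttributeError):
        return None, "malformed token"
    if header.get("alg") != "HS256":      # never let the token choose the algorithm
        return None, "unexpected algorithm"
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:                        # issuer not in the pre-configured trust list
        return None, "untrusted issuer"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    if claims.get("aud") != CLIENT_ID:     # minted for some other relying party
        return None, "wrong audience"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    return claims.get("sub"), "ok"
```

The same issuer allow-list and audience check apply whether the provider is a consumer one used for social login or an enterprise customer's own identity provider; only the configured entries differ.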