Federation

Is Federation closer to something like a Federal structure?

It is, actually. Many countries around the world follow a federal structure of governance where provinces govern themselves under a federal government at the centre. The federal government is like the dad of all provincial governments. Federation in technology is a tad similar to this style of governance, but it is also different. The common thread between the two is the guiding cooperation shared by two entities, which in the case of the government structure are the federal and state governments. Confused? Let’s get to the first question then.

What is Federation all about?

Federation is all about sharing: sharing federated identities between two entities so as to remove redundancies. Let’s look at it from the social networking perspective. Most websites that require consumers to create an account and log in also let customers log in using their social identities. You probably already know this is called Social Login. With Social Login, businesses don’t have to force customers to register the first time they attempt to sign in; they can directly leverage the customers’ Facebook or Google identities and lead them to their accounts. Social Login is nothing but Social Federation, with the social identity being the federated identity.

So, at the basic level, the business is not provisioning identities but is using identities created by another business, which in the case of social login is a social network. The federated identity is only used to authenticate a user or, in other words, to ascertain that the person seeking access is genuine. After this process, the business could choose to create a dedicated account. However, authentication would always remain dependent on the social network or the other business.

Is there any prerequisite to this?

Of course there is. The first and foremost is trust: trust between the two parties. Federated Identity Management architecture divides the parties into two types: the Identity Provider and the Service Provider. The access-seeking customer is the Principal, or user. To establish a federated identity management architecture, the service provider must be able to trust the identity provider. If you don’t trust that Facebook will authenticate only genuine users, there is no point in establishing the system, because you effectively believe you are exposing your infrastructure to external threats. This is why Federation is based on trust agreements between the identity provider and the service provider(s). Identity and service providers then work with each other within an environment of laid-down protocols.

What protocols does Federated Identity Management use?

Federated Identity Management requires protocols for communication between the identity provider and the service provider. Most commonly, OpenID and SAML are used for federated identity management; OAuth is also used, but for the purpose of authorization. A simple federation flow would be to set up an environment with an identity provider and a service provider. A user seeking access to a website, which is the service provider, reaches it, requests login and presents username and password credentials. Once entered, the service provider sends this information in a SAML request to the identity provider, where it is parsed. The identity provider verifies the credentials and sends a SAML response, which the service provider accepts as authentication, and the user is logged in.
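The trust relationship from the previous answer and the request/response exchange from this one, as an added example that is not code from the original article. A service provider issues a request, an identity provider authenticates the principal against its own user store and returns a signed assertion, and the service provider accepts it only after a series of checks. Simplifications are labelled: the trust agreement is modelled as a shared HMAC key (real SAML uses an XML signature verified against the identity provider's certificate published in its metadata), messages are dictionaries rather than XML, and the entity IDs, key and user store are constructed sample values. In this model the password is checked at the identity provider and the service provider never handles it; what the service provider relies on is the signed response, and the checks in consume_response are what "trusting the identity provider" means in practice.

```python
"""Minimal federation exchange between a service provider (SP) and an
identity provider (IdP), modelled on the SAML request/response pattern.
Added example; the shared HMAC key stands in for the trust agreement."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed: stands in for the trust agreement between the two parties.
TRUST_KEY = b"constructed-shared-signing-key"

IDP_ENTITY_ID = "https://idp.example.org"  # hypothetical identity provider
SP_ENTITY_ID = "https://app.example.com"   # hypothetical service provider

# Constructed user store; it exists only at the IdP. The SP never
# provisions these identities and never sees the password.
IDP_USERS = {"alice": "correct horse battery staple"}

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def sign(payload: dict, key: bytes) -> str:
    """Signature over a canonical encoding of the assertion."""
    canonical = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id: str, key: bytes, users: dict):
        self.entity_id, self.key, self.users = entity_id, key, users

    def handle_authn_request(self, request: dict, username: str, password: str,
                             now: Optional[float] = None) -> Optional[dict]:
        """Authenticate the principal locally; on success issue a signed
        assertion addressed to the service provider that asked."""
        now = time.time() if now is None else now
        expected = self.users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        assertion = {
            "Issuer": self.entity_id,
            "Subject": username,
            "Audience": request["Issuer"],   # only this SP may accept it
            "InResponseTo": request["ID"],   # ties it to exactly one request
            "NotBefore": now,
            "NotOnOrAfter": now + ASSERTION_LIFETIME,
        }
        return {"Assertion": assertion, "Signature": sign(assertion, self.key)}


class ServiceProvider:
    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.outstanding = set()  # request IDs issued and not yet consumed

    def create_authn_request(self) -> dict:
        request_id = "_" + secrets.token_hex(16)
        self.outstanding.add(request_id)
        return {"ID": request_id, "Issuer": self.entity_id,
                "Destination": self.idp_entity_id}

    def consume_response(self, response: dict,
                         now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated subject, or None if any trust check fails."""
        now = time.time() if now is None else now
        assertion = response.get("Assertion", {})
        # 1. Signature: the response really comes from the IdP we trust.
        if not hmac.compare_digest(sign(assertion, self.idp_key),
                                   response.get("Signature", "")):
            return None
        # 2. Issuer: the IdP named in our trust agreement, not another party.
        if assertion.get("Issuer") != self.idp_entity_id:
            return None
        # 3. Audience: the assertion was issued for this SP, not some other SP.
        if assertion.get("Audience") != self.entity_id:
            return None
        # 4. InResponseTo: answers a request we issued, and is consumed once.
        if assertion.get("InResponseTo") not in self.outstanding:
            return None
        self.outstanding.discard(assertion["InResponseTo"])
        # 5. Validity window: stale assertions are rejected.
        if not (assertion["NotBefore"] <= now < assertion["NotOnOrAfter"]):
            return None
        return assertion["Subject"]


def federated_login(username: str, password: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Run the whole exchange and return the subject the SP logs in."""
    idp = IdentityProvider(IDP_ENTITY_ID, TRUST_KEY, IDP_USERS)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, TRUST_KEY)
    request = sp.create_authn_request()
    response = idp.handle_authn_request(request, username, password, now)
    return None if response is None else sp.consume_response(response, now)


if __name__ == "__main__":
    print(federated_login("alice", "correct horse battery staple"))  # alice
    print(federated_login("alice", "wrong password"))                # None
```

The five checks in consume_response are the ones a service provider cannot skip once it outsources authentication: without the audience and InResponseTo checks, an assertion issued for a different site or replayed from an earlier login would be accepted, and without the validity window an old assertion would stay usable indefinitely.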

Federated Identity Management versus Single Sign-On. Are they different?

Single Sign-On is technically a subset of Federated Identity, though they are designed to solve similar kinds of problems. Single Sign-On is basically used to access multiple systems with the same set of credentials within a single organization. Federation, on the other hand, is more expansive and offers access to multiple systems across multiple enterprise organizations. So while Single Sign-On is one set of credentials to access, say, all Oracle applications, federation allows one set of credentials for, say, all Oracle, Microsoft and Google applications (this is only an example and not literal, since there is no such agreement now).