Federated identity management (FIM) and single sign-on (SSO) are not synonymous — Federated Identity Management provides single sign-on, but SSO does not give you FIM. This is an important distinction.
Single Sign-On allows users to access multiple services with a single set of login credentials.
The term is a little ambiguous. Sometimes it’s used to mean that a user must only provide credentials once per session and then gains access to multiple services without having to sign in again during that session. Think of your bank account — you log in once but now you can access all your accounts such as savings, retirement, investment, mortgage and so on without being prompted for credentials again. But, these individual accounts are likely all separate from each other. If you pay close attention to your browser bar as you click on the different accounts, you may see something like this:
The call is reauthenticating you during the same session — providing SSO (there may be other things going on, but we’ll keep this straightforward).
Some people think of SSO merely as using the same credentials for multiple applications: the user might have to log in multiple times, but with the same credentials each time. You see this in large enterprise settings sometimes, many applications but one set of login credentials that is used in all of them. You log into an app and, as you try to access some other app, you must enter your credentials again.
Some people may even consider password management tools SSO solutions. They are not; they are password managers that let you save multiple logins so you do not have to remember them all. So, beware: not all SSOs are created equal.
Some of the downsides with SSO, compared to Federated Identity Management, are:
You are reliant on each application to support multi-factor authentication (MFA) for additional protection.
The user must remember all the different credentials, log in at different login locations or even resort to a password manager.
IT must manage all the individual logins for all users, which results in some users having access to sensitive information long after they no longer require it, simply because IT or the responsible department has not de-provisioned the account.
Federated identity management (FIM) refers to a way to connect systems together. With FIM, a user’s credentials are always stored with a “home” organization (the “identity provider”). When the user logs into an application, instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials. So, the user never provides credentials directly to anyone but the identity provider. You are federating your service providers (applications) with your FIM (identity provider). It’s a many to one mapping, many applications to one identity provider.
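The trust relationship described above, as an added example that is not part of the original post: the identity provider authenticates the user and mints a signed assertion addressed to one service provider; the service provider never sees a password, it only checks the identity provider's signature, that the assertion was minted for it and not for some other federated application, and that it has not expired. The issuer and application URLs, the shared secrets and the HMAC-based token format are assumptions made for this example; a real deployment uses XML-signed SAML assertions or signed OAuth/OIDC tokens, but the checks an SP must perform are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: one identity provider, two federated service providers.
# Each SP shares a distinct secret with the IdP (assumption: HMAC-signed
# assertions stand in for the XML-signed SAML assertions or signed OAuth/OIDC
# tokens that real deployments use).
IDP_ISSUER = "https://idp.example.gov"
SP_SECRETS = {
    "https://tax.example.gov": b"constructed-secret-for-tax-app",
    "https://permits.example.gov": b"constructed-secret-for-permits-app",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(subject: str, audience: str, now: float, ttl: int = 300) -> str:
    """The IdP has already authenticated `subject` itself (password, MFA, ...);
    it now mints a short-lived assertion addressed to exactly one SP."""
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SP_SECRETS[audience], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def sp_verify_assertion(assertion: str, my_audience: str, now: float) -> Optional[dict]:
    """The SP never handles credentials. It verifies the IdP's signature with
    its own shared secret, then checks issuer, audience and expiry.
    Returns the claims on success, None on any failure."""
    try:
        body, sig = assertion.split(".")
    except ValueError:
        return None
    # Verify with *this* SP's secret: an assertion minted for another
    # application fails here even before the audience claim is inspected.
    expected = hmac.new(SP_SECRETS[my_audience], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != my_audience:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


if __name__ == "__main__":
    now = time.time()
    token = idp_issue_assertion("alice", "https://tax.example.gov", now)
    print("tax app accepts:", sp_verify_assertion(token, "https://tax.example.gov", now))
    print("permits app rejects:", sp_verify_assertion(token, "https://permits.example.gov", now))
```

The audience and expiry checks are what turn "the SP trusts the IdP" into something safe: without them, an assertion issued for one application could be presented to another, or kept and reused indefinitely.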
FIM and SSO are different but are very often used together. Remember, FIM gives you SSO, but SSO doesn’t necessarily give you FIM.
Identity federation offers economic advantages and convenience to governments and their users. For FIM to be effective, the parties must trust each other. Authorization messages among partners in a FIM system can be transmitted using the Security Assertion Markup Language (SAML 2.0), OAuth, or a similar federation standard that allows a user to log on once for affiliated but separate websites or networks. Additionally, FIM systems (IdPs) like CitizenOne can provide automated account provisioning and de-provisioning into applications around the government enterprise. Automated account provisioning gives the government department the benefit that a new user can be automatically provisioned into the applications available to them. The user has the benefit of having to remember only one set of credentials. Some of the benefits of FIM include:
Access to applications can be more easily managed (both from the user's and the government's point of view).
The user only needs to remember one username and password combination.
FIM allows a government to protect critical apps with Multi-Factor Authentication in a citizen-focused, contextual way (e.g. no blanket approach).
The user has a single user interface to access all their applications.
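The automated provisioning and de-provisioning mentioned above is what closes the gap the SSO-only model leaves (accounts that outlive the user's need for them). As an added example, not code from the post or from CitizenOne, the reconciliation below compares the identity provider's view of each user with the accounts each federated application reports and derives the provisioning actions to push: create accounts active users are entitled to but lack, and deactivate accounts that belong to departed users or that exist in an application the user is no longer entitled to. The user records, application names and the `{app: {username: active}}` report format are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample data; field and application names are assumptions.
@dataclass
class IdpUser:
    username: str
    active: bool                       # False once the person has left
    entitlements: Set[str] = field(default_factory=set)  # apps they should have


Action = Tuple[str, str, str]  # (verb, application, username)


def reconcile(idp_users: List[IdpUser], sp_accounts: Dict[str, Dict[str, bool]]) -> List[Action]:
    """Compare the IdP's authoritative view with what each federated app reports.

    sp_accounts maps application -> {username: account_is_active}.
    Returns sorted ("provision"|"deprovision", app, username) actions.
    """
    by_name = {u.username: u for u in idp_users}
    actions: Set[Action] = set()

    # Orphaned or drifted accounts: active in an app, but the IdP says the
    # user is gone, disabled, or no longer entitled to that app.
    for app, accounts in sp_accounts.items():
        for username, active in accounts.items():
            if not active:
                continue
            user = by_name.get(username)
            if user is None or not user.active or app not in user.entitlements:
                actions.add(("deprovision", app, username))

    # Missing accounts: the IdP entitles an active user to an app where no
    # active account exists yet.
    for user in idp_users:
        if not user.active:
            continue
        for app in user.entitlements:
            if not sp_accounts.get(app, {}).get(user.username, False):
                actions.add(("provision", app, user.username))

    return sorted(actions)


def sample_run() -> List[Action]:
    """Constructed scenario covering each case the reconciliation handles."""
    idp = [
        IdpUser("alice", True, {"tax", "permits"}),   # fully in sync
        IdpUser("bob", False, {"tax"}),               # left the organisation
        IdpUser("carol", True, {"permits"}),          # moved roles; tax no longer needed
        IdpUser("dave", True, {"tax"}),               # new starter, not yet provisioned
    ]
    reported = {
        "tax": {"alice": True, "bob": True, "carol": True},
        "permits": {"alice": True, "carol": True, "erin": True},  # erin unknown to IdP
    }
    return reconcile(idp, reported)


if __name__ == "__main__":
    for verb, app, user in sample_run():
        print(f"{verb:12} {app:8} {user}")
```

Running the reconciliation on a schedule, or on every IdP status change, is what makes "the user left" propagate to every federated application without a department having to remember each individual login.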