Over the course of the past 10 years, federated single sign-on (SSO) has been successfully applied across many different business sectors. Today, the majority of federated SSO connections are based on the SAML 2.0 protocol. But what happens when a party wants to start using a new protocol (say OpenID Connect) or wants to upgrade to a newer version of an existing protocol (say SAML 1.1 to SAML 2.0)?
In traditional single-protocol implementations, one would have to make sure that all federation partners have deployed the new protocol stack before making a big-bang transition. That is a time-consuming and labor-intensive process that is likely to break at some point.
Multi-protocol implementations such as PingFederate make our lives easier by supporting a range of different protocols and versions in a single software product so that one protocol can be used alongside others. The result supports a gradual transition strategy so that over time all partners can be moved over to the new protocol.
As you will notice, the fact that peers communicate directly with each other means that they inherently have to speak the same protocol, which complicates matters. So let's introduce an intermediate entity, call it a federation gateway, that sits between the two peers.
The peers connect to the gateway and no longer communicate directly. The gateway supports multiple federation protocols. The peers each can use their preferred protocol to communicate with the gateway. The gateway will translate between different protocols and realize end-to-end communication between all peers, regardless of the protocols in use.
As you can see, the concept of a federation gateway (a.k.a. federation proxy, federation router or federation bridge) presents a way to more easily upgrade or migrate between federation protocols. Not coincidentally, it is a feature that is supported by PingFederate: PingFederate 7.0 can bridge between OpenID Connect, SAML and WS-Federation. The federation gateway concept brings us interoperability between old, new and yet-to-be-invented federation protocols and languages, in the way a Babel fish would do.
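To make the translation step concrete, here is an added example (not PingFederate code, nor part of the original post) of the core of a SAML-to-OpenID Connect bridge: the gateway validates the inbound SAML 2.0 assertion's audience and validity window, then re-issues the identity as an OIDC claim set under its own issuer name. The attribute-to-claim mapping, the `upstream_idp` claim and the sample assertion are assumptions constructed for the example; XML signature verification is assumed to happen before this function is called.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed SAML attribute -> OIDC claim mapping configured on the gateway; anything
# not listed here is dropped rather than forwarded blindly to the relying party.
ATTR_TO_CLAIM = {"mail": "email", "givenName": "given_name", "sn": "family_name"}
def _ts(iso):  # SAML timestamps are UTC ISO-8601 with a trailing Z -> epoch seconds
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()

def saml_to_oidc_claims(assertion_xml, gateway_entity_id, gateway_issuer, client_id, now=None):
    """Map an inbound SAML 2.0 assertion to the claim set of an outbound OIDC ID token.
    Assumes the caller already verified the XML signature against the upstream IdP key;
    this step enforces audience and validity window, then re-issues the identity."""
    now = time.time() if now is None else now
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if gateway_entity_id not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this gateway")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    # The gateway is the issuer towards the RP; the original IdP is kept in a hypothetical extra claim.
    claims = {"iss": gateway_issuer, "sub": name_id, "aud": client_id,
              "iat": int(now), "exp": int(now) + 300,
              "upstream_idp": root.findtext("saml:Issuer", namespaces=NS)}
    for attr in root.findall(".//saml:Attribute", NS):
        claim = ATTR_TO_CLAIM.get(attr.get("Name"))
        if claim:
            claims[claim] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims
# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://gw.example.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = _ts("2024-01-01T00:01:00Z")  # inside the validity window above
```

The unmapped `memberOf` attribute is deliberately not forwarded: a gateway that relays every upstream attribute unchanged turns into a claim-laundering point for its relying parties.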