Federated identity management (FIM) is a system that allows users in separate organizations to access the same networks, applications, and resources using one set of credentials. Each organization maintains its own identity management system, which is linked to a third-party identity provider (IdP) that stores user credentials and authenticates users across organizations.
When organization domains are federated, users can authenticate in one domain and access resources in the other domain without having to sign on again. For example, if an organization wants to provide users one-click access to third-party applications, such as Salesforce, Workday, or Zoom, an FIM solution is needed. Essentially, federated identity management enables single sign-on (SSO) across company lines.
Difference between SSO and FIM
SSO differs from FIM because:
SSO provides one-click access to applications and resources within one organization.
FIM provides one-click access to applications across multiple organizations.
Let’s take a look at the user SSO experience for Acme Bank. In this example, bank customers can sign on to the bank’s site and perform a variety of tasks, such as checking their account balances and transferring money between accounts. Even if these services are actually separate applications managed by the bank behind the scenes, SSO provides customers with a seamless experience.
With FIM, bank customers can still sign on to the bank’s site and perform a variety of tasks, but they can also access externally managed services. Users can order checks, send money to others using Zelle, and apply for a loan without having to reauthenticate.
How does FIM work?
As with most identity and access management solutions, there are a variety of ways FIM can be implemented. It’s common for an organization to serve as the IdP that stores user identity information, as shown in this diagram. In this scenario, the IdP also establishes trusted relationships with service providers (SPs) that reside outside the organization so that users have seamless access to the SP applications and resources.
Here’s how it works:
A user clicks to access a third-party application that resides outside of the organization domain.
The first time they sign on in a session, the IdP requests their credentials.
The IdP verifies that the credentials provided match the credentials in the identity directory.
The IdP sends an encrypted assertion to the SP indicating that the user is who they claim to be.
The SP accepts the assertion and directs the user to the application or service.
The user can now access any application or service in the trusted group without authenticating again.
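The six steps above, as an added simulation that is not part of the original article: a constructed IdP authenticates once, then issues signed assertions for each service provider, and each SP checks the signature, audience, validity window and replay before admitting the user. It assumes an HMAC over a JSON body standing in for the XML signature and encryption a real SAML deployment would use.

```python
import hmac, hashlib, json, time, secrets

# Constructed demo key shared by the IdP and its SPs (stand-in for the IdP's X.509 signing key)
IDP_KEY = b"constructed-demo-signing-key"

class IdentityProvider:
    def __init__(self, key, directory):
        self.key, self.directory, self.sessions = key, directory, {}

    def authenticate(self, username, password):
        # Steps 2-3: verify credentials against the identity directory (plain strings for the demo only)
        if not hmac.compare_digest(self.directory.get(username, ""), password):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = username          # one IdP session drives every later SP access
        return token

    def issue_assertion(self, session, audience, ttl=300):
        # Step 4: assert the user's identity to one SP without prompting for credentials again
        user = self.sessions.get(session)
        if user is None:
            return None
        now = int(time.time())
        body = {"iss": "idp.example", "sub": user, "aud": audience,
                "iat": now, "exp": now + ttl, "id": secrets.token_hex(8)}
        raw = json.dumps(body, sort_keys=True)
        return {"assertion": raw, "sig": hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()}

class ServiceProvider:
    def __init__(self, name, idp_key):
        self.name, self.key, self.seen_ids = name, idp_key, set()

    def accept(self, msg):
        # Step 5: trust the assertion only if it is signed by our IdP, meant for us, current and unseen
        raw = msg["assertion"]
        expected = hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return None                            # tampered or forged
        a = json.loads(raw)
        now = time.time()
        if a["iss"] != "idp.example" or a["aud"] != self.name:
            return None                            # not our IdP, or an assertion minted for another SP
        if not (a["iat"] <= now < a["exp"]) or a["id"] in self.seen_ids:
            return None                            # expired, not yet valid, or replayed
        self.seen_ids.add(a["id"])
        return a["sub"]                            # Step 6: user admitted without re-authenticating
```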