Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
Unlock Seamless Access with Federated Identity Management
Identity Fundamentals
What is Identity and Access Management (IAM)?
Identity Providers and Service Providers
Centralized Identity Management
What is Centralized Identity Management?
How Does Centralized Identity Management Work?
Centralized Identity Standards
SAML
OAuth
OpenID Connect (OIDC)
Decentralized Identity Management
What is Decentralized Identity Management?
How Does Decentralized Identity Management Work?
How is Decentralized Identity Different?
Decentralized Identity Standards
Common Terms
Zero Trust Security
Orchestration
Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust
What Is B2B Identity and Access Management (B2B IAM)
Agentic AI
Key IAM Considerations to Support Agentic AI
AI Agent Classes and Use Cases
IAM Best Practices for AI Agents
Reference Implementations and Patterns
Expand All | Collapse All

Federated Identity Management

 

Federated identity management (FIM) is a system that allows users in separate organizations to access the same networks, applications, and resources using one set of credentials. Each organization maintains their own identity management systems, which are linked to a third-party identity provider (IdP) that stores user credentials and authenticates users across organizations. 

 

When organization domains are federated, users can authenticate in one domain and access resources in the other domain without having to sign on again. For example, if an organization wants to provide users on-click access to third-party applications, such as Salesforce, Workday, or Zoom, an FIM solution is needed. Essentially, federated identity management enables single sign-on (SSO) across company lines.

 

Difference between SSO and FIM


SSO differs from FIM because:

 

  • SSO provides one-click access to applications and resources within one organization. 

  • FIM provides one-click access to applications across multiple organizations.


Let’s take a look at the user SSO experience for Acme Bank. In this example, bank customers can sign on to the bank’s site and perform a variety of tasks, such as checking their account balances and transferring money between accounts. Even if these services are actually separate applications managed by the bank behind the scenes, SSO provides customers with a seamless experience.

A diagram depicts a flow from the user to SSO and then to capabilities at Acme Bank including check savings balance transfer money and check checking balance

With FIM, bank customers can still sign on to the bank’s site and perform a variety of tasks, but they can also access externally managed services. Users can order checks, send money to others using Zelle, and apply for a loan without having to reauthenticate.

 

A diagram depicts a flow from the user to FIM to Acme Bank and then to capabilities including order checks send money and apply for loan

How does FIM work?

 

As with most identity and access management solutions, there are a variety of ways FIM can be implemented. It’s common for an organization to serve as the IdP that stores user identity information, as shown in this diagram. In this scenario, the IdP also establishes trusted relationships with service providers (SPs) that reside outside the organization so that users have seamless access to the SP applications and resources.

 

Here’s how it works:

A diagram depicts IdPinitiated Federated SSO with a sixstep sequence illustrating a typical federated SSO use case The steps are as follows 1 User requests access to an app through the IdP 2 On first signon IdP requests credentials 3 IdP checks credentials against identity directory 4 Encrypted assertion authenticating the user is passed to the SP 5 SP accepts assertion and directs user to the app and 6 With the assertion user can now access any SP in the trusted group without login

 

  1. A user clicks to access a third-party application that resides outside of the organization domain.

     

  2. The first time they sign on to their system, the IdP requests their credentials.

     

  3. The IdP verifies that the credentials provided match the credentials in the identity directory.

     

  4. The IdP sends an encrypted assertion to the SP indicating that the user is who they claim to be.

     

  5. The SP accepts the assertion and directs the user to the application or service.

     

  6. The user can now access any application or service in the trusted group without authenticating again.

Related Resources:

Capability
Single Sign-on Solutions

   

Start Today

Contact Sales

sales@pingidentity.com

See how Ping can help you deliver secure employee, partner, and customer experiences in a rapidly evolving digital world.