Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
Federated Identity Management | Ping Identity
Identity Fundamentals
Expand All | Collapse All
Identity and Access Management
Identity Providers and Service Providers
Centralized vs Decentralized Identity Management
Zero Trust Security
Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Authentication and Authorization Standards
SAML
OAuth
OpenID Connect (OIDC)
Identity Orchestration
Authentication and Authorization Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust

Federated Identity Management

 

Federated identity management (FIM) is a system that allows users in separate organizations to access the same networks, applications, and resources using one set of credentials. Each organization maintains their own identity management systems, which are linked to a third-party identity provider (IdP) that stores user credentials and authenticates users across organizations. 

 

When organization domains are federated, users can authenticate in one domain and access resources in the other domain without having to sign on again. For example, if an organization wants to provide users on-click access to third-party applications, such as Salesforce, Workday, or Zoom, an FIM solution is needed. Essentially, federated identity management enables single sign-on (SSO) across company lines.

 

Difference between SSO and FIM


SSO differs from FIM because:

 

  • SSO provides one-click access to applications and resources within one organization. 

  • FIM provides one-click access to applications across multiple organizations.


Let’s take a look at the user SSO experience for Acme Bank. In this example, bank customers can sign on to the bank’s site and perform a variety of tasks, such as checking their account balances and transferring money between accounts. Even if these services are actually separate applications managed by the bank behind the scenes, SSO provides customers with a seamless experience.

A diagram depicts a flow from the user to SSO and then to capabilities at Acme Bank, including check savings balance, transfer money, and check checking balance.

With FIM, bank customers can still sign on to the bank’s site and perform a variety of tasks, but they can also access externally managed services. Users can order checks, send money to others using Zelle, and apply for a loan without having to reauthenticate.

 

A diagram depicts a flow from the user to FIM, to Acme Bank, and then to capabilities, including order checks, send money, and apply for loan.

How does FIM work?

 

As with most identity and access management solutions, there are a variety of ways FIM can be implemented. It’s common for an organization to serve as the IdP that stores user identity information, as shown in this diagram. In this scenario, the IdP also establishes trusted relationships with service providers (SPs) that reside outside the organization so that users have seamless access to the SP applications and resources.

 

Here’s how it works:

A diagram depicts “IdP-initiated Federated SSO,” with a six-step sequence illustrating a typical federated SSO use case. The steps are as follows: 1) User requests access to an app through the IdP, 2) On first sign-on IdP requests credentials, 3) IdP checks credentials against identity directory, 4) Encrypted assertion authenticating the user is passed to the SP, 5) SP accepts assertion and directs user to the app, and 6) With the assertion user can now access any SP in the trusted group without login.

 

  1. A user clicks to access a third-party application that resides outside of the organization domain.

     

  2. The first time they sign on to their system, the IdP requests their credentials.

     

  3. The IdP verifies that the credentials provided match the credentials in the identity directory.

     

  4. The IdP sends an encrypted assertion to the SP indicating that the user is who they claim to be.

     

  5. The SP accepts the assertion and directs the user to the application or service.

     

  6. The user can now access any application or service in the trusted group without authenticating again.

Related Resources:

Capability
Single Sign-on Solutions

   

Start Today

Contact Sales

sales@pingidentity.com

+1 877-898-2905

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.