Term · 2. Authentication & Authorization
Identity Federation
Identity federation lets users authenticate with their home organization's identity provider to access applications owned by another party — without a separate account. Trust is established between identity providers and service providers using standards such as SAML, OIDC and WS-Federation. It enables business-to-business SSO, social login and cross-cloud access, reducing password sprawl and centralizing offboarding.
Definition
Trust arrangement letting an identity authenticated in one domain (Identity Provider) access resources in another (Relying Party / Service Provider) without a separate local account. Implemented via standards such as SAML 2.0, OpenID Connect, and WS-Federation. Foundation for cross-organisation SSO, B2B access, and social/government login.
Application
- MidPoint: MidPoint acts as an identity data source and integrates with federated identity providers via SAML and OpenID Connect.
Standards & regulations
- NIST SP 1800-3B «When system requirements include **identity federation**, protocols such as SAML 2.0 and OpenID Connect can define the syntax and semantics for passing identity and authorization information between t»
- OASIS WS-Federation 1.2 «This specification defines mechanisms that are used to enable **identity, attribute, authentication, and authorization federation** across different trust realms.»
- OASIS IDCloud-paas-v1.0 «The following OASIS standards for **Federated Identity** are applicable: OASIS SAML; OASIS WS-Trust and WS-Federation.»
- OASIS IDCloud-gap-v1.0 «Known **federation techniques** [include] WS-Trust, WS-Federation, SAML, OpenID Connect for targeting different scenarios.»
Sources
- NIST SP 800-63C (Federation and Assertions) primary source
Related terms
- Kerberos: Network authentication protocol developed at MIT (Kerberos v5: IETF RFC 4120, 2005) using symmetric-key cryptography and …
- mTLS (mutual TLS): Mutual TLS — both client and server authenticate each other via certificates during TLS handshake. RFC 8705 specifies OA …
- Public Key Infrastructure (PKI): Public Key Infrastructure (PKI) — distributed system of services, components, and policies supporting cryptographic oper …
- Relying Party (RP): Application or service that depends on an Identity Provider to authenticate users and provide identity assertions. In SA …
- Single Sign-On (SSO): Authentication mechanism allowing users to access multiple applications with one login. Federated SSO (SAML, OIDC) — IdP …
- Adaptive MFA: Authentication mechanism that adjusts MFA challenges based on real-time risk signals — device trust, location, behavior, …
Frequently asked questions
How does identity federation work?
An application (service provider) trusts an external identity provider. When a user logs in, the IdP authenticates them and sends a signed assertion or token; the app accepts it and creates a session. No password is shared with the application.
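The token exchange described in this answer, written out as an added example (not code from this glossary or from any product it names). The IdP authenticates the user by its own means and emits a signed token; the relying party accepts it only after checking signature, issuer, audience, expiry and nonce, then creates a local session. The issuer URL, client id and secret are constructed placeholders, and the signature is an HMAC (HS256) so the example runs with the standard library alone; a real federation deployment uses an asymmetric algorithm (RS256/ES256) and fetches the IdP's public key from its published JWKS rather than sharing a secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only.
IDP_SECRET = b"constructed-demo-secret-not-for-production"  # HS256 stand-in for an IdP signing key
IDP_ISSUER = "https://idp.example.org"                       # hypothetical home IdP
APP_CLIENT_ID = "partner-app-123"                            # hypothetical relying party client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side: after authenticating the user, sign a short-lived token bound to one audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def rp_verify_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying party side: every check must pass; raises ValueError otherwise."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (e.g. alg "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token was issued for a different application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def rp_login(token: str, expected_nonce: str, now: int) -> Optional[dict]:
    """Create a local session from a verified token; no password ever reaches the RP."""
    try:
        claims = rp_verify_token(token, expected_nonce, now)
    except ValueError:
        return None
    return {"user": claims["sub"], "issued_by": claims["iss"], "expires": claims["exp"]}


if __name__ == "__main__":
    now = int(time.time())
    token = idp_issue_token("alice@partner.example", APP_CLIENT_ID, "nonce-1", now)
    print(rp_login(token, "nonce-1", now))            # session dict
    print(rp_login(token, "nonce-1", now + 600))      # None: expired
```

The nonce is generated by the application when it redirects the user to the IdP and compared on return, which is what ties the token to that login attempt rather than to any earlier one; the audience check is what stops a token minted for one partner application from being replayed against another.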
What is the benefit of federation?
Users get single sign-on across organizational boundaries; companies avoid managing external accounts and can revoke access centrally by disabling the user at their home IdP. It reduces password reuse and simplifies partner and M&A integration.
Is SSO the same as federation?
SSO is the user experience of logging in once; federation is the trust mechanism that makes SSO work across separate domains or organizations. Internal SSO can exist without federation, but cross-company SSO requires it.