How Is Single Sign-On Different from Federation?

Nov 14, 2016, 12:04

elena peter

Single sign-on and federation are hot topics that deserve thorough discussion. How they differ from each other, and which protocols each needs in order to be implemented, are questions about which there is little awareness; this article is a small effort to highlight some of the answers.


Although single sign-on and federation may appear similar to the end user, since with both the user logs in once and can then use multiple systems and applications without the pain of logging into each one separately, the functionality behind the scenes is quite different, and that is why a variety of protocols exist to implement them. Multi-factor authentication is something both approaches use.

In SSO there is a unique identity for each user, by which the user is recognizable to the organizations that leverage SSO; they all agree to trust the single sign-on. This user identity is linked to the system directories to which the SSO provides access, so the user has its own unique credentials for each system behind the SSO. This can take place in two ways:

  1. Having users log in to one system through a gateway in another system, thereby creating a token in the gateway system.
  2. Creating a separate account that connects the gateway system with the systems behind the SSO.

You must have heard of OpenID, Infocard or other commercial programs; they provide federation rather than SSO. Federation looks like SSO to the end user, but it works differently and provides a different kind of authentication. In federation, end users are known only to the front-end systems. The organizations that participate in the federation agree that they will accept the credentials and identities passed to them through SAML, but they have no knowledge of the end user's identity in the access manager or directory before it is passed.

This does not mean that, under federation, users are unknown to the downstream systems; it simply means the user was not enrolled in the access manager for that system. The goal of federation is to establish trust between the credential provider and the relying party. Federation is also more likely to get hacked because of the lack of strong identity proofing and authentication. Without strong identity proofing, any fraudulent user can enter the system through the front door pretending to be a legitimate user, and then no amount of encryption on the back end can prevent the fraudulent user from accessing the information within the federated systems.
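As an added example (not from the article), here is the check that the trust between credential provider and relying party described above reduces to on the relying-party side, in Go. A simplified JSON assertion signed with Ed25519 stands in for a SAML assertion and its XML signature, and the issuer name, audience, subject and key material are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for a SAML assertion: the identity provider vouches for
// a subject, addressed to one audience, until an expiry time (Unix seconds).
type Assertion struct {
	Issuer   string `json:"issuer"`
	Subject  string `json:"subject"`
	Audience string `json:"audience"`
	Expires  int64  `json:"expires"`
}

// Validate is the relying-party side of federation. It holds no prior record
// of the user; it checks only that a pre-registered issuer signed these exact
// bytes and that the assertion is addressed to this party and unexpired. How
// carefully the issuer proofed the subject's identity is invisible here.
func Validate(trusted map[string]ed25519.PublicKey, self string, now time.Time, payload, sig []byte) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	pub, ok := trusted[a.Issuer] // the claimed issuer selects the key; a false claim fails Verify
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("issuer not trusted or signature does not verify")
	}
	if a.Audience != self {
		return nil, errors.New("assertion addressed to another relying party")
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return nil, errors.New("assertion expired")
	}
	return &a, nil
}

func main() {
	// Identity-provider side: a constructed key pair and a signed assertion for "alice".
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, _ := json.Marshal(Assertion{"idp.example", "alice", "app.example", time.Now().Add(time.Minute).Unix()})
	sig := ed25519.Sign(priv, payload)
	// Relying-party side: the trust list holds only the registered issuer's public key.
	a, err := Validate(map[string]ed25519.PublicKey{"idp.example": pub}, "app.example", time.Now(), payload, sig)
	fmt.Println(a.Subject, err)
}
```

The relying party can confirm only that a trusted issuer vouched for the subject; a user who passed the issuer's front door with weak identity proofing arrives here indistinguishable from a legitimate one.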


SSO, on the other hand, uses two-factor authentication with OTP solutions or tokens at the beginning of every session. Additionally, organizations that use SSO leverage strong identity proofing, professional credentialing and authentication as part of a comprehensive approach to risk management.