Trust And Federated Identity Management (FIM) vs Single Sign-On (SSO)
Any time an organization deploys a new app, end users need to create a new set of credentials to remember. The result for staff? Too many passwords. In fact, the average user needs to recall at least ten passwords a day and forgets up to three of them every month.
The evolving challenges in identity management, in particular those related to identity theft, fraud, and other forms of identity abuse, have led to a new approach to identity management, now known as Federated Identity Management (FIM). Federated Identity Management is a relatively new concept that is part of an ongoing trend in identity management: an automated approach to managing identities such as passports, driving licenses, social security numbers, birth certificates, and so on. There are many examples where two identity management systems are linked and work together on the basis of mutual trust, for example in a social network.
What is Single Sign-On?
As the name suggests, SSO is a feature that lets users access several web applications with a single set of credentials.
This lets people get on with their jobs, since they no longer need to remember several sets of credentials, and it also reduces the time IT spends on password resets.
What is Federated Identity Management (FIM)?
A federated identity links a person's electronic identity and attributes that are stored across multiple distinct identity management systems.
Federated identity is related to SSO, in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management: it relates only to authentication, it is understood at the level of technical interoperability, and it would not be possible without some form of federation.
What are the Differences Between FIM and SSO?
The main difference between SSO and FIM is that SSO provides a single set of credentials across multiple networks under one organization, whereas federated identity management systems provide single access to a variety of applications across several organizations.
Therefore, although SSO is an FIM function, SSO by itself does not permit the management of federated identities. That said, both are important: together they give organizations data protection while minimizing hurdles in the customer interface.
Federated identity management improves the productivity of the organization and increases the security of the networked systems as a whole. Federated identities also have the advantage that managing identity proofs is the responsibility of the identity provider. A company directory that trusts the identity provider need not know anything about a user, and the user need not present credentials to anyone other than that identity provider to use his or her identity.
Introducing SSO is a step toward federated identity management, since SSO is a function of FIM, but it does not necessarily work the other way around. If two organizations trust each other through a federated identity management system, a user can authenticate on one website and does not need to authenticate again on the second. As a result, federation can provide the same level of confidence as a single sign-on solution. Organizations implement SSO to enable federated identity management with a single login for all users.
This is made possible by Federated Identity Management, where a single login gives access to multiple business and social accounts, including authentication to multiple social media accounts.
This is useful if you have multiple connected identity providers to trust, or if you have a service provider that is only used by users from a certain subset of identity providers. Federated identity providers can be a single provider, a group of providers, or a combination of multiple providers offering different services.
Federation is a relationship of trust established between two or more domains, and federated identity is one of the most common forms of trust management for identity management. Once you have established a federation, your users only need to verify their identity once to gain access to the applications they need. With federated identity, you can keep the authentication process on-premises in Active Directory, which allows for increased security. Federated identity can also be embedded in third-party identity services that confirm that users have entered the correct username and password.
This means you can provide federated identity solutions that let users enter the same credentials to access data across a connected IT environment. Benefits of federated access management include simplified login and access controls, and Internet services can delegate the associated responsibilities to organizations that already have long-term relationships with the customers.
With identity federation, you don't have to write custom code or manage your own user identities. Working with an identity provider lets you build the next generation of identity management solutions. Once implemented, these identity management systems support access to network resources with a single authentication.
In other words, inbound identity federation gives you access to applications and services that lie outside your organization's traditional boundary and are trusted domains. Outbound identity federation lets you manage access outside your organization and beyond the traditional boundary of the trusted domain. When multiple organizations implement interoperable, federated identity systems, an organization's employees can use SSO to access services within the federation without separate trust relationships tied to each individual identity. In such federated identity management systems, SSO connects these systems through a single authentication mechanism.
But that does not mean SSO is always safe. According to a write-up on the recent SolarWinds attacks issued by the National Security Agency (NSA), the attackers managed to “compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge[d] trusted authentication tokens to access cloud resources.”
Whatever the approach, identity management systems are the cornerstone of a secure network, as managing user identities is an essential part of access control.
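The forged-token technique in that NSA write-up is why a service provider's SAML validation should not stop at the signature: a token signed with a stolen key verifies perfectly. The Python below is an added example, not code from the original article or from any SAML library; it applies the policy checks that still catch a hand-crafted token (trusted issuer, audience, validity window, maximum lifetime) to a constructed sample assertion. The issuer and audience URLs are assumed placeholders, and signature verification is assumed to have already been done by whatever SAML library is in use.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp.example.org/adfs/services/trust"  # assumed IdP entity ID
OUR_AUDIENCE = "https://app.example.com/sp"                     # assumed SP entity ID

# Constructed sample assertion with hypothetical URLs; the XML signature is
# omitted because these checks run after the signature has already verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2021-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.org/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-15T09:59:00Z" NotOnOrAfter="2021-01-16T10:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    """Parse the UTC timestamps SAML uses into timezone-aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, expected_audience, now,
                    max_lifetime=timedelta(hours=1)):
    """Policy checks a service provider applies on top of signature verification.
    Returns a list of findings; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        findings.append(f"issuer {issuer!r} is not the trusted identity provider")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return findings + ["missing Conditions element"]
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        findings.append("assertion presented outside its validity window")
    # With a stolen signing key the signature is genuine, so look at what the
    # token claims: an unusually long lifetime is one sign of a hand-crafted one.
    if not_after - not_before > max_lifetime:
        findings.append(f"validity window {not_after - not_before} exceeds policy {max_lifetime}")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not name this service provider")
    return findings

def demo(max_lifetime_hours=1, audience=OUR_AUDIENCE):
    """Run the checks on the sample at a fixed instant that lies inside its window."""
    now = datetime(2021, 1, 15, 10, 5, tzinfo=timezone.utc)
    return check_assertion(SAMPLE_ASSERTION, TRUSTED_ISSUER, audience, now, timedelta(hours=max_lifetime_hours))
```

The sample token is issued by the trusted provider for the right audience, yet its 24-hour validity window trips the lifetime policy; in production these findings would be correlated with the identity provider's own issuance logs, since a token the IdP never issued has no matching log entry.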