
Establish secure access to organizational domain resources using the trusted Federated Identity approach.
Federation — also referred to as Enterprise Federation — is the term typically used when a trusted relationship with an organization's own central Identity Provider (IdP) is established.

Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share my experience incorporating federated identity into modern applications.
SAML…
Typically associated with B2B SaaS scenarios (where CIAM and traditional IAM effectively meet), Federation usually involves establishing a trust relationship with a corporate Identity Provider (IdP) using the SAML protocol. In this scenario, via an upstream conversation, the corporate IdP is responsible for all user authentication and delivers an Assertion that carries user information together with the authorization information used for Access Control (e.g. group or role attributes consumed by RBAC and the like).
…or OIDC
In certain circumstances, the upstream conversation with a corporate IdP can also leverage the OIDC protocol. In this case, an ID Token — the OIDC security artefact generated in a valid user-authenticated context — provides user information together with the details used for Access Control. Whilst the formal spec for OpenID Federation is still a work in progress, the use of an intermediate IdP as a protocol proxy can provide an effective mechanism for establishing trust relationships.
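Before an ID Token's user and access-control details can be trusted, the application has to check the token itself: signature, issuer, audience, expiry and the nonce that ties it to the browser session that started the login. The following is an added example written for this article, not code from the original post or from any vendor. To stay dependency-free it signs with HS256 and a constructed shared secret; a corporate IdP normally signs with RS256 and publishes its keys via JWKS, but the claim checks are the same either way. The issuer, client id, secret, timestamps and group-to-role mapping are all constructed.

```python
"""Validating an OIDC ID Token before its claims are used for login and access control.

Added example (not from the article). Signing uses HS256 with a constructed
shared secret so the script runs with the standard library only; the claim
checks apply unchanged to RS256 tokens verified against a JWKS.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.test"      # constructed: the one IdP we trust
CLIENT_ID = "my-app-client-id"           # constructed: our registered client id
SECRET = b"constructed-shared-secret"    # constructed: stands in for the IdP key
SKEW = 120                               # seconds of clock skew tolerated on exp


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWS the way an IdP would (sample input for the checks below)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int, secret: bytes = SECRET):
    """Return (ok, reason, claims). Claims are only returned once every check passes."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token", {}
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256":                 # pin the algorithm; never trust the header's choice
        return False, "unexpected alg", {}
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return False, "bad signature", {}
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != ISSUER:                  # only the trusted (or proxy) IdP may issue
        return False, "untrusted issuer", {}
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return False, "audience mismatch", {}        # token minted for a different client
    if now >= claims.get("exp", 0) + SKEW:
        return False, "token expired", {}
    if claims.get("nonce") != expected_nonce:        # binds the token to this browser session
        return False, "nonce mismatch", {}
    return True, "accepted", claims


def roles_from_claims(claims: dict) -> list:
    """Map IdP groups to application roles; unknown groups grant nothing (constructed mapping)."""
    mapping = {"idp-admins": "admin", "idp-staff": "editor"}
    return sorted({mapping[g] for g in claims.get("groups", []) if g in mapping})


def demo() -> dict:
    """Run a valid token and the common failure cases; returns the outcome of each."""
    now = 1_717_243_200                             # constructed: 2024-06-01T12:00:00Z
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now - 10,
            "exp": now + 300, "nonce": "n-123", "groups": ["idp-admins", "unmapped"]}
    results = {"valid": validate_id_token(mint_id_token(base), "n-123", now)}
    results["roles"] = roles_from_claims(results["valid"][2])
    results["wrong_nonce"] = validate_id_token(mint_id_token(base), "n-999", now)
    results["expired"] = validate_id_token(mint_id_token({**base, "exp": now - 600}), "n-123", now)
    results["other_issuer"] = validate_id_token(
        mint_id_token({**base, "iss": "https://another-idp.example.test"}), "n-123", now)
    results["tampered"] = validate_id_token(mint_id_token(base, secret=b"other-key"), "n-123", now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>13}: {outcome[:2] if isinstance(outcome, tuple) else outcome}")
```

The order of the checks matters: the signature is verified before any claim is read, so a forged issuer or audience never influences a decision, and the algorithm is pinned by the relying party rather than taken from the token header.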
Browser-based Authentication…
Federation is typically achieved using a workflow involving the Browser and is largely utilized by web-based applications (using an embedded browser context for Mobile or Native Apps). The browser-based workflow provides the most secure mechanism for communication and allows the upstream IdP to interact with the user dynamically if required. It also provides flexibility for leveraging capabilities such as MFA and SSO.

…SP Initiated…
In Service Provider (SP)-initiated scenarios, a user attempts to access a protected resource directly without having logged in. The SP does not handle user credentials itself but relies on an account federated from an upstream identity provider (IdP). The SP sends an authentication request to the IdP via the Browser, which relays the request to the IdP and then carries the returned SAML assertion back to the SP.
…or IdP Initiated
Conversely, in an IdP-initiated scenario, a user logs on to the identity provider as part of an attempt to access a resource on a service provider (SP). In this case, the IdP transports the user and the generated SAML assertion to the SP, again using the Browser.
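The two flows above look the same to the user but differ in what the SP can verify. In the SP-initiated case the SP issued the request, so the response carries an InResponseTo that must match a request the SP is still waiting on; an IdP-initiated response is unsolicited and has no such binding, so the SP needs an explicit policy on whether to accept it at all. Either way the SP also has to check the assertion's validity window and that it was issued for this SP's audience before reading the attributes used for Access Control. The following is an added example written for this article, not code from the original post or from any SAML library. It assumes the XML signature has already been verified by the SAML stack and shows only the protocol-level checks that still have to run; the entity ids, timestamps, group names and the assertion itself are constructed.

```python
"""Post-signature acceptance checks an SP applies to a SAML Response.

Added example (not from the article). Assumes the Response/Assertion signature
has already been verified by the SAML library; these are the remaining checks
that must pass before the assertion is trusted for login or access control.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"   # constructed: our own entity id
CLOCK_SKEW = timedelta(minutes=2)
TS = "%Y-%m-%dT%H:%M:%SZ"                                # SAML UTC timestamp layout


@dataclass
class SpState:
    """What the SP remembers between redirecting the browser and receiving the response."""
    pending_request_ids: set = field(default_factory=set)
    allow_unsolicited: bool = False   # IdP-initiated responses carry no InResponseTo


def build_response(request_id, not_before, not_after, audience, groups) -> str:
    """Constructed (unsigned) SAML Response used as sample input."""
    in_resp = f' InResponseTo="{request_id}"' if request_id else ""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="{not_before}"{in_resp}>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
            f'<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="groups">{values}'
            f'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def accept_response(xml_text: str, state: SpState, now: datetime):
    """Return (accepted, reason, groups). Stops at the first failed check."""
    root = ET.fromstring(xml_text)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:                            # IdP-initiated (unsolicited)
        if not state.allow_unsolicited:
            return False, "unsolicited response not allowed", []
    elif in_response_to in state.pending_request_ids:     # SP-initiated: must answer our request
        state.pending_request_ids.discard(in_response_to)  # one-time use blocks replay
    else:
        return False, "InResponseTo does not match a pending request", []

    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before - CLOCK_SKEW <= now < not_on_or_after + CLOCK_SKEW):
        return False, "assertion outside validity window", []

    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:                     # issued for some other SP
        return False, "audience mismatch", []

    groups = [v.text for a in assertion.findall(".//saml:Attribute", NS)
              if a.get("Name") == "groups" for v in a.findall("saml:AttributeValue", NS)]
    return True, "accepted", groups


def demo() -> dict:
    """Run the SP-initiated and IdP-initiated cases plus the usual rejections."""
    now = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)       # constructed clock
    fresh = ((now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS))
    stale = ((now - timedelta(hours=2)).strftime(TS), (now - timedelta(hours=1)).strftime(TS))
    results = {}

    sp = SpState(pending_request_ids={"_req42"})          # SP redirected the browser with this id
    resp = build_response("_req42", *fresh, SP_ENTITY_ID, ["admins"])
    results["sp_initiated"] = accept_response(resp, sp, now)
    results["replayed"] = accept_response(resp, sp, now)   # same response a second time

    unsolicited = build_response(None, *fresh, SP_ENTITY_ID, ["staff"])
    results["idp_initiated_rejected"] = accept_response(unsolicited, SpState(), now)
    results["idp_initiated_allowed"] = accept_response(unsolicited, SpState(allow_unsolicited=True), now)
    results["expired"] = accept_response(
        build_response(None, *stale, SP_ENTITY_ID, ["staff"]), SpState(allow_unsolicited=True), now)
    results["wrong_audience"] = accept_response(
        build_response(None, *fresh, "https://other-sp.example.test", ["staff"]),
        SpState(allow_unsolicited=True), now)
    return results


if __name__ == "__main__":
    for name, (ok, reason, groups) in demo().items():
        print(f"{name:>23}: {ok} ({reason}) groups={groups}")
```

The `allow_unsolicited` flag is the policy decision the IdP-initiated flow forces on the SP: with it off, only responses that answer a request the SP itself issued are accepted; with it on, the SP is relying entirely on the signature, audience and validity-window checks, which is why those run regardless of how the flow started.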

SSO
Federation is most commonly associated with SSO, and the two terms are often used synonymously. Whilst SSO is today associated with a number of modern CIAM use cases — including Social and account-linked scenarios — it was originally one of the primary functions of federation and a key factor behind the development of the SAML protocol.
Social
In many ways, Federation can be viewed as synonymous with the Social scenarios typically employed in B2C SaaS applications. Whilst the explicit trust relationship is not the same — the use of OIDC effectively creates an implied trust relationship instead — the use of an upstream IdP for authentication and the subsequent creation of an SSO context is similar.
Buy vs DIY
You could build an in-house custom solution yourself; it’s certainly an option, particularly if you have a team with the time, capacity, knowledge and expertise to develop SSO; deploy and maintain Attack Protection; leverage OIDC and/or SAML for Authentication, Social and/or (Enterprise) Federation; implement Passwordless, Passkeys and/or MFA; and optionally support OAuth 2.0 for API Authorization.
The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM, the cost is typically associated with the platform hosting the backend service(s) that deliver Authentication, Authorization, Management and Protection from attack. If you already build consumer-oriented software, much of this infrastructure is likely in place: cloud-based “compute”, database and network resources are things your solution will need anyway, and delivering them at scale may be something you already have to do.
Deploying a standards-based open-source DIY solution within your existing infrastructure might provide a more cost-effective approach — delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.
Got questions?
Feel free to reach out!