Federated Identity Management vs. SSO: Which is Better?
Comparing federated identity management and SSO can be tricky if you don’t fully understand federation or identity and access management. We’re walking through both to help you compare.
What is the difference between federated identity management and single sign-on authentication? SSO lets a person authenticate once and reuse that login across many systems, typically within one organization's domain. FIM extends the same idea across organizational boundaries: an identity established by one organization's identity provider is trusted by applications running on other organizations' networks.
What Is Federated Identity Management?
Federated identity management uses identity management and identity-sharing protocols to let a user authenticated by one organization access applications run by other vendors and platforms. FIM is a set of trust agreements between organizations, implemented through technical standards, that allows users of those platforms to access apps with a single set of credentials held at their home identity provider.
Because FIM emphasizes identity management rather than the login step itself, an FIM solution does not replace the authentication of user credentials; that still happens once, at the user's home identity provider. What FIM defines is how disparate systems across multiple enterprises negotiate trust. In an FIM system, every participating organization agrees that if a user has authenticated with the trusted identity provider, a signed assertion of that fact is enough to grant access to the participating systems, subject to each system's own authorization rules.
Implementing FIM, therefore, involves technologies for conveying assertions or tokens that attest to a completed authentication and carry the identity attributes a relying application needs. The user's credentials themselves stay with the identity provider and are never forwarded to the applications.
Some of the technologies that play a role in FIM include the following:
- Security Assertion Markup Language: This open XML standard gives identity providers and service providers a common format for exchanging authentication and authorization assertions. When a user attempts to access a SAML-enabled application (the service provider), they are redirected to the identity provider; after the user authenticates there, the identity provider returns a signed SAML assertion stating who the user is, when and how they authenticated, and which attributes they hold. Within a federation, an assertion signed by a trusted identity provider is accepted as proof of authentication by all participating service providers, provided each service provider verifies the signature, issuer, audience and validity window before acting on it.
- OAuth: OAuth 2.0 is an authorization (delegation) protocol rather than an authentication protocol. It relies on passing tokens between an authorization server and the client applications that need access to a user's resources. The user authenticates to the authorization server, which returns an access token to the client; the token is opaque to the client and cannot be altered without detection. The token lets the client call APIs on the user's behalf across multiple systems, but on its own it does not tell the receiving application who the user is. That gap is what OpenID Connect fills on top of OAuth.
Unlike SAML, OAuth is the usual choice for mobile apps, Internet of Things devices and API-to-API access, where a client needs durable, renewable access to resources through refresh tokens. SAML, on the other hand, remains the common choice for browser-based enterprise sign-on, where a user logs in daily and each assertion is consumed once.
- OpenID Connect: An identity layer built on OAuth 2.0 and supported by the major social media and cloud providers (Google, Facebook, Microsoft, PayPal, Yahoo, and Symantec), it allows an application to authenticate users through a third-party identity provider. It adds a signed ID token that the application verifies to learn who logged in, which issuer vouches for them, and for which client the token was minted.
Depending on its needs, a federated identity management system will usually support at least one of these protocols.
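The trust decision described above, as an added example that is not code from the original article or from 1Kosmos: a relying application receives an OpenID Connect ID token from a federated identity provider and must decide whether to accept it. The example verifies the signature first, then the issuer, audience, validity window and login nonce. It uses HS256 with a constructed client secret so it runs offline with the Python standard library; the issuer URL, client ID and secret are assumptions. Real providers normally sign with RS256 or ES256 and publish their keys in a JWKS document, but the claim checks are identical.

```python
"""Relying-party validation of an OpenID Connect ID token.

Added example, not code from the original article or from 1Kosmos. To run
offline with the standard library it uses HS256 with a constructed client
secret; production providers normally sign with RS256/ES256 and publish
their keys in a JWKS document, but the claim checks are the same.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions for the example, not real endpoints or keys).
TRUSTED_ISSUER = "https://idp.example.org"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-shared-secret-for-demo"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed JWT the way the identity provider would.
    Used here only to construct sample input for the validator."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: int = None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Return the verified claims or raise ValueError with the reason.

    Nothing in the payload is trusted until the signature has been checked,
    so the signature comes first and every later check reads the verified copy.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the relying party expects; never let the token choose
    # (this is what blocks alg=none and RSA/HMAC key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Issuer: only the identity provider this federation trusts.
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    # Audience: a valid token minted for some other client must not log in here.
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    # Validity window: exp is mandatory in OIDC; tolerate 60 s of clock skew on iat.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + 60:
        raise ValueError("issued in the future")
    # Nonce: binds the token to the login request that triggered it (anti-replay).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def check_id_token(token: str, expected_nonce: str, now: int = None):
    """Wrapper returning (claims, None) on success or (None, reason) on failure."""
    try:
        return validate_id_token(token, expected_nonce, now), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    now = int(time.time())
    token = mint_id_token({"iss": TRUSTED_ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                           "iat": now, "exp": now + 300, "nonce": "n-1"})
    print(check_id_token(token, "n-1"))   # accepted: claims for user-42
    print(check_id_token(token, "n-2"))   # rejected: nonce mismatch
```

The order of checks is the point: the issuer check is the federation agreement in code (only the partner identity provider may vouch for users), the audience check stops a token issued to one application in the federation from being replayed against another, and the pinned algorithm keeps the token from dictating how it is verified.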
What Is Single Sign-On Authentication?
Single sign-on allows users to authenticate once, with a single set of credentials, and then access multiple platforms. For example, a user may have a single username and password combination (perhaps combined with a biometric factor like a fingerprint scan) that they use to reach a diverse set of accounts. Unlike a password manager, which just gives users a way to organize and secure multiple passwords, SSO provides a single point of entry: the applications never see a password at all, only proof that the user has already logged in.
Some of the configurations you may commonly see with SSO are as follows:
- SAML: As in FIM, SSO solutions can use SAML to let users authenticate once and access many different applications. The SAML assertion can carry attributes (group membership, roles) that state what the user is permitted to do and which resources or applications they should access; the receiving application maps those attributes onto its own authorization rules.
- Kerberos: Kerberos is a network authentication protocol used for SSO within a domain. A Key Distribution Center issues encrypted "tickets" that the client presents to each service as proof that it has already authenticated. Tickets serve the same purpose as tokens in OAuth, but the mechanism differs: Kerberos tickets are encrypted with symmetric keys shared between the KDC and each service, and the client proves possession of the ticket's session key with an authenticator, rather than presenting a bearer token that anyone holding it could replay.
- Social logins: Platforms like Twitter, Facebook, and Google offer "Log in with" buttons built on OAuth 2.0 and, in most cases, OpenID Connect, which allow users to log in to their social account and use that authentication to access other participating applications.
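The service-provider side of the SAML item above, as an added example that is not code from the original article or from 1Kosmos. A real service provider first verifies the XML signature on the exact bytes it received, using xmlsec or a library such as python3-saml; that step needs libraries outside the Python standard library and is assumed to have already passed here. The code shows what comes next: checking the issuer against the federation's trusted identity providers, the validity window, the audience, the subject, and then the role attributes that drive the application's own authorization decision. The assertion text, entity IDs and role names are constructed for the example.

```python
"""Service-provider checks on a SAML 2.0 assertion after signature verification.

Added example, not code from the original article or from 1Kosmos. Signature
verification (xmlsec / python3-saml) is assumed to have already passed on the
raw bytes; only then may any of the values below be trusted.
"""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml in production to resist entity attacks
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDPS = {"https://idp.example.org/saml"}   # assumed federation partner
SP_ENTITY_ID = "https://app.example.com/sp"        # assumed entityID of this SP

# Constructed sample assertion (the Signature element is omitted; see docstring).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>hr-admin</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime; drop fractional seconds, keep the Z."""
    value = re.sub(r"\.\d+Z$", "Z", value.strip())
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text: str, now_utc: str,
                       sp_entity_id: str = SP_ENTITY_ID,
                       trusted_idps=TRUSTED_IDPS) -> dict:
    """Return {"ok": True, "subject", "roles"} or {"ok": False, "reason"}."""
    now = parse_saml_time(now_utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return {"ok": False, "reason": "not an Assertion element"}
    # Issuer must be an IdP this SP has a federation agreement with.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in trusted_idps:
        return {"ok": False, "reason": "untrusted issuer"}
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return {"ok": False, "reason": "missing Conditions"}
    # Validity window: an assertion with no NotOnOrAfter would be valid forever.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return {"ok": False, "reason": "assertion not yet valid"}
    if not not_on_or_after or now >= parse_saml_time(not_on_or_after):
        return {"ok": False, "reason": "assertion expired or unbounded"}
    # Audience: an assertion minted for another SP in the federation is not ours.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        return {"ok": False, "reason": "audience mismatch"}
    subject = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not subject:
        return {"ok": False, "reason": "missing NameID"}
    # Attributes the IdP asserted about the user; the SP maps them to its own rules.
    roles = [v.text.strip() for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS) if v.text]
    return {"ok": True, "subject": subject, "roles": roles}


def may_access(result: dict, required_role: str) -> bool:
    """Authorization stays with the SP: an accepted assertion must still carry
    the role the requested resource demands."""
    return bool(result.get("ok")) and required_role in result.get("roles", [])


if __name__ == "__main__":
    verdict = evaluate_assertion(SAMPLE_ASSERTION, "2024-01-15T10:01:00Z")
    print(verdict)                               # accepted: alice with two roles
    print(may_access(verdict, "hr-admin"))       # True
    print(may_access(verdict, "finance-admin"))  # False
```

Note that the authorization decision is made by the application from the asserted attributes, not by the identity provider: the IdP vouches for who the user is and which roles they hold, and the SP decides which of those roles a given resource requires.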
SSO minimizes the passwords users must remember and streamlines authentication. The trade-off is that one credential now guards everything behind it: it is hard to demand stronger authentication for sensitive applications than for routine ones unless the SSO solution supports step-up authentication, and a compromise of that single credential exposes every connected system at once. That is why SSO should be paired with strong, phishing-resistant multi-factor authentication.
What Are the Differences Between SSO and FIM?
It’s important to note that SSO and FIM share several commonalities, most notably the ability to provide users and enterprises with a way to simplify authentication. Both offer infrastructure where users log in with a single set of credentials and gain access to several different services and applications. In fact, many professionals refer to “federated SSO” because federation is one way to deliver SSO: SSO describes the user experience (one login, many applications), while federation describes the trust arrangement that makes that experience work across organizational boundaries.
Where they differ is where they are applicable. Single sign-on solutions provide a single access point to multiple applications within a single domain, usually an enterprise network. For example, an SSO solution may allow employees to use a single authentication event to access internal company resources, including HR portals, cloud resources, and shared applications.
On the other hand, FIM provides access to applications across multiple domains or organizations with a single set of credentials. Whereas SSO might provide centralized authentication for internal company applications, FIM will extend that access to third-party vendor apps that are integrated with the company’s system, such as external video conferencing, customer relationship management software, or office applications.
How to choose one is relatively simple: if you are authenticating users to different apps inside your own organization, an SSO solution should suffice. If you are connecting to a variety of third-party applications across multiple vendors, then you’ll most likely want an SSO solution that supports a federation protocol those vendors also support.
Enterprise SSO with Advanced Security with 1Kosmos
Enterprise organizations are typically looking to ease authentication for their workforce. Streamlined identity verification across all business resources reduces challenges for IT and HR while also reducing user-caused security risks. SSO is an important part of this process because it limits the information users have to remember just to log in to company systems.
But SSO carries some security issues, including the fact that a compromised user account linked to an SSO solution can endanger every associated system. It’s critical that any organization deploying SSO implement effective modern cybersecurity and authentication methods like advanced biometrics, identity proofing, and robust identity management.
1Kosmos BlockID provides features needed to support SSO authentication for enterprise customers with an innovative approach to identity management. This approach includes the following:
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
- Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
- Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
To learn more about 1Kosmos SSO support and passwordless authentication, sign up for the newsletter. And make sure to watch our webinar on Freedom from Passwords 2.0.