Federated Identity Management vs. SSO

Last time I wrote about how much it costs to protect yourself, so I want to follow up  with another topic that hits close to home: your wallet.

Federated identity management (FIM) and single sign-on (SSO) are not synonymous — FIM gives you SSO, but SSO does not give you FIM. That minor detail is very important to understand, as you make the leap to the cloud and adopt more SaaS applications. While you will have some initial startup cost with FIM by building out an identity service provider (IDP), it is cheaper in the long run than using simple SSO with FIM.

Why is that so? Well, let’s start by understanding what the difference between the two is.

Single Sign-on (SSO) allows users to access multiple services with a single login.

2017-02-17_11-46-23The term is actually a little ambiguous. Sometimes it’s used to mean that a user only has to provide credentials once per session and then gains access to multiple services without having to sign in again during that session. Think your bank account — you log in once but now you can access all your accounts such as savings, retirement, investment, mortgage and so on without being prompted for credentials again. But in all reality, these individual accounts are all separate from each other. If you pay close attention to your browser bar as you click on the different accounts, you’ll most likely see something like this there:

 https://yourbankurl/switchaccount/SAML_Action

That SAML action call is reauthenticating you during the same session — hence SSO (and maybe even a bit of federation behind the scene, but it would be beyond the scope of this blog to go into that much detail. That is a topic for another blog).

But for some people SSO means merely that the same credentials are used for multiple services — the user might have to login multiple times, but it’s always the same credentials. You log on to some SaaS app and as you are trying to access some “sensitive” information you must enter your credentials again. For example, when you access the account settings on your Amazon Prime account you must re-authenticate. Or even worse, some consider SSO if you are using the same username and password for yahoo and google. That is not SSO, that is you asking to be hacked.

And to make it even more confusing some people even consider password management tools such as Roboform, Dashlane and Zoho Vault  SSO solutions. They are not, they are password managers that allow you to save multiple logins so you do not have to remember them all.  So, beware, all SSO’s are not the same in that regard. Many people (me included) only consider the first case to be “true” SSO.

Some of the downsides with SSO are that you are reliant on the SaaS application’s support for multi-factor authentication (MFA) for additional protection. The user has to remember all the different logins or resort to a password manager. IT has to manage all the individual SaaS logins for all employees, which results in departed employees having access to confidential information long after they have left the company because IT or the LOB has not de-provisioned / deactivated their SaaS account. It also results in the company still paying for licenses that are assigned to former employees. All of the above make SSO without FIM costly and insecure.

Now federated identity management (FIM) refers to a way to connect identity management systems together. With FIM, a user’s credentials are always stored with a “home” organization (the “identity provider”). When the user logs into a service (SaaS application), instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials. So the user never provides credentials directly to anyone but the identity provider. You are federating your service providers (SaaS applications) with your FIM (identity provider). It’s a many to one mapping, many SaaS applications to one identity provider.

FIM and SSO are different, but are very often used together. Remember, FIM gives you SSO, but SSO doesn’t necessarily give you FIM.

Identity federation offers economic advantages, as well as convenience, to enterprises and their subscribers. For example, multiple corporations can share a single application (B2B federation), with resultant cost savings and consolidation of resources. In order for FIM to be effective, the partners must have a mutual trust. Authorization messages among partners in an FIM system can be transmitted using security assertion markup language (SAML) or a similar XML standard that allows a user to log on once for affiliated but separate websites or networks. Additionally, FIM systems (IDP’s) like Centrify provide automated account provisioning and de-provisioning into SaaS applications like O365, Salesforce, AWS and ServiceNow. Automated account provisioning gives the IT department the benefit that a new user is automatically provisioned into all applications assigned to him automatically based on role or group membership in their user database such as Active Directory or LDAP. The user has the benefit of having only to remember his “Domain Credentials.” In a nutshell, FIM is cheaper and much more secure in the long run because:

  • It doesn’t need to manage individual SaaS accounts. It happens automatically.
  • Licenses for said SaaS applications are assigned or removed automatically.
  • Access to ALL SaaS applications is removed at once.
  • The user only needs to remember ONE username and password combination.
  • FIM allows IT to protect critical apps with Multi Factor Authentication.
  • The User has a single user interface to access ALL his SaaS applications.

Learn how to add security through SSO with, “A Quick Guide to Mitigating Security Risks.