Because centralized identity management is united across all applications, the user only needs to access one console to enable a variety of services and infrastructure. Users can access the tools they need without having to sign on to multiple accounts because a trust relationship exists between the user, enterprise, and partner sites. This reduces frustration, friction, and password fatigue while increasing data security.
Generally, there are two areas of centralized identity management: single sign-on (SSO) and federated identity management (FIM).
Before single sign-on, users required a separate account to access each service they wanted to use. Each service had to manage its own set of users, authentication data, and authentication policies. Keeping all of these user stores in sync created management challenges that were costly and prone to error. Single sign-on became the answer to simplifying account creation, login, and management processes by allowing users to access multiple applications or services with a single set of credentials.
SSO is ideal when you need to access various services within a single organization, even if they are segregated across different systems and applications. It centralizes the authentication responsibility from within each service, reducing that service’s complexity, increasing security, and simplifying the management of authentication policies and user data.
Choose SSO for:
Ease of access: Reduces account fatigue by requiring users to remember only one set of credentials
Improved user experiences: Saves time and enhances user satisfaction by eliminating repeated login prompts
Reduced IT workload: Lessens the burden on IT support for password resets and account lockout issues
Reduced attack surface: Fewer systems store user passwords, so fewer systems can yield compromised account data if they are attacked
Ideal SSO use cases:
Known and/or registered users
Access to multiple services within a single organization
Limitations of SSO:
SSO doesn't convey any information about the user to the services being accessed other than that they are logged in and an identifier by which they may be referenced—generally a username.
SSO only enables access to systems controlled by your organization and deployed within its domain(s). Federated identity management is needed to benefit from resources stored in services operated by other companies.
While SSO is ideal for accessing services within an organization, federation extends its benefits across organizational boundaries, allowing identity and authorization information to be shared across a trusted network of domains.
Federated identity management (FIM) allows a user authenticated by one organization to use their identity to access services operated by another. In addition, FIM conveys much more sophisticated information about a logged-in user, including how the user authenticated, profile attributes, and permissions. FIM works via standards to ensure that services that authenticate users and transmit their data and permissions (the “identity provider” or “IdP”) and services that rely on that data (the “relying party”) can understand one another.
Like SSO, FIM reduces the number of registered accounts an individual needs to maintain and the number of authentication credentials they need to retain. As long as both the user and the relying party trust a given provider, a single account can be used to access a myriad of services operated by different organizations.
One drawback of FIM is its reliance on this provider as a central figure in the authentication interaction. As the provider has to share information about the user, a user must first give that provider a significant amount of information about themselves. Moreover, each time their data is shared with a relying party, the provider is made aware of this interaction.
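The trust relationship described above, as an added illustration that is not Ping's code: a relying party accepts an assertion only when it comes from an identity provider it already trusts, is intact, is addressed to this relying party, and is still valid. The assertion layout, issuer names, attribute names and the shared HMAC key are all constructed for the example (real federation standards use asymmetric signatures and their own formats).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust relationship: this relying party trusts exactly one IdP,
# identified by its issuer name and a shared signing key (HMAC-SHA256 stands in
# for the signed assertions that federation standards actually use).
TRUSTED_IDPS = {"https://idp.example-partner.test": b"constructed-shared-secret"}
RELYING_PARTY = "https://app.example.test"

def idp_issue(issuer, key, subject, attrs, auth_method, ttl=300, now=None):
    """IdP side: sign an assertion that carries the user's identifier plus how
    they authenticated and the profile attributes / permissions being shared."""
    now = now if now is not None else int(time.time())
    claims = {"iss": issuer, "sub": subject, "aud": RELYING_PARTY,
              "iat": now, "exp": now + ttl, "amr": auth_method, "attrs": attrs}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())

def rp_verify(token, now=None):
    """Relying-party side: return the claims of a trustworthy assertion, or
    raise ValueError naming the first check that failed."""
    now = now if now is not None else int(time.time())
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
        claims = json.loads(body)
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed assertion")
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:
        raise ValueError("issuer not trusted")  # unknown or rogue provider
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")  # attributes or permissions altered
    if claims.get("aud") != RELYING_PARTY:
        raise ValueError("assertion not meant for this relying party")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("assertion expired or not yet valid")
    return claims
```

The relying party never sees the user's password; everything it learns about the user (identifier, authentication method, attributes) arrives inside the provider's signed assertion, which is exactly why the provider is a central figure in every interaction.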
Choose FIM for:
Cross-domain authentication: Enables seamless access to resources across different domains or organizations
Independent autonomy: Each entity retains control over its own identity management policies while participating in a shared authentication system
Enhanced collaboration: Facilitates collaboration and sharing of resources among different organizations in a secure and controlled manner
Ideal FIM use cases:
When a remote or third-party identity provider is used to offload the responsibility of authentication and identity management processes
You want to let remote clients inspect or execute user-controlled data and operations in your services on that user's behalf, by sharing authorization with them
You are supporting various remote login providers with which users may already have accounts, such as social networks
You want to gather identity information held by a trusted source for use within your own service, creating a single view of the user's identity shared between both
Limitations of FIM:
Requires backend integrations between organizations that can be cumbersome to organize and expensive to maintain
Threat actors can compromise user credentials via man-in-the-middle attacks or session hijacking
User experience is often jarring, moving the users between services to log in and presenting them with lists of 'things that are about to be shared' that can be cumbersome for an individual to process
Standards were designed with web application interactions in mind and can result in a mobile experience that relies on rendering web views rather than keeping the user inside a native app
When paired with orchestration, both SSO and FIM enable authentication and authorization capabilities. To keep identities and business resources as agile and secure as possible, it’s also important to understand and follow a Zero-Trust Security model and leverage identity standards and protocols.
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.