Federated Identity Management

Industry Insight

Federated Identity Management

What is Federated Identity Management (FIM)

Federated Identity Management is an adaptation that helps multiple enterprises to let subscribers use the same identity to access different domains, without performing different logins for different service providers.

Example – It permits you to sign in to Azure with your Office 365 account details.

Here, the user’s credentials are validated through an Identity Provider(IdP) which can be connected to several companies’ domains instead of managing the authentication on the service provider (SP)/applications themselves. Hence, when a user tries to access a particular SP or application, the SP redirects the user to the IDP login page. The user login on the IDP and is then redirected to the requested SP/application. Generally, the user identity authorization is executed through:

1) Security Assertion Markup Language (SAML)

2) Open Authorization (OAuth)

3) OpenID Connect (OIDC)

How Federated Identity Management Work

The end goal for any authorization is a safe and secured login to multiple Service providers with the same identity. But the procedure might differ depending on the protocol used.

Let us discuss in detailed the working of Federated Identity Management.

Federated Identity Management with SAML

For Federated Identity Management using SAML protocol, generally, the user follows the below procedure:

1. User, through a web browser, requests access to the secured application/SP.

    2. The service provider redirects to a specific Identity provider (registered with the Service Provider) for authentication with SAML Authentication request.

    3. Browser makes authentication requests to the registered Identity Provider. The IdP validates the SAML request and gives the user/ browser a login form.

    4. Upon successful credential check/ or authentication, the identity provider will generate an XML-based assertion verifying the user’s identity and will relay this to the browser. 

    5. Browser passes the XML insertion to the Service Provider and it sets up cookies in the browser.

    6. The user/ browser gets the access as it is authenticated now.

    Federated Identity Management with OAuth/ OpenID Connect

    OpenID Connect is built on the OAuth 2.0 protocol and uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choices, such as scopes and endpoint discovery. It is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps.

    The user follows the following instructions for OpenID Connect Protocol:

    1)User requests to access the resource server, which is then redirected to Identity Provider.

    2)Once the authorization request is passed to Identity Provider, it returns the login page to the User.

    3)After the IDP validates the user credentials, it redirects the user to the resource server.

    4)It redirects the user to the resource server.

     5)Once the user requests the page, a token is requested from the resource server to the IDP.

    6)Token is validated by IdP.

    7)Token is returned by the IDP directly to the Resource Server and user logs in successfully.

    RCDevs Security Solutions and Federated Identity Management

    RCDevs OpenID / SAML Identity Provider works with OpenOTP back-end. The RCDevs SSO solution supports PKI logins (with user certificates), OTP, FIDO2, and VOICE biometric-based authentication. Another advantage that RCDevs provides is the possibility to define WebADM client policies per SP. That offers high flexibility regarding authentication purposes, access policies, the allowed domains to access an application, and so on.

    Key Features of FIM:

    -Supports SAML 2.0 authentication and logout requests.

    -Supports IdP-initiated and SP-initiated SAML requests for Cloud SSO.

    -Supports OpenID-Connect and OAuth2

    -Returns group memberships and configurable user attributes

    -Very easy configuration for corporate SAML with metadata URL

    -Supports all authentication methods supported by RCDevs (Push, FIDO, SMS OTP, VOICE Biometric…)

    -Supports OpenID user profile scopes

    -Supports all policies features provided by WebADM control center

    It is simple to integrate OpenOTP SSO Solution:

    SAML Identity Provider

    OpenID- SAML IdP Web Service

    More, information check RCDevs page.