For many employees today, the workplace is no longer a fixed location.
It can be an office, a living room, a commuter train, a transatlantic flight, or somewhere in-between. Employees can work from anywhere if they have the right technology.
A successful work-from-anywhere model provides easy and secure access to data, apps, and systems employees need to do their jobs, regardless of their location or device.
Access (what employees connect to) and authentication (how employee identity is proven when they connect) must be user-friendly, productivity-enhancing, cost-efficient, and above all, secure.
For businesses embracing a work-from-anywhere policy, federated authentication offers a secure, flexible way to reduce IT overhead and boost employee productivity.
With federated authentication, a single digital identity unlocks an employee's access to different services and authenticates them without additional passwords.
What is federated authentication?
Like most people, you may have dozens, if not hundreds, of passwords to manage. Form-based authentication, where you enter a username and password for access, is a cheap, easy, and familiar way for digital services to grant access to a user.
Unfortunately, passwords are also a nuisance for IT admins and employees alike. They're hard to create, easy to forget, and pose a significant security risk. Poorly-managed passwords cause 80% of data breaches.
Password prompts also disrupt an employee’s workflow and take time away from value-added activities. Simply put, traditional passwords are a very inefficient, disjointed, and insecure way to connect employees to work resources.
Federated authentication redefines user identities and access to digital services. A user has a single digital identity built with data points managed by an identity provider (IdP). The identity provider establishes trust with other applications and services while using a single digital identity.
Employees can then access information in different domains without logging in each time. Not only does this remove the need for repeated logins and passwords, but it also changes the way employees and IT teams interact with and manage access to digital accounts. Federated authentication further reduces the risk of BYOD in the workplace.
With federated authentication, user access and authentication are managed centrally. All user identities are managed in one database called the user directory. This gives IT insight and visibility into employee identities.
For example, IT decides the data points needed to create employee identities for maximum security and accuracy. Federated authentication then builds on the information available in the user directory and ties that identity to each employee's digital activities.
In addition, IT admins can set policies and controls over what, where, and when users can access data. They can grant or revoke employee access at a moment's notice when employees join the team or leave for another job. A centrally managed identity can unlock access to data, apps, and resources employees use every day.
All these extra layers of security don’t increase the burden on employees. Federated authentication simplifies user login by eliminating login prompts and passwords.
A set of credentials is sufficient to establish a user's identity. For employees, federated authentication means less hassle and faster access.
Components of federated identity
Federated authentication helps build relationships between different technology providers, enabling automatic identification and user access.
Employees no longer need to enter separate usernames and passwords when visiting a new service provider. Federated authentication works behind the scenes to determine who the user is and what they should have access to.
An identity provider (IdP) establishes a user's identity and connects to a service provider (SP). A security protocol, Security Assertion Markup Language (SAML), then authenticates the user.
An identity provider (IdP) is a technology system that creates, maintains, and manages identity information. In other words, an identity provider establishes users’ identities and the details that make up those identities.
These details can include an employee's name, email address, location, device or browser type, or even biometric information like fingerprint data.
Some popular identity providers are:
Microsoft's Active Directory Federation Services (ADFS).
Typically, IT teams centrally manage user identities on their network, including every employee, contractor, vendor, or client using an identity provider.
Ideally, IT should always know who needs access to different services and ensure that only these users have access. But this kind of central control and management is only possible when a cloud directory service is in place and leveraged as an identity provider or connected to a third-party identity provider.
Policies and security controls allow IT to standardize user access procedures across the identity provider. That means controlling which users can access specific apps or services and blocking access based on time, location, seniority, department, or other relevant data points, from a centralized dashboard with easily configurable options.
With an identity provider in place, IT can use federated identity management to connect their company's identity provider and the service providers their employees use.
What is a service provider?
A service provider is any external app, software, or website used in the workplace that relies on an identity provider to identify and authenticate a user.
Instead of creating an account with a service provider, the identity provider links employee identity with the service provider on the backend. Once active, users can "carry" their identity from service to service without redundant logins.
When a user wants to access an external service, the service provider "matches" the identity and access with the identity provider. If everything checks out, the IdP authenticates the user via SAML.
Security Assertion Markup Language (SAML) is an open federation standard that allows an identity provider to authenticate users across domains on behalf of a service provider.
The nonprofit technology consortium OASIS developed SAML. It has been around for almost two decades and is a widely adopted and secure authentication standard.
Essentially, SAML securely transfers identity information between an identity provider and a service provider. The service provider relies on the identity provider to verify a user's identity and complete the authentication process.
Once the "check" is complete, the service provider loads the account for the user. The service provider trusts the identity provider to know who the user is and what they can access. SAML facilitates this trust relationship between the two entities.
How does federated authentication work?
SAML lets employees use one set of credentials to access different domains. It pares down the login process to an initial login (to the identity provider) so that subsequent logins (to service providers) are automatic.
Here's how this process works:
1. A user logs in to their identity provider (for example, Google).
2. The user initiates a login to an external service provider that supports an identity federation.
3. The service provider requests user authentication from their identity provider.
4. The identity provider checks the data points from the service provider to verify the user.
5. The identity provider authorizes the user to the service provider (SAML).
6. The user can now access the application or service.
These steps are almost instantaneous and don’t need any user input. If a user doesn't already have an active session with the identity provider, the IdP prompts them to log in with their federated authentication credentials. Federated authentication makes the whole process seamless.
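As an added example (not code from the original article), here are the checks a service provider applies to the identity provider's SAML response before loading the user's account in the final steps above. The entity IDs, request ID, and sample response are constructed for illustration; verifying the response's XML signature, which a real service provider must do first with a maintained SAML library, is outside this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (hypothetical entity IDs); a real one also carries a ds:Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req-123">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, trusted_idp, sp_entity_id, pending_request_id, now):
    """Return (user, None) if accepted, else (None, reason). Signature checking is NOT done here."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != pending_request_id:
        return None, "response does not answer our request"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "IdP did not report success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no assertion"
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_idp:
        return None, "untrusted issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "missing conditions"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        return None, "assertion issued for another service"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside validity window"
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (name_id, None) if name_id else (None, "no subject")
```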
Federated authentication vs. SSO
Federated authentication may sound a lot like single sign-on (SSO), where a set of credentials unlocks access to multiple services without passwords. However, federated authentication and SSO differ significantly in identity management.
Federated authentication and SSO play different roles in facilitating employee access in a work-anywhere office model. Companies can leverage both technologies side-by-side to maximize employee efficiency and IT admin management.
Much like federated authentication, SSO grants authorized users access to services with one set of login credentials based on a user’s identity and permissions. Additionally, SSO providers allow users to access multiple web apps concurrently.
One way to visualize SSO is logging into Gmail and then simultaneously opening YouTube, Google Drive, and Google Photos in new tabs without logging in again.
You're essentially re-authenticated behind the scenes using the same credentials as the initial login. Your identity remains the same across all the apps. SSO is a way for you to carry a login session across multiple services.
Using the same credentials to access all your accounts may seem like a security risk. And it would be if you reused a username and password for every login. However, SSO uses a secure protocol like SAML to authenticate a user securely. This works best when developing an identity and access management strategy with SSO.
When employees use a single password to access all their web apps, SAML identifies credentials to complete their login. This is actually a security boost, as SAML is far more secure than short, simple, reused, and easily-guessed passwords.
Understanding the difference between federated authentication and SSO
How exactly are federated authentication and SSO different?
Both federated authentication and SSO authenticate users with a secure protocol like SAML. And like federated authentication, SSO reduces employee access to one login event, after which they instantly connect to other services without further login prompts.
The access range is the main differentiator between the two. SSO allows a single credential to access different systems within an organization, while federated authentication provides single access to multiple systems across different organizations.
In other words, SSO authorizes a single sign-on to various systems in one organization. Federated authentication enables access to different applications in different companies.
Organizations can also use federated authentication to access a cloud SSO provider and leverage the benefits of both. For example, if a company uses Microsoft ADFS as a federated identity provider, users can authenticate to a cloud SSO service provider with their ADFS credentials.
Once logged in to the cloud SSO provider, the user can launch and instantly access any web app without additional logins. The federated authentication service manages a user's identity to their SSO service provider, and the SSO service provider facilitates the user's access to all other cloud services.
Use cases and benefits of federated authentication
Any efforts to streamline user access in a workplace need to maximize data security and minimize friction. When employees power up their computers or other devices, they want to instantly connect to the data/apps/services they need.
Likewise, IT admins want to provide the workplace with fast and convenient access, but standardization and control are paramount. That's why federated authentication benefits both users and admins.
Federated authentication for users
With federated authentication, users benefit from automation and speed.
Users can share access to systems and resources without extra credentials. As a result, employees spend less time creating and typing credentials, resulting in less frustration throughout the workday.
Employees also experience fewer interruptions from login prompts, which means quicker access to the information needed to complete tasks. This improves communication and enhances productivity.
Employees can also be confident that they follow the company's approved security protocols without getting bogged down in complex rules and tedious security checks. Federated authentication offers more efficient, smoother user access without sacrificing security.
Federated authentication for admins
Federated authentication eliminates redundant data and systems for admins, reduces IT support costs, and boosts information security.
When IT manages user identities in a central user directory, it can use policies and controls to standardize security across the organization.
For example, IT can apply the same access and authentication policies to all users. It can also customize policies based on a user's role, department, location, device, and other granular details.
Federated authentication consolidates access management by tying disparate systems together and giving users a unified identity across those systems. This helps IT develop and maintain a central repository as the "source of truth" for employee access.
Eliminating passwords also reduces an IT team's workload. Provisioning and resetting user accounts is a significant portion of its workload. With fewer passwords to create and manage, federated authentication frees up IT resources for higher-value projects.
Fewer passwords also mean a reduced attack surface and lower risk of breaches. Traditional passwords pose a significant security threat; they're comparatively easy to steal, guess, or crack. Federated authentication helps IT eliminate weaknesses by replacing passwords with secure protocols like SAML.
Stay secure with ease
Federated authentication offers many benefits to users, IT teams, and organizations. It helps organizations reconcile ease of access with security. Implementing federated authentication can be a time and resource investment, but organizations can save time and money in the long run with automated identity management.
Building a solid foundation for federated identity management equips IT teams to meet the demands of an evolving workplace and reduce the risk of breaches.
Manage identity and access on the go
Protect your organization from unauthorized access or misuse with identity and access management software.
Amber Steel is an experienced content marketer for LastPass. For over a decade, she’s been writing/blogging/talking about cybersecurity, password security, and related technologies. In her free time, you can find her reading books, acquiring more books, or trying valiantly to garden.