IAM 101 Series: Federation and Federated SSO
What It Is, Why It’s Important, and How It Enables Our Online Lives
As highlighted in our blog post, IAM 101 Series: Single Sign On (SSO), people all over the world are utilizing digital apps and services to access their jobs, stores, schools, and health services remotely from their homes now more than at any other time in history.
In fact, the Associated Press (AP) reports: “Transaction volumes in most retail sectors have seen a 74% rise in March (2020) compared to the same period last year, while online gaming has seen a staggering increase of 97%, according to analysis by ACI Worldwide of hundreds of millions of transactions from global online retailers.”
Breaking down the rise in retail by sector, the AP article shows the following increases in transaction volumes for March 2020 compared to last year:
- Home products and furnishings: +97%
- Do it Yourself (DIY) products: +136%
- Garden essentials: +163%
- Electronics: +26.6%
- Telco: +18.6%
Sadly, the increase in online transactions brings with it an increase in cybercrime and fraud. Just weeks ago the BBC reported: “Scammers are sending 18 million hoax emails about Covid-19 to Gmail users every day.”
With this explosion in online traffic and cybercrime, organizations and service providers are continuously asking the question: “How do we provide the easy online access our workforce and consumers want and need securely?”
Identity and access management (IAM) and federated single sign on (SSO) are the answer. They are the behind-the-scenes secret sauce that enables secure, easy online access for billions of users and all their connected things around the globe.
So, what is federated SSO, and how does it work? Let’s review the single sign on basics first and go into federation from there.
Single Sign On (SSO) Basics: A Review
In the blog post IAM 101 Series: Single Sign On (SSO), we discuss single sign on in its simplest form within the security perimeter of an organization. In a nutshell, SSO relies on an IAM component called an identity store, which holds each user's identity and credentials (such as a username and password) in one place, while the resources (apps, services, and systems) authenticate users against that store instead of keeping credentials of their own. This one-store-to-many-resources arrangement is what allows internal users to log into multiple resources with one set of credentials; hence, single sign on. Identity stores are part of, and managed by, identity and access management (IAM) systems.
When users such as employees are within an organization's IT security perimeter or firewall, SSO is relatively simple. The resources are internal, they all trust the same identity store, and the user has already been vetted to some degree. Therefore, there is an existing level of trust and security.
But what about when a user or resource is not internal to an organization, such as a third-party dropship partner needing access to an ordering system, or an employee using externally hosted software like Salesforce? How do they gain secure access to those apps and systems?
Enter identity federation and federated SSO.
Identity Federation and Open Standards: The Building Blocks of Federated SSO
For those new to identity and access management and SSO, the word 'federation' means a united, trusted relationship between two or more entities, such as schools, businesses, government agencies, and so on. For example, the United States is a federation of states.
Identity Federation, IAM, and Open Standards are the magic behind the curtain empowering our digital lives.
For purposes of IAM and SSO, a trusted union of entities is called an identity federation. Identity federations use agreed-upon protocols based on open standards that allow the federated organizations' IAM systems to securely talk to one another in order to share data and access to resources across organizational perimeters. These protocols work by having one organization's IAM system (the identity provider) issue a digitally signed, and optionally encrypted, token or assertion about the user, which the other organization's system (the service provider) verifies against the identity provider's known key before granting access. It is the signature, not just the transport encryption, that lets the service provider trust claims it did not produce itself. Commonly used open standard protocols for federation include SAML, OpenID Connect (which is built on OAuth 2.0), and the older WS-Federation and WS-Trust; OAuth 2.0 on its own is a delegated authorization framework rather than an authentication protocol.
Fun fact: ForgeRock’s very own Chief Technology Officer, Eve Maler, is one of the original authors of the SAML and UMA open standards, among others.
Identity federation, IAM, and open standards enable organizations to conduct business securely with third parties, such as partners, and with individuals, such as customers. Each organization can know who is interacting with it and what that party is enabled to do, and can trust that the interaction between them is secure. This is significant because it means that identity federation, IAM, and open standards are the magic behind the curtain empowering our digital lives.
What Is Federated Single Sign On?
Building from the section above, federated single sign on is a capability only made possible by identity federation, IAM, and open standards. Because a service provider can verify assertions issued by an identity provider it has chosen to trust, you can authenticate with one organization to gain access to resources hosted by another organization (or several). This is the basis of federated single sign on. For example, when you log into an app using your social media credentials (called social sign on), it means that the social media organization is acting as the identity provider for the organization offering the app. Additionally, federated SSO allows you to authenticate once and then gain access to multiple resources: the identity provider keeps a session after you log in, so when another federated app redirects you there it can issue a fresh assertion without prompting you for credentials again for as long as that session lasts. This convenience is also why the identity provider's session lifetime and logout behaviour matter for security.
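To make the trust relationship concrete, here is an added illustration (not code from the original post or from ForgeRock) of the exchange described in the two sections above: an identity provider mints a signed token after authenticating the user, and a service provider accepts it only if the signature, issuer, audience, and expiry all check out. The issuer URL, audience URL, user name and shared secret are constructed for the example. To stay standard-library only, the token is a compact JWS signed with HS256 (a shared secret); real federations use asymmetric keys (RS256/ES256 with published JWKS, or XML signatures for SAML), but the checks the service provider performs are the same.

```python
"""Minimal federated-SSO token exchange (added illustration, not production code)."""
import base64
import hashlib
import hmac
import json

# Constructed identifiers and secret for the example (assumptions, not real endpoints).
IDP_ISSUER = "https://idp.example.com"
SP_AUDIENCE = "https://orders.partner.example"
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def idp_issue_token(subject: str, audience: str, secret: bytes, now: int, ttl: int = 300) -> str:
    """Identity provider side: after authenticating `subject`, mint a signed token for `audience`."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def sp_validate_token(token: str, secret: bytes, now: int) -> dict:
    """Service provider side: return the claims only if every federation check passes.

    Raises ValueError with the first failed check, so callers can log why access was denied.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token pick it (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # Only assertions from the federated identity provider are trusted.
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    # A token minted for another service provider must not be accepted here.
    if claims.get("aud") != SP_AUDIENCE:
        raise ValueError("token not intended for this service")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def _reason(token: str, secret: bytes, now: int) -> str:
    try:
        sp_validate_token(token, secret, now)
        return "accepted"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Happy path plus three rejections; returns a summary keyed by scenario."""
    now = 1_700_000_000
    token = idp_issue_token("alice@partner.example", SP_AUDIENCE, SHARED_SECRET, now)
    results = {"accepted_subject": sp_validate_token(token, SHARED_SECRET, now)["sub"]}
    # 1. Tamper with the claims (privilege escalation attempt) without re-signing.
    header_b64, claims_b64, sig_b64 = token.split(".")
    forged_claims = json.loads(_b64url_decode(claims_b64))
    forged_claims["sub"] = "admin"
    forged = header_b64 + "." + _b64url(_json(forged_claims)) + "." + sig_b64
    results["tampered"] = _reason(forged, SHARED_SECRET, now)
    # 2. Replay a valid token that the IdP issued for a different service provider.
    other_sp = idp_issue_token("alice@partner.example", "https://hr.example", SHARED_SECRET, now)
    results["wrong_audience"] = _reason(other_sp, SHARED_SECRET, now)
    # 3. Replay the original token after its lifetime has passed.
    results["expired"] = _reason(token, SHARED_SECRET, now + 301)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so a forged token is rejected before its contents can influence anything, and the audience check is what stops a token legitimately issued for one federated partner from being replayed against another.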
Federated SSO translates into better user experiences because it provides greater accessibility to apps and services without the headache of having to remember multiple usernames and passwords. For organizations, it also means fewer passwords to protect and one place to enforce authentication policy, which is why federated SSO results in better security alongside better engagement and conversion.
Why ForgeRock for Federated SSO and IAM? The Ease and the Results
The ForgeRock Identity Platform is the most extensive IAM platform on the market and offers the very latest federated SSO capabilities, such as passwordless authentication, which allows users to securely authenticate without usernames and passwords (yes, really). A distinguishing feature of the ForgeRock platform is its ability to give organizations the latest IAM and SSO capabilities and enable them to quickly coexist with legacy IAM systems or easily replace them.
With ForgeRock, one of the largest wireless communications providers removed 99% of the friction in their login process and decreased fraud by 25%
For example, one of the world's largest wireless communications services providers, with more than 100 million wireless customers, was using Oracle OpenSSO and required support for open standards such as OAuth, SAML, OIDC, and so on. After careful consideration of many providers, they selected ForgeRock because our platform includes many of the capabilities they sought right out of the box, such as open standards support.
The results that this large communications company realized with ForgeRock are outstanding. In terms of SSO, they removed 99% of the friction in the login process, resulting in superior customer experiences and improved customer trust. They also increased their security by decreasing fraud occurrences by 25%.
The benefits of ForgeRock are wide-ranging. In addition to bridging the gap from legacy SSO systems, the ForgeRock platform also includes integrations from the industry’s largest technology partner network, so you can leverage the latest single sign on practices, as well as easily extend your IAM capabilities to other areas without having to vet numerous vendors or buy multiple point solutions.