1.2.4 Identity Federation

Identity federation is the association of accounts between an identity provider and a service provider. As shown in Figure 1-2, an employee named Steve is known as steve s. at his corporate identity provider. He has an account at a work-related service provider called 401k, which has set up a trust relationship with his company. At 401k, he is known as ssmith_01.

Figure 1-2 Identity Federation

401k, as a service provider, can be configured to trust the authentication from the corporate identity provider. Steve can enable single sign-on and single logout by federating or linking his two accounts.
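The account link described above can be pictured as a small table kept by the service provider. The following is an added example, not code from the original page or from any product: the `ServiceProvider` class, its method names and the issuer URL are hypothetical, and assertion validation (signature, audience, expiry) is assumed to have happened before these methods are called. The link is keyed on the issuer together with the name at the identity provider, so the same name asserted by a different or untrusted provider never resolves to Steve's account.

```python
from dataclasses import dataclass, field

CORP_IDP = "https://idp.corp.example"  # constructed issuer name (assumption)


@dataclass
class ServiceProvider:
    """Hypothetical model of the 401k service provider's federation store."""
    trusted_idps: set
    # (issuer, name at the identity provider) -> local account name
    links: dict = field(default_factory=dict)

    def federate(self, issuer, idp_name, local_account, local_login_ok):
        """Link an IdP identity to a local account after both logins succeed."""
        if issuer not in self.trusted_idps:
            raise PermissionError("no trust relationship with " + issuer)
        if not local_login_ok:
            raise PermissionError("local login required before linking")
        key = (issuer, idp_name)
        if self.links.get(key, local_account) != local_account:
            raise ValueError("identity already linked to another account")
        self.links[key] = local_account

    def single_sign_on(self, issuer, idp_name):
        """Map an already validated assertion to a local account, or None."""
        if issuer not in self.trusted_idps:
            return None
        return self.links.get((issuer, idp_name))

    def defederate(self, issuer, idp_name):
        """Remove the link; later assertions no longer map to an account."""
        return self.links.pop((issuer, idp_name), None)


def demo():
    sp = ServiceProvider(trusted_idps={CORP_IDP})
    sp.federate(CORP_IDP, "steve s.", "ssmith_01", local_login_ok=True)
    return sp


if __name__ == "__main__":
    sp = demo()
    print(sp.single_sign_on(CORP_IDP, "steve s."))
```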

From an administrative perspective, this type of information sharing reduces identity management costs. Multiple organizations do not need to independently collect and maintain identity-related data, such as passwords. From the end user’s perspective, it improves the experience because fewer logins are required.