domain platform Commons: 3/5

Federated Identity Pattern

Also known as: Identity Federation, Federated Authentication

1. Overview

The Federated Identity pattern is a mechanism for delegating authentication from a single application or service to an external, trusted identity provider (IdP). This pattern allows a user to access multiple systems across different trust domains using a single set of credentials. The core idea is to establish a trust relationship between the service provider (the application) and the identity provider. When a user attempts to log in, the application redirects them to the IdP. The IdP authenticates the user and then sends a security token back to the application, which then grants access. This approach is fundamental to implementing Single Sign-On (SSO) capabilities and is a cornerstone of modern, decentralized identity management. Its origins can be traced back to the early 2000s with the development of standards like Security Assertion Markup Language (SAML).

2. Core Principles

The Federated Identity pattern is built on several core principles:

  • Trust: A formal trust relationship must be established between the service provider (SP) and the identity provider (IdP). The SP trusts the IdP to authenticate users on its behalf.
  • Standards-Based: The pattern relies on open standards to ensure interoperability between different systems. The most common standards are SAML, OAuth 2.0, and OpenID Connect (OIDC).
  • Separation of Concerns: The responsibility of authentication is separated from the application’s core logic. The application focuses on authorization and its business functions, while the IdP handles the complexities of user authentication.
  • User-Centric: The user remains in control of their identity and can choose which identity provider to use. This also improves the user experience by reducing the number of credentials they need to manage.

3. Key Practices

In a distributed and heterogeneous IT landscape, users often need to access a multitude of applications and services, each with its own user database and authentication mechanism. This leads to several problems:

  • Credential Fatigue: Users are forced to create and manage a separate set of credentials for each service, leading to a poor user experience and the temptation to reuse weak passwords.
  • Security Risks: The proliferation of credentials increases the attack surface. A security breach in one service can expose credentials that might be reused in others. Managing user lifecycles (onboarding, offboarding, password resets) across multiple systems is also complex and error-prone.
  • Development Overhead: Each application developer has to implement their own authentication logic, which is a complex and critical security function. This duplicates effort and increases the risk of implementation errors.

4. Implementation

The Federated Identity pattern addresses these problems by centralizing authentication with a trusted identity provider. The solution involves the following components:

  • User: The individual who wants to access a service.
  • Service Provider (SP): The application or service that the user wants to access.
  • Identity Provider (IdP): The trusted entity that manages the user’s identity and performs authentication.

The workflow is as follows:

  1. The user attempts to access the Service Provider.
  2. The SP, not having an active session for the user, creates a security token request and redirects the user’s browser to the Identity Provider.
  3. The IdP authenticates the user (e.g., by asking for a username and password).
  4. Upon successful authentication, the IdP generates a security token (e.g., a SAML assertion or an OIDC ID token) and sends it back to the user’s browser.
  5. The browser then forwards this token to the Service Provider.
  6. The SP validates the token, extracts the user’s identity information, and grants access.

This process allows the user to be authenticated once by the IdP and then gain access to multiple SPs without re-entering their credentials.

5. 7 Pillars Assessment

Pillar Score (1-5) Rationale
Purpose 3 Serves a clear technical purpose in system design
Governance 3 Can be governed through standard engineering practices
Culture 3 Supports engineering culture of reliability and quality
Incentives 3 Aligns incentives toward system stability
Knowledge 4 Well-documented pattern with extensive community knowledge
Technology 4 Directly applicable to modern technology stacks
Resilience 4 Contributes to overall system resilience
Overall 3.4 A valuable technical pattern that supports commons infrastructure

Advantages

  • Improved User Experience: Users can access multiple services with a single set of credentials, simplifying the login process.
  • Enhanced Security: Centralized authentication allows for the enforcement of stronger security policies, such as multi-factor authentication (MFA). It also simplifies user lifecycle management.
  • Reduced Development Costs: Application developers no longer need to build and maintain their own authentication systems.

Disadvantages

  • Single Point of Failure: If the identity provider is unavailable, users will not be able to log in to any of the services that rely on it.
  • Dependency on Third Parties: The security and availability of the applications are dependent on the security and availability of the IdP.
  • Complexity: Setting up and managing the trust relationships and integrating with different standards can be complex.

6. When to Use

  • Social Logins: Many websites and applications allow users to log in using their existing accounts from social media platforms like Google, Facebook, or Twitter. In this scenario, the social media platform acts as the identity provider.
  • Enterprise Single Sign-On (SSO): Many organizations use federated identity to provide employees with seamless access to a variety of internal and cloud-based applications (e.g., Microsoft 365, Salesforce, Workday) using their corporate credentials. Microsoft Entra ID (formerly Azure Active Directory) is a prominent example of an enterprise IdP.
  • Academic Federations: In the academic world, federations like InCommon allow students, faculty, and staff to access resources from other institutions using their home university’s credentials.

7. Anti-Patterns & Gotchas

In the age of AI and machine learning, the Federated Identity pattern remains highly relevant and can be extended to new use cases:

  • Securing AI/ML Services: As organizations increasingly rely on AI/ML models and platforms, securing access to these resources is critical. Federated identity can be used to control access to sensitive models, data, and APIs, ensuring that only authorized users and services can interact with them.
  • Federated Learning: While not directly related to identity, the concept of federation is also a key principle in federated learning. In this context, a central server coordinates the training of a global model across multiple decentralized devices or servers holding local data samples, without exchanging the data itself. This approach to distributed machine learning shares the same principles of decentralization and collaboration as the Federated Identity pattern.
  • Personalized User Experiences: By securely sharing user attributes between services, federated identity can enable more personalized and context-aware experiences powered by AI. For example, an e-commerce site could use information from a user’s social profile to provide personalized product recommendations.

8. References

  • Shared Resource: The identity provider itself can be seen as a shared resource, providing authentication services to a community of service providers. Open-source implementations of IdPs further enhance this aspect.
  • Democratic Governance: The standards that underpin federated identity (SAML, OAuth, OIDC) are developed and maintained by open standards bodies like OASIS and the OpenID Foundation, which operate in a democratic and transparent manner.
  • Equitable Access: By simplifying the login process and reducing the need for multiple credentials, federated identity can improve accessibility for all users. It can also enable access to resources for individuals who may not have a formal affiliation with a particular organization.
  • Sustainability: The pattern promotes reusability and reduces the duplication of effort, which contributes to the long-term sustainability of the digital ecosystem.
  • Community Benefit: Federated identity fosters interoperability and collaboration between different organizations and services, creating a more connected and user-friendly digital environment that benefits the entire community.

References

[1] Microsoft. (n.d.). Federated Identity pattern. Azure Architecture Center. Retrieved from https://learn.microsoft.com/en-us/azure/architecture/patterns/federated-identity [2] Okta. (n.d.). What Is Federated Identity?. Retrieved from https://www.okta.com/identity-101/what-is-federated-identity/ [3] Wikipedia. (n.d.). Federated identity. Retrieved from https://en.wikipedia.org/wiki/Federated_identity