Single sign-on is great.
SSO gives users a nice simple and seamless experience with their IT services. Plus it means that users only have to remember one password, which means fewer trips to the IT help-desk to recover it when they have a memory lapse. Only needing to remember a single password makes it viable to make it longer and stronger. This is all good stuff, but it’s not the be all and end all.
Federation is the authentication infrastructure model that makes SSO possible, but its role in an organisation is far more significant than being a means to SSO.
Federation, in short, is the delegation of authentication to a trusted third party - the IDP (identity provider). Each application (the service provider, or relying party) sends the user to the IDP to log in, and the IDP hands back a signed assertion of who the user is - typically a SAML assertion or an OpenID Connect token - which the application trusts instead of checking a password of its own.
Routing the authentication of multiple applications through a single IDP is what makes SSO possible, but it also centralises authentication, and that is the important part. Cloud services are disparate and distant, and without federation each of them holds its own credentials for each of your users. The user owns the relationship with the application, and your IT team and wider organisation have little say in it. That has significant implications for security governance: you are not in control.
Federation, on the other hand, brings control over access and security to a single centralised point, which is under your management.
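The trust relationship just described, as an added example (not code from the original post or from IAM Cloud): the IDP signs a short-lived assertion after authenticating the user, and the application accepts it only if the signature, issuer, audience and expiry all check out. It is simplified so it runs offline: real OpenID Connect ID tokens are normally RS256-signed and verified against the IDP's published keys, whereas here IDP and application share an HMAC secret. The issuer URL, client id and secret are constructed for the demo.

```python
# Added example (not from the original post): a relying party validating an
# identity assertion issued by the organisation's IdP. Simplified: real OIDC
# ID tokens are normally RS256 JWTs verified against the IdP's published JWKS;
# here IdP and RP share an HMAC secret (HS256) so the code runs offline.
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identifiers, assumed for the demo (not taken from the page)
TRUSTED_ISSUER = "https://idp.example.org"
RP_CLIENT_ID = "payroll-app"
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject, audience, secret, issuer=TRUSTED_ISSUER, ttl=300, now=None):
    """IdP side: after authenticating the user, sign a short-lived assertion
    naming who the user is (sub), who issued it (iss) and which app it is for (aud)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def rp_verify_token(token, secret, expected_issuer=TRUSTED_ISSUER, expected_aud=RP_CLIENT_ID, now=None):
    """Application side: trust nothing in the token until the signature and
    every claim check out. Returns (subject, None) or (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except ValueError:
        return None, "malformed"
    # Pin the algorithm: the token must not get to choose (e.g. "none").
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected_sig = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != expected_issuer:
        return None, "untrusted issuer"
    if claims.get("aud") != expected_aud:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims.get("sub"), None


if __name__ == "__main__":
    token = idp_issue_token("alice", RP_CLIENT_ID, SHARED_SECRET)
    print(rp_verify_token(token, SHARED_SECRET))
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so a token that names the right issuer but was not signed by it never gets that far, and the audience check stops an assertion minted for one application being replayed against another.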
Our top 7 reasons why federation is more important than just a means to SSO.
1. Password policies and management
Self-service password reset lets users reset their own passwords, which removes a big burden from your IT help desk. Because every application authenticates against the IDP, a password policy defined there applies everywhere at once: you can enforce a minimum length and complexity, define the conditions under which a reset is and isn't possible, force periodic resets, and dictate what happens when a user enters the wrong password a given number of times (lockout, throttling, or an alert). One caveat on periodic resets: current guidance such as NIST SP 800-63B advises against forcing them on a schedule unless there is evidence of compromise, because they push users towards predictable variations of the same password; length, screening against breached-password lists and MFA do more.
2. Access control
Access management before the cloud was easy: everything ran on-site, and firewalls and other perimeter products decided which sites and services people could reach. The paradigm has changed significantly since then, but federation gives IT teams a way to retain control. Because every login passes through the IDP, organisations can apply conditions there: IP whitelisting, domain-only access, restricting access to particular browsers or operating systems, and scoping all of this to specific applications or groups of users. Treat the browser and operating-system checks as hygiene rather than a security boundary - they rely on the User-Agent string the client sends, which is trivial to spoof; network and group conditions, and MFA, are the controls that hold up against an attacker.
3. Security and MFA
Many cloud applications don't natively support MFA, and even when they do, would you want ten different MFA systems - one per application? It's hard enough keeping on top of passwords in a non-federated environment, let alone MFA as well. Federation routes every application through the same IDP, so a single MFA system enforced there covers any or all of your applications, whether or not they support it natively. As with password management and access controls, MFA can be required globally or only for specified groups of users or applications. One check to make before relying on this: the application must have no login path that bypasses the IDP. A leftover local password, a "break-glass" admin account or an API key that still works without federation is a way around the MFA you have just enforced, so disable local authentication wherever the application allows it.
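Points 2 and 3 together, as an added example that is not from the original post: a small conditional-access evaluator of the kind an IDP runs before it will issue an assertion. It combines a source-network allowlist, a blocked group, and an MFA requirement that is either global or scoped to a group, and it fails closed for an application with no policy. The applications, groups and address ranges are constructed for the demo; the User-Agent condition is deliberately left out for the reason given above.

```python
# Added example (not from the original post): a conditional-access evaluator
# combining network allowlisting, group-based blocking and scoped MFA.
# Policies, groups and networks below are constructed for the demo.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    user: str
    groups: frozenset
    source_ip: str
    app: str
    mfa_done: bool = False      # has the user completed MFA in this session?


@dataclass
class AccessPolicy:
    app: str
    allowed_networks: list = field(default_factory=list)   # CIDRs; empty means any source
    mfa_groups: frozenset = frozenset()                     # groups that must pass MFA; "*" = everyone
    blocked_groups: frozenset = frozenset()                 # e.g. leavers, expired contractors


def evaluate(ctx: LoginContext, policies: list) -> str:
    """Returns 'allow', 'mfa_required' or 'deny:<reason>'.
    Fail closed: an application with no policy gets no assertion."""
    policy = next((p for p in policies if p.app == ctx.app), None)
    if policy is None:
        return "deny:no policy for app"
    if ctx.groups & policy.blocked_groups:
        return "deny:blocked group"
    if policy.allowed_networks:
        ip = ipaddress.ip_address(ctx.source_ip)
        # An address of the other IP version is simply not "in" the network.
        if not any(ip in ipaddress.ip_network(net) for net in policy.allowed_networks):
            return "deny:source network"
    needs_mfa = "*" in policy.mfa_groups or bool(ctx.groups & policy.mfa_groups)
    if needs_mfa and not ctx.mfa_done:
        return "mfa_required"
    return "allow"


# Constructed policies: the HR system is office-network only and MFA for
# everyone; the wiki is reachable from anywhere but admins must use MFA.
POLICIES = [
    AccessPolicy(app="hr-system",
                 allowed_networks=["203.0.113.0/24", "2001:db8::/32"],
                 mfa_groups=frozenset({"*"}),
                 blocked_groups=frozenset({"leavers"})),
    AccessPolicy(app="wiki",
                 mfa_groups=frozenset({"admins"}),
                 blocked_groups=frozenset({"leavers"})),
]


if __name__ == "__main__":
    ctx = LoginContext("alice", frozenset({"staff"}), "203.0.113.10", "hr-system")
    print(evaluate(ctx, POLICIES))
```

Because the decision is made at the IDP, adding an application or a group to a policy changes what every federated login is allowed to do without touching the applications themselves, which is the point of the post.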
4. Account deactivation
Federation enables a one-step deactivation process. When someone leaves your organisation, especially on bad terms, they pose a degree of risk to your security. Secure de-provisioning of accounts is an important IT procedure, and one that standards such as ISO 27001 require. Federation makes the process more effective while lessening the burden on IT: from a single place - your Active Directory, your HR system, or the federation service's own admin interface - a user can be deactivated across a whole range of applications in one step, because an account the IDP will no longer authenticate cannot obtain an assertion for any of them. Two caveats. Sessions and tokens that applications issued before the deactivation stay valid until they expire, so keep those lifetimes short, or use an application-side de-provisioning mechanism (such as SCIM) where the application supports one. And, as with MFA, any local login path that bypasses the IDP is also a path past the deactivation.
5. Logging, auditing, monitoring and alerting
Having the IDP in the middle gives organisations a single place to collect and monitor data about identity and access activity across the organisation: who logged in to what, from where, when, and whether it succeeded. This data can be used for security audits, for service performance monitoring, and for alerting on anomalous user activity. Without federation the same data is scattered across each application's own logs, in different formats and with different retention periods, if it is kept at all.
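Two detections of the kind that become possible once every login produces an event at the IDP, as an added example (not from the original post): a success from an address that has just produced a run of failures across several accounts (a password spray that landed), and any attempt to use an account that has been deactivated. The log lines and their field names are constructed for the demo; a real IDP's audit format will differ.

```python
# Added example (not from the original post): two detections run over
# constructed IdP audit events, one JSON object per line. Field names are
# assumed for the demo and will differ from any real IdP's audit log.
import json
from collections import defaultdict, deque

# Constructed sample: a spray from one address across several accounts that
# eventually lands, plus a login attempt by an account deactivated at the IdP.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "alice", "ip": "203.0.113.5", "result": "failure", "reason": "bad_password"}
{"ts": 1700000030, "user": "alice", "ip": "203.0.113.5", "result": "failure", "reason": "bad_password"}
{"ts": 1700000060, "user": "bob",   "ip": "203.0.113.5", "result": "failure", "reason": "bad_password"}
{"ts": 1700000090, "user": "carol", "ip": "203.0.113.5", "result": "failure", "reason": "bad_password"}
{"ts": 1700000120, "user": "dave",  "ip": "203.0.113.5", "result": "failure", "reason": "bad_password"}
{"ts": 1700000150, "user": "carol", "ip": "203.0.113.5", "result": "success", "reason": null}
{"ts": 1700000200, "user": "erin",  "ip": "198.51.100.7", "result": "failure", "reason": "account_disabled"}
{"ts": 1700000300, "user": "frank", "ip": "192.0.2.9",   "result": "success", "reason": null}
"""


def detect(lines, threshold=5, window=600):
    """Return alerts for (a) a success from an IP that produced at least
    `threshold` failures within `window` seconds and (b) any attempt on a
    disabled account. Events are expected in timestamp order."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, ip = ev["ts"], ev["ip"]
        recent = failures[ip]
        # Drop failures that have fallen out of the sliding window.
        while recent and recent[0] < ts - window:
            recent.popleft()
        if ev["result"] == "failure":
            if ev.get("reason") == "account_disabled":
                alerts.append({"kind": "disabled_account_attempt",
                               "user": ev["user"], "ip": ip, "ts": ts})
            recent.append(ts)
        elif ev["result"] == "success" and len(recent) >= threshold:
            alerts.append({"kind": "spray_then_success", "user": ev["user"],
                           "ip": ip, "ts": ts, "failures": len(recent)})
            recent.clear()   # one alert per run, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The spray detection keys on the source address rather than the account precisely because a spray spreads its failures across many users; per-account lockout counters, which is all an individual application typically has, would never fire on it.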
6. Business insight
Beyond the security value of the activity data mentioned above, the same data provides business insight. A clear picture of how cloud services are being used across your organisation helps with procurement decisions and shows whether further support is needed to drive adoption. It also provides evidence for decisions about security policies.
Federation gives IT teams a unique opportunity to ensure users comply with the organisation's policies, such as password complexity or MFA access for certain applications. However, this can be taken a lot further than the normal features found in identity and access management systems. At IAM Cloud we've built a framework called 'TouchPoint' that allows us (and our partners) to build custom modules into the authentication process. Want to get your users to sign up to a new EULA? Easy, we can force them to the next time they log in. Want your users to update some attributes, like their address information? We have a TouchPoint module that allows your users to self-administer their own attribute information on your request. Want to get your users to pay for a service? How about a TouchPoint payment system? What about getting your managers to approve a holiday for a team member in your HR system? TouchPoint could integrate with Workday business processes to enforce it at login. The possibilities are very nearly endless. But as with all the points above, none of this would be possible without federation.
In short, while most people know federation as the mechanism that creates SSO, it is much, much more important than that.