Image: Subway of Life 8/52 / Dennis Skley

Authentication. Federation. Single Sign On (SSO). I have used these terms many times throughout my writing without ever formally defining what each of them means, even though the three concepts are closely related.


Authentication: the process of an entity (the Principal) proving its identity to another entity (the System).

Single Sign On (SSO): a characteristic of an authentication mechanism whereby the user's identity, once established, is used to provide access across multiple Service Providers.

Federation: common standards and protocols to manage and map user identities between Identity Providers across organizations (and security domains) via trust relationships (usually established via digital signatures, encryption, and PKI).

First, Identity and Access Management (IAM) is the management of identity concerns within an information technology organization. The term IAM can refer to the team or to the responsibilities of the team. Ideally, IAM is a centralized team, but due to history, politics, or organizational structure that isn't always possible. The next best option is to have a central team dedicated to each of the Business-to-Business (B2B), Business-to-Consumer (B2C), and Business-to-Employee (B2E) concerns. All too often, every individual group handles its own IAM responsibilities; this creates additional hurdles to adopting Federation and SSO across an organization. IAM can include authentication of users and systems, authorization of those users and systems, user provisioning, audit of identity systems, user repository management (think LDAP or Active Directory), password policies, and other concerns.


Providing authentication services is a core responsibility of IAM. Authentication is the most generic of the three concepts mentioned in the post title. In an earlier post, I gave the following definition of authentication: authentication is the process of an entity (the Principal) proving its identity to another entity (the System). The Principal could be a computer program (a batch job, for example, running in the background), an end user (a human), a computer system, a piece of hardware, a mobile device, or something more exotic. The System, for our purposes, is any computer system that requires the caller to be identified before access is granted; often this system will run on a server, sometimes on a device (cellphone, desktop, laptop, tablet), and sometimes in a browser. The Principal provides Credentials to the System, which the System must authenticate using some type of identity system (a User Repository, a Federation Server, or another). Credentials are sensitive information that positively identify the client and can come in many forms:

- Userid and password
- Digital signature
- X.509v3 client certificate

For completeness, a User Repository contains information about Users (Principals), their Credentials, Groups, group membership, and other user attributes. An LDAP server or Active Directory is a typical example of a User Repository. More detailed descriptions of these concepts can be found here. I defined Federation Server and Identity Provider in a previous post.


Single Sign On

Single Sign On (SSO) is a characteristic of an authentication mechanism whereby the user's identity, once established, is used to provide access across multiple Service Providers. SSO allows a single authentication process (managed by a single Identity Provider, Directory Server, or other authentication mechanism) to be used across multiple systems (Service Providers) within a single organization or across multiple organizations. That single authentication mechanism could be:

- an LDAP server, Active Directory, database, or similar directory server
- a system that generates a trusted token and passes it around to applications for the purposes of authentication
- sometimes, the term SSO is used to describe signing into applications with a password manager
- before 2005, SSO might have been used to mean a common set of credentials used across multiple systems (probably kept in step by some type of asynchronous password synchronization), but those credentials still had to be provided by the user to log into each separate system; in some contexts, this is probably still the case
- Federation, as described below

Single Sign On (SSO) deals with authentication and with the technical interoperability of the actors involved in providing common login credentials across systems.

A Directory Server-based SSO solution for multiple applications looks something like the following diagram.





Diagram: N SPs trusting a single IdP

Federation

Federated Identity Management is a sub-discipline of IAM, and typically the same team(s) are involved in supporting it. Federation is a type of SSO in which the actors span multiple organizations and security domains.

From the WS-Federation spec (one of numerous SSO protocols that enable federation) we have: "The goal of federation is to allow security principal identities and attributes to be shared across trust boundaries according to established policies." This is a good description of federation in general; it involves having common standards and protocols to manage and map user identities between Identity Providers across organizations (and security domains) via trust relationships (usually established via digital signatures, encryption, and PKI). Federation is the trust relationship that exists between these organizations; it is concerned with where the user's credentials are actually stored and with how trusted third parties can authenticate against those credentials without ever seeing them.

The federation relationship can be accomplished through one of several protocols, including (but not limited to):

- SAML 1.1
- SAML 2.0
- WS-Federation
- OAuth 2.0 (strictly an authorization framework; it carries a verified identity only when combined with a profile such as OpenID Connect)
- OpenID Connect
- WS-Trust
- various proprietary protocols
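The token-based SSO mechanism listed earlier and the federation trust relationship just described share one shape: a single IdP authenticates the Principal against its user repository and issues a signed assertion, and each SP holds nothing but the IdP's public key. The following Go program is an added example, not code from the original post or from any of the protocols named above; the hostnames, the claim layout, the five-minute lifetime, and the use of SHA-256 in place of a real password hash are all assumptions, and real deployments use SAML or OIDC rather than this hand-rolled format. What it shows is the minimum an SP must check before believing an assertion: a signature from a trusted issuer, an audience equal to itself, and an unexpired lifetime.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the claim set an IdP signs after authenticating a Principal (claim names follow JWT).
type Assertion struct {
	Issuer   string   `json:"iss"`    // which IdP vouches for the user
	Subject  string   `json:"sub"`    // the user's identity in the IdP's domain
	Audience string   `json:"aud"`    // the one SP this assertion was issued for
	Groups   []string `json:"groups"` // attributes carried across the trust boundary
	Expires  int64    `json:"exp"`    // unix time
}

// userRecord is what the IdP's user repository stores: a salted digest, never the password.
// sha256 stands in here for a real password hash such as argon2 or bcrypt (assumption for brevity).
type userRecord struct {
	salt, digest []byte
	groups       []string
}

func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// IdP authenticates Principals and issues signed assertions; only its public key leaves it.
type IdP struct {
	Name  string
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	users map[string]userRecord
}
func NewIdP(name string) *IdP {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG fails
	return &IdP{Name: name, priv: priv, Pub: pub, users: map[string]userRecord{}}
}
func (i *IdP) AddUser(userid, password string, groups []string) {
	salt := make([]byte, 16)
	rand.Read(salt)
	i.users[userid] = userRecord{salt: salt, digest: hashPassword(salt, password), groups: groups}
}

// Issue checks the credentials against the user repository and, on success, returns an
// assertion bound to one SP (the audience) and valid for five minutes.
func (i *IdP) Issue(userid, password, audience string, now time.Time) (string, error) {
	rec, ok := i.users[userid]
	if !ok || subtle.ConstantTimeCompare(hashPassword(rec.salt, password), rec.digest) != 1 {
		return "", errors.New("authentication failed")
	}
	payload, _ := json.Marshal(Assertion{Issuer: i.Name, Subject: userid + "@" + i.Name,
		Audience: audience, Groups: rec.groups, Expires: now.Add(5 * time.Minute).Unix()})
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(i.priv, payload)), nil
}

// SP is a Service Provider. It holds no passwords, only the public keys of the IdPs it federates with.
type SP struct {
	Name    string
	trusted map[string]ed25519.PublicKey // issuer name -> verification key
}
func NewSP(name string) *SP { return &SP{Name: name, trusted: map[string]ed25519.PublicKey{}} }

// Trust records the federation relationship (in practice: importing the IdP's metadata or certificate).
func (s *SP) Trust(idp *IdP) { s.trusted[idp.Name] = idp.Pub }

// Verify accepts an assertion only if it is signed by a trusted IdP, addressed to this SP, and unexpired.
func (s *SP) Verify(token string, now time.Time) (*Assertion, error) {
	p, sg, found := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(sg)
	var a Assertion
	if !found || err1 != nil || err2 != nil || json.Unmarshal(payload, &a) != nil {
		return nil, errors.New("malformed token")
	}
	// The unverified "iss" claim only selects which key to try; nothing else is believed before the signature checks out.
	key, ok := s.trusted[a.Issuer]
	switch {
	case !ok:
		return nil, fmt.Errorf("issuer %q is not a federation partner of %s", a.Issuer, s.Name)
	case !ed25519.Verify(key, payload, sig):
		return nil, errors.New("bad signature")
	case a.Audience != s.Name:
		return nil, fmt.Errorf("assertion for %q presented to %q", a.Audience, s.Name)
	case now.Unix() >= a.Expires:
		return nil, errors.New("assertion expired")
	}
	return &a, nil
}
```

Usage: create an IdP, call `AddUser`, have each SP call `Trust(idp)`, then `Issue` once per (user, SP) pair and `Verify` at the SP. The audience check is what stops an assertion minted for one SP from being replayed at another, and the issuer lookup is what makes "who do we federate with" an explicit, auditable list rather than "any valid-looking signature".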

Federation can take many forms. Within an organization (departments, business units) or across several, the patterns could look like:

- N Service Providers (SPs) within an organization trusting a single Identity Provider (IdP); see the diagram in the previous section.
- N SPs across multiple organizations trusting a single third-party IdP