rounakcodes
Authentication, SSO, IAM, Federation

Intro

Once I started implementing an authentication system, I found myself coming back to these terms again and again to separate their individual roles and purpose in the system. This article was created to serve as a quick reference.

Authentication

  • process of the Principal proving its identity to the System
    • Examples of Principal
      • application
      • computer system
      • human
      • hardware, etc
    • System is any computer system that requires identification before allowing access
    • System could be hosted on
      • server
      • device
      • browser, etc

Single Sign On (SSO)

  • characteristic of an authentication mechanism
    • that relates to
    • the user's identity being used to
      • provide access across multiple Service Providers
  • allows a single authentication system to be used across multiple systems
  • The single authentication mechanism could be
    • LDAP or a similar directory server
    • a system generating trusted tokens
    • Federation (see below)

Identity and Access Management (IAM)

  • the management of identity concerns within an information technology organization
  • can include
    • authentication of users and systems
    • authorization of those users and systems
    • user provisioning
    • audit of identity systems
    • user repository management (like LDAP or Active Directory)
    • password policies and other concerns

Federation

  • common standards and protocols
    • to manage and map user identities
    • between Identity Providers
      • across organizations (and security domains)
    • via trust relationships (like digital signatures, encryption, PKI)
  • a sub-discipline of IAM, but typically the same team(s) are involved in supporting it
  • a type of SSO where the actors span multiple organizations and security domains
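
Federation in miniature, as an added example that is not part of the original article: an Identity Provider in one organization signs an assertion, and a Service Provider in another verifies it against its own trust store and maps the external identity to a local account. The issuer URLs, key, account names and function names are constructed for illustration, and HMAC-SHA256 stands in for the digital signature a real federation protocol would use.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store (issuer -> key). Real federation protocols usually
# verify with the IdP's public key; HMAC-SHA256 is a stdlib stand-in here.
TRUSTED_IDPS = {"https://idp.partner.example": b"constructed-demo-key"}
# Constructed mapping: (issuer, external subject) -> local account.
IDENTITY_MAP = {("https://idp.partner.example", "alice@partner.example"): "local-42"}
AUDIENCE = "https://sp.example"  # this Service Provider's own identifier


def _mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_assertion(issuer, key, subject, audience, ttl=300, now=None):
    """Identity Provider side: sign claims about an authenticated Principal."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return (enc(body) + b"." + enc(_mac(key, body))).decode()


def accept_assertion(token, now=None):
    """Service Provider side: return the mapped local account or raise ValueError."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
        issuer = claims["iss"]
        key = TRUSTED_IDPS.get(issuer)
    except (ValueError, TypeError, KeyError, AttributeError) as exc:
        raise ValueError("malformed assertion") from exc
    if key is None:  # trust is decided by our store, never by the token itself
        raise ValueError("issuer not trusted")
    if not hmac.compare_digest(sig, _mac(key, body)):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    local = IDENTITY_MAP.get((issuer, claims.get("sub")))
    if local is None:
        raise ValueError("no local account mapped to this identity")
    return local
```

The Service Provider never sees the user's password: it relies only on the trust relationship with the issuer and on its own identity mapping.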

Reference

For a deep dive into the above (and more): https://medium.com/@robert.broeckelmann

Related

If you found this quick reference article useful, you may also benefit from
