Source:
https://www.techtarget.com/searchsecurity/definition/federated-identity-management


Federated identity management (FIM) is an arrangement between multiple enterprises or domains that lets their users employ the same identification data (a digital identity) to access resources in any of the participating networks. These partners are also known as trust domains. A trust domain can be an organization, a business unit, a smaller subsidiary of a larger organization, etc.

FIM is a system of single login, multiple access. For FIM to work effectively, all involved partners must have a sense of mutual trust. Each trust domain maintains its own identity management. However, the domains are interlinked through an identity service that holds users' credentials, authenticates them, and supplies the trust mechanism FIM relies on. This service is known as the identity provider (IdP) or identity broker; it is usually operated by the user's home domain, though it can also be a third party.

This provider brokers access control among multiple service providers. A FIM arrangement can be made between two or more identity brokers across organizations.

FIM links users' identities across multiple security domains. When two domains are federated, users only need to authenticate themselves to one domain. The second security domain, which is part of the FIM system, trusts that the user's home domain authenticated the user and grants access on the strength of that assertion, without asking for credentials again. That trust is only as good as the checks the second domain performs on the assertion: that it is signed by a partner the domain recognizes, that it was issued for this particular service, and that it has not expired. What the user may then do is still decided by the second domain's own authorization rules.

Examples of FIM systems include OpenID and Open Authorization (OAuth), as well as Shibboleth, which is based on the Organization for the Advancement of Structured Information Standards' (OASIS) Security Assertion Markup Language (SAML).

How does federated identity management work?

It comes down to three elements.

  1. Authorization messages: Partner domains exchange authentication and authorization messages using SAML or a similar Extensible Markup Language (XML) standard.
  2. Websites or networks: Those messages enable users to log on once to access multiple affiliated but separately operated websites or networks.
  3. Software-as-a-service: Users' credentials are provided to and stored with their identity provider, which is their home domain. When logging in to a service such as a software-as-a-service application, they don't have to provide credentials to the service provider. Rather, the service provider trusts the identity provider to validate those credentials and, based on the identity provider's assertion, grants access.
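The exchange behind that third item, reduced to its essentials as an added example (this is not code from the TechTarget page, from Shibboleth, or from any SAML or OpenID implementation). The identity provider authenticates the user by its own means, then issues a signed assertion; the service provider accepts the assertion only if it comes from a federation partner it already trusts, is signed by that partner's key, is addressed to this service provider, is still within its validity window, and has not been presented before. The JSON layout, the Ed25519 signature and the entity IDs (`https://idp.example.edu`, `https://saas.example.com`) are assumptions made to keep the example self-contained; real SAML assertions are XML signed with XML-DSig, and real metadata exchange replaces the hand-built `Trusted` map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)
// Assertion stands in for a SAML assertion or OIDC ID token: the IdP's signed
// statement of who authenticated, for which SP, and for how long it is valid.
type Assertion struct {
	ID       string   `json:"id"`     // unique per assertion; lets the SP reject replays
	Issuer   string   `json:"iss"`    // IdP entity ID (the user's home domain)
	Subject  string   `json:"sub"`    // federated user identifier
	Audience string   `json:"aud"`    // entity ID of the SP this assertion was minted for
	IssuedAt int64    `json:"iat"`    // Unix seconds
	Expires  int64    `json:"exp"`    // Unix seconds
	Groups   []string `json:"groups"` // attributes the SP maps onto its own roles
}

// SignedAssertion is what crosses the trust boundary: payload plus IdP signature over it.
type SignedAssertion struct {
	Payload []byte
	Sig     []byte
}

// IdP holds the signing key; only the public half is ever given to partners.
type IdP struct {
	EntityID string
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
}

func NewIdP(entityID string) (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{EntityID: entityID, Pub: pub, priv: priv}, nil
}

// Issue runs after the IdP has authenticated the user by its own means;
// the user's password never appears in what is sent to the SP.
func (i *IdP) Issue(subject, audience string, groups []string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return SignedAssertion{}, err
	}
	a := Assertion{ID: hex.EncodeToString(id), Issuer: i.EntityID, Subject: subject, Audience: audience,
		IssuedAt: now.Unix(), Expires: now.Add(ttl).Unix(), Groups: groups}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Sig: ed25519.Sign(i.priv, payload)}, nil
}

// SP is the relying party. Trusted maps partner IdP entity IDs to public keys
// exchanged out of band (SAML metadata, for example); that map is the federation.
type SP struct {
	EntityID string
	Trusted  map[string]ed25519.PublicKey
	Clock    func() time.Time // injectable so validity windows can be tested
	seen     map[string]bool  // assertion IDs already consumed
}

// Accept performs the checks a relying party must make before treating the user as
// authenticated. Any failure is a hard reject; authorization is decided afterwards.
func (s *SP) Accept(sa SignedAssertion) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	pub, ok := s.Trusted[a.Issuer] // 1. only federation partners may assert identities to us
	if !ok {
		return nil, errors.New("untrusted issuer: " + a.Issuer)
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Sig) { // 2. under that partner's key, over the exact bytes
		return nil, errors.New("signature verification failed")
	}
	if a.Audience != s.EntityID { // 3. not minted for some other SP in the federation
		return nil, errors.New("audience mismatch: " + a.Audience)
	}
	now := s.Clock().Unix() // 4. inside the validity window (60 s skew allowance)
	if now < a.IssuedAt-60 || now >= a.Expires {
		return nil, errors.New("assertion expired or not yet valid")
	}
	if s.seen == nil {
		s.seen = map[string]bool{}
	}
	if s.seen[a.ID] { // 5. single use: a captured assertion cannot be presented twice
		return nil, errors.New("replayed assertion id " + a.ID)
	}
	s.seen[a.ID] = true
	return &a, nil
}
```

The five checks in `Accept` are the ones that make "the service provider trusts the identity provider" safe in practice; in SAML they correspond to the assertion's Issuer, its XML signature, the AudienceRestriction and NotBefore/NotOnOrAfter conditions, and the service provider's own record of assertion IDs it has already consumed. The `Groups` attribute is returned, not acted on: mapping it to local roles is the service provider's authorization step, separate from accepting the authentication.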