Federated Identity Management
Federated Identity Management for ultimate customer experience
The ultimate dream in customer experience is to let customers access resources and applications seamlessly, without logging in again at every boundary. Federated Identity Management (FIM) brings that dream a step closer.
The core principle of Federated Identity Management
As companies start working in tech ecosystems with other companies, employees of one company will need access to a partner company's applications and systems. That access can be set up in two ways: by issuing the partner's employees their own set of credentials, or by trusting the partner company's own authentication system as an Identity Provider. In the second model, once users have been authenticated by their own company, they can access the services and applications of the other company without having to authenticate again; the second company trusts the first company's statement about who the user is instead of verifying credentials itself.
Why use TrustBuilder for Federated Identity Management?
TrustBuilder as Identity Broker
As a catalyst for building ecosystems and connecting systems that use different standards and protocols, TrustBuilder ID Hub acts as an identity broker, linking any Identity Provider, or a combination of Identity Providers, to any Service Provider. TrustBuilder.io is a managed platform that provides customers with standardized connections to Identity Providers and SaaS applications.
Attribute and context-based policy
TrustBuilder uses its Attribute-based engine and Workflow engine to apply arbitrarily complex policies that select the authentication mechanism and the Identity Provider for a given user and context.
Key components of Federated Identity Management
Three elements establish the trust between different domains or organizations that makes FIM possible: the Identity Provider, the Service Provider, and the assertion exchanged between them.
Identity Provider (IdP)
An Identity Provider is an internal or external service that can vouch for the identity of a user. The IdP typically provides its own authentication service(s). It stores the attributes of an individual that establish that the user is who they claim to be, and it is the IdP's authentication decision that the rest of the federation relies on.
Service Provider (SP)
The Service Provider (SP) is the application that a user wants to access and use. The SP trusts the identity asserted by the IdP and relies on the IdP to supply the identity attributes and access privileges it needs to let the user consume its service.
Assertion
An assertion is the message that is sent from the IdP to the SP. The assertion tells the SP what the user's account name is and carries the other attributes the SP needs to create a session for the user. The assertion format and the protocol for exchanging it are defined by each federation standard (SAML, OIDC, …). Because the SP builds the user's session from the assertion's contents, it must verify the IdP's signature, check that the assertion was issued by a trusted IdP and intended for this SP, and check that it is still within its validity window before it trusts any attribute in it.
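The exchange described above, shown as an added example that is not TrustBuilder's code: the IdP side mints a signed assertion for one account and one audience, and the SP side performs the verification steps before it creates a session. The assertion is a compact JWT (header.payload.signature) signed with HMAC-SHA256 over a shared secret, which stands in here for the asymmetric signing key an IdP publishes in a real SAML or OIDC deployment; the issuer and audience URLs, the key material, the account name and the attributes are all constructed for this example.

```python
"""Federation exchange in miniature: IdP issues, SP validates.

HS256 over a shared secret replaces the IdP's asymmetric signing key so the
example runs offline; the validation steps are the ones an SP performs for
a SAML or OIDC assertion.  All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed values: the IdP's signing secret and the two party identifiers.
IDP_SIGNING_KEY = b"example-idp-signing-key-do-not-reuse"
IDP_ISSUER = "https://idp.partner.example"
SP_AUDIENCE = "https://payroll.sp.example"
CLOCK_SKEW = 60  # seconds of clock drift tolerated between IdP and SP


class InvalidAssertion(Exception):
    """The SP refuses to build a session from this assertion."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()


def idp_issue_assertion(subject: str, attributes: dict, audience: str,
                        now: int, lifetime: int = 300) -> str:
    """IdP side: after authenticating the user, vouch for the account name
    (sub) and the attributes the SP needs, bound to one audience and a
    short validity window."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, **attributes}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_sign(signing_input))


def sp_validate_assertion(token: str, now: int,
                          required_attributes=("email",)) -> dict:
    """SP side: signature first, then issuer, audience, validity window and
    required attributes.  Nothing in the payload is trusted before the
    signature has been checked."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers base64 and JSON decoding errors
        raise InvalidAssertion("malformed assertion") from exc
    # The SP decides which algorithm it accepts; the token does not get to choose.
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected signing algorithm")
    if not hmac.compare_digest(_sign(header_b64 + "." + claims_b64), signature):
        raise InvalidAssertion("signature does not verify")
    if claims.get("iss") != IDP_ISSUER:
        raise InvalidAssertion("issuer is not a trusted IdP")
    if claims.get("aud") != SP_AUDIENCE:
        raise InvalidAssertion("assertion was issued for a different SP")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp + CLOCK_SKEW:
        raise InvalidAssertion("assertion has expired")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        raise InvalidAssertion("assertion issued in the future")
    if not claims.get("sub"):
        raise InvalidAssertion("assertion names no account")
    missing = [a for a in required_attributes if a not in claims]
    if missing:
        raise InvalidAssertion("missing attributes: " + ", ".join(missing))
    # The SP's session is built only from claims that passed every check above.
    return {"account": claims["sub"], **{a: claims[a] for a in required_attributes}}


def demo(now: int = 1_700_000_000) -> dict:
    """Run the exchange once cleanly, then replay three assertions an SP must refuse."""
    attrs = {"email": "jdoe@partner.example", "role": "broker"}
    good = idp_issue_assertion("jdoe", attrs, SP_AUDIENCE, now)
    # Forgery attempt: keep the IdP's signature but escalate the role claim.
    head, body, sig = good.split(".")
    forged_claims = json.loads(_b64url_decode(body))
    forged_claims["role"] = "admin"
    forged = head + "." + _b64url(json.dumps(forged_claims).encode()) + "." + sig
    attempts = {
        "valid": (good, now),
        "wrong_audience": (idp_issue_assertion("jdoe", attrs, "https://other.sp.example", now), now),
        "expired": (good, now + 600),
        "tampered": (forged, now),
    }
    results = {}
    for name, (token, at) in attempts.items():
        try:
            results[name] = sp_validate_assertion(token, at, required_attributes=("email", "role"))
        except InvalidAssertion as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The order of checks is the point: the signature is verified before the issuer, audience or attributes are even read, the SP pins the algorithm it accepts rather than honouring whatever the token claims, and the audience check is what stops an assertion legitimately issued for one partner application from being replayed at another. In a real SAML or OIDC deployment the shared secret becomes the IdP's published public key (fetched from its metadata or JWKS endpoint), but the checks the SP performs stay the same.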
Benefits of Federated Identity Management
FIM was created to make it easier for users to access applications, thus enhancing customer experience. At the same time, FIM also yields business and technical benefits.
Business benefits of FIM
- Customer convenience: a user only needs to remember one username/password to access applications and websites across multiple organizations or domains.
- Customer experience: a customer or a user can navigate from one application to another without having to authenticate for each app.
- Faster onboarding: if a user already has an identity with an IdP, there is no need to fill out some sort of registration form to create an account.
Technical benefits of FIM
- Ease of administration: the SP does not have to administer users. This is a direct cost benefit to their organization.
- Unburdening the helpdesk: users can use the same credentials for a wide range of applications. This lowers the chance of users forgetting their passwords and having to call the helpdesk on Monday morning or after holidays.
- Improved security: when a user is removed (for instance because they leave an employer) from the directory that serves as the Identity Provider for multiple domains and applications, they can no longer obtain a new assertion for any application that relies on that IdP. Sessions and tokens the SPs already issued remain valid until they expire, so SPs should keep session lifetimes short or support logout propagation from the IdP for the removal to take full effect quickly.
How are customers using Federated Identity Management?
Several of our customers have been long-time users of TrustBuilder ID Hub to implement FIM.
European HR services leader SD Worx needs to provide its customers’ employees with seamless access to payroll information and other HR applications. SD Worx uses TrustBuilder ID Hub as an international single authentication platform to let customers start up any SD Worx application.
Insurance company Allianz Benelux works with an extended network of insurance brokers. Employees of the brokers need seamless access to the Allianz insurance applications. This is achieved through FIM using TrustBuilder ID Hub.
A European bank
A large European bank uses Single Sign-on (SSO) for its 40,000 employees, but also gives a number of business and service partners access to both its internal applications and its Software-as-a-Service (SaaS) applications. To enable that, it uses FIM so that those partners can reach the cloud-based SaaS applications with identities from their own organizations.