PingFederate Server

About identity federation and SSO

Federated identity management, or identity federation, allows enterprises to exchange identity information securely across domains, providing browser-based single sign-on (SSO).

Identity federation also integrates access to applications across distinct business units within a single organization. As organizations grow through acquisitions, or when business units maintain separate user repositories and authentication mechanisms across applications, a federated solution to browser-based SSO is desirable.

This cross-domain identity-management solution provides numerous benefits, ranging from increased end-user satisfaction and enhanced customer relations to reduced cost and greater security and accountability.

For complete information about identity federation and the standards that support it, see Supported standards.

Service providers and identity providers

Identity federation standards identify two operational roles in an SSO transaction: the identity provider (IdP) and the service provider (SP).

An IdP might be an enterprise that manages accounts for a large number of users who need secure access to the web-based applications or services of customers, suppliers, and business partners. An SP might be a SaaS provider or a business-process outsourcing (BPO) vendor wanting to simplify client access to its services.

[Figure: Secure single sign-on between the workforce identity provider and the cloud service provider.]

Identity federation allows both types of organizations to define a trust relationship whereby the SP provides access to users from the IdP. The IdP continues to manage its users, and the SP trusts the IdP to authenticate them.

A single instance of PingFederate provides complete support for both roles even when a single organization’s business processes encompass both SP and IdP use cases.

Federation hub

As a federation hub, PingFederate can bridge browser-based SSO between IdPs and SPs, reducing administrative overhead.

Identity federation refers to the negotiation and management of federation settings with partners. Supporting different federation protocols can hinder application development and SSO implementation.

Configuring PingFederate as a federation hub:

  • Allows you to simplify application development and SSO implementation by extending federated access across partners supporting different federation standards

  • Provides a centralized console to simplify SSO administration

Bridging IdPs and SPs through a federation hub allows you to multiplex a single connection for multiple partners.

[Figure: Federation hub diagram.]