What this article covers
What federated identity is
How federated identity works
The benefits of federated identity for users and organizations
Some considerations with federated identity
How identity federation simplifies access across organizations
Today's enterprise users sign in to a wide range of applications and services every day. After signing in to the organization's network, they may sign in to a collaboration platform, an HR system, customer relationship software, an expense tool, and many others. Add in personal accounts and the number of separate logins multiplies quickly. Following good password hygiene would require a separate strong password for each application.
Using a password manager and deploying passwordless authentication and passkeys help, but they are not enough. Forgotten passwords and multi-factor authentication (MFA) issues remain a major source of IT help desk calls, and password reuse across applications is widespread. Federated identity eliminates the need for many of these separate passwords by establishing secure authentication across organizational and domain boundaries without duplicating password credentials.
Federated identity operates on trust relationships between systems
In the federated identity model, organizations establish a trust relationship with an identity provider (IdP), such as Cisco Duo or another enterprise or cloud-based identity platform. The IdP can be an in-house or external service. The IdP creates and manages user credentials and performs user authentication for sign-in attempts.
Service providers (SPs)—the internal or external services that the user wants to access—trust that the IdP has authenticated the user per the established trust relationship. The IdP and SPs communicate using standards-based secure protocols. The user's credentials are federated, enabling identity information to be shared across different platforms instead of each platform storing that information for authentication. Credentials and authentication logic never leave the IdP's control. Cloud identity federation extends these trust relationships to cloud-based services and applications.
For a detailed look at how identity providers and service providers work together, see our guide to identity providers.
How federated identity works
The federated identity model relies on trusted relationships between IdPs and SPs and the use of established protocols for communication. Here is a typical data flow.
The user attempts to access an SP (application or service) with their federated identity.
The SP sends a request to the IdP for federated authentication.
The IdP verifies the user's credentials using strong security processes like MFA and checks their access rights and permissions.
The IdP sends a signed security assertion or token to the SP using a secure protocol such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), or OAuth.
The SP validates the security assertion and grants access to the user.
Alternatively, the login can start with the user signing in to the IdP and selecting the application or service to be accessed. The IdP-to-SP communication then begins with the IdP sending the signed assertion to the SP.
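The flow above, as an added example that is not part of the original article or of Duo's software: a simulated IdP issues a signed assertion (steps 3 and 4) and a service provider validates it before granting access (step 5). Issuer and audience identifiers are assumed, and a shared HMAC key stands in for the IdP's private signing key and published certificate; the checks the SP performs (signature, issuer, audience, validity window, replay, MFA context) are the point.

```python
import hmac, hashlib, json, time, uuid

# Constructed example: a shared HMAC key stands in for the IdP's signing key.
# Real SAML/OIDC assertions are signed with the IdP's private key and verified
# with its published certificate or JWKS; the validation logic is the same.
IDP_SIGNING_KEY = b"constructed-demo-key"
IDP_ISSUER = "https://idp.example.com"           # assumed IdP entity ID
SP_AUDIENCE = "https://expenses.example.org/sp"  # assumed SP entity ID

def idp_issue_assertion(subject, audience, now=None, ttl=300, mfa=True):
    """Steps 3-4: IdP authenticates the user and returns a signed assertion."""
    now = now or int(time.time())
    claims = {"id": str(uuid.uuid4()), "iss": IDP_ISSUER, "sub": subject,
              "aud": audience, "iat": now, "exp": now + ttl,
              "amr": ["pwd", "mfa"] if mfa else ["pwd"]}  # authn methods used
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

class ServiceProvider:
    """Step 5: the SP validates the assertion before granting access."""
    def __init__(self, audience):
        self.audience = audience
        self.seen_ids = set()  # replay cache of accepted assertion IDs

    def validate(self, assertion, now=None):
        now = now or int(time.time())
        # 1. Signature over the exact bytes received: reject anything tampered.
        expected = hmac.new(IDP_SIGNING_KEY, assertion["payload"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        claims = json.loads(assertion["payload"])
        # 2. Only the IdP we federated with may vouch for users.
        if claims.get("iss") != IDP_ISSUER:
            return False, "untrusted issuer"
        # 3. An assertion minted for another SP must not be accepted here.
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        # 4. Validity window, with a small clock-skew allowance.
        if not (claims["iat"] - 60 <= now < claims["exp"]):
            return False, "expired or not yet valid"
        # 5. Replay: each assertion ID is accepted exactly once.
        if claims["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(claims["id"])
        # 6. Local policy: require that the IdP performed MFA.
        if "mfa" not in claims.get("amr", []):
            return False, "mfa not performed"
        return True, claims["sub"]
```

The audience and issuer checks are what keep a trust relationship scoped: an assertion the IdP issued for one SP is rejected by every other SP, which is the misconfiguration class the considerations section below warns about.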
At first glance, federated identity sounds a lot like single sign-on (SSO). The two are closely related, but federated identity extends the concept beyond a single organization, while SSO typically enables one login across applications within an organizational domain. For a deeper comparison of the two models and guidance on which to choose, see our guide to federated identity vs. SSO.
The benefits of federated identity for users and organizations
With federated identity, users can securely access multiple applications and services with a single login. The trust relationship between identity providers and service providers allows users to move across different domains without re-entering credentials. This system offers benefits to both the user and the organization.
Federated identity benefits to users:
Reduced password administration: Federated identity reduces password fatigue and friction, making it easier to follow strong password hygiene. The result is a better overall user experience.
Increased productivity: Without the time spent logging in and dealing with password issues, users can focus on their job responsibilities.
Federated identity benefits to organizations:
Centralized security: Centralized authentication and fewer passwords enable stronger and more consistent access control. Minimizing password exposure reduces overall vulnerability to a breach. The identity provider enforces strong authentication, such as MFA and conditional access, as part of a broader identity and access management program.
Zero trust security: Federated identity supports least-privilege access, continuous verification, and dynamic policy enforcement, which facilitate the implementation of zero trust security models.
Simplified IT: IT teams have better control over user provisioning, maintenance, and deprovisioning. Fewer passwords mean less time dealing with password issues and recovery.
Easier compliance: Centralized authentication control facilitates compliance auditing and reporting.
Reduced cost: Avoiding the work of managing multiple user accounts and credentials, or managing in-house single sign-on (SSO) solutions, can reduce cost. Adding new applications also does not require creating new user accounts.
Some considerations with federated identity
While federated identity can deliver significant benefits to users and organizations, organizations should consider several factors before deploying it.
Risk of misconfiguration: As with any authentication model, rigorous change management and configuration monitoring help prevent trust relationship errors that could expose services to unauthorized access.
Strong security policies: Because the IdP authenticates across all connected services, organizations should adopt, enforce, and monitor strong security policies—including phishing-resistant MFA and continuous monitoring—to protect this critical component.
Administration complexity: The federated identity model requires careful deployment and administration, and is best suited to organizations with mature identity and access management processes. Some legacy systems may not support federated identity protocols.
Single point of failure: The IdP serves as the central authority for authentication. Organizations should establish backup and mitigation policies in case the IdP is unavailable or compromised, since outages or breaches could affect multiple services linked to that IdP.
Duo for federated identity management
Federated identity allows users to access trusted external and internal systems using a single, verified identity, without needing new credentials. A key component is the IdP, which acts as an identity broker, connecting to multiple identity sources and securing access to applications and services. IdPs like Duo support open standards such as SAML and OIDC for enhanced security and centralized visibility.
Whether you need to deploy SSO or federated identity, you can learn more about how Duo can be your primary security-first IdP in our ebook, Restoring Trust in Identity: a guide to Duo's security-first IAM.