Basic Difference Between Single Sign-On and Federation
Single sign-on (SSO) and federation are often confused because they look so similar. To the end user, both systems appear the same: with each, users log in once and get access to multiple resources and applications without having to log in again and again. However, the two concepts work quite differently behind the scenes. Let's explore both in brief.
Single sign-on is a technology that lets users log in to dozens of websites by providing their credentials once.
Suppose there are five websites deployed under an SSO solution. The identity of a user is enrolled in each system (directory), and the user has credentials for each directory behind the SSO. There are several ways for users to access resources. One way is to log in to systems through a gateway in another system. The other way is to create a separate account that ties the gateways together behind the single sign-on solution. That is the basic concept of SSO.
Federation works quite differently. In federated systems, the user is known only to the front-end system. All the other systems have to trust and accept the credentials when they are passed on by any one of the systems. That means that if there are five different websites and a user authenticates on one of them, the remaining four have to trust the first one and grant access without asking for further authentication.
For example, a person might use federated SSO to access a health information chart in a hospital system. The hospital management certainly knows who the patient is and can retrieve the data, although the patient is never enrolled in the hospital management system.
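The trust relationship described above, as an added example that is not part of the original article: site A is the only system that holds the user's credentials, and sites B and C accept its signed assertion after checking signature, issuer, audience and expiry. The site names, keys and the HMAC shared-key scheme are assumptions chosen to stay within the standard library; real federations such as SAML or OpenID Connect use asymmetric signatures.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the article).
ISSUER = "site-a.example"  # the front-end system, the only one that knows the user
TRUST_KEYS = {"site-b.example": b"demo-key-b", "site-c.example": b"demo-key-c"}

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

SITE_A_DIRECTORY = {"alice": _pw_hash("demo-password")}  # user enrolled at site A only

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_assertion(user, password, audience, now=None, ttl=300):
    """Site A authenticates the user locally, then signs a claim for one audience."""
    if not hmac.compare_digest(SITE_A_DIRECTORY.get(user, b""), _pw_hash(password)):
        raise PermissionError("authentication failed at issuer")
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": user, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims).encode()
    sig = hmac.new(TRUST_KEYS[audience], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def accept_assertion(token, site, now=None):
    """A relying site has no user directory; it only validates the issuer's claim."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(TRUST_KEYS[site], body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # tampered, or signed for a different site
        claims = json.loads(body)
    except (ValueError, KeyError):
        return None  # malformed token or a site with no trust relationship
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != site:
        return None  # wrong issuer or replayed at the wrong audience
    if claims.get("exp", 0) <= now:
        return None  # expired assertion
    return claims["sub"]
```

The audience and expiry checks matter as much as the signature: without them, an assertion issued for one site could be replayed at another or reused indefinitely.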
Let's make it clear. Suppose there are three different websites that a user needs to access, and he has created a username and password for each of them. If he is using an SSO solution, he just needs to enter his credentials once to get permission to access all three websites. But in the case of federation, the user needs to enter his username and password every time he wants to enter the websites. He can use the same username and password but, unlike SSO, he never gets automatic login to the websites.
I hope this article makes some sense to you. Drop your comments in the comment box to help make it clearer.