In the world of identity management, we tend to play fast and loose with terminology. When discussing with your team the requirements to implement Single Sign-On (SSO) for a new partner portal, the term often evokes two different concepts: a centralized enterprise login page for some, and a social or third-party Identity Provider login (e.g., "Login with Google") for others.
While they both solve the problem of saving the user from remembering dozens of passwords, SSO and Federated Identity are related but subtly distinct concepts. Confusing these two can lead to some pretty awkward conversations with your security team.
In this article, we are going to break down what makes them different and let you understand the nuances for a better conversation and system design.
The Core Concept of Single Sign-On
At its heart, the goal of Single Sign-On (SSO) is simple: allow a user to authenticate once and gain access to multiple related, yet independent, software applications without being prompted to log in again.
The "magic" usually happens via cookies or tokens. Once you are authenticated with the Identity Provider (IdP), a session is established in your browser. When you navigate to a different application that trusts the same IdP, that application checks with the IdP. Since the IdP sees you already have an active session, it confirms your identity to the application and you are in.
Historically, SSO was often implemented within a single security perimeter, such as a corporate intranet, using one centralized directory or authentication server.
However, what is relevant is that SSO describes a user experience and authentication capability, regardless of its implementation. Users don’t care about the technical implementation of the authentication process. They use one set of credentials to access multiple independent applications.
To learn more about Single Sign-On, you can read The Developer’s Guide to Single Sign-On.
What Is Federated Identity?
Within a single organization, applications typically rely on a single Identity Provider to manage users and allow them to access multiple applications, thus enabling SSO.
But what if you want to grant access to users external to the organization?
Consider the case of a company that wants to grant access to some internal applications to users from a partner company. The company could create an account in its own IdP for those external users, but this would lead to a few problems:
- it forces external users to memorize a new set of credentials,
- the company assumes the responsibility for managing these new users, with all the challenges of aligning with the user lifecycle within the partner company.
This last point is very important: what happens if the external user is disabled in the external organization, for example, if a user leaves the partner company?
This is where the concept of Federated Identity comes in.
Federated Identity is the architectural framework that enables SSO across different security domains or administrative boundaries. It is the mechanism that lets an application establish a technical trust relationship with an external IdP.
The Architecture of Federated Identity
In a federated setup, the IdP and the application live in different organizations or security domains. There are no shared or duplicate users. Instead, there is a pre-established "circle of trust" based on standardized protocols and cryptographic keys.
But how is this trust established? Who is trusting who? Is the application or the internal IdP that trusts the external IdP?
In a Federated Identity architecture, both scenarios are valid, and the choice depends on where you want to handle the complexity of managing trust relationships. You can have two scenarios:
- Application Trusts Multiple IdPs. The application can directly establish trust with multiple Identity Providers (e.g., allowing users to sign in via Google, Facebook, or a corporate Okta instance). In this model, the application maintains configuration for each IdP.
- Identity Brokering. Alternatively, the application can trust a single "Broker" or "Gateway" IdP (often the organization's primary IdP or a service like Auth0). This Broker IdP then establishes trust relationships with external IdPs. The application only manages one connection, while the Broker handles the complexity of federating with various external sources
Protocol Standards and Handshakes
You cannot talk about SSO and Federated Identity without touching on the protocols that make them work. While some proprietary SSO systems exist, most modern implementations rely on standard protocols, which become much more relevant when you are going to implement Federated Identity.
When you implement SSO within an organization, the trust is often implicit. The app and the authentication server are part of the same entity. You can implement a proprietary protocol or use protocols like LDAP or Kerberos, which are tightly integrated with the local network layer or assume one centralized directory.
In Federated Identity, the trust must be explicit and cryptographic. This is where protocols like SAML and OpenID Connect (OIDC) come into play. You establish a "circle of trust" where the IdP provides a public key or a metadata URL, and the application uses that to verify assertions. You don't need to know the user’s password; you just need to trust the digital signature of the IdP.
SAML (Security Assertion Markup Language) is the old guard of federation. It is XML-based and very common in enterprise environments. It is great for passing identity information between a corporate IdP and a SaaS application.
OIDC (OpenID Connect) is the modern JSON-based layer on top of OAuth 2.0. This is what you see most often in "Login with X" scenarios. It is developer friendly, works great with mobile apps, and is the standard for most modern web architecture.
The interesting part is that these protocols can be used to achieve SSO not only in Federation, but even within a single organization. In other words, you can use OIDC to build an SSO experience for your suite of applications within your company. You can also use OIDC to federate identities from an external partner.
Where the Lines Get Blurry
We often use Federation Identity to achieve SSO. This is where the confusion usually starts.
If your company uses Auth0 to log in to Slack, Salesforce, and Jira, that is technically a "Federated SSO" setup. It is “Federated” because your company and Salesforce are different entities using a protocol like SAML to talk. It is “SSO” because the user only logs in once to Auth0 and gets into everything else automatically.
However, you can have SSO without Federation Identity. Think of an old school Kerberos setup on a Windows network. You log in to your workstation, and you are automatically authenticated to the file share and the printer. There is no SAML assertion or OIDC token involved; it is just a shared authentication protocol within a local network.
Conversely, you can have Federation Identity without SSO. Imagine a scenario where you use your GitHub account to sign up for five different developer tools. If each tool requires you to click "Login with GitHub" and re-authorize or re-authenticate every single time you open a new tab, you are using Federated Identity, but the "Single Sign-On" part of the user experience is broken or poorly implemented. However, consider that Federated Identity without SSO could be explicitly implemented for high-security transactions or sensitive resources.
The Challenge of Global Logout
One of the most practical differences for developers is handling logout.
In a single-organization SSO environment, logging out of the central IdP can often clear the sessions for all connected apps. This is because they all share a common session management strategy.
In a Federated world, Global Logout is a headache. If you log out of a SaaS app using your Google identity, you are not necessarily logged out of Google. And you certainly aren't logged out of the other three apps you accessed via Google federation. Each application maintains its own session based on the initial assertion. If you need a "kill switch" that ends all sessions everywhere, Federation makes that much harder than a centralized SSO setup.
Read this article to learn more about the challenges of logging out.
SSO vs. Federated Identity: Key Takeaways
SSO is the experience of not having to log in again. Federated Identity is the architecture that allows an identity to be valid in places it does not live.
While we often use them together, keeping the concepts separate allows you to have clearer conversations with your stakeholders and possibly better systems. The next time you are architecting a new project, don't just ask for SSO. Ask if you are building a centralized identity system or if you are federating with external authorities. Your choice will dictate your protocol (SAML vs OIDC), your security model, and how much "identity debt" you'll have to manage down the road.
About the author
Andrea Chiarelli
Principal Developer Advocate
I have over 20 years of experience as a software engineer and technical author. Throughout my career, I've used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.
In the last few years, I've been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem.