Domain 5 of 8 · Chapter 3 of 6

Federated Identity

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What federation is, and the trust it rests on
  • How a federation trust is established and exercised
  • Deployment models: on-premises, cloud IDaaS, and hybrid
  • Risk: the IdP is a high-value single point of failure
  • Exam-pattern recognition

Federation deployment models: where the IdP lives

AspectOn-premises federationCloud IDaaSHybrid
Where the IdP runsFederation server inside the corporate perimeterProvider-hosted IdP consumed as a serviceCloud IdP synchronized from / fronting an on-prem directory
Authoritative directoryOn-premises and under full org controlIn the provider's tenantOn-premises remains the source of truth
Operational burdenOrg runs and patches the federation infrastructureProvider runs it; org configures trust and policySplit: org runs the directory, provider runs federation
Added third party in the trust chainNone beyond the partner RPThe IDaaS provider must also be trustedThe IDaaS provider, but the directory stays in-house
Best fitStrict data-residency or full-control mandatesSaaS-first organizations with limited identity staffEstablished directory adopting SaaS gradually

Decision tree

Access crosses an organizational boundary? No (one domain) Plain single sign-on (SSO) Yes Can the third-party IdP be trusted and monitored? No Do not federate; use local account Yes Where must the authoritative directory live? Stay fully on-prem (residency) On-premises federation No directory; SaaS-first Cloud IDaaS Keep on-prem source, add SaaS Hybrid federation

Cheat sheet

  • Federation lets an RP accept the authentication a separate organization's IdP performs
  • Identity provider asserts, relying party consumes: the two federation roles
  • Federation is SSO across an organizational boundary; plain SSO stays in one domain
  • The RP must validate the assertion signature against the IdP's pre-registered key
  • Audience restriction stops an assertion for one RP being replayed at another
  • Release only the attributes each RP needs: minimize what the IdP shares
  • On-premises, cloud IDaaS, and hybrid are deployment choices, not different trust models
  • On-premises federation keeps the IdP and directory inside the perimeter
  • Cloud IDaaS outsources the IdP but adds a third party to the trust chain
  • Hybrid keeps the on-prem directory authoritative while a cloud IdP brokers federation
  • Federating concentrates risk in the IdP: its compromise impersonates everyone everywhere
  • The IdP's concentration is also the benefit: one place to deprovision everywhere
  • Protect the IdP signing key in hardware and rotate it
  • A federation contract does not substitute for technically verifying and monitoring the IdP
  • A federated assertion proves earlier authentication, not present authentication
  • NIST SP 800-63C grades assertion protection as a Federation Assurance Level (FAL)
  • Don't federate when there is no boundary or no trustworthy IdP
  • OIDC ID-token validation: verify signature, audience, issuer, and nonce
  • Federated ABAC requires mapping partner attribute schemas to a common meaning

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-63C-4, Digital Identity Guidelines: Federation and Assertions Whitepaper