{"id":59704,"date":"2022-11-09T15:06:10","date_gmt":"2022-11-09T07:06:10","guid":{"rendered":"https:\/\/version-2.com\/?p=59704"},"modified":"2022-12-02T18:13:32","modified_gmt":"2022-12-02T10:13:32","slug":"federated-authentication-vs-delegated-authentication-whats-the-difference","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/11\/federated-authentication-vs-delegated-authentication-whats-the-difference\/","title":{"rendered":"Federated Authentication vs. Delegated Authentication: What\u2019s the Difference?"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The demand for web applications compelled tech vendors to adopt standards that allow authorized users to access resources, across domains, through a single set of credentials. That approach, called federated authentication, has simplified SaaS adoption. However, small and medium-sized enterprises (SMEs) still face barriers when they attempt to extend single sign-on (SSO) to all of their resources. Not every asset is an app, and IT teams struggle to set up access control throughout their entire infrastructure and often turn to complex or siloed systems.<\/p>

Delegated authentication is a simpler approach that addresses the shortcomings of federated authentication by broadening the protocols (and resources) that your identities can interface with. This article explores both types of authentication in more detail and outlines how an open directory adds more value to your existing identity and access management (IAM) investments.<\/p>

What Is Federated Authentication?<\/h2>

One identity should log your users into all of their web apps.<\/p>

Overview<\/h3>

Standards of federated authentication including OAuth<\/a>, OIDC<\/a>, and SAML<\/a> make it possible for one identity provider (IdP) to manage access and authorization<\/a> into many service providers (SP). For instance, that\u2019s what happens when you log into a non-Google service with your Google Workspace credentials. Your credentials don\u2019t pass over the web and the IdP determines whether access is granted. SSO users are managed from a single directory, even if applications have unique entitlements.\u00a0<\/p>

Benefits and Drawbacks<\/h3>

Federated authentication increases productivity, lowers management overhead, simplifies user lifecycle management, and increases security. There\u2019s fewer passwords to manage (assuming passwords are still required) and service providers don\u2019t store credentials. That has the benefit of reducing the risk of identities being compromised from third-party breaches. This form of authentication has given rise to entire ecosystems of cloud-native apps with seamless integrations that wouldn\u2019t have been possible without SSO. Those authentications are protected by other IdP security controls such as multi-factor authentication (MFA). Some IdPs are even adopting more user-friendly and secure passwordless solutions for frictionless access control.\u00a0<\/p>

Entitlement management, through a directory and groups<\/a>, can enforce least privilege computing<\/a> to ensure that users don\u2019t become a risk. For example, JumpCloud automates group memberships by continually auditing attributes. The result is that IT admins remember to remove access when one of your team members changes his\/her role.<\/p>

This approach to identity management is auditable and serves to satisfy cloud compliance requirements<\/a>. Your organization can more easily attest to its compliance by using SSO.<\/p>

Potential Lock-In<\/h4>

The spirit of openness doesn\u2019t always survive a vendor\u2019s stack. Identity providers and service providers can diminish the intention and effectiveness of using open standards by introducing closed practices and roadblocks. IAM lock-in presents itself in the form of vendor-specific considerations such as integrations with proprietary APIs that are roadblocks to accessing data and features. Spending on development projects for APIs creates a higher cost of switching. Other roadblocks include requiring components and licensing to work with other systems.\u00a0<\/p>

For example, Microsoft\u2019s approach to IAM can obligate organizations to adopt its extended stack including Azure Active Directory<\/a> (AAD), licensing Windows Server<\/a>, in addition to either Active Directory Domain Services<\/a> (AD DS), or Active Directory Federation Service<\/a> (AD FS) for users to access web apps. That\u2019s because Active Directory wasn\u2019t intended for the internet. Microsoft embraced open standards, but intertwined its monoculture with the IAM services it introduced.<\/p>

Hidden Costs<\/h4>

Service providers may also upcharge for SSO, a practice that\u2019s dubbed the \u201cSSO Tax<\/a>.\u201d Interoperability is possible, but it comes at a higher cost per user. The SSO tax runs contrary to the spirit of open standards and may even compromise security if the MFA solution that your organization has implemented can\u2019t function environment-wide<\/a>. Some IdPs, such as Microsoft, restrict the number of apps your users can access without incurring additional charges. Always consider hidden costs and how subscriptions change over time before you select an IdP or service provider. A directory that provides true federated authentication should make it possible to assemble the optimal stack of services from the vendors of your choosing, without limits.<\/p>

Accessing Non-Web Apps<\/h4>

SMEs commonly have resources that authenticate using RADIUS<\/a> or LDAP, including VPNs or Wi-Fi networks. Identity and access management (IAM) suites strive to fill in the gaps when interoperability falls short, but not every solution works the same way. Operational overhead can vary dramatically, depending on the use case, and how those solutions are implemented.<\/p>

Typically, this work is prerequisite:<\/p>