Federated Identities and Third Party Identity Services

In many cases, organizations wish to share identity information with other organizations. For example, many websites rely on credentials provided by major technology companies for their authentication, allowing users the convenience of logging in “with Google” or connecting with “your Facebook account.” This approach, where one organization depends on the identity information provided by another organization, is known as federation. In a federated identity system, the organization that provides the accounts is known as the identity provider, while the organization that depends on those identities is known as the service provider.

There are several major approaches to federated identity, using different technologies:

  • The Security Assertion Markup Language (SAML) is an approach in which a user attempting to access a website is redirected to their identity provider for authentication; the identity provider then returns an assertion about the user to the service provider. SAML is widely used by websites.
  • OpenID Connect is an alternative to SAML that works in a similar manner from the end user’s perspective. The major difference between OpenID Connect and SAML is that OpenID Connect includes a process where the user is asked to consent to the sharing of specific attributes before they are provided to the service provider. SAML does not have a similar consent process.
  • Shibboleth is an implementation of SAML that is widely used among educational institutions. Academic resources often integrate with Shibboleth to allow faculty and students to log onto those resources using the identities provided by their home institutions.
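The service-provider side of the flows above, as an added example that is not part of the original text: the identity provider mints a signed ID token (the OpenID Connect form of an assertion) and the service provider accepts the identity only after verifying the signature, issuer, audience, expiry and nonce. The token is signed with HS256 over a constructed shared secret so that the example runs with the standard library; real deployments use the provider's published RSA/EC key (RS256/ES256). The issuer URL and client id are assumed values.

```python
import base64, hashlib, hmac, json

# Constructed shared secret standing in for the trust relationship between the
# identity provider and the service provider (assumption: HS256 instead of the
# RS256/ES256 keys a real OpenID Connect provider publishes via its JWKS URL).
IDP_SECRET = b"constructed-demo-secret"
IDP_ISSUER = "https://idp.example"      # assumed identity provider
SP_CLIENT_ID = "sp-client-123"          # assumed service provider client id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def idp_issue_token(subject: str, nonce: str, now: int) -> str:
    """Identity provider side: mint an ID token for this service provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "aud": SP_CLIENT_ID, "sub": subject,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def sp_validate_token(token: str, expected_nonce: str, now: int) -> dict:
    """Service provider side: trust the identity only after every check passes.
    Returns the claims on success, raises ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm; never let the token choose it (rejects "none"/alg swaps).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != SP_CLIENT_ID:
        raise ValueError("token not issued for this service provider")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The nonce is the value the service provider generated when it redirected the user to the identity provider; binding it to the token is what stops a captured token from being replayed into a different login.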

Federation is a powerful concept that facilitates the interoperability of access control systems, the use of single sign-on, and cooperation between different organizations.

Today, many organizations also choose to adopt third-party identity and access control services that outsource some or all of the access control implementation to cloud service providers. This approach reduces the organization's need to hire identity management specialists and transfers responsibility for maintaining complex technical infrastructure to specialist providers. These providers are known as Identity as a Service (IDaaS) providers.
