Gartner Research

Decision Point for Federated Identity and Cross-Domain Single Sign-On

Published: 14 April 2015

ID: G00270982

Analyst(s): Mary Ruddy

Summary

How should organizations exchange identity and access management information across domains to support real-time sessions or transactions, especially SSO, to meet the increased need for identity federation driven by cloud (SaaS), mobile, social and the API economy?

Table Of Contents

Decision Point Question

Decision Point Overview

  • Business Scenario
  • Architectural Context
  • Related Decisions

Principles, Requirements and Constraints

  • Principles
  • Requirements and Constraints
    • Requirements
    • Constraints

Alternatives

  • User Constituency Groupings
  • IDP Alternatives
    • Organization Is the IDP and Deploys the IDP Software On-Premises
    • Organization Is the IDP and Uses IDaaS
    • Partner Is the IDP
    • (Industry) Federation Hub
    • Social Identity Provider
    • Government IDP
  • RP Application Scope and Grouping
  • Standards Choices
    • SAML
    • Shibboleth
    • WS-Security
    • WS-*
    • OAuth
    • OpenID
    • OpenID Connect
    • Nonstandards Approaches
  • User (Including Devices and Services) Identification Choices
    • Identifying End Users
    • Identifying Devices
    • Identifying Software Services
  • Federation Topology Choices
  • Operational Security Choices
  • Trust Framework Choices

Future Developments

  • Relationship Management
  • Federated Provisioning
  • New Trust Frameworks
  • New Federation Hubs
  • Evolving Standards
  • Evolving Technology Offerings

Decision Tool

  • Who Are Your User Constituencies?
  • What Organization Should Be the IDP?
    • Organization Controls Existing User Store?
    • Assurance Level?
    • Existing Identity Hub?
    • Partner Needs to Run IDP?
    • IDP in Cloud?
    • Social Identity IDP
    • Industry Hub IDP
    • Government IDP
    • Use Partner's IDP
    • Define Trust Framework
    • IDaaS IDP
    • Run Own IDP
  • What RPs Should Be Included?
  • What Federation Standards and Integration Approaches Should Be Used?
    • RP Uses Federation Standards?
    • RP Is Mobile or RESTful App?
    • Already Using SAML?
    • Higher Education?
    • RP Supports API?
    • Use SAML and OAuth/OpenID Connect With an STS to Transform Tokens
    • OAuth/OpenID Connect
    • SAML 2.0
    • Shibboleth
    • Custom Connector
    • Password Vaulting
  • How Should Users (Including Devices and Services) Be Identified?
    • Identifying Individuals
    • Identifying Software Services or Devices
  • Should Federations Employ a Point-to-Point, Hub or Networked Topology?
  • What Are the Operational Security Considerations?
    • Assertion-Based Authentication Assurance
    • Secure Communications
  • What Trust Framework Should Be Used?
    • Leverage Existing Agreements or Trust Frameworks

Decision Justification

Recommended Reading

©2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.