Federation, SSO, SAML, OIDC, and OAuth

Key Takeaways

  • Federation lets one organization or identity provider assert identity information to another service.
  • SSO improves usability but increases the importance of MFA, conditional access, and identity provider resilience.
  • SAML is commonly used for browser-based enterprise SSO with XML assertions.
  • OIDC adds an identity layer on top of OAuth 2.0 and commonly uses ID tokens.
  • OAuth is for delegated authorization, not proof by itself that a user authenticated to an application.
Last updated: April 2026

Federation allows a service provider to trust identity information from an identity provider. In a typical enterprise SSO flow, the user authenticates to the identity provider, and the identity provider sends a signed statement or token to the application.

Vocabulary

Term                              | Plain-language meaning
----------------------------------+--------------------------------------------------------------------
Identity provider                 | System that authenticates the user and issues identity data
Service provider or relying party | Application that trusts the identity provider
Federation                        | Trust relationship between identity domains
SSO                               | One authentication experience used to access multiple applications
Assertion or token                | Signed data used to communicate identity or authorization details

SAML, OIDC, and OAuth

Protocol  | Common use                           | Exam clue
----------+--------------------------------------+----------------------------------------------------
SAML      | Enterprise web SSO                   | XML assertion, service provider, identity provider
OIDC      | Authentication layer for modern apps | ID token, user identity, built on OAuth 2.0
OAuth 2.0 | Delegated authorization              | Access token, scopes, consent, API access

OAuth is a common trap. OAuth can let a calendar app read a user's calendar through an access token with a defined scope. That does not mean OAuth alone is an authentication protocol. OIDC uses OAuth 2.0 flows and adds identity information for authentication.

Scenario: SaaS SSO

A company uses a cloud identity provider for SSO into a project management SaaS application. The identity provider requires MFA when the user is off the corporate network. The SaaS app trusts signed SAML assertions from the identity provider and maps the "Project-Managers" group to a project administrator role.

Simplified sign-in event chain:

2026-04-29T18:22:10Z idp event=auth user=lsantos mfa=success method=push risk=medium source_ip=198.51.100.24
2026-04-29T18:22:12Z idp event=saml_assertion app=project-saas user=lsantos groups=Project-Managers assertion_id=A-7719 result=issued
2026-04-29T18:22:13Z app event=sso_login user=lsantos mapped_role=project_admin result=success

This log chain shows authentication at the identity provider and authorization mapping at the application.

Token and Trust Risks

Federation reduces password sprawl, but it concentrates risk at the identity provider. If an attacker steals a session token, abuses consent, changes a signing certificate, or bypasses MFA, many applications may be affected.

Important controls include MFA, conditional access, certificate rotation, token lifetime controls, app consent governance, just-in-time provisioning, and monitoring for impossible travel, unusual app consent, and suspicious token use.
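As an added example (not part of the original page), the following Python script audits a log chain in the scenario's key=value format for three of the monitoring gaps listed above: an assertion issued without a recent identity provider authentication, an application login with no matching assertion, and a mapped role that the user's groups do not justify. The group-to-role policy, the five-minute window, and the extra log lines for users mchen and kpatel are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in the scenario's key=value layout (not real logs).
# Lines 1-3 reproduce the healthy chain; lines 4-6 show an Engineering-group user
# being mapped to project_admin; line 7 is an app login with no IdP assertion.
SAMPLE_LOG = """\
2026-04-29T18:22:10Z idp event=auth user=lsantos mfa=success method=push risk=medium source_ip=198.51.100.24
2026-04-29T18:22:12Z idp event=saml_assertion app=project-saas user=lsantos groups=Project-Managers assertion_id=A-7719 result=issued
2026-04-29T18:22:13Z app event=sso_login user=lsantos mapped_role=project_admin result=success
2026-04-29T18:40:01Z idp event=auth user=mchen mfa=success method=push risk=low source_ip=198.51.100.30
2026-04-29T18:40:02Z idp event=saml_assertion app=project-saas user=mchen groups=Engineering assertion_id=A-7731 result=issued
2026-04-29T18:40:03Z app event=sso_login user=mchen mapped_role=project_admin result=success
2026-04-29T18:55:40Z app event=sso_login user=kpatel mapped_role=project_admin result=success
"""

# Hypothetical policy: which IdP group justifies which application role.
ROLE_FOR_GROUP = {"Project-Managers": "project_admin"}
# Assumed window within which an assertion must follow an IdP authentication.
AUTH_WINDOW = timedelta(minutes=5)

def parse_event(line):
    """Split '<timestamp> <source> k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields

def audit_sso_chain(log_text):
    """Return (identifier, finding) tuples for chains that break auth -> assertion -> login."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    for e in events:
        if e["event"] == "saml_assertion" and e.get("result") == "issued":
            auths = [a for a in events if a["event"] == "auth" and a["user"] == e["user"]
                     and e["ts"] - AUTH_WINDOW <= a["ts"] <= e["ts"]]
            if not auths:
                findings.append((e["assertion_id"], "assertion issued without a recent IdP authentication"))
        elif e["event"] == "sso_login" and e.get("result") == "success":
            assertion = next((a for a in reversed(events) if a["event"] == "saml_assertion"
                              and a["user"] == e["user"] and a["ts"] <= e["ts"]), None)
            if assertion is None:
                findings.append((e["user"], "application login with no matching IdP assertion"))
            else:
                allowed = {ROLE_FOR_GROUP.get(g) for g in assertion["groups"].split(",")}
                if e["mapped_role"] not in allowed:
                    findings.append((assertion["assertion_id"], f"role {e['mapped_role']} not justified by groups {assertion['groups']}"))
    return findings
```

Running audit_sso_chain(SAMPLE_LOG) on the constructed log returns two findings: assertion A-7731 mapped to a role its groups do not justify, and an application login for kpatel with no IdP assertion behind it.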

Common Traps

  • Calling OAuth an authentication protocol without OIDC.
  • Assuming SSO automatically means least privilege.
  • Ignoring role mapping inside the service provider.
  • Failing to revoke active sessions after disabling an account.
  • Trusting unsigned or improperly validated tokens.

Exam Focus

If the question asks about single sign-on to a SaaS app, SAML or OIDC are likely candidates. If it asks about a third-party application getting limited API access without sharing the user's password, OAuth delegated authorization is likely the answer. If it asks how to reduce risk from SSO, look for MFA, conditional access, token controls, and monitoring.

Test Your Knowledge

A web application needs to authenticate users through a modern identity provider and receive an ID token. Which protocol is the best fit?

A third-party reporting tool needs permission to read a user account through an API without receiving the user password. Which concept is most relevant?

What is a key operational risk of SSO?
