Federation
Federation is the practice of delegating authentication, and often the identity attributes that drive authorization, to a trusted external identity provider (IdP) instead of managing credentials locally. Users access many applications with one set of credentials verified by that single authority; each application (the relying party) accepts a signed assertion or token from the IdP in place of a local login.
# WHAT TEAMS RUN INTO
- Auditing becomes fragmented. The IdP logs the authentication event; each application logs what the user did afterwards. Reconstructing one user's actions across systems means correlating logs that share no common identifiers or formats.
- Deprovisioning at the IdP doesn't instantly block access everywhere. Legacy apps never check for revocation, and tokens or sessions already issued remain valid until they expire, which for long-lived tokens can be hours after the user is terminated.
- Trust boundaries get blurry. Applications become passive: they accept whatever the IdP asserts without validating that the assertion is meant for them, is still fresh, or reflects current policy.
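The last two points are what a relying party can actually fix on its own side. The following is an added example, not code from the original page: a stand-alone token validator that pins the signing algorithm, checks signature, issuer, audience and expiry, enforces a local maximum token age so an IdP's long-lived tokens don't buy hours of post-termination access, and consults a deprovisioned-subject list on every request. The HMAC key, issuer URL, audience name and 15-minute limit are constructed for the demo; a real IdP signs with an asymmetric key whose public half you fetch from its JWKS endpoint, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC key stands in for the IdP's
# signing key so everything runs offline. Real federation uses RS256/ES256
# with the IdP's public key; only the signature step below would change.
IDP_KEY = b"demo-idp-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"  # assumed IdP issuer URL
EXPECTED_AUDIENCE = "payroll-app"            # assumed relying-party identifier
MAX_TOKEN_AGE = 900  # seconds; local cap regardless of the IdP's exp


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Simulate the IdP issuing an HS256 JWT (stand-in for a real IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenRejected(Exception):
    pass


def validate_token(token: str, revoked_subjects: set, now: float = None,
                   key: bytes = IDP_KEY) -> dict:
    """Checks a relying party should run on every request, not just at login."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (
            isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise TokenRejected("wrong audience")
    for required in ("iat", "exp", "sub"):
        if required not in claims:
            raise TokenRejected(f"missing {required}")
    if now >= claims["exp"]:
        raise TokenRejected("expired")
    # Local lifetime cap: an IdP that issues 8-hour tokens must not give a
    # terminated user 8 hours of access to this application.
    if now - claims["iat"] > MAX_TOKEN_AGE:
        raise TokenRejected("token older than local max age")
    # Revocation: the deprovisioned-subject list is consulted per request.
    if claims["sub"] in revoked_subjects:
        raise TokenRejected("subject deprovisioned")
    return claims


def rejection_reason(token: str, revoked_subjects: set, now: float) -> str:
    """Return why a token was rejected, or None if it validated."""
    try:
        validate_token(token, revoked_subjects, now)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice"}
    fresh = mint_token({**base, "iat": now - 60, "exp": now + 3600})
    stale = mint_token({**base, "iat": now - 3600, "exp": now + 3600})
    print("fresh:", rejection_reason(fresh, set(), now))
    print("stale:", rejection_reason(stale, set(), now))
    print("revoked:", rejection_reason(fresh, {"alice"}, now))
```

In production the revoked-subject set would be fed by the IdP's deprovisioning events (SCIM, a back-channel logout hook, or a periodic pull); the point is that the application stops being a passive consumer of assertions and re-evaluates issuer, audience, freshness and revocation itself.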
# WHY IT MATTERS
Federation buys operational simplicity at the cost of architectural risk. When you federate, you are betting your access control on the integrity of a remote system. Every federated application depends on that IdP's availability, security, and trustworthiness, and a single compromised IdP can mint valid assertions for every application that trusts it.