Single Sign-On

The identity of a principal is stored in the Identity Provider (IdP), trusted by service providers (SP) which conversely rely on the identity information from the IdP as they may not manage or maintain a directory of identities.

IdP-initiated SSO refers to the scenario that the subject is authenticated by the IdP first, then gets access to the resources on the service providers.

SP-initiated SSO refers to the scenario that an unauthenticated principal requests the resources on the service providers and is redirected to the IdP for authentication.

A subject authenticated by the IdP can roam among the SPs.

Federated Identity

The system entities engaged in a federation manage their own directory. The identity information is mapped (not synchronized or replicated) across the directories in the federation.

A subject authenticated by any of the system entities can roam in the federation.