Single Sign-On
The identity of a principal is stored in the Identity Provider (IdP), trusted by service providers (SP) which conversely rely on the identity information from the IdP as they may not manage or maintain a directory of identities.
IdP-initiated SSO refers to the scenario that the subject is authenticated by the IdP first, then gets access to the resources on the service providers.
SP-initiated SSO refers to the scenario that an unauthenticated principal requests the resources on the service providers and is redirected to the IdP for authentication.
A subject authenticated by the IdP can roam among the SPs.
Federated Identity
The system entities engaged in a federation manage their own directory. The identity information is mapped (not synchronized or replicated) across the directories in the federation.
A subject authenticated by any of the system entities can roam in the federation.