02.05 · SSO across organizational boundaries

Federated Identity

SSO works when one organization runs both the IdP and the SPs. Federation is what happens when they don't. The trust relationship between two organizations — and the math that keeps it from being forged — is the whole story.

Federation in one sentence

SSO within one organization, extended across organizational boundaries by way of a standing trust relationship between two parties. Northgate runs an IdP. Brightspace runs an SP. Northgate and Brightspace pre-agreed on a public key and metadata, so when a Northgate user shows up at Brightspace, Brightspace accepts Northgate's signed claim "this is alex" without ever talking to Northgate's user database.

The same pattern lets you "Sign in with Google" at a third-party site. Google is the IdP. The site is the RP (Relying Party — OIDC's word for SP). Google has previously registered the site and issued it a client ID, and the site has pre-configured Google's public keys. The plumbing is identical to enterprise SSO; only the parties differ.

SAML vs OIDC — the two protocols you will actually meet

Federation is implemented by two main standards. They solve the same problem with very different tools.

Protocol A

SAML 2.0

OASIS standard, ratified 2005. XML-based.

The enterprise default for two decades. Big, ceremonious, designed in an era when XML was thought to be the future of everything. The assertion is an XML document, signed with XML-DSig.

<saml:Assertion> <saml:Issuer>sso.northgate.edu</saml:Issuer> <saml:Subject> <saml:NameID>alex@northgate.edu</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="..." NotOnOrAfter="..."> <saml:AudienceRestriction> <saml:Audience>brightspace.northgate.edu</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> ...signature... </saml:Assertion>
✓ Mature, ubiquitous in enterprise (Workday, Salesforce, Brightspace, ...)
! Verbose XML; XML signature wrapping attacks are a recurring CVE class; awful for mobile/SPA apps
Protocol B

OpenID Connect (OIDC)

OpenID Foundation, finalized 2014. JSON-based. Layered on OAuth 2.0.

The modern default for consumer "Sign in with Google/Apple/Microsoft." Compact, JSON-based, friendly to JavaScript and mobile. The assertion is a JWT.

{ "iss": "https://accounts.google.com", "sub": "12345678901234567890", "aud": "my-app-client-id.apps.googleusercontent.com", "exp": 1730000000, "iat": 1729996400, "email": "alex@northgate.edu", "email_verified": true, "name": "Alex Johnson" }
✓ Compact JSON; native fit for mobile and SPAs; built on OAuth 2.0
! Inherits OAuth's complexity (grant types, scopes, redirect_uri pitfalls)

Practical rule: if it's enterprise software older than ~2018, it's SAML. If it's consumer or modern SaaS, it's OIDC. Most large IdPs (Okta, Microsoft Entra, Google) speak both.

The trust relationship — what's actually pre-arranged

Federation only works because each pair of (IdP, SP) has done paperwork in advance. The browser doesn't bring strangers together; it carries messages between parties that already know each other.

What gets exchanged at federation setup time

item 1The IdP's public signing key. The SP will verify every assertion against this. If the key changes, federation breaks until it's rotated.
item 2The SP's ACS URL (Assertion Consumer Service) — the exact URL the IdP should send signed assertions to. Anything else, the IdP refuses.
item 3The SP's entity ID (SAML) or client ID (OIDC) — a stable identifier the IdP includes in the assertion's audience field.
item 4An attribute mapping. The IdP knows the user as uid=alex,ou=Faculty; the SP wants email and full_name. The two sides agree on how to translate.
item 5In SAML: an SP metadata XML file shared with the IdP. In OIDC: a client registration at the IdP (manual or via dynamic registration).

Most federation outages and most federation breaches come from these five items being wrong, expired, leaked, or never reviewed. The XML or JSON looks unchanging; the trust assumptions inside it absolutely are not.

SP-initiated vs IdP-initiated flows

StyleWhere the user startsWhat happensNotes
SP-initiatedAt the SP (e.g. brightspace.northgate.edu)SP redirects user to IdP with a request, user authenticates, IdP returns the user to the SP with an assertion.The normal path. Both SAML and OIDC support it.
IdP-initiatedAt the IdP's portal (a tile gallery of available apps)IdP generates an unsolicited assertion and POSTs it to the SP's ACS.SAML-only. Discouraged because there is no request the assertion is answering — some CSRF-like attacks become possible.

"Sign in with Google" — what's really happening

You click the button. In the next ~2 seconds:

  • The site (the OIDC relying party) redirects your browser to accounts.google.com with parameters: client_id, redirect_uri, scope=openid email profile, state, nonce, response_type=code.
  • Google checks: is this client_id pre-registered? Is this redirect_uri on the allowed list for it? If yes, prompts you to log in (or recognizes your active Google session).
  • You consent: "Allow My-App to see your email and name?" (only on first use, usually).
  • Google redirects you back to the site's redirect_uri with a short-lived code parameter.
  • The site exchanges that code at Google's token endpoint (server-to-server, with the site's secret) for an ID Token (a JWT identifying you) and an access token.
  • The site verifies the ID Token's signature against Google's published JWKS, checks iss/aud/exp/nonce, and creates its own session for you.

The "complicated" part — the code-for-token exchange — is OAuth 2.0's Authorization Code grant. OIDC layers identity claims on top of it. See the OAuth page for what each grant type does and when to pick it; see the JWT page for what's inside the ID Token.

The attack surface every federation has

  • Stolen IdP signing key. The Golden SAML attack: compromise the on-prem ADFS signing key, then mint tokens as anyone, forever. Used in the SolarWinds incident (2020). Mitigation: rotate keys regularly, keep them in HSMs, monitor for unexpected token issuance.
  • SAML XML signature wrapping (XSW). The assertion is signed, but XML parsers and signature verifiers disagree on what they're looking at. Attacker wraps a forged assertion around a real signature. Recurring CVE class — libraries are still getting it wrong.
  • OIDC misconfigured redirect_uri. Open redirects + wildcard redirect_uri allowlists let attackers steal tokens during the OIDC flow. See the OAuth page.
  • JWT validation bugs. The relying party accepts alg: none, fails to verify the signature, doesn't check audience or expiry, or accepts any algorithm including ones the IdP doesn't use. The next page (JWT) and the lab are about exactly this.
  • Account takeover at the IdP cascades everywhere. Phishable MFA on a Google account that's used for "Sign in with Google" everywhere takes every downstream account with it. Same lesson as enterprise SSO, with a broader blast radius.
  • Stale federations. Companies merge, split, get acquired. SP entries at the IdP outlive the relationships they document. Aging federation metadata is a real risk class.