Federation Concepts
Federation is a concept in identity management that enables users from one organization (or identity domain) to access resources in another organization without needing separate credentials. It establishes a trust relationship between two or more domains, allowing seamless and secure authentication across organizational boundaries.
At its core, federation relies on a trust relationship between an Identity Provider (IdP) and a Service Provider (SP). The Identity Provider is responsible for authenticating the user and issuing security tokens that contain claims about the user's identity and attributes. The Service Provider trusts the Identity Provider and grants access based on the tokens it receives.
Here's how federation typically works:
1. A user attempts to access a resource at the Service Provider.
2. The Service Provider redirects the user to their Identity Provider for authentication.
3. The Identity Provider authenticates the user (using credentials stored in their home domain).
4. Upon successful authentication, the IdP issues a security token containing claims (such as username, email, roles, or group memberships).
5. The token is sent to the Service Provider, which validates it and grants appropriate access based on the claims.
Federation uses standard protocols such as SAML (Security Assertion Markup Language), WS-Federation, and OpenID Connect to facilitate this process. These protocols ensure interoperability between different systems and platforms.
A common real-world example is when an organization uses Azure Active Directory (now Microsoft Entra ID) as their IdP and federates with cloud applications like Microsoft 365, Salesforce, or other SaaS providers. Users sign in once with their organizational credentials and gain access to multiple federated services without re-entering passwords.
Key benefits of federation include:
- **Single Sign-On (SSO):** Users authenticate once and access multiple services.
- **Reduced credential management:** No need for separate accounts across systems.
- **Enhanced security:** Centralized authentication and policy enforcement.
- **Improved user experience:** Seamless access across organizational boundaries.
Federation is fundamental to modern cloud-based identity management and Zero Trust security architectures.
Federation Concepts: A Complete Guide for SC-900
Why Federation Concepts Are Important
Federation is a foundational concept in modern identity and access management. As organizations increasingly collaborate with external partners, use cloud services, and operate across multiple domains, the need to establish trust relationships between different identity systems becomes critical. Understanding federation is essential for the SC-900 exam because it underpins how Microsoft Entra ID (formerly Azure AD), Microsoft 365, and other cloud services enable seamless and secure access across organizational boundaries.
Without federation, users would need separate credentials for every system they access, leading to password fatigue, security vulnerabilities, and poor user experiences. Federation solves this by allowing organizations to trust each other's identity systems.
What Is Federation?
Federation is a collection of domains that have established trust between them. The level of trust may vary, but typically it includes authentication and almost always includes authorization. Federation allows users authenticated by one organization (the identity provider) to access resources in another organization (the service provider) without needing a separate set of credentials.
Key components of federation include:
• Identity Provider (IdP): The system that creates, maintains, and manages identity information and provides authentication services. For example, Microsoft Entra ID can act as an IdP.
• Service Provider (SP): The system that provides resources or services and relies on the IdP to authenticate users. For example, a SaaS application like Salesforce can act as an SP.
• Trust Relationship: A configured agreement between the IdP and SP that defines how identity information is shared. This trust is typically established through the exchange of certificates and metadata.
• Security Tokens: Federation relies on security tokens (such as SAML tokens, OAuth tokens, or WS-Federation tokens) that contain claims about the user. These tokens are digitally signed to ensure integrity and authenticity.
• Claims: Pieces of information about the user (such as name, email, role, or group membership) that are included in the security token and passed from the IdP to the SP.
How Federation Works
Here is a typical federation flow:
1. A user attempts to access a resource at the service provider (e.g., a partner organization's web application).
2. The service provider recognizes that the user needs to be authenticated and redirects the user to their home identity provider (the organization that manages the user's identity).
3. The user authenticates with their home identity provider using their regular credentials (username, password, MFA, etc.).
4. Upon successful authentication, the identity provider generates a security token containing claims about the user.
5. The security token is sent back to the service provider (either directly or via the user's browser).
6. The service provider validates the token (checks the digital signature, ensures it comes from a trusted IdP, verifies it has not expired).
7. Based on the claims in the token, the service provider grants the user appropriate access to the requested resources.
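The seven-step flow above, worked as an added example that is not part of the SC-900 material: a minimal IdP that issues a signed token carrying claims (step 4), and an SP that checks signature, trusted issuer, audience and expiry (step 6) before authorizing from the claims alone (step 7). The issuer URL, SP audience, user and group names are constructed, and a shared HMAC key stands in for the IdP's signing certificate because the Python standard library has no RSA signer.

```python
import base64, hashlib, hmac, json

# Constructed trust store for the SP: the product of the certificate/metadata exchange.
# A shared HMAC key stands in for the IdP's signing certificate (the standard library
# has no RSA signer); the SP-side checks are the same ones a SAML or OIDC SP performs.
TRUSTED_IDPS = {"https://idp.contoso.example": b"constructed-contoso-signing-key"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer, key, subject, audience, claims, now, lifetime=300):
    """IdP side (step 4): bind the claims to issuer, audience and lifetime, then sign."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                                 "iat": now, "exp": now + lifetime, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(token, audience, now, trusted=TRUSTED_IDPS):
    """SP side (step 6): returns (claims, "ok") or (None, reason), checks in this order."""
    try:
        header, payload_b64, sig_b64 = token.split(".")
        payload, sig = json.loads(unb64url(payload_b64)), unb64url(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None, "malformed token"
    if not isinstance(payload, dict):
        return None, "malformed token"
    # The verification key comes from the SP's own trust store, selected by the issuer the
    # token names; the header's alg field is never consulted, so it cannot steer verification.
    key = trusted.get(payload.get("iss"))
    if key is None:
        return None, "untrusted issuer"
    expected = hmac.new(key, f"{header}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"    # claims altered, or not signed with the IdP's key
    if payload.get("aud") != audience:
        return None, "wrong audience"   # issued for a different service provider
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None, "expired"
    return payload, "ok"

def grant_access(claims, required_group="finance"):
    """Step 7: authorization is decided from the claims; the SP never saw a password."""
    return required_group in claims.get("groups", [])
```

Each rejection reason maps to one of the checks listed in step 6, and a token that passes them all still grants nothing unless its claims satisfy the SP's own authorization rule.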
Federation Protocols
Several protocols are commonly used for federation:
• SAML (Security Assertion Markup Language): An XML-based standard widely used for enterprise single sign-on (SSO). It is commonly used for web browser-based SSO scenarios.
• WS-Federation: A protocol frequently used in Microsoft environments, particularly with Active Directory Federation Services (AD FS).
• OpenID Connect (OIDC): A modern authentication layer built on top of OAuth 2.0. It is widely used for consumer and cloud-based applications.
• OAuth 2.0: Primarily an authorization framework, but it works alongside OIDC to support federated scenarios.
Real-World Examples of Federation
• B2B Collaboration: Organization A uses Microsoft Entra ID, and Organization B uses Google Workspace. Through federation, users from Organization B can access resources in Organization A using their Google credentials.
• Hybrid Identity: An organization federates its on-premises Active Directory with Microsoft Entra ID using AD FS or pass-through authentication, enabling users to use the same credentials for both on-premises and cloud resources.
• Social Identity Federation: A consumer-facing application allows users to sign in with their Google, Facebook, or Microsoft account through federated trust with those social identity providers.
Federation vs. Single Sign-On (SSO)
Federation and SSO are related but distinct concepts:
• SSO refers to the ability to sign in once and access multiple applications without re-entering credentials. SSO can exist within a single organization.
• Federation enables SSO across organizational boundaries. Federation is the mechanism that makes cross-domain SSO possible.
In other words, federation is a broader concept that enables SSO between different organizations or identity domains.
Federation in the Microsoft Ecosystem
Microsoft Entra ID supports federation in several ways:
• Microsoft Entra B2B (Business-to-Business): Allows external users to access your organization's resources using their own identity provider. Supports federation with other Microsoft Entra tenants, Google, Facebook, and SAML/WS-Fed identity providers.
• Microsoft Entra B2C (Business-to-Consumer): Enables consumer-facing applications to federate with social identity providers and custom identity providers.
• AD FS (Active Directory Federation Services): An on-premises federation service that enables federated identity between on-premises Active Directory and cloud services.
• Direct Federation / SAML/WS-Fed IdP Federation: Allows you to set up federation with any external organization that supports SAML 2.0 or WS-Federation protocols.
Key Benefits of Federation
• Improved User Experience: Users only need to remember one set of credentials regardless of how many services they access.
• Enhanced Security: Credentials never leave the home organization. The service provider never sees or stores the user's password.
• Reduced Administrative Overhead: No need to create and manage separate accounts for external users in every system.
• Centralized Identity Management: Identity lifecycle management (creating, updating, disabling accounts) is handled by the home organization.
• Compliance: Organizations maintain control over their own users' identities and can enforce their own security policies.
Exam Tips: Answering Questions on Federation Concepts
1. Remember the core definition: Federation is about establishing trust between domains or organizations to enable users from one domain to access resources in another using their home credentials. If a question describes cross-organizational access without separate credentials, federation is likely the answer.
2. Distinguish between federation and SSO: SSO is accessing multiple apps with one sign-in. Federation enables SSO across different organizations or identity domains. If the question mentions crossing organizational boundaries, think federation.
3. Know the roles of IdP and SP: The Identity Provider authenticates the user. The Service Provider hosts the resource. Questions may describe these roles without using the exact terms — be ready to identify them from context.
4. Understand that credentials stay with the IdP: A critical security benefit of federation is that user credentials are never shared with the service provider. If a question asks about where authentication occurs or where credentials are stored, the answer is always the home identity provider.
5. Be familiar with common protocols: Know that SAML, WS-Federation, and OpenID Connect are federation protocols. You do not need deep technical knowledge of each, but understand that they are standards used to exchange identity information between trusted parties.
6. Understand claims and tokens: Federation uses security tokens that contain claims. Claims are statements about the user (name, email, group membership). Questions may ask what information is passed between organizations — the answer is claims within security tokens.
7. Connect federation to Microsoft services: Know that Microsoft Entra B2B collaboration uses federation principles, and that AD FS is a federation service for hybrid environments. If the question involves external guest users or hybrid identity, federation concepts apply.
8. Watch for scenario-based questions: The SC-900 often presents scenarios like: "Organization A wants employees from Organization B to access their SharePoint site without creating new accounts." This is a federation scenario. Look for keywords like "external users," "partner organizations," "trust relationship," and "home credentials."
9. Trust is bidirectional or unidirectional: Federation trust can be one-way or two-way. In many exam scenarios, the trust is one-way — one organization trusts another's IdP. Understand that trust direction matters for determining who can access whose resources.
10. Do not confuse federation with directory synchronization: Directory sync (like Microsoft Entra Connect) copies identity data between directories. Federation establishes trust so that authentication can happen at the home IdP. These are complementary but different concepts. If a question asks about trusting another organization's authentication, the answer is federation, not sync.