Federated identity (FID) is a generic term for establishing a person's digital identity by delegating authentication to a trusted third party rather than to a single, centralized domain of trust. It refers to where the user stores their credentials.
The trusted third party is the identity provider (IdP). When accessing a new service, you have probably been presented with "Sign in with Facebook" or "Sign in with Google" as an alternative to creating a new user account.
For you as a user, this means that you can use your existing account to sign in to multiple services - fewer passwords to remember.
For you as an administrator, this means that you can set up a SuperOffice account simply by linking it to the federated ID.
Federated identity is related to single sign-on (SSO); however, SSO only pertains to the authentication part of federated identity management.
How does it work?
When the user signs in to a service, instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials. The user never provides credentials directly to anyone except for the identity provider.
Which identity providers do you support?
Today we support 2 different third-party identity providers:
Google (G Suite)
- Basic, Business and Enterprise G Suite subscriptions include this
Microsoft Azure AD (AAD)
- Many Office 365 / Microsoft 365 subscriptions include this
- Azure AD Premium P1 or higher
For other identity providers that support OpenID Connect/OAuth 2.0, please give your feedback, and we will look into adding support for them.
Other ways of achieving this include:
- Microsoft Hybrid Identity: connects your on-premises AD
- Google Cloud Directory Sync: syncs users from another system to Google
Do I set it for all or for individual users?
The use of an IdP as the authentication method is enabled/registered per domain name.
Users who have a SuperOffice username corresponding to this domain name will be automatically redirected to the identity provider when logging in.
To be able to authenticate with your identity provider, your SuperOffice username needs to match your User Principal Name (UPN) at your identity provider.
Whether users sign in with a password or via a federated sign-in service depends on 2 things:
- Is the domain part of the SuperOffice username registered for an identity provider?
- Does the SuperOffice username match the UPN at that identity provider?
If you answer yes to both questions, the federated identity is used. Otherwise, SuperID falls back to password-based sign-in.
Some users can have federated sign-in and others password sign-in, depending on the domain part of their SuperOffice username.
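The per-domain routing rule above (registered domain plus matching UPN, otherwise password fallback) can be modelled as a small decision function. The code below is an added illustration, not SuperOffice's or SuperID's implementation; the domain registry, usernames, UPNs and IdP labels are constructed. It shows the two checks a practitioner would want to get right: an exact, case-insensitive match on the whole domain (a suffix match would let a look-alike domain ride on a registered one), and a full-address comparison between the SuperOffice username and the UPN the IdP asserts.

```python
"""Model of the per-domain federated sign-in decision (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed registry: domain parts that are enabled for an identity provider.
# Keys are lower-cased domains; values are IdP labels (assumed, not real config).
FEDERATED_DOMAINS: Dict[str, str] = {
    "example.com": "Microsoft Azure AD",
    "example.org": "Google",
}


@dataclass(frozen=True)
class SignInDecision:
    method: str          # "federated" or "password"
    idp: Optional[str]   # IdP the user is redirected to, if any
    reason: str          # human-readable explanation, useful in audit logs


def domain_of(username: str) -> Optional[str]:
    """Return the lower-cased domain part of an e-mail style username, or None."""
    if username.count("@") != 1:
        return None
    local, domain = username.split("@")
    if not local.strip() or not domain.strip():
        return None
    return domain.strip().lower()


def decide_sign_in(username: str,
                   registry: Dict[str, str] = FEDERATED_DOMAINS) -> SignInDecision:
    """Question 1: is the domain part of the username registered for an IdP?

    Exact dictionary lookup on the whole domain, never a suffix/endswith test,
    so "notexample.com" cannot piggyback on "example.com".
    """
    domain = domain_of(username)
    if domain is None:
        return SignInDecision("password", None, "username has no valid domain part")
    idp = registry.get(domain)
    if idp is None:
        return SignInDecision("password", None,
                              f"domain {domain!r} is not registered for an IdP")
    return SignInDecision("federated", idp,
                          f"domain {domain!r} is registered for {idp}")


def upn_matches(username: str, upn_from_idp: str) -> bool:
    """Question 2: does the SuperOffice username equal the UPN the IdP asserts?

    The whole address is compared (case-insensitively, whitespace trimmed),
    not just the domain, so one tenant user cannot sign in as another.
    """
    return username.strip().lower() == upn_from_idp.strip().lower()


def complete_federated_sign_in(username: str, upn_from_idp: str,
                               registry: Dict[str, str] = FEDERATED_DOMAINS) -> SignInDecision:
    """Both questions must be answered yes; otherwise fall back to password sign-in."""
    decision = decide_sign_in(username, registry)
    if decision.method != "federated":
        return decision
    if not upn_matches(username, upn_from_idp):
        return SignInDecision("password", None,
                              "IdP-asserted UPN does not match the SuperOffice username")
    return decision


def route_users(usernames, registry: Dict[str, str] = FEDERATED_DOMAINS) -> Dict[str, str]:
    """Map each username to its sign-in method; mixed results per domain are expected."""
    return {u: decide_sign_in(u, registry).method for u in usernames}


if __name__ == "__main__":
    # Constructed sample users: two registered domains, one unregistered look-alike.
    for user, method in route_users(
            ["alice@example.com", "Bob@EXAMPLE.ORG", "carol@notexample.com"]).items():
        print(f"{user:24s} -> {method}")
```

`decide_sign_in` answers the routing question before any redirect happens; `complete_federated_sign_in` applies the page's combined rule once the IdP has returned a UPN. Keeping the `reason` string in the decision makes the fallback to password sign-in explainable when a user reports an unexpected login prompt.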
Why should I use federated IDs?
It is easier for the user to sign in, and it increases the security of your identity management solution.
- Simplified sign-in: uses your existing Microsoft or Google credentials. No SuperOffice password required.
- Automatic sign-in if you have an active browser session (if supported by the IdP!)
- Multi-factor authentication (MFA) / two-factor authentication (2FA) / two-step verification (if supported by the IdP!)
- Leaner identity management in the SuperOffice Admin client: entering the federated ID (UPN) saves you from typing in details.