The Burden of Federated Authentication

Authentication vs Authorization  If you’ve ever had the pleasure to hear me rant on web access management then you know I like to stress the difference between authentication and authorization.  Authentication is the process of verifying a user’s identity while authorization is the process of determining the level of access the user possesses for any given application and/or resource; one does not imply the other. So why bring up a topic that has been discussed to death in many forums around the Internet? Federated authentication…

In my years as a developer and sys admin it was common place to either write or include a publicly available authentication framework and based upon group membership allow or disallow access to certain application functionality. These frameworks made it easy to quickly deploy applications without the need to “recreate the wheel” over and over again. However, what we gained in deployment speed we lost in code maintenance and software patching over time.  This ultimately lead to security issues, such as phishing attacks, because the end-user had:

  1. too many usernames/passwords
  2. too many application login points

Ultimately the user could no longer, well didn’t care to, keep track of these and resorted to less secure mechanisms for storing passwords as well as entering their extensive list of passwords on any site that resembled one of our applications. So in early 2005 we started to use Shibboleth and Jasig Central Authentication Services (CAS) for federated authentication and single sing-on. Shibboleth and CAS addressed my issues by:

  1. reducing the number of username/password combinations as well as login entry points to 1
  2. allowed non-employees access to our websites without the need to maintain their identity in our authentication database - commonly know as federated authentication

While the paradigm of federated authentication caught on in higher education over a decade ago enterprise environments were slow to adopt until now. With the explosion of Software-as-a-Service offerings, such as Salesforce and Office 365, enterprises are quickly deploying federated authentication services with little to no understanding of what the snake oil, or IAM, vendor has sold them. Too often, I sit in meetings regarding issues a customer is having with their IAM solution because of two issues:

  1. Customer did not understand the difference between authentication and authorization
  2. IAM vendor promised that multi-factor authentication capabilities would integration easily with .

So lets take a look at these issues.

Federated authentication protocols, like SAML, have made it easier for users to consume and/or modify data inside web applications without the need to maintain a local persona of that user. Now from an application perspective this feature might have marginal gain but from a security perspective it allows you to eliminate a substantial amount of risk. The concern I stress to my customers is that while federated authentication reduces the risk of managing and maintaining that user's persona it does not alleviate the risk of unauthorized access. This is because authentication in a federated world does not imply authorization.

So what are the challenges of this in a federated application? Lets assume we have a user Alice accessing App1. First, App1 has the responsibility of consuming Alice’s authentication assertion, sent by the SAML IdP, as well as authorizing that Alice has access to the application. From a security point of view this can be very dangerous.

  • What if Alice's credentials were stollen and the malicious actor now has access to sensitive information.
  • What if App1 has not been patched in several years, which never happens in the real world, and is vulnerable to authentication and/or authorization attacks.

Ideally we want to remove the initial authorization functionality from the web application like we have done for authentication. This can be achieved by leveraging a web access management solution that also operates as an authentication proxy. So what is web access management (WAM)? It's a proxy that controls access to web applications based upon contextual authentication and provides a least privilege model for authorization. So back to our concern:

  • What if Alice's credentials are compromised?
    • The WAM can look at the full content of Alice's connection and request to App1.  If the WAM notices something out of the ordinary, say Alice normally access App1 from within the USA but this request is coming from China, then the WAM could request that the IdP perform multi-factor authentication.
  • What if App1 may have known vulnerabilities and exploits?
    • The WAM only allows authenticated and authorized users access to App1 so we can reduce our threat vectors; typical in this use case we would combine a web authentication management and web application firewall together to fully alleviate this risk.

Okay, so if your still reading then what is my point - that with the growing adoption of federated authentication in enterprises we are relying too heavily upon identity providers to secure access to our applications. Only a handful of Identity vendors on the market provide both authentication and web access management capabilities. The vendors that do not posses WAM functionality leave the authorization to the application, which in our current security landscape can be a risky bet.

Now, unless you’ve been under a rock for the past 5 years you know I’m a big advocate of F5’s Access Policy Manager. APM is the tool I use over and over again to help my customers resolve their federated authentication burdens. Oh, and did I mention APM works with every major MFA vendor on the market! So you can easily add 2nd factor authentication to services such as Office 365 - even free solutions like Google Authenticator.

Published May 24, 2016
Version 1.0

Was this article helpful?


  • Are there any SAML (public) SPs that "provide" the username (saml: subject) to the IdP and alleviate the user's experience (no need to enter the username twice: on the SP and IdP)? Would be keen to know some. Thanks.
  • John, yes that is a painpoint I see as well when you hit a home-realm-discovery page on an SP. I don't have a list of SaaS SPs that currently support this but I'll see if we can put one together.
  • Graham_Alderson's avatar
    Historic F5 Account
    I’ve never seen it done inside the SAML AuthN request unfortunately, though there may be something out there and would be interested if anyone knows of one. Part of the reason is unfortunately very few IdP’s would have the capability of leveraging the identity information even if it were sent by the SP. Office 365 did it outside the SAML AuthN request by including the email address entered as part of their referer header. It was only there for a few months though and may have been an accidental feature that happened as a result of changes to their javascript based redirects around that time. Obviously leveraging something like that outside the SAML request is difficult to impossible in most IdPs, but only took about 10 minutes to do with an iRule and VPE on Big-IP. Even though it won't work for O365 anymore perhaps there are other solutions it could be leveraged for, I'll publish it on DevCentral.
  • Graham: I'm amazed by the lack of support of that functionality (subject in AuthNRequest) by the big players in SaaS landscape. SAML implemented that way improves the user experiences but only by a half (password entered once, username entered twice). I'm in touch with to get more information about why not supporting that functionality. If anyone knows a SaaS service that implements it, I would be glad to hear from them.
  • Hi, From my side, I'm using persistent cookies that contains the email address. So that, when reaching the IDP discovery process, the system read the email information directly from the cookie value. Thus, the user just set it's login information once on the IDP. It's not a silver bullet but help a lot in the user experience
  • found out in the SAML-core spec allows the Subject element, while the WebSSO Profile doesn't (MUST NOT). In a few forums, some argued that the people behind the specs wanted to avoid too much binding between the SP and IdP. User's experience suffers and nothing seems to go much around about SAML 2.1..