Choosing Between Siloed and Federated Identities
When onboarding new students, faculty or staff, a university might issue a username and password to each of them upon arrival. That username and password are attached to some internal identifier, and that’s linked — directly or indirectly — to the entire spectrum of information that the university has about the person. In identity and access management, this is usually called a “siloed identity.”
Even if the university has a single sign-on solution and a single set of credentials for every university system, the university still owns and controls that digital identity. The user has no real authority over that identifying data and typically no visibility into what is being shared or with whom. Siloed identity is the most common model on the internet, which is why people end up with a password vault holding hundreds or thousands of usernames and passwords, a different one for every service.
Federated identity, a common alternative to siloed identity, uses a third party to issue and verify credentials, with protocols such as Security Assertion Markup Language (SAML) or OpenID Connect handling authentication and the exchange of assertions. If, for example, a website offers you the option to “Log in with Google,” you’re seeing federated identity at work (in Google’s case, over OpenID Connect rather than SAML). With these types of identity services, the application or system you’re logging in to trusts the third-party service, called the Identity Provider (IdP): the application never sees your password, only a signed assertion from the IdP saying who you are, and its job is to check that the assertion is genuine, was issued for that application, and has not expired.
Although federated identity keeps your password vault from growing, it doesn’t give you control over your digital identity. If it’s Google that’s issuing the credentials, then Google controls everything: the account itself, the personal data attached to it, and the decision to assert your identity to any particular application. If Google is offline, you can’t log in. If Google decides for some reason not to verify you, you can’t log in. If you forget your password and can’t convince Google it’s you, you can’t log in. The applications that rely on the IdP inherit its choices as well, since their authentication is only as strong as the IdP’s account security and recovery process. Federated identity might be convenient, but it takes privacy and security control of identity out of the user’s hands.