SSO vs federation.
Single sign-on (SSO) is the user-facing outcome: authenticate once, then access many applications without logging in again. Federation is the underlying trust mechanism that makes SSO work across organizational or security-domain boundaries — one identity provider asserts identity to many service providers that trust it. SSO is the experience; federation is the plumbing.
SSO vs Federation.
| Dimension | SSO | Federation |
|---|---|---|
| What it is | A user experience | A trust relationship |
| Scope | Can be within one domain | Spans security / org domains |
| Mechanism | Shared session / token | IdP ↔ SP trust via SAML or OIDC |
| Example | Log into the intranet, all internal apps open | Use your corporate IdP to log into a third-party SaaS |
| Standards | Often built on federation | SAML 2.0, OIDC, WS-Federation |
How they relate
All federation enables SSO, but not all SSO requires federation. You can have SSO inside a single application suite using a shared session, with no cross-domain trust involved. Federation specifically addresses the harder case: letting an identity from one security domain (your corporate IdP) be trusted by another (a SaaS vendor). The IdP authenticates the user and issues a signed assertion (SAML) or token (OIDC); the service provider trusts that assertion because it trusts the IdP.
In modern enterprises the two are almost always combined: the corporate IdP (Okta, Entra, Ping) federates to dozens of SaaS apps, and the result the employee experiences is SSO — one login, every app open.
When to use each.
You are talking about SSO when…
- The concern is the login experience — fewer prompts, one credential.
- You are measuring login friction or session lifetime.
You are talking about federation when…
- You are establishing trust between an IdP and a service provider.
- You are configuring SAML metadata or OIDC client registration across domains.
Common questions.
Is SSO the same as federation?
No. SSO is the user experience of authenticating once to reach many apps. Federation is the cross-domain trust mechanism (via SAML or OIDC) that makes SSO possible across organizational boundaries. Federation enables SSO, but simple same-domain SSO does not require federation.
Does federation use SAML or OIDC?
Both. SAML 2.0 is the mature enterprise federation standard (XML assertions); OIDC is the modern JSON-based equivalent and the default for new builds. Many enterprises run both simultaneously during migration.
The whole picture, in one place.
This explainer is part of our complete guide to IAM — authentication, authorization, governance, privileged access, the standards, and how to run a program.