Comparing Federation and Web Access Management for Single Sign-on

This content compares Federation and Web Access Management (WAM) approaches for implementing single sign-on.
Advantages of Federation and Web Access Management
Federation and web access management (WAM) offer different benefits for single sign-on. Determining when to use federation or WAM single sign-on is dependent on your deployment.
Federation allows you to expand on your WAM capabilities; it does not replace those capabilities.
Federation has the following advantages:
  • Many applications can handle federation directly out-of-the-box, such as SAP, SharePoint, WebLogic. These applications accept assertions.
  • A direct connection to a centralized server is unnecessary. A federation request always goes through the asserting party to get the generated assertion. After a user gains access to content on one server, the user returns to the federation hub and gets redirected to the next server. Only if the user session times out at the hub does the user have to reauthenticate.
  • Two models of federation are available. Partnership federation is business-centric, emphasizing relationships with partners. Legacy federation is protocol-centric and more customizable to the protocol specification.
These advantages make federated partnerships better for an environment where sites are remote, inaccessible, or under third-party control.
WAM single sign-on has the following advantages:
  • Transactions are faster because there are fewer browser redirects.
  • SiteMinder provides centralized authorization and auditing.
  • Direct links can exist from one web server to another in a network without the user going through a centralized hub for assertion generation.
  • SiteMinder offers timeout management.
  • Applications are independent of a remotely initiated transaction.
These advantages make WAM single sign-on better suited to an environment with sites that are under your control, such as internal data centers.
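The two advantage lists above describe different trust and control flows. As an added illustration (not code from the product documentation), the following Python model shows why they differ: a federation relying party validates a signed assertion locally (signature, audience, expiry) and never contacts the hub again, while a WAM web agent consults one policy server on every request, which is what gives centralized authorization, auditing and timeout management. HMAC with a shared key stands in for XML signatures, and the site names, timestamps and lifetimes are constructed for the demo.

```python
"""Toy model of federation SSO versus WAM SSO (added example, not product code).
HMAC over a JSON payload stands in for a signed SAML assertion (assumption)."""
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AssertingParty:
    """Federation hub: authenticates the user once, then issues one assertion per partner visit."""

    def __init__(self, key: bytes, session_lifetime: int = 600):
        self.key, self.session_lifetime = key, session_lifetime
        self.sessions = {}          # session id -> (user, expires_at)
        self.issued = 0

    def login(self, user: str, now: int) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, now + self.session_lifetime)
        return sid

    def issue_assertion(self, sid: str, audience: str, now: int, lifetime: int = 120) -> dict:
        user, expires_at = self.sessions.get(sid, (None, 0))
        if user is None or now >= expires_at:   # only a hub timeout forces re-authentication
            raise PermissionError("hub session missing or timed out: re-authenticate")
        claims = {"sub": user, "aud": audience, "exp": now + lifetime, "iss": "hub"}
        payload = json.dumps(claims, sort_keys=True)
        self.issued += 1
        return {"payload": payload, "sig": _sign(self.key, payload.encode())}


class RelyingParty:
    """Remote site: holds only the hub's verification key, no connection back to the hub."""

    def __init__(self, name: str, hub_key: bytes):
        self.name, self.hub_key = name, hub_key

    def consume(self, assertion: dict, now: int) -> str:
        if not hmac.compare_digest(_sign(self.hub_key, assertion["payload"].encode()), assertion["sig"]):
            raise PermissionError("bad signature")
        claims = json.loads(assertion["payload"])
        if claims["aud"] != self.name:
            raise PermissionError("assertion issued for a different site")
        if now >= claims["exp"]:
            raise PermissionError("assertion expired")
        return claims["sub"]


class PolicyServer:
    """WAM: one central authority that every agent asks on every request."""

    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.sessions = {}          # token -> (user, last_seen)
        self.audit = []             # centralized audit trail: (time, user, resource, allowed)
        self.rules = {}             # resource -> set of permitted users

    def login(self, user: str, now: int) -> str:
        token = secrets.token_hex(8)
        self.sessions[token] = (user, now)
        return token

    def is_authorized(self, token: str, resource: str, now: int) -> bool:
        user, last_seen = self.sessions.get(token, (None, 0))
        ok = user is not None and now - last_seen < self.idle_timeout and user in self.rules.get(resource, set())
        if ok:
            self.sessions[token] = (user, now)   # idle timeout is managed centrally
        self.audit.append((now, user, resource, ok))
        return ok


class WebAgent:
    """Agent installed on a site you control; every request is a policy-server round trip."""

    def __init__(self, site: str, policy_server: PolicyServer):
        self.site, self.ps = site, policy_server

    def handle(self, token: str, path: str, now: int) -> bool:
        return self.ps.is_authorized(token, f"{self.site}{path}", now)


def federation_demo() -> dict:
    """alice authenticates once at the hub, then visits two partner sites with fresh assertions."""
    hub_key = secrets.token_bytes(32)              # constructed demo key shared with the partners
    hub = AssertingParty(hub_key, session_lifetime=600)
    sap = RelyingParty("sap.partner.example", hub_key)
    sp = RelyingParty("sharepoint.partner.example", hub_key)
    sid = hub.login("alice", now=1000)
    subjects = {rp.name: rp.consume(hub.issue_assertion(sid, rp.name, now=1000), now=1005) for rp in (sap, sp)}
    good = hub.issue_assertion(sid, sap.name, now=1000)
    rejected = []
    for assertion, rp, now in (
        (dict(good, payload=good["payload"].replace("alice", "admin")), sap, 1005),  # tampered subject
        (good, sp, 1005),                                                           # replayed at another site
        (good, sap, 1120),                                                          # past exp
    ):
        try:
            rp.consume(assertion, now)
        except PermissionError as e:
            rejected.append(str(e))
    try:
        hub.issue_assertion(sid, sap.name, now=1600)   # hub session expired: now alice must log in again
    except PermissionError as e:
        rejected.append(str(e))
    return {"subjects": subjects, "assertions_issued": hub.issued, "rejected": rejected}


def wam_demo() -> dict:
    """Direct links between two internal sites; each hop is authorized and audited centrally."""
    ps = PolicyServer(idle_timeout=300)
    ps.rules = {"intranet.example/hr/": {"alice"}, "wiki.example/": {"alice", "bob"}}
    hr, wiki = WebAgent("intranet.example", ps), WebAgent("wiki.example", ps)
    alice, bob = ps.login("alice", now=1000), ps.login("bob", now=1000)
    first = hr.handle(alice, "/hr/", now=1000)
    second = wiki.handle(alice, "/", now=1100)       # direct link, no hub round trip
    bob_hr = hr.handle(bob, "/hr/", now=1000)        # denied by central policy
    idle = wiki.handle(alice, "/", now=1400)         # 300 s idle: denied by central timeout
    return {"alice": [first, second, idle], "bob_hr": bob_hr, "audit_entries": len(ps.audit)}
```

In the federation half, the relying party object holds no reference to the hub at all, which is the concrete meaning of "a direct connection to a centralized server is unnecessary"; the price is that only the assertion's own expiry bounds its validity. In the WAM half, the policy server sees every request, which is what makes centralized authorization, auditing and idle-timeout management possible, at the cost of a round trip per request and an agent on every site.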
Deployments that Favor Federation
Federation is advantageous in networks where your company does not control the server. For example, a third party owns the web server and does not allow you to install a web agent on the server. Federation also suits a remote server in a location with high network latency between the web agent and the Policy Server. When you have no control over the target server, a SAML assertion is an ideal way to pass identity information.
The partners in a federated network follow the specific standards for the protocol used in communications. The common standards make the generating and consuming of assertions universal. The result is that the vendor at the asserting or relying party is not important nor is the remote location of each vendor.
Finally, federation is a good solution when timeouts are not a major concern, and obtaining identity information is the goal. External authorization checking is not a focus of federation.
Deployments that Favor Web Access Management
WAM single sign-on works best in an environment where you have control over each website. Having in the same data center as the website or other internal single sign-on environments are good deployments for web access management. Control over each website is also important for auditing your network performance and monitoring timeout issues.
WAM single sign-on lets you integrate with an application by way of a WAM session. WAM implementations also reduce some of the performance issues inherent in federation. For example, a transaction that is initiated by an asserting party can require several redirects after a user selects a link to make a request.