Federation refers to technologies that enable Single Sign-On (SSO).
Federation allows the establishment of a trust between multiple domains, which can be used for authentication and authorization. The parties involved in federation are the Identity Provider (IdP) and the Service Provider (SP). The IdP performs the authentication and shares the authentication information with the SP. There are two flows in federation – an IdP-initiated flow and an SP-initiated flow.
Users are authenticated by DTCC when they initially access MyDTCC. Federation is an alternative authentication method. When using federation, a user authenticates with their organization’s identity verification system (such as via Multi-Factor Authentication, or MFA) and then the browser is redirected to the DTCC website. The DTCC website recognizes the user. In other words, the user has been signed onto DTCC’s system using SSO based on the user’s authentication on the client organization systems.
Using SAML federation has many advantages, both for the client organization and DTCC.
- Since their users’ credentials (password) are housed within their directories, client organizations can apply their policies to these artifacts, such as periodic rotation of passwords.
- When a user leaves the client organization, deactivating the user within their directory removes the capability to issue SAML tokens (SAML assertions), effectively removing the user's access to DTCC applications.
- A client organization using SAML federation can tie SAML token issuance to their SSO system, making access to DTCC applications transparent while keeping control of who can access DTCC applications.
- With SAML federation, there is no need for a user to have a DTCC specific password. This is both more convenient and reduces risk of password compromise.