Federation — SAML, OIDC, SCIM in Production

Manish Garg, Associate of (ISC)² · RingSafe
Apr 26, 2026
4 min read

Last updated: April 29, 2026

SAML 2.0 vs OIDC, SP-/IdP-initiated flows, SCIM provisioning, group-claim mapping, step-up auth, conditional access. Real-world rollout sequence and operational gotchas.

A Gurugram BPO had 187 SaaS applications, each with its own login. Helpdesk got 280 password-reset tickets a month. Worse, when an employee left, the offboarding checklist had 187 boxes — most of them ticked without verification. The CIO mandated SSO via Okta. Twelve months later: 1 set of credentials, 12 password-reset tickets a month, deprovisioning automated for 142 of the 187 apps. Federation is the keystone of modern IAM. This module covers SAML, OIDC, and the practical operational realities.

What federation actually does

Federation lets one identity provider (IdP) authenticate users to many service providers (SPs). The user signs in once at the IdP; the IdP issues a signed assertion that the SP trusts; the SP grants access. Two main protocols:

  • SAML 2.0 — XML-based, browser POST/Redirect bindings, dominant in enterprise SaaS
  • OIDC (OpenID Connect) — JSON / JWT on top of OAuth 2.0, dominant in modern web/mobile apps