# Federation

Federation lets OpenIAM trust identities from another system. Users sign in with their home identity provider and OpenIAM accepts that authentication instead of managing a separate password.

For example, a company uses Microsoft Entra ID as its corporate IdP:

* The user signs in with Entra ID.
* OpenIAM trusts that sign-in.
* The user gets access to OpenIAM and connected apps.

OpenIAM supports two federation roles:

* **Service Provider (SP)** — OpenIAM delegates authentication to an external IdP.
* **Identity Provider (IdP)** — OpenIAM authenticates users and provides identity to other systems.

Each role fits a different integration model.

***

## OpenIAM as a Service Provider (SP)

Use this mode when you already have a central IdP — such as Microsoft Entra ID — and you want OpenIAM to rely on that system for sign-in. Authentication policies, MFA, and conditional access stay centralized in the external IdP.

<figure><img src="/files/XEmzHXsGUNXcS47kH5oT" alt=""><figcaption></figcaption></figure>

**Authentication flow:**

{% stepper %}
{% step %}

#### The user opens OpenIAM.

{% endstep %}

{% step %}

#### OpenIAM redirects the user to the external IdP.

{% endstep %}

{% step %}

#### The IdP authenticates the user.

{% endstep %}

{% step %}

#### The IdP sends the assertion or token back to OpenIAM.

{% endstep %}

{% step %}

#### OpenIAM validates the assertion or token (signature, issuer, audience, validity window) and grants access.

{% endstep %}
{% endstepper %}

See [Integrating OpenIAM as your SP](/federation/integrating-openiam-as-your-sp.md) for setup details.

***

## OpenIAM as an Identity Provider (IdP)

Use this mode when you want OpenIAM to act as the central sign-in service for your applications. This works well when authentication and access governance live in the same platform.

<figure><img src="/files/ZNQRHjvyoRPRStzJKYxJ" alt=""><figcaption></figcaption></figure>

**Authentication flow:**

{% stepper %}
{% step %}

#### The user opens an application.

{% endstep %}

{% step %}

#### The application redirects the user to OpenIAM.

{% endstep %}

{% step %}

#### OpenIAM authenticates the user.

{% endstep %}

{% step %}

#### OpenIAM sends the token or assertion to the application.

{% endstep %}

{% step %}

#### The application validates the token or assertion and grants access.

{% endstep %}
{% endstepper %}

See [Integrating OpenIAM as your IdP](/federation/integrating-openiam-as-your-idp.md) for setup details.
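Both flows above, as an added example written for this page (not OpenIAM's own code): a Python script in which `IdentityProvider` plays the IdP role from the second flow and `RelyingParty` plays the SP role from the first, exchanging an OIDC-style ID token. The issuer URL, the `client_id` and the HS256 shared secret are assumptions made so the script runs offline on the standard library; a real IdP signs with an asymmetric key (RS256/ES256) published through JWKS, and a real SP fetches that key instead of holding a secret. The checks in `validate_id_token` are what the final step of the SP flow depends on: signature, pinned algorithm, issuer, audience, expiry, a nonce bound to the login the SP itself started, and single-use `state` and authorization code.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://idp.example.com"  # hypothetical issuer (assumption)
RP_CLIENT_ID = "openiam-portal"          # hypothetical client_id registered at the IdP
SHARED_SECRET = b"example-only-secret"    # constructed; stands in for the IdP signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Compact JWT over claims; alg="none" yields the unsigned form an attacker would send."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class IdentityProvider:
    """IdP side: authenticate the user, issue a single-use code, mint the ID token."""

    def __init__(self):
        self._codes = {}  # authorization code -> (subject, nonce)

    def authenticate(self, username, nonce, client_id):
        if client_id != RP_CLIENT_ID:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, nonce)
        return code

    def exchange_code(self, code, client_id):
        if code not in self._codes:
            raise ValueError("unknown or already-used code")
        subject, nonce = self._codes.pop(code)  # codes are single use
        now = int(time.time())
        return sign_jwt({"iss": IDP_ISSUER, "sub": subject, "aud": client_id,
                         "iat": now, "exp": now + 300, "nonce": nonce})

class RelyingParty:
    """SP side: remember state+nonce for the redirect, then validate what comes back."""

    def __init__(self):
        self._pending = {}  # state -> nonce, one per in-flight login

    def start_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return state, nonce

    def validate_id_token(self, token, state, now=None):
        """Return the authenticated subject or raise ValueError; each check must pass first."""
        nonce = self._pending.pop(state, None)  # state is single use
        if nonce is None:
            raise ValueError("unknown or reused state")
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never accept "none"
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(body_b64))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != IDP_ISSUER:
            raise ValueError("wrong issuer")
        if claims.get("aud") != RP_CLIENT_ID:
            raise ValueError("token issued to another client")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        if claims.get("nonce") != nonce:
            raise ValueError("nonce mismatch")
        return claims["sub"]

def run_flow(username="alice"):
    """Walk the page's five steps end to end; return the subject the SP accepted."""
    idp, rp = IdentityProvider(), RelyingParty()
    state, nonce = rp.start_login()                         # user opens SP, is redirected
    code = idp.authenticate(username, nonce, RP_CLIENT_ID)  # IdP authenticates the user
    token = idp.exchange_code(code, RP_CLIENT_ID)           # token comes back to the SP
    return rp.validate_id_token(token, state)               # SP validates, grants access

def rejects(rp, token, state, now=None):
    """True if the SP refuses the token; used to exercise the failure cases."""
    try:
        rp.validate_id_token(token, state, now)
        return False
    except ValueError:
        return True
```

`run_flow()` is the happy path. `rejects()` lets you confirm the SP refuses a token minted for another client, one signed with a different key, an `alg=none` token, an expired token, a token carrying a nonce from some other login, or a response replayed against an already-consumed `state`; the IdP likewise refuses a second exchange of the same authorization code.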

***

## Choosing the Right SSO Model

<table><thead><tr><th width="453.33331298828125">Scenario</th><th>Recommended model</th></tr></thead><tbody><tr><td>You already have a corporate IdP (e.g. Entra ID, Okta)</td><td>OpenIAM as SP</td></tr><tr><td>You want OpenIAM to be the SSO hub for your apps</td><td>OpenIAM as IdP</td></tr><tr><td>Your application supports SAML, OAuth, or OIDC</td><td>Federation protocols</td></tr><tr><td>Your application does not support modern identity protocols</td><td>Reverse proxy (rProxy)</td></tr></tbody></table>

For protocol selection:

* **SAML 2.0** — enterprise SSO integrations between systems, typically browser-based sign-in to web applications.
* **OAuth 2.0** — delegated authorization and API access; on its own it does not tell the application who the user is.
* **OIDC** — user authentication layered on OAuth 2.0 (an ID token identifying the signed-in user); use it rather than bare OAuth 2.0 when the application needs to know who signed in.
