Version 5.x has been out of support since December 13, 2022, and this corresponding section of the documentation is no longer maintained. We strongly recommend upgrading to a supported version.
Federation means that your IdentityServer offers authentication methods that use external authentication providers.
If you offer a number of these external authentication methods, often the term Federation Gateway is used to describe this architectural approach.
Generally, this architecture allows shielding your client applications from the complexities of your authentication workflows and business requirements that go along with them.
Your clients only need to trust the gateway, and the gateway coordinates all the communication and trust relationships with the external providers. This might involve switching between different protocols, token types, claim types etc. Also the gateway can make sure that all claims and identities that ultimately arrive at the client applications are trustworthy and in a format that the client expects.
There are a number of scenarios where this approach is commonly used.
Maybe your users should have multiple options how they can sign-in/up, e.g.
If you are building on-premise products, you have to integrate with a multitude of customer authentication systems. Maintaining variations of your business software for each product you have to integrate with, makes your software hard to maintain.
With a federation gateway, you only need to adapt to these external systems at the gateway level, all of your business applications are shielded from the technical details.
It’s very common to offer federation with your customers’ authentication systems in SaaS scenarios. This way your customers get single-sign-on to your applications without having to explicitly create accounts in your identity system.
IdentityServer leverages the ASP.NET Core authentication infrastructure for communicating with external providers. This means that every authentication system that is supported by ASP.NET Core, can also be used in the context of IdentityServer. This includes support for commercial providers like Google, GitHub or LinkedIn (and many more) as well as any OpenID Connect, SAML2p or WS-Federation based systems.
See the Integrating with External Providers section for more details.
The process of selecting the “best” authentication workflow for a user (especially when you have multiple authentication methods) is called Home Realm Discovery (or HRD for short).
Since users are typically anonymous when they arrive at the gateway, you need some sort of hint to optimize the login workflow, e.g.
Every system is slightly different. Always start with the desired user experience, and then choose from the above options (or combinations) to implement the required flow.