There is a lot of confusion on the net between SSO and Identity Federation. Both concepts may look the same to the end users, but they are different. Today many authentication products implement both, further increasing the confusion. Here I’ll try to explain the difference as I see it.
Identity Federation (sometimes referred to as Federation or Federated Identity) allows the end users to use the same set of credentials to obtain access to multiple resources. This gives an advantage to the software systems that utilize Identity Federation, from both a security and a usability perspective – the end users do not have to maintain multiple sets of credentials. Yet the users still have to present their credentials to each one of the participating resources. Typically Identity Federation systems are based on a single credential store, but other implementation methods (for example, password synchronization) may also be used.
SSO (Single Sign-On) allows the end users to provide their credentials once and obtain access to multiple resources. The key point of the concept is that the users are not prompted for their credentials again when accessing participating resources until the active session is terminated. The participating resources are typically related, but still remain independent. Specifically, each system may have its own authorization system, assigning system-specific roles to the end users. The practical implementation of the supporting software system remains out of scope for the concept definition.
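To make the distinction concrete, here is an added toy model (my own illustration, not code from the original post) of both approaches: under federation every resource prompts for the shared credentials and checks them against the single credential store, while under SSO an identity provider authenticates once and the resources trust its session token; authorization stays resource-specific in both. The user "alice", the resources and the roles are constructed sample data.

```python
import hashlib, hmac, os, secrets
def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CredentialStore:
    """The single credential store both models rely on (salted PBKDF2 hashes)."""
    def __init__(self):
        self._users = {}
    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))
    def verify(self, user, password):
        salt, digest = self._users.get(user, (b"", b""))  # unknown user -> mismatch
        return hmac.compare_digest(digest, _digest(password, salt))

class IdentityProvider:
    """SSO component: authenticates once, then vouches for the user via a session token."""
    def __init__(self, store):
        self.store, self.sessions, self.prompts = store, {}, 0
    def login(self, user, password):
        self.prompts += 1
        if not self.store.verify(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token
    def logout(self, token):
        self.sessions.pop(token, None)
    def user_for(self, token):
        return self.sessions.get(token)

class Resource:
    """A participating application; authorization (roles) stays resource-specific."""
    def __init__(self, roles):
        self.roles, self.prompts = roles, 0
    def access_federated(self, store, user, password):
        self.prompts += 1  # federation: this resource prompts for the shared credentials itself
        return self.roles.get(user) if store.verify(user, password) else None
    def access_sso(self, idp, token):
        user = idp.user_for(token)  # SSO: trust the IdP session instead of prompting
        return self.roles.get(user) if user else None

def demo(password="correct horse"):  # constructed sample user and roles
    store = CredentialStore(); store.add_user("alice", password)
    mail, wiki = Resource({"alice": "user"}), Resource({"alice": "editor"})
    fed = (mail.access_federated(store, "alice", password), wiki.access_federated(store, "alice", password))
    idp = IdentityProvider(store); token = idp.login("alice", password)
    sso = (mail.access_sso(idp, token), wiki.access_sso(idp, token)); idp.logout(token)
    return {"fed_roles": fed, "fed_prompts": mail.prompts + wiki.prompts,
            "sso_roles": sso, "sso_prompts": idp.prompts, "after_logout": wiki.access_sso(idp, token)}
```

Running `demo()` shows two credential prompts for two resources under federation versus a single prompt at the identity provider under SSO, the same per-resource roles in both cases, and no access once the SSO session is terminated.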