Subscribe to the Non-Human & AI Identity Journal
Authentication, Authorisation & Trust

Federated login

← Back to Glossary
By NHI Mgmt Group Updated July 6, 2026 Domain: Authentication, Authorisation & Trust

An authentication model that lets a user sign in with an external identity provider while the service retains central control over access policy and auditability. For insurers, it is useful for broker and partner access, but only if revocation, logging, and entitlement scope remain under governance.

Expanded Definition

Federated login is an authentication pattern where an external identity provider asserts who the user is, while the relying service keeps control over authorization, session policy, and audit evidence. In practice, it is usually implemented with SAML, OpenID Connect, or OAuth-based flows, and the exact trust boundary varies across vendors and architectures. For NHI Management Group, the important distinction is that federation solves login delegation, not access governance: a federation event still needs local entitlement mapping, revocation logic, and logging that survives provider-side changes.

That distinction matters because federated login is often treated as a shortcut to “single sign-on,” when it is really a trust relationship that must be explicitly bounded. Guidance from the NIST Cybersecurity Framework 2.0 reinforces that identity proofing, access control, and monitoring remain separate security outcomes even when authentication is outsourced. The most common misapplication is assuming federation automatically grants secure access, which occurs when teams accept provider assertions without validating scopes, revocation, and downstream authorization.

Examples and Use Cases

Implementing federated login rigorously often introduces trust-boundary and lifecycle complexity, requiring organisations to weigh simpler user onboarding against tighter control of partner access and deprovisioning.

  • A broker portal lets external agents sign in with their own enterprise identity provider, while the insurer maps each assertion to a narrowly scoped local role.
  • A SaaS customer admin console uses federation for enterprise tenants, but still requires local session logging, step-up controls, and tenant-specific authorization checks.
  • A B2B API gateway accepts federated workforce identities for tooling access, then enforces entitlement scoping before any service account can be created or used.
  • An insurer replaces shared contractor passwords with federation, but keeps revocation tied to contract end dates and access reviews.
  • NHI Mgmt Group’s Ultimate Guide to NHIs shows why federated access must still be governed like any other identity dependency, especially where third parties are involved.

Standards bodies generally describe the protocol mechanics more clearly than the governance model, so implementations should also align with identity assurance expectations in NIST Cybersecurity Framework 2.0 and the provider’s own audit requirements.

Why It Matters in NHI Security

Federated login becomes security-relevant when it is used to extend access to brokers, vendors, or machine-operated workflows that are not fully controlled by the service owner. NHI Mgmt Group research shows that 92% of organisations expose NHIs to third parties, which makes delegated trust a common path for overbroad access if local governance is weak. The same pattern can hide risky entitlements behind a convenient sign-in experience, especially when teams fail to separate authentication trust from authorization scope.

That is why federation should be evaluated alongside access reviews, secret governance, and offboarding, not as a standalone IAM feature. The operational risk is not the external identity provider itself, but the gap between provider assertions and the service’s own enforcement of least privilege. NHI Mgmt Group’s Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0 both point to the same operational truth: identity trust must be paired with continuous monitoring and disciplined revocation.

Organisations typically encounter the consequences only after a partner account remains active after offboarding, at which point federated login becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Federation changes how identities are authenticated and trusted across boundaries.
NIST CSF 2.0PR.AC-4Least-privilege access must still be enforced after federated authentication succeeds.
OWASP Non-Human Identity Top 10NHI-01Federated access often expands third-party identity exposure and trust boundaries.

Verify federated identities before granting access and keep trust relationships documented and monitored.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org