Identity Federation
Connect your applications with enterprise identity providers using OAuth 2.0 and OpenID Connect
What is Identity Federation?
Identity federation enables organizations to establish trusted relationships between different authentication systems, allowing users to access multiple applications across organizational boundaries without managing separate credentials for each system.
Visual Guard supports identity federation through industry-standard protocols, enabling your applications to leverage external identity providers while maintaining centralized authorization and access control. This approach separates authentication (verifying who the user is) from authorization (determining what they can do), providing both security and flexibility.
Key Benefits
- Leverage existing identity infrastructure
Use Azure AD, Google Workspace, or other enterprise IdPs - Reduce authentication complexity
Delegate authentication to specialized providers - Enable B2B scenarios
Allow partners to use their own credentials - Standards-based integration
OAuth 2.0 and OpenID Connect compatibility
Federation Protocols
Visual Guard implements modern, standards-based protocols for secure identity federation
OAuth 2.0
Authorization framework that enables applications to obtain limited access to user resources without exposing credentials.
Key Characteristics
- Industry-standard authorization protocol
- Token-based access delegation
- Separation of resource owner and client
- Multiple grant types for different scenarios
- Widely supported by identity providers
Use Cases
- API authorization and access control
- Third-party application integration
- Service-to-service authentication
- Mobile and native application security
OpenID Connect (OIDC)
Authentication layer built on top of OAuth 2.0 that provides user identity verification and profile information.
Key Characteristics
- Extends OAuth 2.0 for authentication
- Standardized user identity claims
- JSON Web Token (JWT) based
- UserInfo endpoint for profile data
- Discovery and dynamic registration
Use Cases
- Single Sign-On across web applications
- User authentication with external IdPs
- Social login integration
- Mobile and SPA authentication
OAuth 2.0 vs OpenID Connect
OAuth 2.0 answers the question: "What can this application do on behalf of the user?"
OpenID Connect answers the question: "Who is this user?"
In practice, they work together: OIDC handles authentication and provides user identity, while OAuth 2.0 manages authorization and resource access. Visual Guard uses both protocols to provide comprehensive identity federation capabilities.
VG Identity Server as Federation Hub
VG Identity Server acts as a central authentication broker, bridging external identity providers with your applications while maintaining centralized authorization control.
When implementing identity federation, authentication and authorization become distinct concerns. External identity providers (Azure AD, Google Workspace, Okta) handle the authentication process—verifying who the user is. VG Identity Server then enriches this identity with application-specific permissions, roles, and business rules before granting access to resources.
Core Capabilities
- OpenID Connect Provider
Full OIDC protocol support - OAuth 2.0 Authorization Server
Token issuance and management - Claims Enrichment
Add VG permissions to external claims - Multi-IdP Support
Connect multiple identity providers
How Identity Federation Works
1. Authentication Request
User attempts to access an application protected by Visual Guard
2. IdP Redirect
VG Identity Server redirects to the configured external identity provider
3. External Authentication
User authenticates with their identity provider (Azure AD, Google, etc.)
4. Token & Authorization
VG Identity Server issues JWT tokens enriched with Visual Guard permissions
Supported Identity Providers
Visual Guard integrates with leading enterprise identity providers through standard OpenID Connect and OAuth 2.0 protocols
Microsoft Entra ID
Native integration with Microsoft's cloud identity platform (formerly Azure AD).
- Azure AD B2C for customer scenarios
- Multi-tenant Azure AD configurations
- Conditional access policy support
- Seamless integration with Microsoft 365
- Support for hybrid AD + Entra ID scenarios
Google Workspace
Authenticate users with their Google corporate accounts.
- Google Workspace domain authentication
- Gmail account support for B2C scenarios
- Group membership synchronization
- Seamless integration with Google services
- Mobile-friendly authentication flows
Enterprise IdPs
Support for specialized enterprise identity platforms.
- Okta: Enterprise identity management
- Auth0: Developer-friendly authentication
- Ping Identity: Complex enterprise scenarios
- Custom OIDC providers: Any compliant IdP
- Social providers: LinkedIn, Facebook, etc.
Standards-Based Compatibility
Because Visual Guard implements standard OAuth 2.0 and OpenID Connect protocols, any compliant identity provider can be integrated without custom development. This includes:
- Corporate identity platforms implementing OIDC/OAuth 2.0
- Industry-specific identity providers (healthcare, finance, government)
- Custom-built identity solutions following standard protocols
- Regional identity platforms with local compliance requirements
Identity Federation Use Cases
B2B Partner Integration
Organizations frequently need to grant access to external partners, suppliers, or contractors without creating and managing separate accounts.
Scenario: A manufacturing company provides access to its supply chain management application for multiple supplier organizations.
- Each supplier authenticates using their own corporate identity provider
- Visual Guard maps external identities to appropriate roles and permissions
- Suppliers access only the data and functions relevant to their relationship
- No credential management burden for the manufacturing company
- Audit trails maintain clear identity attribution
Multi-Tenant SaaS Applications
SaaS providers need to support customers who want to use their existing corporate identity providers rather than creating new accounts.
Scenario: A project management SaaS platform used by multiple enterprise customers.
- Each customer organization configures their preferred IdP (Azure AD, Okta, Google)
- Users authenticate through their corporate credentials
- Visual Guard ensures tenant isolation and appropriate authorization
- Consistent permission model across all customers
- Customers maintain control over their identity lifecycle
Hybrid Environment Modernization
Organizations transitioning from on-premises infrastructure to cloud services need authentication that works in both environments.
Scenario: A company with legacy PowerBuilder applications and new web applications.
- Legacy applications use Windows/Active Directory authentication
- Modern web applications integrate with Azure AD via OpenID Connect
- VG Identity Server provides unified authentication brokering
- Gradual migration path without disrupting existing systems
- Consistent authorization policies across all applications
Acquired Company Integration
Mergers and acquisitions often result in multiple identity systems that need to coexist during integration periods.
Scenario: A parent company acquires a subsidiary with different IT infrastructure.
- Both organizations maintain their existing identity providers temporarily
- Visual Guard federates both identity sources
- Users from both organizations access shared applications
- Unified authorization layer despite separate authentication
- Flexible integration timeline based on business priorities
Technical Implementation
Token-Based Authentication
Visual Guard uses JSON Web Tokens (JWT) as the primary mechanism for transmitting authentication and authorization information. JWTs are stateless, cryptographically signed, and contain claims about the user's identity and permissions.
Token Structure
- Header: Token type and signing algorithm
- Payload: Claims about the user (identity, roles, permissions, expiration)
- Signature: Cryptographic signature ensuring token integrity
Token Lifecycle
- Issuance: VG Identity Server creates tokens after successful authentication
- Validation: Applications verify token signatures and check expiration
- Refresh: Long-lived refresh tokens enable seamless session extension
- Revocation: Centralized control for invalidating compromised tokens
Security Features
- HTTPS enforcement
All token exchanges over encrypted channels - Short-lived access tokens
Typically 15-60 minutes - Secure refresh mechanism
Long-lived tokens with strict handling - PKCE support
Protection for public clients (SPAs, mobile) - Token binding
Prevent token theft scenarios
Claims Enrichment
A key capability of Visual Guard's federation implementation is the ability to enrich external identity claims with application-specific authorization information.
External Claims
Identity information from the external IdP:
- User identifier
- Email address
- Display name
- Group memberships
- Organization attributes
VG Enrichment
Visual Guard adds authorization claims:
- Application roles
- Granular permissions
- Resource access rights
- Business unit associations
- Custom attributes
Application Token
Final token contains both:
- Who the user is (IdP)
- What they can do (VG)
- Where they can access (VG)
- When access expires
- How to refresh
Application Platform Support
Identity federation through Visual Guard supports modern application architectures and development frameworks
Web Applications
- ASP.NET Core & Blazor: Native middleware integration with claim-based authorization
- Single Page Applications: Angular, React, Vue.js using authorization code flow with PKCE
- Server-side frameworks: Java (Spring), PHP, Python with standard OIDC libraries
- Legacy web apps: Can be retrofitted with federation support through VG SDKs
APIs & Services
- RESTful APIs: JWT bearer token authentication for stateless security
- Microservices: Independent token validation with public key verification
- GraphQL APIs: Context-based authorization using token claims
- Legacy services: Can integrate through authentication proxies or adapters
Mobile Applications
- Native mobile apps: iOS and Android with OAuth 2.0 authorization code flow
- Hybrid apps: Cordova, Ionic, React Native with standard OIDC libraries
- Secure storage: Platform-specific mechanisms for token persistence
- Biometric integration: Native biometrics combined with federated identity
Desktop Applications
- PowerBuilder: Modern authentication for legacy applications via VG integration
- .NET (WinForms, WPF): Full OIDC support with native Windows integration options
- Electron apps: Web-based desktop apps using standard OAuth flows
- Hybrid scenarios: Bridge Windows authentication with cloud identity providers
Why Identity Federation with Visual Guard
Reduce Credential Management
Leverage existing identity providers instead of managing separate credentials. Reduce password fatigue and support costs.
Enable Business Flexibility
Rapidly onboard partners, customers, or acquired organizations without complex identity integration projects.
Maintain Authorization Control
Delegate authentication to external providers while keeping centralized control over what users can access.
Standards Compliance
Implementation based on OAuth 2.0 and OpenID Connect ensures compatibility and future-proofs your architecture.