What is Federation?

Throughout this wiki space, a SAML entity (or just entity for short) refers to either a SAML Service Provider or a SAML Identity Provider. A SAML entity exhibits metadata (sometimes called entity metadata). As a prerequisite to interoperation, Identity Providers and Service Providers share each other's metadata, which minimally includes the keys and service endpoints of the named entity. Two SAML entities come to trust each other (in a technical sense) by securely sharing each other's metadata. This is often called federation (lowercase "f"). How that metadata is shared determines whether the federation is considered bilateral or multilateral.
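To make the "keys and endpoints" minimum concrete, the following added example (not part of this wiki page or any Federation's tooling) parses a constructed SAML 2.0 EntityDescriptor with Python's standard library, pulls out the entityID, the X.509 keys of each role, and every Binding/Location endpoint, and then checks the minimum a peer needs before it can interoperate. The sample metadata documents, entity names, and the `parse_entity_metadata` / `check_minimum` function names are all constructed for the illustration.

```python
"""Extract the minimum a peer needs from SAML entity metadata: keys and endpoints."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata for this example; the entityID, certificate text and
# endpoint URLs are placeholders, not from any real deployment.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata that fails the minimum: no KeyDescriptor, plain-http endpoint.
SAMPLE_SP_METADATA_BAD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_entity_metadata(xml_text):
    """Return {'entityID': ..., 'roles': {role: {'keys': [...], 'endpoints': [...]}}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    result = {"entityID": root.get("entityID"), "roles": {}}
    for role_name in ("IDPSSODescriptor", "SPSSODescriptor"):
        for role in root.findall("md:" + role_name, NS):
            keys = []
            for kd in role.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without a 'use' attribute is valid for both uses.
                use = kd.get("use") or "signing+encryption"
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    keys.append({"use": use, "cert": "".join(cert.text.split())})
            endpoints = []
            for child in role:
                # Every endpoint element carries a Binding and a Location attribute.
                if child.get("Location") and child.get("Binding"):
                    endpoints.append({
                        "type": child.tag.split("}")[1],
                        "binding": child.get("Binding"),
                        "location": child.get("Location"),
                    })
            result["roles"][role_name] = {"keys": keys, "endpoints": endpoints}
    return result


def check_minimum(parsed):
    """List the problems that would block interoperation with this entity."""
    problems = []
    if not parsed["entityID"]:
        problems.append("missing entityID")
    for role_name, role in parsed["roles"].items():
        if not role["keys"]:
            problems.append("%s: no keys" % role_name)
        if not role["endpoints"]:
            problems.append("%s: no endpoints" % role_name)
        for ep in role["endpoints"]:
            if not ep["location"].startswith("https://"):
                problems.append("%s: non-https endpoint %s" % (role_name, ep["location"]))
    return problems


if __name__ == "__main__":
    for label, doc in (("IdP", SAMPLE_IDP_METADATA), ("SP", SAMPLE_SP_METADATA_BAD)):
        parsed = parse_entity_metadata(doc)
        print(label, parsed["entityID"], check_minimum(parsed) or "OK")
```

The check only confirms that the metadata is complete enough to be usable; it says nothing about whether it is authentic, which is exactly the question that the choice between bilateral and multilateral sharing, discussed below, decides.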

Bilateral Federation

Outside of higher education, the most common form of federation is bilateral, that is, two entities (an IdP and an SP) share metadata via some ad hoc method such as email or a protected web app (i.e., an HTML form). Combined with a contract, bilateral federation enables trusted interoperation between one IdP and one SP. The transmission of metadata via email is inherently insecure and error prone. Using a partner's web app to submit metadata is potentially more secure than email but deficient in other ways. Indeed, both techniques have significant security, usability, interoperability, and scaling issues. The bottom line is: avoid bilateral federation whenever possible.

Multilateral Federation

Multilateral federation usually implies a trusted third party that securely registers and reliably publishes all entity metadata. Such a trusted third party is called a Federation (uppercase "F"). The primary function of a Federation, then, is metadata registration, and hence the term metadata registrar. When combined with a common set of policies, multilateral federation enables trusted interoperation between all Identity Providers and all Service Providers.