0
votes

Say I'm a small application (www.example.com) and I'm integrating with a much larger enterprise (www.acme.com).

In this scenario I am the service provider and they are the Identity provider. Their request is that I integrate into their auth ecosystem using SSO (specifically SAML 2.0).

For the standard IdP-initiated flow, users will sign in on their end and they will POST an XML assertion to my application, which will then verify the user and sign them in to my application (i.e. set a browser session).

The enterprise uses PingFederate as their identity server, and they are curious what implementation my application uses. At this time I have none.

  1. If my application is a single monolith (e.g. a small Ruby on Rails app), do I even need a federated server? Ultimately they are just looking for a place to POST SAML data to, so I can set up an endpoint and go from there, right?

  2. What are some general benefits of a federated server? Why wouldn't every service provider application (small and large) just set up an endpoint to ingest SAML data and call it a day?

Thanks!

2
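The question describes the IdP-initiated flow: the identity provider POSTs an assertion to an endpoint on the service provider, which verifies it and sets a session. Below is an added example (not code from the question or the answers) of the checks a Ruby service provider's assertion consumer endpoint should run on a received assertion once its XML signature has been verified by a SAML library. Signature verification itself is assumed to be done by such a library (e.g. ruby-saml) before these checks and is not implemented here. The sample assertion, the entity IDs, the ACS URL and the user name are constructed placeholders, not values from the page.

```ruby
# Added example, not from the original question or answers: post-signature
# validation for a SAML 2.0 assertion received at a service provider's
# Assertion Consumer Service (ACS). Signature verification is assumed to have
# been done already by a SAML library; it is NOT implemented here.
require 'rexml/document'
require 'time'
require 'set'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Constructed, unsigned sample assertion with placeholder entity IDs and URLs.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_constructed-id-001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://www.acme.com/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@acme.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.example.com/saml/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://www.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
XML

class AssertionValidator
  # expected_issuer, expected_audience and acs_url come from the SP's own
  # configuration, never from the assertion being checked.
  def initialize(expected_issuer:, expected_audience:, acs_url:, clock_skew: 60)
    @expected_issuer = expected_issuer
    @expected_audience = expected_audience
    @acs_url = acs_url
    @clock_skew = clock_skew
    @seen_ids = Set.new # replay cache; a real SP persists this with a TTL
  end

  # Returns [true, name_id] when every check passes, [false, reason] otherwise.
  def validate(xml, now: Time.now.utc)
    doc = REXML::Document.new(xml)
    root = doc.root
    return [false, 'not an Assertion'] unless root && root.name == 'Assertion'

    # The assertion must come from the IdP we federated with.
    issuer = text_of(root, 'saml:Issuer')
    return [false, "unexpected issuer #{issuer.inspect}"] unless issuer == @expected_issuer

    # The assertion must be addressed to us, not to some other SP of the same IdP.
    audience = text_of(root, 'saml:Conditions/saml:AudienceRestriction/saml:Audience')
    return [false, "audience mismatch #{audience.inspect}"] unless audience == @expected_audience

    # Validity window, with a small tolerance for clock skew between IdP and SP.
    conditions = REXML::XPath.first(root, 'saml:Conditions', SAML_NS)
    return [false, 'missing Conditions'] unless conditions
    not_before = Time.iso8601(conditions.attributes['NotBefore'])
    not_on_or_after = Time.iso8601(conditions.attributes['NotOnOrAfter'])
    return [false, 'assertion not yet valid'] if now + @clock_skew < not_before
    return [false, 'assertion expired'] if now - @clock_skew >= not_on_or_after

    # Bearer confirmation must name our ACS URL as the recipient.
    scd = REXML::XPath.first(root, 'saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', SAML_NS)
    return [false, 'missing SubjectConfirmationData'] unless scd
    return [false, 'wrong Recipient'] unless scd.attributes['Recipient'] == @acs_url

    # Each assertion ID may be accepted once; a second POST of the same
    # assertion is a replay.
    id = root.attributes['ID']
    return [false, 'replayed assertion'] if @seen_ids.include?(id)
    @seen_ids << id

    [true, text_of(root, 'saml:Subject/saml:NameID')]
  end

  private

  def text_of(node, xpath)
    el = REXML::XPath.first(node, xpath, SAML_NS)
    el && el.text && el.text.strip
  end
end
```

The validator holds the expected issuer, audience and ACS URL as configuration rather than reading them from the assertion, so an assertion issued by the same IdP for a different service provider, or one captured and re-posted later, is rejected even though its signature is valid.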

2 Answers

1
votes

You don't necessarily need a Federation server. However, if you decide in the future to divide/expand your application into micro-services or integrate your service with other 3rd Parties, a server will allow you to scale without disrupting your current customers (great CX) and not have to manage separate security endpoints.

0
votes
  1. I think we should move this to software engineering

  2. How do users authenticate with your service? Having a federated identity guarantees that the whole user management process is someone else's problem. They're looking for a way to integrate your service into their authentication system, so you need to set up an endpoint not only to consume but to be able to send SAML requests to their identity server as well.

  3. I use my Google Account credentials to access almost all my social networking sites (including Stack Exchange), that means among other things that all sites know me as the same entity plus I just have to remember the one password.

  4. Don't know about SAML but almost everybody is using OpenID or OAuth.