Federation Needs a Backbone

By Frank Briguglio

July 14, 2025

Identity Security has become the engine behind seamless access. It connects users from different domains, agencies or organizations and lets them move between systems with a single set of credentials. That’s powerful—but it’s also risky when left ungoverned.

Let’s get one thing straight: federation is about access. It answers the question, “Can this person log in?” But it stops short of answering what really matters: “Should they still have access?” “To what?” “For how long?” That’s where governance steps in—and why it must be the foundation under every federated architecture.

The Upside of Federation

Federation simplifies identity. It creates a trust bridge between Identity Providers (IdPs) and Service Providers (SPs). Users authenticate once—via their home IdP like Azure AD or Okta—and access multiple applications without managing new credentials for each.

Benefits include:

  • Single Sign-On (SSO) across domains
  • Centralized control of user authentication
  • Protocol interoperability via standards like SAML, OIDC and WS-Fed

And federation hubs—which broker trust between many IdPs and SPs—make it scalable. Instead of dozens of custom integrations, each system plugs into the hub. Clean, efficient and fast. But fast access can become fast failure if you don’t govern it!

Access Governance: The Difference Between Access and Control

Federation gets someone in the door. Governance makes sure they belong there—and ensures they leave when they’re supposed to.

Identity Governance manages the full identity lifecycle: onboarding, role changes, access reviews and deprovisioning. It enforces least privilege, flags risky combinations of access (SoD conflicts) and supports audits and compliance frameworks like NIST, SOX or RMF.

Federation can tell you who authenticated. Governance can tell you:

  • Whether that person should have access
  • What access they have across systems
  • Whether that access aligns with policy
  • How that access changes over time

Together, federation and governance form a complete identity security model. Separately, one is fast—and one is safe.

What Happens Without Governance?

An ungoverned federation hub is a highway with no speed limits, no offramps and no cameras. You’re enabling access at scale without oversight.

Here are the risks:

  • Overprovisioned access – Federation alone doesn’t enforce least privilege.
  • Access creep – Users retain access after job changes or departures.
  • Orphaned accounts – No lifecycle hooks to clean up stale identities.
  • Lack of visibility – No way to see what users can do after logging in.
  • No audit trail – Makes compliance reporting a nightmare.
  • Increased insider threat – Privileged access can persist unchecked.
  • Policy misalignment – SAML or OIDC assertions may carry outdated or unverified attributes.

These risks aren’t theoretical. In federal and defense sectors, unmanaged federation could mean exposing sensitive systems to users who are no longer cleared, or who’ve quietly shifted roles without their access being reviewed.
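To make the gap concrete, here is an added example (not code from this post, and not a description of any SailPoint feature) showing how the governance questions above—“should they still have access, to what, and do the assertion’s attributes still match policy”—become checks that run on the data a federation hub already produces. It reconciles a batch of federated logins against an authoritative identity record, a role model and a set of separation-of-duties rules, and flags each of the risks listed above that it can observe: orphaned logins, stale or unverified assertion attributes, access creep beyond the current role, and SoD conflicts. Every identity, role, entitlement and claim below is constructed sample data.

```python
"""Reconcile federated logins against a governance system of record.

Federation tells you WHO authenticated.  The checks below answer the governance
questions: should that identity still exist, does the assertion's content match
the authoritative record, and is the access it carries still justified.
All identities, roles, entitlements and claims are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Authoritative identity record, as an HR/governance system would hold it."""
    user: str
    status: str                      # "active" or "terminated"
    role: str
    attributes: dict                 # source of truth for attributes asserted by the IdP
    entitlements: set = field(default_factory=set)


# --- constructed sample data --------------------------------------------------
ROSTER = {
    "alice": Identity("alice", "active", "analyst",
                      {"clearance": "secret", "dept": "finance"}, {"ledger-post"}),
    # bob moved from finance to IT but kept his old finance entitlements
    "bob": Identity("bob", "active", "engineer",
                    {"clearance": "secret", "dept": "it"},
                    {"ledger-post", "ledger-approve"}),
    "carol": Identity("carol", "terminated", "contractor",
                      {"clearance": "none", "dept": "ops"}, {"ticket-read"}),
}

# Role model: the entitlements a role is expected to carry (birthright access).
ROLE_MODEL = {
    "analyst": {"ledger-post"},
    "engineer": {"repo-write"},
    "contractor": {"ticket-read"},
}

# Toxic combinations: one person could both post and approve a ledger entry.
SOD_RULES = [("ledger-post", "ledger-approve")]

# Attribute claims as they arrived in SAML/OIDC assertions from the hub (constructed).
ASSERTIONS = [
    {"user": "alice", "claims": {"clearance": "secret", "dept": "finance"}},
    {"user": "bob",   "claims": {"clearance": "secret", "dept": "finance"}},  # stale dept
    {"user": "carol", "claims": {"clearance": "none", "dept": "ops"}},        # terminated
    {"user": "dave",  "claims": {"clearance": "secret", "dept": "it"}},       # no record
]


def orphaned_logins(assertions, roster):
    """Logins by identities that governance says should not exist or be active."""
    findings = []
    for a in assertions:
        rec = roster.get(a["user"])
        if rec is None:
            findings.append((a["user"], "no identity record"))
        elif rec.status != "active":
            findings.append((a["user"], f"status={rec.status}"))
    return findings


def stale_claims(assertions, roster):
    """Assertion attributes that disagree with the authoritative record."""
    findings = []
    for a in assertions:
        rec = roster.get(a["user"])
        if rec is None:
            continue                          # already reported as orphaned
        for name, asserted in a["claims"].items():
            authoritative = rec.attributes.get(name)
            if authoritative != asserted:
                findings.append((a["user"], name, asserted, authoritative))
    return findings


def access_creep(roster, role_model):
    """Entitlements not explained by the identity's current role."""
    findings = []
    for rec in roster.values():
        extra = rec.entitlements - role_model.get(rec.role, set())
        findings.extend((rec.user, ent) for ent in sorted(extra))
    return findings


def sod_conflicts(roster, rules):
    """Identities holding both halves of a separation-of-duties pair."""
    return [(rec.user, a, b) for rec in roster.values()
            for a, b in rules if {a, b} <= rec.entitlements]


def governance_report(assertions=ASSERTIONS, roster=ROSTER,
                      role_model=ROLE_MODEL, rules=SOD_RULES):
    """Run every check and return the findings keyed by risk category."""
    return {
        "orphaned": orphaned_logins(assertions, roster),
        "stale_claims": stale_claims(assertions, roster),
        "access_creep": access_creep(roster, role_model),
        "sod": sod_conflicts(roster, rules),
    }


if __name__ == "__main__":
    for category, items in governance_report().items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Note what the federation layer alone would have said about each of these logins: all four authenticated successfully. Only the comparison against a lifecycle-aware record surfaces the terminated contractor, the identity with no record at all, the assertion still carrying bob’s old department, and the entitlement pair that his new role never justified.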

Governance in Action: SailPoint’s Role

SailPoint is not a federation provider. It’s a governance platform that sits on top of your federation layer, giving you full control over identity lifecycles, policies and risk.

SailPoint integrates with both upstream IdPs and downstream apps accessed via the federation hub. It handles:

  • Identity aggregation and normalization
  • Automated provisioning/deprovisioning
  • Policy enforcement (least privilege, SoD, etc.)
  • Access reviews and certifications
  • Risk scoring and contextual enforcement
  • Audit trails and compliance reporting

This governance layer makes sure your federated access is secure, justified and auditable. It aligns your identity strategy with Zero Trust principles—not just who gets in, but why, how and for how long.

Why Governance Must Come First

It’s tempting to view governance as a bolt-on. Something to “get to later” once federation is up and running. That’s dangerous thinking.

Governance is not optional. It’s the foundation.

Without it, every benefit of federation can turn into a vulnerability. That seamless access? Now it’s frictionless exposure. That fast onboarding? Now it’s risky overreach. And every shortcut you take early on becomes technical debt—if not a breach—down the road.

Real-World Example: Federation in Federal Environments

Take the U.S. Department of Defense. Their Enterprise Federation Hub allows identity brokering across agencies, contractors and civilian orgs. It’s fast and powerful—but governance is what makes it secure.

SailPoint is used alongside this hub to:

  • Enforce ABAC using enriched attributes
  • Automate provisioning to systems like ServiceNow and SAP
  • Conduct quarterly access certifications
  • Supply audit logs for compliance frameworks like FIAR and RMF

Without this layer, the Federation Hub would be a sprawling access point with no brakes, no logs and no cleanup.

Bottom Line

Federation gives you the scale. Governance gives you the safety.

One gets people in. The other makes sure they belong.

If you’re building a federated identity ecosystem—whether in the enterprise or in a multi-agency Government context—start with governance. Don’t wait for audit findings or security incidents to add it later. By then, it’s already too late.

Federation needs a backbone. Governance is it.
