Two models for who you are
Identity is the record that says who a user is. The first design question is where that record lives.
In a centralized model one directory owns every account. Every application asks that single source whether a login is valid. It is simple to reason about, and because every login is checked against the same record, disabling an account there revokes access everywhere at once.
In a federated model many separate directories exist and they trust each other. A user from one organization can sign in to another organization's application because the two sides agreed on a trust relationship and a shared protocol (SAML or OpenID Connect in practice): the user's home directory, acting as identity provider, signs an assertion about the user, and the application, acting as relying party, verifies that signature instead of holding the user's credentials itself.
Tradeoffs
- Centralized is simpler but becomes a single point of failure (if the directory is unavailable or compromised, so is every application behind it) and a hard place to onboard outside partners, whose users would all need accounts in your directory.
- Federated scales across companies and lets each side keep control of its own users, but trust must be carefully configured and audited: the relying party must check each assertion's signature, issuer, audience and expiry, and a misconfigured or compromised partner identity provider can assert any identity it is trusted for. Revocation is also slower: once an assertion has been issued, the relying party keeps honoring it until it expires unless the partner signals the change, so short lifetimes matter.
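The two models side by side, as an added example that is not part of the original page: a centralized directory that every login consults, and a federated relying party that holds no accounts at all, only a trust list of partner issuers. The assertion format is a simplified JWT-like "payload.signature" string signed with a per-partner HMAC secret, an assumption made here to keep the demo self-contained; real federations use SAML or OpenID Connect with asymmetric keys, but the checks the relying party performs (issuer on the trust list, valid signature, correct audience, not expired) are the same. The names shop.example, idp.partner-a.example and the helper functions are hypothetical.

```python
"""Added example, not the page's own code: centralized directory vs federated
relying party. Assertion format is a simplified HMAC-signed stand-in for
SAML/OIDC (an assumption for a self-contained demo)."""
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CentralDirectory:
    """Centralized model: one directory owns every account and is asked on every login."""

    def __init__(self) -> None:
        self._accounts: Dict[str, tuple] = {}  # username -> (salt, hash, enabled)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = (salt, digest, True)

    def revoke(self, username: str) -> None:
        # Effective everywhere at once: every application checks this record.
        salt, digest, _ = self._accounts[username]
        self._accounts[username] = (salt, digest, False)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, digest, enabled = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return enabled and hmac.compare_digest(candidate, digest)


def issue_assertion(issuer: str, secret: bytes, subject: str, audience: str,
                    ttl: int, now: float) -> str:
    """Partner identity provider signs a short-lived statement about one user."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": int(now), "exp": int(now) + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


class FederatedRelyingParty:
    """Federated model: no local accounts, only a trust list of partner issuers."""

    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]) -> None:
        self.audience = audience
        self.trusted_issuers = trusted_issuers  # issuer name -> shared secret

    def verify(self, token: str, now: float) -> Optional[dict]:
        """Returns the verified claims, or None if any check fails."""
        try:
            body, sig_b64 = token.split(".")
            payload = json.loads(_b64url_decode(body))
            sig = _b64url_decode(sig_b64)
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(payload, dict):
            return None
        iss = payload.get("iss")                                   # 1. issuer on trust list
        secret = self.trusted_issuers.get(iss) if isinstance(iss, str) else None
        if secret is None:
            return None
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):                 # 2. signature is theirs
            return None
        if payload.get("aud") != self.audience:                    # 3. addressed to us
            return None
        exp = payload.get("exp")                                   # 4. not expired
        if not isinstance(exp, int) or exp <= now:
            return None
        return payload


def demo(now: float = 1_700_000_000.0) -> dict:
    """Runs both models on constructed data and returns each outcome."""
    central = CentralDirectory()
    central.add_user("alice", "correct horse")
    results = {"central_ok": central.authenticate("alice", "correct horse"),
               "central_wrong_password": central.authenticate("alice", "wrong")}
    central.revoke("alice")
    results["central_after_revoke"] = central.authenticate("alice", "correct horse")

    partner_secret = b"\x01" * 32  # constructed secret shared with one partner
    rp = FederatedRelyingParty("shop.example", {"idp.partner-a.example": partner_secret})
    good = issue_assertion("idp.partner-a.example", partner_secret, "bob", "shop.example", 300, now)
    results["federated_ok"] = rp.verify(good, now)
    results["federated_unknown_issuer"] = rp.verify(
        issue_assertion("idp.unknown.example", b"\x02" * 32, "mallory", "shop.example", 300, now), now)
    results["federated_wrong_audience"] = rp.verify(
        issue_assertion("idp.partner-a.example", partner_secret, "bob", "hr.example", 300, now), now)
    body, sig = good.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = "admin"  # tamper with the claims but keep the old signature
    tampered = _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig
    results["federated_tampered"] = rp.verify(tampered, now)
    # The partner may disable bob in its own directory, but the relying party never
    # sees that: an already issued assertion stays valid until it expires.
    results["federated_after_partner_revoke"] = rp.verify(good, now + 200)
    results["federated_expired"] = rp.verify(good, now + 300)
    return results
```

The last two lines of demo are the practical difference between the models: in the centralized directory, revoke() is felt by every application on its next login, while the relying party has no way to learn that a partner disabled a user and honors the assertion until exp, which is why federated deployments keep assertion lifetimes short.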
Where each fits
- A single product with internal users leans centralized.
- A marketplace, partner network, or enterprise SSO leans federated.
Key idea
Centralized identity puts every account in one directory while federated identity lets independent directories trust each other across boundaries.