What is federated access? Is it right, or harmful, or dangerous?
- Alexey
- Jun 10, 2020
- 2 min read
To get access somewhere, you usually have to give that service your user name and password.
In the early days, people were supposed to have a unique user name and password for every service. In practice they might have had only one, but they still had to log in each time they accessed a new service. Every service was developing its own authentication engine; in the best case it used an open-source solution. Those were times of total mess and misconfiguration. Developing a robust authentication engine is a big deal.
Later, people developed Single Sign-On (SSO) solutions. SSO works within company boundaries, in a trusted environment. In practice it means a service does not need its own authentication engine; it relies on a central solution, the identity provider. That solution is deployed and configured correctly once, and every service relies on it. Application developers now have one problem less: no need to deal with their own authentication engine. But what should a website do when it sits out on the open internet?
Services outside the trusted network did not have the luxury of skipping their own authentication engine until recently. The solution for them is Federated Identity Management (FIM). You have seen it many times when registering somewhere and Google or Facebook are offered as login options. What happens is that the service builds a trust relationship with that big company and leverages its authentication engine. Put more formally, Federated Identity Management is about building trust between identity systems in an untrusted environment. On the ground, that means more security with less headache for developers.
The downside is that you share with that big company information about the resources you are interested in.
When using federated access, be careful not to grant a service too many permissions. The first time you use a service, it asks for permission to read your data from Google, Facebook or another identity provider. Some services abuse this opportunity and request full access, whereas only an e-mail address or user name is enough.
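As an added illustration (not from the original post), the Python below audits the `scope` parameter of an OAuth 2.0 / OpenID Connect authorization request against the minimal set a plain sign-in needs, which is the check a user or reviewer would want before clicking "Allow". The identity provider host, client id and non-standard scope URIs are constructed for the example; only `openid`, `email` and `profile` are real standard OIDC scopes.

```python
"""Audit the scopes a relying party asks an identity provider for.

Federated login only needs to prove who the user is; anything beyond
that (mail, contacts, files) is excess permission the service should
not be granted.  Hosts and non-standard scope URIs below are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Standard OpenID Connect scopes sufficient for "sign in with X":
# an identity token plus the user's e-mail address and basic profile.
LOGIN_SCOPES = frozenset({"openid", "email", "profile"})

# Constructed authorization URLs as a browser would see them.
MINIMAL_REQUEST = (
    "https://idp.example/authorize?client_id=rp-demo&response_type=code"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&scope=openid+email"
)
GREEDY_REQUEST = (
    "https://idp.example/authorize?client_id=rp-demo&response_type=code"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb"
    "&scope=openid+email+profile"
    "+https://idp.example/auth/mail.full+https://idp.example/auth/contacts"
)


def requested_scopes(authorize_url: str) -> set[str]:
    """Return the set of scopes in the URL's 'scope' query parameter.

    RFC 6749 section 3.3 defines 'scope' as one space-delimited string;
    parse_qs already turns the '+' form-encoding back into spaces.
    """
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def audit_scopes(authorize_url: str, allowed: frozenset = LOGIN_SCOPES) -> dict:
    """Split requested scopes into login-necessary and excess ones."""
    requested = requested_scopes(authorize_url)
    excess = requested - allowed
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "least_privilege": not excess,
    }


if __name__ == "__main__":
    for url in (MINIMAL_REQUEST, GREEDY_REQUEST):
        print(audit_scopes(url))
```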