In a user access management system, an Identity Provider (IDP) can be used to provide end-user authentication, forwarding credentials to back-end web servers to provide a single sign-on experience. In this way, users provide their access credentials, such as a username and password, only once. However, passing the actual credentials over a wired or wireless connection (even when accomplished using a secure sockets layer) is generally considered poor practice, because the user's password may be directly exposed to nefarious monitoring devices.
In some cases, such as when an access management IDP operates as a Service Provider (SP) and receives end-user authentication from another IDP in the form of a token, no password is provided to the SP at all. This means that there is no password to send to back-end servers that request this credential for access to their applications. Thus, when a federated identity is used for authentication, the end-user password is sometimes not available.
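As an added illustration of the two patterns described above (example code, not part of the original text), the following Python sketch contrasts an IDP that relays the user's raw password to a back-end server with one that forwards a signed, expiring identity assertion that the back end can verify without ever seeing a password. The header names, shared key, issuer name and lifetime are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared between the IDP/SP and the back end.
# A real deployment would use a per-backend secret or an asymmetric signature.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def forward_password(username, password):
    """Legacy pattern: the IDP relays the user's credentials to the back end.
    The password travels in every request, so a proxy log, a misconfigured
    TLS termination point or a monitoring device sees it in the clear."""
    return {"X-Remote-User": username, "X-Remote-Password": password}


def issue_assertion(username, issuer="idp.example", ttl=300, now=None, key=SHARED_KEY):
    """Federated pattern: the IDP/SP issues a signed, time-limited assertion
    carrying only the identity. No password is needed to produce it."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iss": issuer, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_assertion(token, now=None, key=SHARED_KEY):
    """Back-end side: accept the identity only if the signature is valid and
    the assertion has not expired. Returns the subject, or None on failure."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong segment count or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def forward_assertion(token, now=None):
    """Headers the back end derives from a verified assertion: identity only,
    and nothing at all if verification fails."""
    sub = verify_assertion(token, now=now)
    return {"X-Remote-User": sub} if sub else None
```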