The PicketLink subsystem allows you to configure and deploy identity providers (IDPs) and service providers (SPs), which are grouped together in a federation.
A federation can be understood as a circle of trust within which applications share common configurations, such as certificates and SAML-specific configurations. Each participating domain is trusted to accurately document the processes used to identify a user, the type of authentication system used, and any policies associated with the resulting authentication credentials.
Each federation has one IDP and many SPs.