May 12, 2024

What is an IdP (Identity Provider)?

As a core element of online interactions, our digital identities are at the heart of our lives — both at work and at home. A complex ecosystem of components and protocols is responsible for creating, managing, and using these digital identities — and a critical part of this ecosystem is the identity provider, or IdP.

What is an IdP?

An IdP is a third-party service that issues and manages digital identities. Here’s how it works: A user identity is registered with an IdP. The registration process may involve the collection of personal data, like the user’s name and address. The IdP captures and associates login credentials, including multi-factor authentication (MFA) elements, with the user's identity account. An IdP is part of an identity and access management (IAM) system.

After registration, an IdP can authenticate a user identity at the request of a service provider (SP). At a baseline, an IdP will authenticate a user's login credentials against its database before allowing login. An IdP can act as a centralized service that authenticates people to apps and other services.

Many modern IdPs are cloud-based and are referred to as identity-as-a-service (IDaaS) providers.

To maintain robust security, an IdP never stores login credentials in cleartext. Instead, IdPs protect stored credentials with an approved cryptographic method.

What is an IdP used for?

An IdP can be used for any entity that can be identified. For example, IdPs are used for: 

Enterprise workers: IdPs are used within an organization to manage the identities of employees and relevant non-employees such as contractors and suppliers. An example of an enterprise IdP is Microsoft Entra ID (formerly Azure Active Directory). 

Consumers: IdPs managing consumer user accounts include social login services like Google. You can extend consumer and social identity providers by integrating them with consumer identity and access management (CIAM) services.

Citizens: Governments often make use of dedicated IdPs. Non-government and commercial vendors may provide these IdPs. An example of a government IdP is CitizenSafe from GBGroup. Citizen IdPs are often integrated with external verification services to check consumer data.

Devices and computers: IdP management of identities can extend to non-human objects like IoT devices. ForgeRock provides an IdP for IoT devices.

Some well-known IdPs

Some of the most common IdPs are also well-known brands, including:

  • Google

  • Apple

  • Microsoft Entra ID

  • LinkedIn

  • GitHub

  • Okta

Benefits of an IdP

Five of the most beneficial uses of an IdP are:

1. User management and registration

An IdP manages your workforce or customers, reducing the need for custom logins. Registration can be automated, and self-service can be built into an IdP, reducing the need for help desks and laborious manual account resets.

2. Password fatigue reduction

An IdP helps to reduce the number of login passwords that employees need. If used with SSO (single sign-on), this number is reduced further, and login across multiple apps is streamlined.

3. Audit and accountability

An IdP keeps track of user logins. This can be a vital tool in managing employees' app use and making insightful decisions about app and data usage and privileges. Centralized account auditability can also help identify insider threats.

4. Control

An IdP can be thought of as a single source of truth, managing and controlling employee (and customer) identities and user authentication.

5. Identity management efficiency

An IdP is a more efficient way to centrally manage your employees or customers. Account management can be performed quickly, and onboarding and offboarding can be managed more effectively.

IdP protocols

Identity protocols SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) are the underlying protocols of most IdPs.

SAML IdP

SAML was one of the first protocols associated with an IdP. A SAML IdP is typically used as part of an SSO service. The SAML IdP issues SAML assertions, which are XML documents, when requested by a SAML service provider (SP).

OIDC IdP

OIDC is built atop OAuth 2.0. An OIDC IdP issues an ID token, a JSON Web Token (JWT) that encapsulates the identity claims in JSON format.

Both SAML and OIDC let an IdP assert a user's identity to the services that rely on it. The two protocols have pros and cons. Some of the major differences include:

  1. SAML is more complex to implement.

  2. OIDC uses JWTs, which are smaller and have lighter-weight processing requirements than the XML documents that SAML uses.

  3. OIDC integrates user consent by default. This can also be achieved using SAML, but it is more complex to set up.
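The ID token described above, as an added example that is not part of the original article: the IdP side builds a JWT carrying the OIDC identity claims (iss, sub, aud, iat, exp, nonce), and the SP side checks the signature, issuer, audience, expiry and nonce before trusting any claim. The issuer URL, client ID and shared secret are constructed values. Real IdPs sign ID tokens with an asymmetric key (RS256) published through a JWKS endpoint; HS256 with a shared secret is used here only so the example runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example (hypothetical IdP, hypothetical SP client ID).
ISSUER = "https://idp.example.test"
CLIENT_ID = "sp-demo-client"
SECRET = b"constructed-shared-secret-do-not-reuse"  # HS256 stand-in for an RS256 key pair


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_id_token(subject: str, nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side: sign a JWT whose payload holds the OIDC identity claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = f"{_b64url(_compact_json(header))}.{_b64url(_compact_json(claims))}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """SP side: every check here must pass before the claims are trusted."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the SP, not the token, decides the algorithm
    expected_sig = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different SP")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def is_valid(token: str, expected_nonce: str, now: int) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need pass/fail."""
    try:
        verify_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the verifier against a good token and three bad ones."""
    token = issue_id_token("user-123", "abc-nonce", now)
    # Rewrite the subject claim but keep the original signature: must be rejected.
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = "user-999"
    tampered = f"{header_b64}.{_b64url(_compact_json(claims))}.{sig_b64}"
    return {
        "valid": is_valid(token, "abc-nonce", now + 60),
        "tampered_rejected": not is_valid(tampered, "abc-nonce", now + 60),
        "expired_rejected": not is_valid(token, "abc-nonce", now + 600),
        "nonce_rejected": not is_valid(token, "other-nonce", now + 60),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is pinned by the SP rather than taken from the token header, so a forged header cannot downgrade verification. The nonce binds the token to the SP's original authentication request, which is what stops a captured token from being replayed into a different login.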

IdP workflow steps

User registers with the IdP: The user must provide unique information, such as an email address. The registration process will capture login credentials based on the security requirements of the IdP service. 

Post-registration: Once the user has registered, the IdP issues an identity, and the user (typically) has access to their account and personal data.

This digital identity can then be used with an SP that is federated with the IdP.

The IdP workflow has three core steps:

  1. Authentication: The user is requested to present their identifying credentials, such as a username and password, plus any MFA factor.

  2. Verification: The IdP checks these credentials to see whether a user has access to the service.

  3. Authorization: Users are given access to resources based on their authorization level.
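The registration step and the three workflow steps above, together with the earlier point that an IdP never keeps credentials in cleartext, as one added example that is not part of the original article. A constructed in-memory store stands in for the IdP's database: registration keys the account on a unique email address and stores only a salted scrypt hash of the password plus an MFA secret; authentication and verification check the password hash and an RFC 4226 HOTP code in constant time and return a session token; authorization maps that session to a hypothetical role ("employee" or "admin") and decides whether an action is permitted. The role names, email addresses and secrets are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the IdP's user database and session table.
USERS: dict = {}
SESSIONS: dict = {}

# Hypothetical authorization levels and the actions each one permits.
PERMISSIONS = {
    "employee": {"read"},
    "admin": {"read", "write", "manage-users"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash: the only form of the password the IdP ever stores."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code; an authenticator app holding the same secret computes the same value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def register(email: str, password: str, role: str = "employee",
             mfa_secret: Optional[bytes] = None) -> None:
    """Registration: the email must be unique; credentials are captured but never stored in clear."""
    if email in USERS:
        raise ValueError("email already registered")
    if role not in PERMISSIONS:
        raise ValueError("unknown role")
    salt = os.urandom(16)
    USERS[email] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "mfa_secret": mfa_secret or secrets.token_bytes(20),
        "mfa_counter": 0,
        "role": role,
    }


def authenticate(email: str, password: str, otp: str) -> Optional[str]:
    """Steps 1 and 2: the user presents credentials and the IdP verifies them.
    Returns a session token on success and None on any failure."""
    rec = USERS.get(email)
    if rec is None:
        _hash_password(password, b"\x00" * 16)  # same cost as a real check, so timing reveals nothing
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    expected = hotp(rec["mfa_secret"], rec["mfa_counter"])
    if not hmac.compare_digest(expected.encode(), otp.encode()):
        return None
    rec["mfa_counter"] += 1  # advance so the same one-time code is never accepted twice
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def authorize(session_token: Optional[str], action: str) -> bool:
    """Step 3: access to a resource is granted according to the identity's authorization level."""
    email = SESSIONS.get(session_token)
    if email is None:
        return False
    return action in PERMISSIONS[USERS[email]["role"]]


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed for the demo
    register("alice@example.test", "correct horse battery staple", mfa_secret=demo_secret)
    session = authenticate("alice@example.test", "correct horse battery staple", hotp(demo_secret, 0))
    print("login ok:", session is not None)
    print("can read:", authorize(session, "read"), "| can write:", authorize(session, "write"))
```

A failed password check returns before the MFA code is examined, so the HOTP counter only advances on a fully successful login; a code that has been used once is rejected on the next attempt even with the right password. Every failure path returns the same None, which keeps the IdP from telling a caller which factor was wrong.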