What is an Identity Provider (idP)?
An identity provider (IdP) is a system that creates, stores, and manages digital identities. The IdP can either directly authenticate the user or can provide authentication services to third-party service providers (apps, websites, or other digital services).
Simply put, an IdP offers user authentication as-a-service. For example, you can use your Google account credentials to log in to Spotify. Here your Google Sign-In is the IdP and Spotify is the service provider (SP). Any website that requires a login, for example, uses an IdP to authenticate users. A password or other authentication factor may be used to authenticate the user.
From an IdP perspective, a user is known as a principal. A principal can be a human or a machine. An IdP can authenticate any entity, including devices. The purpose of an IdP is to track these entities and know where and how to retrieve the principal identities that determine whether a person or device can access sensitive data.
What is an IdP workflow?
An IdP enables a user’s identity to facilitate access to all their resources, from email to company file management systems.
An IdP workflow involves three key steps:
- Request: The user is requested to enter some form of identity, such as a username and password or biometric authentication.
- Verification: The IdP checks to determine if the user has access, and what they have access to.
- Unlocking: The user is given access to the specific resources to which they are authorized.
What is a service provider (SP) and how does it work with an IdP?
A service provider is the entity that provides the service being accessed, whereas an IdP is the entity that creates, stores, and manages identities as well as the ability to authenticate a user.
Both SPs and IdPs are part of federated identity management (FIM), where users are allowed to use the same verification method to access different resources. FIM is achieved through standard protocols like SAML, OAuth, OpenID Connect (OIDC), and SCIM.
The IdP establishes a trusted relationship with an SP by sharing identities and authenticating users across domains. For example, when a user attempts to access any third-party apps (SPs), the request is sent to an IdP like Entrust Identity as a Service (IDaaS). The IdP authenticates the user identity and indicates the SP using a SAML assertion that the user is verified and has permission to access the service.
What are the benefits of having an IdP?
There are several benefits, including:
- Stronger authentication: An IdP can provide tools and solutions that ensure secure access across apps, websites, and other digital platforms such as risk-based adaptive multi-factor authentication (MFA).
- Simplified user management: Another solution most IdPs provide is single sign-on (SSO), which saves users the hassle of creating and maintaining multiple usernames and passwords.
- Bring Your Own Identity (BYOI): With BYOI, users can access services with identity credentials that they already have (e.g., Google, Outlook, etc.) instead of creating new ones. This further improves the efficiency of onboarding and managing users while still maintaining a high level of security.
- Better visibility: An IdP will maintain a central audit trail of all access events, thereby making it easier to prove who is accessing what resources and when.
- Reduces identity management burden: The SP does not need to manage user identities as it becomes the IdP’s responsibility.
Types of Identity Providers (IdP)
There are two primary types of identity providers: Security Assertion Markup Language (SAML) and Single-Sign On (SSO).
SAML is an XML based markup language used for authentication via identity federation. SAML is a ubiquitous protocol that is supported by various service provider applications such as Office 365, Salesforce, Webex, ADP, and Zoom.
SSO is an access management function that enables users to log in with a single set of identity credentials to multiple accounts, software, systems, and resources. For example, when an employee enters their credentials to login to their workstation they are also authenticated to access their apps, resources and cloud-based software.
Use Cases for Identity Providers (IdP)
Identity providers (IdP) can help solve several administration headaches that businesses face. With an identity service provider, long lists of usernames and passwords are virtually eliminated, administration is simplified and there’s a detailed paper trail of access attempts, should an issue arise.
Most consumers are familiar with apps that give them the option of logging in by tapping a button that connects that account to the user’s Facebook or Google account. The concept is similar in the business world, with a few added benefits. First, compliance is simplified with an audit trail of all access events. Second, businesses can reduce IT costs by upwards of 20% by reducing helpdesk time for password resets.
Is Entrust IDaaS the right IdP solution for your business needs?
Yes. Entrust Identity as a Service (IDaaS) is a cloud-based identity and access management (IAM) solution that includes multi-factor authentication (MFA), credential-based passwordless access, and single sign-on (SSO). Offering an exhaustive set of IAM capabilities, IDaaS is the right IdP to maximize your protection with its Zero Trust approach to security.
What is identity and access management?
Identity and access management (IAM) is a framework of security policies and technologies that ensures that the right entities can gain access to the right resources at the right time.
An entity can be a person or a device. Resources include applications, networks, infrastructure, and data. IAM can apply to workforce, consumer, and citizen use cases.
IAM is based on the premise of establishing and maintaining trusted digital identities. With IAM, organizations are able to authenticate and authorize entities to grant secure access to the right resources. As well, trust is maintained over time with adaptive risk-based authentication that provides a step-up challenge when conditions warrant.