Identity provider

An Identity Provider (IdP), also known as Identity Assertion Provider, is responsible for (a) providing identifiers for users looking to interact with a system, and (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider. This may be achieved via an authentication module which verifies a security token that can be accepted as an alternative to repeatedly explicitly authenticating a user within a security realm.

An example of this could be where a website allows users to log in with Facebook credentials and Facebook acts as an identity provider. Facebook verifies that the user is an authorized user and returns information to the website - e.g. username and email address (specific details might vary). Similarly, if a site allows login with Google or Twitter credentials then Google and Twitter act as identity providers.

In perimeter authentication, a user needs to be authenticated only once (single sign-on). The user obtains a security token which is then validated by an Identity Assertion Provider for each system that the user needs to access.[1]

Some Identity Assertion Providers support several security token types - such as SAML, SPNEGO, and X.509.

Service provider vs. identity provider

"Provider" is a generic way of referring to both IdPs (Identity Providers) and SPs (Service Providers). There are overlaps when it comes to defining Identity providers vs. Service Providers. According to the OASIS organization that created SAML, an Identity provider is defined as "A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles."

A service provider is "A role donned by a system entity where the system entity provides services to principals or other system entities", and a Federation is "An association comprising any number of service providers and identity providers."

In simple terms and as they relate to identity management, an Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities. It should be noted however that Identity Providers can also provide services beyond those related to the storage of identity profiles.[2]

References

  1. "Identity Assertion Providers".
  2. "Service Providers, Identity Providers, & Security Token Services explained".

See also