What is an identity provider?
An identity provider (IdP) is a system component that provides an end user or internet-connected device with a single set of login credentials that ensures the entity is who or what it says it is across multiple platforms, applications and networks.
For example, when a third-party website prompts end users to log in with their Google Account, Google Sign-In is the identity provider.
A single, consistent identity usable across platforms, applications and networks is called a federated identity. An IdP's job is to maintain the federated identity by protecting registered credentials and making them available to disparate directory services through translation services. If the IdP provides endpoint authentication services or user authentication services, it may also be referred to as an authentication as a service (AaaS) provider.
An identity provider serves the same basic function as a directory service, like Microsoft's Active Directory (AD). Its use enables information security (infosec) administrators to organize and manage the identity of end users, digital devices and network resources and to interact safely and securely over a proprietary network. Network resources can include anything from software applications and the databases that support them to physical devices in the internet of things (IoT), like phones, printers, sensors and actuators.
How do identity providers work?
An IdP is responsible for sending three basic types of messages:
- An authentication assertion that shows the requesting device is who or what it claims to be.
- An attribution assertion that passes along all relevant data when a connection request is made.
- An authorization assertion that documents whether the user or requesting device was granted access to the online resource or not.
These assertions are Extensible Markup Language (XML) documents that contain all the necessary information to verify users to a service provider.
Security benefits of using an identity provider
Using an identity provider is convenient for users because it means they no longer must remember multiple logins.
From the service provider's point of view, this approach can be more secure for the following reasons:
- The IdP provides a central audit trail of all access events, which makes it easier to prove who is accessing what resources and when.
- The IdP saves users the hassle of creating and maintaining multiple usernames and passwords with single sign-on (SSO). Maintaining and reentering multiple passwords is known aspassword fatigue. Password fatigue is a safety hazard and an inconvenience. The more times users must log in or remember a new password by writing it somewhere, for example, the more opportunities they give attackers to steal that password. It's the equivalent of carrying a passport, identification card and birth certificate around at all times.
- The service provider doesn't have to be concerned about protecting personally identifiable information (PII) because that becomes the IdP's responsibility.
Types of identity providers
The two main types of identity management providers are enterprise-based and social-based. An enterprise identity provider can be used in a corporate enterprise for identity and access management (IAM) or in personal computing to authenticate users for online activities that take place behind a registration wall, such as online shopping and access to subscription-based content.
Identity providers can also be categorized by the languages they use for communication with service providers.
SAML is a language better suited to corporate interests because it provides more control, enabling corporations to make their SSO logins more secure. SSO is an important aspect of identity as a service (IDaaS) and AaaS.
Popular identity providers
Popular companies that offer IdP services include the following:
- Amazon Web Services (AWS)
Popular IdPs for enterprise/corporate use include the following:
Risk of using an IdP
The downside of using an IdP is that sensitive information is still being handed over to a third party, albeit a reliable one. There is always the risk that the identity provider could be hacked or lose control over the information it possesses through poor data hygiene.
Blockchain is one solution that might mitigate this issue. Whereas conventional IdPs federate and centralize identity, an IdP that uses blockchain would take advantage of the way blockchain stores information. This approach would enable users to have a single identity, just like SSO and IDaaS, yet still be in full control of their credentials instead of handing them off to a third-party provider.
Identity providers vs. service providers
When talking about IdPs, the service provider is the entity that maintains the digital resource that a user is trying to access. The identity provider delivers authentication credentials to the service provider at the user's request. This distinction can be confusing because, technically, an identity provider is also a service provider.