TL;DR: IdPs are services that manage entities' digital identities. They help service providers verify the identity of their users and enable SSO to minimize user password fatigue.
What Is an IdP?
An Identity Provider (IdP) is a service that stores and manages digital identities. These identities can belong to human or software entities. You can imagine an identity provider like a social register from Regency-era England containing information about specific individuals, including names, titles, and familial connections. This information could be used to dictate who should be invited to which events in high society or even to verify that someone is who they say they are. Modern IdPs probably won’t help you get invited to any major society events, but they do ensure that access to digital services is limited to the intended audience.
What Do We Mean by Identity?
A digital identity is the set of information mapped to a person or software entity: a username, address, email, and so on. A subset of that information is unique to the entity and can be used to verify that the entity is who it claims to be. This subset makes up the entity's authentication factors, which can be things like passwords, biometrics, security questions, or device information. Factors fall into three categories: knowledge, possession, and inherence, in other words something you know, something you have, and something you are. (Security questions are knowledge factors, and weak ones, since the answers are often guessable or publicly discoverable.)
Why Are IdPs Important?
IdPs matter because they let entities reach resources securely while ensuring that only the users entitled to those resources can get to them. Service providers (SPs) can, and often do, manage identities themselves, but then they have to run a specialized security service alongside their core product. An IdP focuses on managing and securely storing identities, so it is better placed to deliver capabilities such as Single Sign-on (SSO) and Multi-factor Authentication (MFA) well.
How Do IdPs Work?
IdPs let users log in to a variety of service providers with whichever authentication factors they have available. An IdP often accepts existing credentials, such as a Google login, as well as credentials registered directly with the IdP.
A typical interaction with an IdP might look like this:
- User requests to log in to the SP
- SP redirects the user to the IdP for login (the request carries the SP's client identifier and return URL, plus a random state value the SP will check on the way back)
- User enters credentials (or uses other authentication mechanisms)
- IdP authenticates the user and reports the result back to the SP, usually as a signed assertion such as a SAML assertion or an OpenID Connect ID token
- SP verifies the assertion (signature, issuer, intended audience, expiry) and grants or denies the user access to its platform
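The exchange above as a runnable sketch, added here for illustration and not code from Auth0 or any IdP product. It models the redirect flow with an OpenID Connect-style ID token (a signed JWT) carried back to the SP: the IdP checks the password and mints the token, and the SP does the checks that actually decide access. The client secret, issuer, client ID, redirect URI, the HS256 shared-secret signature (a real IdP signs with a private key published via JWKS), the five-minute token lifetime and the user records are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values. A real IdP signs tokens with a private key and publishes the
# public half at a JWKS endpoint; HS256 with a shared client secret keeps this runnable offline.
CLIENT_SECRET = b"constructed-demo-client-secret"
IDP_ISSUER = "https://idp.example"
CLIENT_ID = "sp-demo"
REDIRECT_URI = "https://sp.example/callback"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def sign_jwt(claims, secret):
    """Mint a compact HS256 JWT: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_jwt(token, secret):
    """Return the claims only if alg is the expected one and the MAC verifies, else None."""
    try:
        header_b64, payload_b64, mac_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        mac, claims = b64url_decode(mac_b64), json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuse "none" and algorithm-confusion tokens
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return claims if isinstance(claims, dict) and hmac.compare_digest(expected, mac) else None

class IdentityProvider:
    """Stores identities and authenticates users (steps 3 and 4 of the flow)."""
    def __init__(self):
        self.users = {}  # username -> (salt, PBKDF2 hash); plaintext passwords are never kept
    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def authorize(self, authorize_url, username, password, now=None):
        """Handle the login the SP redirected to us; return the URL the browser is sent back to."""
        now = now or int(time.time())
        req = query_params(authorize_url)
        # Serve only registered clients, and only at their registered redirect URI.
        if req.get("client_id") != CLIENT_ID or req.get("redirect_uri") != REDIRECT_URI:
            return None
        # Unknown users get a dummy record so the password check takes the same time either way.
        salt, digest = self.users.get(username, (bytes(16), bytes(32)))
        if not hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            reply = {"error": "access_denied", "state": req.get("state", "")}
        else:
            claims = {"iss": IDP_ISSUER, "sub": username, "aud": CLIENT_ID, "iat": now,
                      "exp": now + 300, "nonce": req.get("nonce", "")}
            reply = {"id_token": sign_jwt(claims, CLIENT_SECRET), "state": req.get("state", "")}
        return f"{REDIRECT_URI}?{urlencode(reply)}"

class ServiceProvider:
    """Relies on the IdP: starts the login (steps 1 and 2) and checks the result (step 5)."""
    def __init__(self):
        self.pending = {}  # browser session id -> {"state", "nonce"} of a login in progress
    def start_login(self, session_id):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[session_id] = {"state": state, "nonce": nonce}
        req = {"response_type": "id_token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
               "scope": "openid", "state": state, "nonce": nonce}
        return f"{IDP_ISSUER}/authorize?{urlencode(req)}"
    def handle_callback(self, session_id, callback_url, now=None):
        """Return ("allow", subject) or ("deny", reason)."""
        now = now or int(time.time())
        expected = self.pending.pop(session_id, None)  # one-shot: a replayed callback finds nothing
        if expected is None:
            return ("deny", "no login in progress for this session")
        resp = query_params(callback_url)
        if resp.get("state") != expected["state"]:
            return ("deny", "state mismatch (login CSRF)")
        if "error" in resp:
            return ("deny", f"IdP reported {resp['error']}")
        claims = verify_jwt(resp.get("id_token", ""), CLIENT_SECRET)
        if claims is None:
            return ("deny", "bad token signature")
        if claims.get("iss") != IDP_ISSUER or claims.get("aud") != CLIENT_ID:
            return ("deny", "token not issued by our IdP for this client")
        if claims.get("exp", 0) <= now:
            return ("deny", "token expired")
        if claims.get("nonce") != expected["nonce"]:
            return ("deny", "nonce mismatch (token minted for a different login)")
        return ("allow", claims["sub"])
```

The point of the sketch is which side carries the security work. The IdP stores only salted password hashes and refuses unregistered clients and redirect URIs; the SP treats the callback as untrusted input and rejects it on any of state (login CSRF), signature and algorithm, issuer, audience, expiry, or nonce (a valid token minted for some other login), and forgets the pending login on first use so the same callback cannot be replayed. The order of checks follows the order in which the assertion can be faked cheaply.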
IdPs also allow SPs to have a high level of control over how they manage access. They can have varied policies depending on the resources being accessed and by whom. These policies and rules are managed by admins, and can be changed and improved upon over time.
What Are the Different Types of IdPs?
There are several types of identity providers:
Social - Social IdPs are an easy way to validate users with minimal friction, saving the user from creating another password and username combination. An example of a social identity provider is Facebook. Web applications can use Auth0 to leverage a social IdP, allowing users to log in using their Facebook credentials.
Enterprise - Enterprise IdPs are often used for SSO. They allow employees to have a single set of credentials to access the variety of services needed to do their job. Okta is an example of an enterprise IdP, allowing employees to sign into any applications they are authorized to use through a convenient dashboard.
Legal - Legal IdPs are electronic identities (eIDs) issued or regulated by governments. They are most common in Europe, but are becoming more prevalent elsewhere as well. Criipto is an example of a provider in this space: it brokers access to government-backed eIDs for Denmark, Norway, Sweden, and other European countries.
What Are the Benefits of IdPs?
Because IdPs specialize in managing identity, they typically offer stronger security controls and easier integration with multiple SPs.
There are many additional benefits to using an IdP, including:
- Easier Credential Management: When users have options like SSO, social sign-in, or biometric/device-based authentication, that is one less set of credentials to manage. This leads to less reuse of easy-to-remember (and easy-to-guess) passwords, and to a secure, seamless experience.
- Automated User Onboarding and Offboarding: With identity managed in one place, it’s easier to grant and revoke permissions at once based on things like group membership.
- Allows SP to Focus on Core Offerings: Dedicated identity management empowers service providers to concentrate on their primary business functions. By partnering with expert IdPs, SPs ensure secure identity management while devoting their resources to what matters most to their customers.
- Better Identity Security: IdPs have significant field experience, are dedicated to identity management, help set industry standards, and focus on protecting user data.
- Increased Telemetry: Identity management is the core product of IdPs, and they treat it as such. An IdP tracks who accessed what and when — which is useful for compliance, audits, and incident response.
- Multiple Ways to Authenticate: Users and SPs can choose the authentication options that work best for them, meaning less friction on sign-up and login.
- Service Agnostic: Whether you administer several service providers or have worked at several companies, you will keep meeting the same handful of IdPs. That makes onboarding and management easier, because existing knowledge carries over.
FAQs
What’s the difference between an IdP and a Single Sign-On (SSO) provider?
While an IdP stores and manages digital identities, SSO is an authentication mechanism that allows a single user identity to access multiple service providers. SSO will still use an IdP to verify the user’s identity, and link it to a collection of applications a user can access. Think of an employee dashboard that allows the employee to use their corporate login to access their HR tools, travel planning, email, and so on.
How do IdPs work with MFA?
Service providers can define policies for specific resources and user groups. Many IdPs let those policies state whether MFA is required, which factors are accepted, and how long an MFA confirmation stays valid before the user must verify again. Most IdPs also offer their own MFA factor, for example Okta Verify.
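The decision such a policy drives, shown as an added example rather than any IdP's policy engine: given the claims an IdP puts in its token, decide for one request whether to allow, deny, or send the user back to the IdP for a fresh factor (step-up). It assumes the token carries the standard OpenID Connect `auth_time` claim and the `amr` (authentication methods) claim with values from RFC 8176; the policy table, resource paths, group names, time limits and sample claims are constructed for the example.

```python
import time

# Constructed policy table for this example; the resource paths, group names and
# thresholds are assumptions, not any particular IdP's configuration.
POLICIES = {
    "/dashboard":      {"mfa": False, "max_auth_age": 8 * 3600},
    "/payroll/export": {"mfa": True,  "max_auth_age": 15 * 60},
    "/admin/users":    {"mfa": True,  "max_auth_age": 5 * 60, "groups": {"admins"}},
}

# RFC 8176 "amr" values grouped by factor category: something you know,
# something you have, something you are.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sms", "sc", "tel"}
INHERENCE = {"fpt", "face", "iris", "retina", "vbm"}

def factor_categories(amr):
    """Number of distinct factor categories the IdP attested to in the amr claim."""
    amr = set(amr)
    return sum(1 for category in (KNOWLEDGE, POSSESSION, INHERENCE) if amr & category)

def evaluate(resource, claims, now=None):
    """Return "allow", "step_up" (send the user back to the IdP for fresh MFA) or "deny"."""
    now = int(time.time()) if now is None else now
    policy = POLICIES.get(resource)
    if policy is None:
        return "deny"  # unknown resource: default deny, never default allow
    if "groups" in policy and not policy["groups"] & set(claims.get("groups", [])):
        return "deny"  # an authorization failure; re-authenticating would not change it
    auth_time = claims.get("auth_time")
    if auth_time is None or now - auth_time > policy["max_auth_age"]:
        return "step_up"  # no usable auth_time, or the last login is too old for this resource
    amr = claims.get("amr", [])
    if policy["mfa"] and "mfa" not in amr and factor_categories(amr) < 2:
        return "step_up"  # one factor, or several from the same category, is not MFA
    return "allow"

if __name__ == "__main__":
    # Constructed claims as an IdP might put them in an ID token after a password + TOTP login.
    claims = {"sub": "alice", "groups": ["staff"], "amr": ["pwd", "otp"], "auth_time": 10_000}
    print(evaluate("/payroll/export", claims, now=10_120))        # allow
    print(evaluate("/payroll/export", claims, now=10_000 + 1200))  # step_up: MFA older than 15 min
    print(evaluate("/admin/users", claims, now=10_120))           # deny: not in admins
```

Two design choices are worth noting. Authorization failures (wrong group) return deny rather than step-up, since asking for another factor would only annoy the user without changing the answer. And MFA is judged by distinct factor categories, so a password plus a PIN (two knowledge factors) does not satisfy an MFA requirement, while a token that carries the IdP's own "mfa" attestation does.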
Can I move users from my custom-built solution to an IdP?
Most IdPs can import users from an existing application, which raises your security posture and cuts your workload with little effort. In the case of Auth0, automatic migration is supported: users are moved over as they next log in, so the switch has little to no impact on them.
Conclusion
IdPs are a purpose-built solution that helps both SPs and users access resources securely. They allow SPs to manage granular access policies and reduce the mental load of credential management. IdPs are feature-rich identity and access management solutions, and they’re becoming even more crucial in the ever-evolving technical landscape. If you’re interested in learning about the future of IAM, you can read about the identity challenges facing AI-powered applications.