Samiksha Jaiswal (Editor)

Identity provider


In computing, an Identity provider (IdP), also known as Identity Assertion Provider, can:

  1. provide identifiers for users looking to interact with a system
  2. assert to such a system that such an identifier presented by a user is known to the provider
  3. possibly provide other information about the user that is known to the provider

This may be achieved via an authentication module which verifies a security token that can be accepted as an alternative to repeatedly explicitly authenticating a user within a security realm.

For example: a website, application or service may allow users to log in with the credentials from a social-networking service like Facebook or Twitter; these services will act as Identity providers. The social-networking service verifies that the user is an authorized user and returns information to the website - e.g. username and email address (specific details might vary). This authentication system is called Social login.

Perimeter authentication involves a user being authenticated only once (single sign-on). The user obtains a security token which is then validated by an Identity provider for each system that the user needs to access.

Some Identity Assertion Providers support several security token types - such as SAML, SPNEGO, and X.509.
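The issue-once, validate-per-system flow described above, as an added example that is not part of the original article. The IdP signs an assertion naming the user, the issuer and the intended service provider (audience) with a lifetime; each SP validates it instead of re-authenticating the user. The key, issuer name and token layout are constructed for the demo (a symmetric HMAC stands in for the IdP's signing key pair that SAML-style deployments would use).

```python
import base64, binascii, hashlib, hmac, json, time
from typing import Optional

# Constructed demo: a key shared between the IdP and the SPs federated with it.
# Real deployments (e.g. SAML) sign with the IdP's private key and publish the
# public key in metadata; a symmetric HMAC keeps this example self-contained.
IDP_KEY = b"constructed-demo-key-not-for-production"
IDP_NAME = "idp.example"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(subject: str, audience: str, attributes: dict,
                    ttl: int = 300, now: Optional[int] = None) -> str:
    """IdP side: after authenticating the user once, assert the identifier
    (plus other known attributes) to one specific SP for a short lifetime."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_NAME, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "attrs": attributes}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_assertion(token: str, expected_audience: str,
                     now: Optional[int] = None) -> Optional[dict]:
    """SP side: accept the token instead of re-authenticating the user.
    Returns the asserted claims, or None if the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Integrity first (constant-time compare), then the trust checks.
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    if claims.get("iss") != IDP_NAME:           # issued by the IdP we trust
        return None
    if claims.get("aud") != expected_audience:  # issued for *this* SP
        return None
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):  # lifetime
        return None
    return claims
```

The audience check is what stops an assertion issued for one SP from being replayed at another SP in the same federation.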

Sometimes Identity providers can work as proxies for other Identity providers, enabling the creation of trust relationships that can be employed to simplify the management of service providers.

Service provider vs. Identity provider

"Provider" is a generic way of referring to both IdPs (Identity Providers) and SPs (Service Providers). There are overlaps when it comes to defining Identity providers vs. Service Providers. According to the OASIS organization that created SAML, an Identity provider is defined as "A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles."

In this respect, Salesforce defines an Identity provider as a trusted provider that allows users to make use of a single sign-on property to access other websites, where a service provider is no more than a website that hosts applications. Ping Identity, by contrast, sees the Service provider as a business-process outsourcing vendor or a SaaS provider who wants to simplify client access to its services, while the Identity provider can be an enterprise that manages a large number of user accounts who may need secure Internet access to the Web-based applications or services of customers, employees or business partners.

Service Provider

A service provider is "A role donned by a system entity where the system entity provides services to principals or other system entities", and a Federation is "An association comprising any number of service providers and identity providers."

Identity Provider

In simple terms and as they relate to identity management, an Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities. It should be noted however that Identity Providers can also provide services beyond those related to the storage of identity profiles.
