What Is an Identity Provider? Benefits of IdPs

Javed Shah

Identity providers are a seamless way to authenticate your users and also maintain security on your enterprise network.

What is an identity provider? An identity provider is a service that verifies, stores, and manages digital identities. In business, IdPs help assign authorization to users so they can access certain areas while making sure all the sensitive information stays secure.

How Do Identity Providers Work?

An identity provider handles digital identities, storing information related to these identities—including key identifying information and login credentials.

In the context of identity provision and management, a “user” need not be a human user. Rather, a user is an entity that connects to a system to access or provide data, use resources, or execute commands.

The purpose of an identity provider is much like that of a secure guest list: the provider stores user information, including their login credentials, and their partners or clients can access these identities for authentication and authorization as a service.

An IdP does not hand user information to companies other than its own clients. Instead, those companies rely on the identities the IdP stores to authenticate users without that information being disclosed to them. They do this through three different messaging types:

  • Authentication Assertion: The IdP guarantees that users are who they say they are by comparing their credentials against its records. This process does not involve sharing user information.
  • Attribute Assertion: A request for user information. This assertion does involve sharing user information.
  • Authorization Assertion: A request to show that the user has the right permissions to access an online resource.

Issuing these assertions is one of the most important tasks IdPs perform, so much so that the National Institute of Standards and Technology devotes an entire section of its identity federation documentation to how IdPs secure their assertion practices.
IdPs communicate with other online services through protocols such as the Security Assertion Markup Language (SAML) or Open Authorization (OAuth).

Identity providers are flexible because they can mediate authentication requests across multiple participating service providers.

What Are the Different Types of Identity Provider Protocols?

One of the most critical aspects of providing identity support for enterprise clients and consumers is ensuring there is a secure and reliable standard between them. These protocols help providers streamline communication between all parties without the unauthorized disclosure of information.

There are a few types of identity protocols, each serving a particular purpose:

  • IndieAuth: This decentralized model builds on OAuth 2.0, using a URL as the user's identifier and issuing authorization tokens for resource access. A key feature of IndieAuth is that it lets users link their identity to different providers, including their own site or a third-party endpoint.
  • OpenID: OpenID Connect adds an identity layer on top of the OAuth protocol, releasing authentication tokens as JSON structures over RESTful HTTP APIs.
  • SAML: In this model, the IdP acts as an authentication authority that can authenticate users as part of a single sign-on profile.
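As an added example (not code from the article or from 1Kosmos), here is the relying-party side of the OpenID Connect layer described above: the IdP releases a JSON claim set as a signed token, and the client must verify it before trusting the identity it carries. To run offline it uses HS256 with a constructed shared client secret; production ID tokens are usually RS256-signed and checked against the IdP's published keys.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims, client_secret):
    """IdP side (constructed for this example): sign the JSON claim set as a compact HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token, client_secret, issuer, client_id, nonce, now):
    """Relying-party side: returns (claims, errors). Use claims only if errors is empty."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}, ["malformed token"]
    header, body, sig = parts
    errors = []
    # Pin the algorithm: the token itself must never be allowed to choose it (e.g. "none").
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        errors.append("unexpected alg")
    expected = hmac.new(client_secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        errors.append("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        errors.append("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("wrong audience")  # token was minted for a different client
    if claims.get("exp", 0) <= now:
        errors.append("expired")
    if claims.get("nonce") != nonce:
        errors.append("nonce mismatch")  # binds the token to this login attempt (replay defence)
    return claims, errors
```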

What Is the Relationship Between an Identity Provider, Single Sign-On, and Federated Authentication?

When we’re talking about identity providers, there are often a lot of conversations around how users sign in to separate services. It isn’t necessarily the case, for example, that someone using an identity provider can sign in to all their accounts simultaneously. Several different technologies and services go into that process.

Generally speaking, there are a few technologies that need to be defined when discussing cross-platform authentication:

  • Federated Identity: Federated identity is an agreement by several parties to allow their users to access resources with a shared set of credentials. An organization using a third-party identity management service can be said to be federating their identity management.
  • Single Sign-On: SSO is a subset of federated identity. Federation refers to the practice of organizations supporting cross-platform authentication through a single identity. SSO does the same thing but only in a limited domain, like a cross-section of services under the same company umbrella.

Different identity management types support these authentication schemes. For example, an identity management (IdM) system using SAML can serve as the basis for an SSO authentication workflow. A user may attempt to log in to a local HR application with a username and password; that request is transmitted to an IdP via SAML for verification. The IdP compares the credentials against its records, creates a SAML authentication response, and authenticates the user.
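The SAML workflow just described ends with the application receiving an authentication response, and the three assertion types listed earlier (authentication, attribute, authorization) are the statements inside it. As an added example, not code from the article or from 1Kosmos, here is the receiving application's side: it locates each statement and refuses the assertion unless the issuer, validity window and audience conditions hold. The assertion is constructed sample data and its XML signature is omitted; a real application must verify that signature as well.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not any IdP's real output); signature element omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://hr.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>HR</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://hr.example.com/payroll" Decision="Permit">
    <saml:Action>read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Application-side checks. Returns (ok, reasons, facts); trust facts only when ok is True."""
    root = ET.fromstring(xml_text)
    reasons = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        reasons.append("outside validity window")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        reasons.append("audience mismatch")  # assertion was minted for a different application
    authn = root.find("saml:AuthnStatement", NS)
    facts = {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        # authentication assertion: who the IdP says logged in, and when
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        # attribute assertion: the user data the IdP chose to release
        "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
        # authorization assertion: the IdP's access decision for a named resource
        "authz": {s.get("Resource"): s.get("Decision") for s in root.findall("saml:AuthzDecisionStatement", NS)},
    }
    return (not reasons, reasons, facts)

def check_sample(audience, now_iso):
    return validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com", audience, parse_time(now_iso))
```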

What Problems Do Identity Providers Solve?

IdPs provide a critical level of support for organizations that do not want, or cannot afford, to run their own local identity management solution. These providers can offer more focused and targeted solutions that address customer pain points better than out-of-the-box software installed on local systems.

Some of the major issues that IdPs solve include the following:

  • Proper Authentication and Authorization: If your organization has any level of flexible or open account management needs (for example, temporary or guest access), then an identity provider can streamline the onboarding and offboarding processes as necessary. This reduces friction between you and your people without bringing in a lot of overhead.
  • Security: Authentication is a critical part of security, and identity management also requires a high level of security. Providers dedicated to identity management can also dedicate resources to proper security measures that protect identity information. This, in turn, can provide peace of mind to you, your stakeholders, and your customers.
  • Compliance: Enterprises in regulated industries face security and privacy regulations, many of which add a whole new layer of work to your existing operational capacity. Dedicated IdPs can help you outsource compliance by handling specialty security needs under frameworks like HIPAA, SOC 2, or PCI DSS.
  • Innovation Management: Updating, upgrading, and configuring new technology is a full-time job, and one you probably aren’t keen on shouldering. IdPs do the job for you and wrap the costs into your premiums.

Decentralized, Secure Identity Management with 1Kosmos

Enterprise identity management is at the top of most chief information security officers’ priority lists. You want something that can provide strong authentication, strong anti-hacking capabilities, and powerful usability, so your employees don’t have to juggle passwords and risk your organization’s security.

1Kosmos BlockID is such a service. With decentralized identity managed on a secure, private blockchain, working hand-in-hand with compliant identity verification, liveness proofing, and biometrics, you get the best of security, compliance, and usable interfaces.

With 1Kosmos, you get the following benefits:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and validation.
  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Integration with Secure MFA: BlockID readily integrates through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

Learn everything you want to know about identity management and ID as a service with our webinar, Trends in IDAAS: Secure Workforce Access with Strong Identity Proofing. When you’re done with that, sign up for the 1Kosmos email newsletter for product updates.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms such as the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.