An Identity Provider (IDP) is a digital service that creates and manages a user’s digital identity and the identity attributes associated with it. IDPs authenticate users to third-party service providers (websites, web applications, and so on) using these identities.
An IDP lets users bring their own identities to their workspace: they can sign up for or log in to a web service or application with an existing set of credentials instead of creating new ones for that service or application.
A popular example of an Identity Provider that most of us are familiar with is Google. The “Sign-up using Google” or “Login using Google” option is Google acting as the Identity Provider for the service we are signing up for or logging into. This way users can access the service and its resources using their Google ID.
Other popular IDPs include AWS (Amazon Web Services), Microsoft, Instagram and Facebook.
What is a User Identity?
A user identity is a digital entity used to identify a user in a web service or a generic IT environment. It has quantifiable factors that a computer can use to verify who the user is and authenticate their access requests. These are also referred to as authentication factors and fall into one of the following categories:
Knowledge factor: something the user knows, such as a username or password.
Possession factor: something the user has, such as a smartphone or a one-time password.
Inherence factor: something unique to the user, such as a fingerprint, retina scan or voice.
How does an Identity Provider work?
Identity providers (IDPs) communicate with service providers using protocols such as SAML and OAuth, sending assertions (XML documents in the case of SAML) to authenticate and authorize users. The assertions sent by an IDP can be broadly divided into 3 types:
Authentication assertion – asserts the user’s identity: that the user is who they claim to be.
Attribute assertion – passes the user’s identity attributes to the connecting service.
Authorization assertion – asserts the user’s access rights: which resources and services the user may access.
What is the need for an Identity Provider?
To decide who may access sensitive data and to log their activity, digital identities must be tracked, so cloud services need to identify users. A cloud service can identify a user either by
- Direct authentication – validating the username and password against the identities it stores itself, or by
- Indirect authentication – validating an assertion (an authentication decision) about the user’s identity as presented by an identity provider.
According to several studies, more than 80% of users feel bothered when prompted to create a new account on a website, because it requires them to share their personal data. This can hurt the user experience and their interaction with your services.
Identity providers help prevent attackers from impersonating users by storing user identities securely. They also let users log on across multiple platforms and applications using one existing identity (this is known as single sign-on, or SSO), which improves the user experience.
What are the security benefits of using an Identity Provider?
Typically a user logs in to multiple platforms, and managing separate credentials for each platform or application causes password fatigue. Password fatigue often leads to weak credentials, or the same credentials being reused across multiple platforms, which presents a security risk to the system.
- Identity providers enforce a strong authentication policy, and users can afford strong credentials because they need only 1 set of login credentials for all configured services.
- Users can enable 2FA or adaptive MFA for added security.
- Allocating and managing access privileges by user group reduces the risk of attackers gaining access to critical systems.
- The IDP allows authorized users to access audit reports, view user authentication logs, and identify resource access requests and usage.
- It makes it easy for enterprises to maintain and manage compliance, as all access requests and events are tracked in audit logs – Enterprise SSO.
- Enforcing the same security policies for users across all operating platforms and devices makes managing security measures quick and easy.
If a set of credentials is compromised, it can lead to unauthorized access to the user’s accounts on other platforms and may result in an information breach. An estimated 81% of data breaches are due to poor password security or stolen credentials.
Using an identity provider reduces the risk of a data breach caused by password fatigue or a compromised identity, adds extra security measures, and simplifies user identity, access and privilege management.
How do identity providers help users better manage their accounts?
Identity providers let users switch between multiple applications without being prompted to sign in to each one, reducing password fatigue and the need to remember login credentials for each application.
Let’s take an example:
Say Adam needs to log in to 5 of his company’s in-house applications, hosted on different platforms, for his work. Assuming the company uses an SSO service, Adam’s login experience is as follows:
- Adam navigates to one of his 5 applications and clicks the “Login” button.
- The application redirects Adam to the Identity Provider for authentication.
- As Adam has not yet logged in to the Identity Provider, the IDP prompts him to log in.
- Adam enters valid login credentials and is signed in to the application.
- On switching to any of the remaining 4 applications, Adam is signed in automatically without being prompted for login credentials.
Thus Adam can access all of his office applications with a single set of credentials, without being prompted to log in to each one.
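As an added example (not from the original article), here is a toy Python model of Adam’s SSO flow and of the three assertion kinds listed earlier: an IDP that prompts for credentials only when the browser holds no IDP session, and a service provider that checks the assertion’s signature, audience and expiry before trusting its claims. It signs a JSON body with a shared HMAC key instead of SAML’s XML signatures; the key, the user, the password and the application names are all constructed.

```python
import hmac, hashlib, json, time, secrets
SHARED_KEY = b"constructed-demo-key"   # assumption: one HMAC key shared by the IDP and every SP

class IdentityProvider:
    # Toy IDP: a credential store, an SSO session table and an assertion signer.
    def __init__(self, users):
        self.users = users      # {username: password}, constructed sample data
        self.sessions = {}      # IDP session id -> username (what the browser's IDP cookie names)
        self.prompts = 0        # how many times the user was asked to type credentials
    def authenticate(self, audience, session_id=None, credentials=None):
        """Return (session_id, signed assertion); prompt only when no live IDP session exists."""
        user = self.sessions.get(session_id)
        if user is None:                                    # no SSO session: real login needed
            self.prompts += 1
            user, password = credentials
            if not hmac.compare_digest(self.users.get(user, ""), password):
                raise PermissionError("invalid credentials")
            session_id = secrets.token_hex(16)              # becomes the IDP session cookie
            self.sessions[session_id] = user
        now = int(time.time())
        payload = {                                          # the three assertion kinds
            "authn": {"sub": user, "iat": now, "exp": now + 300},             # authentication
            "attrs": {"email": f"{user}@example.com", "dept": "finance"},    # attributes
            "authz": {"resources": ["reports", "timesheets"]},               # authorization
            "aud": audience,                                 # which SP may accept this assertion
        }
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        return session_id, {"body": body, "sig": sig}

def verify_assertion(assertion, my_audience, now=None):
    """SP side: trust the claims only if signature, audience and expiry all check out."""
    expected = hmac.new(SHARED_KEY, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                                          # forged or tampered assertion
    claims = json.loads(assertion["body"])
    now = int(time.time()) if now is None else now
    if claims["aud"] != my_audience or claims["authn"]["exp"] <= now:
        return None                                          # meant for another SP, or stale
    return claims

def sso_walkthrough(apps):
    """Adam's day: one real login at the first app, silent SSO for the rest."""
    idp = IdentityProvider({"adam": "correct horse battery staple"})
    cookie, signed_in = None, []
    for app in apps:
        cookie, assertion = idp.authenticate(app, cookie, ("adam", "correct horse battery staple"))
        if verify_assertion(assertion, app):
            signed_in.append(app)
    return idp.prompts, signed_in
```

The audience check is what stops an assertion issued for one application from being replayed to another, and the expiry bound limits how long a captured assertion stays useful.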
Setting up an Identity provider…