Identity Providers - Centralized Authentication Services

About 2 min read

An Identity Provider (IdP) is a service responsible for centrally managing users' authentication information and proving to other services that "this user is who they claim to be." From Okta and Microsoft Entra ID (formerly Azure AD) deployed by enterprises to consumer-facing Google accounts and Apple IDs, IdPs form the core of modern authentication infrastructure regardless of scale. Without an IdP, users would have to create and manage a separate account for each service, leading to password fatigue and increased security risks.

The Relationship Between IdP and SP

The IdP is the party that provides authentication, while the SP (Service Provider) is the party that receives it. When a user accesses an SP, the SP delegates authentication to the IdP, and the IdP returns the result of its identity verification (an assertion) to the SP. This mechanism enables single sign-on (SSO), in which a user can use multiple SPs by logging in to the IdP just once.

Major IdP Services

The Role of the IdP in SAML and OIDC

There are two main protocols used for the IdP to convey authentication results to the SP: SAML and OpenID Connect (OIDC). SAML is XML-based and geared toward enterprises, while OIDC is JSON/JWT-based and suited to modern web and mobile apps. In both protocols, the IdP's role is "verifying the user's identity and issuing the authentication result," but the data format and communication method differ.

The Risk of the IdP Becoming a Single Point of Failure

Centralizing authentication in an IdP contributes to greater convenience and security, but it carries the risk of a single point of failure (SPOF): if the IdP itself goes down, users can no longer log in to any of the connected services. In the 2023 Okta breach, customer session tokens were stolen via the support system, affecting many companies. When selecting an IdP, you must carefully evaluate its availability SLA, incident response structure, and the availability of backup authentication methods. Our startup security checklist also explains key points for choosing an IdP.

Federation and Directory Services

Federation is a mechanism by which different organizations trust each other's authentication information. For example, allowing a user authenticated by a partner company's IdP to access your own SP falls into this category. Directory services (such as Active Directory and LDAP) are databases that store user information within an organization, and the IdP references this directory to perform authentication. IAM (Identity and Access Management) is a broader concept that includes not only authentication but also authorization (managing access permissions).

Common Misconceptions

There is a misconception that "deploying an IdP makes your security airtight," but an IdP merely centralizes the gateway to authentication. If the IdP account itself is not protected by multi-factor authentication (MFA), then once it is breached, every service is put at risk. When deploying an IdP, it is essential to simultaneously make MFA mandatory, configure conditional access policies, and establish log monitoring. Check our article on OAuth permission risks for precautions when integrating with an IdP as well.authentication security books on Amazon are also a helpful reference.

Real-World Use Cases

"At our company of 500 employees, we deployed Okta as our IdP once our SaaS count exceeded 40. Individual logins to each service became unnecessary, and the effort spent on account management during onboarding and offboarding was cut by 80%. Because we can instantly revoke a departing employee's access on the IdP side, operating our corporate password policy has become dramatically easier as well."