What is an Identity Provider (IdP)? | Types & Examples | Imperva

What is an Identity Provider (IdP)?

An identity provider (IdP) is a system that creates, stores, and manages digital identities and authenticates the users (or services) that hold them. IdPs are typically made up of three main components:

  • A user identity store (the directory of accounts and their attributes)
  • An authentication system that verifies one or more authentication factors
  • Federation protocols (such as SAML or OpenID Connect) that assert the authenticated identity to the applications that rely on the IdP

IdPs are a core component of enterprise IT infrastructure, allowing organizations to provision, authenticate, and manage user identities. In larger organizations, the task of assigning accounts to users and managing authorization can become very complex, and IdPs make it possible to scale up the number of users, reduce overhead for IT teams, and ensure strong access control.

Identity providers are also increasingly important in the provisioning of cloud services. Cloud-based services must grant their users accounts, authenticate them securely, and manage user lifecycle workflows such as onboarding and account cancellation. IdPs can support these activities as well.

This is part of a series of articles about website security.

Why are IdPs Necessary?

When a user has an account to access an organization’s systems or a cloud service, their digital identity needs to be recorded and tracked somewhere. Especially in cloud computing, user identity determines which application functions and data can be accessed. Cloud services therefore need a robust way to onboard new users and authenticate them.

Additionally, identity records and credentials must be stored securely so that attackers cannot steal them and use them to impersonate users. Cloud services and applications often take precautions to protect user data, but their systems are not primarily designed to store identity data and credentials, and they may inadvertently place such data in insecure locations, such as servers exposed to the internet. Delegating authentication to an IdP means credentials are stored, managed, and protected in one purpose-built system rather than separately in every application.

How Do Identity Providers Work?

IdPs use federation protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC), which is built on the OAuth 2.0 authorization framework, to communicate with service providers (the applications that rely on the IdP for authentication).

An IdP conveys three basic kinds of statements about a user: an authentication statement (that this subject was authenticated, when, and by what means), an attribute statement (the user attributes the service provider needs, such as name, email address, or group membership), and an authorization decision statement (whether the subject is permitted to access a given resource).

In SAML these statements are carried in an XML assertion that the IdP digitally signs; in OIDC the equivalent is a signed JSON Web Token (the ID token). In both cases the assertion travels to the service provider through the user's browser, so the service provider must verify the signature and check the issuer, the intended audience, and the validity period before trusting its contents; otherwise a forged or replayed assertion would be accepted.
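The checks described above, as an added example that is not part of the Imperva article: an IdP issues an OIDC-style ID token, and a service provider validates it, rejecting a tampered token, an expired one, a replayed one, and one whose header claims `alg: none`. The issuer URL, client ID, subject, nonce and key are all constructed for the example. Real IdPs sign with RS256 or ES256 and publish public keys at a JWKS endpoint; the shared HMAC key here stands in for that so the code runs offline with the standard library only.

```python
"""Added example: IdP issues an ID token, service provider (SP) validates it.

Everything below is constructed for illustration (issuer, client_id, key,
user). The HS256 shared key stands in for the RS256/ES256 keys a real IdP
would publish via JWKS, so the example runs with the standard library only.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"     # constructed IdP issuer identifier
CLIENT_ID = "sp-payroll-app"           # constructed SP / relying party id
SHARED_KEY = b"demo-key-do-not-use"    # constructed; stands in for IdP signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_id_token(subject: str, nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side: the authentication assertion, carried as a signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,          # who authenticated the user
        "sub": subject,         # stable identifier for the user
        "aud": CLIENT_ID,       # which service provider may accept this token
        "iat": now,
        "exp": now + ttl,       # validity period
        "nonce": nonce,         # binds the token to the SP's login request
        "groups": ["finance"],  # attribute statement riding along
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def sp_validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """SP side: every check must pass before the claims are trusted."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let header["alg"] choose the verifier (blocks alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        SHARED_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo() -> dict:
    """Run the happy path plus four attack cases; return what the SP decided."""
    now, nonce = 1_700_000_000, "n-0S6_WzA2Mj"              # constructed
    token = idp_issue_id_token("user-1234", nonce, now)
    results = {"valid": sp_validate_id_token(token, nonce, now + 10)["sub"]}

    h, c, s = token.split(".")
    claims = json.loads(_b64url_decode(c))
    claims["aud"] = "some-other-app"                          # edit without re-signing
    forged = h + "." + _b64url(json.dumps(claims).encode()) + "." + s
    none_hdr = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    stripped = none_hdr + "." + c + "."                       # signature removed

    cases = [
        ("tampered", forged, nonce, now + 10),
        ("expired", token, nonce, now + 600),
        ("replayed", token, "a-different-nonce", now + 10),
        ("alg_none", stripped, nonce, now + 10),
    ]
    for name, tok, n, t in cases:
        try:
            sp_validate_id_token(tok, n, t)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9s} -> {v}")
```

The order of checks matters in practice: the signature is verified before any claim is read, so a token whose body was altered is rejected as a bad signature rather than as a wrong audience, and the algorithm is fixed by the service provider rather than taken from the token.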

Types of Identity Providers

There are two main types of identity management providers:

  • Enterprise identity providers are used for identity and access management (IAM) within an organization.
  • Social-based identity providers maintain identities related to a user’s account with a social network or cloud computing service (for example, a Google or Facebook account).

Identity providers can also be categorized by the protocol they use to communicate with service providers. Common identity protocols include SAML, a standard for single sign-on (SSO), OpenID Connect (OIDC), and WS-Federation.

What Are the Security Benefits of Using an Identity Provider?

When users need to log in to multiple platforms and manage separate credentials for each platform or application, they experience password fatigue. Password fatigue leads to weak passwords or reuse of the same credentials across platforms, which puts your systems at risk when any one of those platforms is breached.

Using an identity provider offers the following security benefits:

  • One set of login credentials is used to log in to all services, so strong authentication policies (password requirements, lockout, MFA) are enforced once, centrally.
  • Administrators can require two-factor or adaptive multi-factor authentication at the IdP, and users enroll once rather than separately for each service.
  • Assigning and managing access rights at scale according to roles reduces the risk of unauthorized access, and makes it possible to apply consistent security policies to all users across all devices.
  • Visibility into access control activity, in the form of audit reports, user authentication logs, and resource access request and usage logs.
  • All access requests and events are tracked through auditing, making it easier to maintain and demonstrate regulatory compliance.

The flip side is that the IdP becomes a high-value target: compromising it, or an administrator account on it, grants access to every connected service, so the IdP's own hardening, MFA for its administrators, and monitoring of its logs deserve the most attention of any system in the estate.

Considerations When Choosing a Digital Identity Provider

Consistent Customer Support

When relying on an identity provider, responsive 24/7 support matters because an outage or misconfiguration at the IdP locks users out of every connected service. Unresponsive support makes access problems harder to resolve and hurts productivity for employees and customers, and during a suspected security incident you must be able to reach the IdP immediately, for example to revoke sessions or rotate signing keys.

High Assurance IdP

High-assurance digital identity providers verify, when users register new accounts, that the person is who they claim to be, to a standard suitable for government and major public-sector institutions. Every time the IdP grants access to an account, it can attest that the digital identity meets that standard. This can be achieved through smart devices with embedded biometrics, strong passwords, QR codes, and other techniques.

Strong Authentication

Choose an IdP that provides multi-factor authentication (MFA). A good IdP goes beyond passwords, offering users several convenient ways to prove their identity, such as push notifications, one-time passwords, and biometric identification.

Global Coverage

It is important to select an IdP solution with global coverage. This will ensure that employees, customers, or third parties needing to access your services can do so from anywhere in the world. Global IdPs can also assist with the legal and compliance aspects of personal data storage and user authentication in different countries.

Imperva Data Security

Imperva Data Security Fabric protects all data workloads in hybrid multicloud environments with a modern and simplified approach to security and compliance automation. Imperva DSF's flexible architecture supports a wide range of data repositories and clouds, ensuring security controls and policies are applied consistently everywhere.