Identity Provider (IdP)
A trusted service that authenticates users, manages their identities, and issues security tokens or assertions to relying applications.
Description
An Identity Provider (IdP) is a centralized service responsible for authenticating users and issuing identity assertions (tokens or statements) to applications (service providers or relying parties) that trust it. The IdP manages user credentials, authentication policies (MFA requirements, password policies), user profiles, and group/role assignments. By centralizing identity management, the IdP eliminates the need for each application to implement its own authentication system, reducing security risk and administrative overhead.
IdPs communicate with applications using standard protocols: SAML 2.0 (issuing XML assertions), OpenID Connect (issuing JWT ID tokens and access tokens), and WS-Federation (common in Microsoft environments). Commercial IdPs include Okta, Auth0 (Okta), Azure AD (Microsoft Entra ID), OneLogin, and Ping Identity. Open-source alternatives include Keycloak, Authentik, Authelia, and Ory. Cloud providers offer their own: AWS Cognito, Google Cloud Identity, and Firebase Auth.
Choosing and integrating an IdP involves evaluating protocol support, user directory features (provisioning, groups, custom attributes), authentication capabilities (MFA, adaptive auth, passwordless), developer experience (SDKs, documentation, APIs), compliance certifications (SOC 2, HIPAA, FedRAMP), scalability, and cost. The IdP becomes a critical dependency -- plan for high availability, disaster recovery, and migration. Implement your application's authentication layer against standard protocols (OIDC, SAML) rather than IdP-specific APIs to maintain provider portability. Use SCIM for automated user provisioning and deprovisioning from the IdP to your application.
Prompt Snippet
Integrate with an IdP (Keycloak, Auth0, or Okta) using OpenID Connect as the primary protocol and SAML 2.0 for enterprise customers. Abstract the IdP integration behind an AuthProvider interface with methods like authenticate(), getUser(), refreshToken(), and logout(). Configure the IdP to issue JWTs with custom claims (roles, permissions, org_id) via claim mappings or post-login hooks. Implement SCIM 2.0 endpoints (/scim/v2/Users, /scim/v2/Groups) for automated user provisioning from the IdP. Store the IdP's JWKS URI in configuration and refresh the key set periodically (every 6 hours) with fallback to on-demand refresh on signature verification failure.
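The JWKS handling the snippet above asks for (a 6-hour scheduled refresh of the key set, with an on-demand refresh when a token's kid is unknown or its signature fails), as an added example that is not part of this page or of any IdP vendor's SDK. It assumes a caller-supplied fetcher for the JWKS URI and an injectable clock, uses symmetric 'oct' JWKS keys so it runs on the standard library alone (a real IdP publishes RSA/EC public keys that a JOSE library would verify as RS256/ES256), and adds an assumed ON_DEMAND_COOLDOWN so that a flood of bogus kids cannot force repeated fetches from the IdP.

```python
import base64, hashlib, hmac, json, time
REFRESH_INTERVAL = 6 * 3600   # scheduled refresh interval from the snippet above
ON_DEMAND_COOLDOWN = 60       # assumed: minimum seconds between failure-triggered refreshes
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwksCache:
    """Caches the IdP key set: periodic refresh, plus one throttled refresh on unknown kid or bad signature."""
    def __init__(self, fetch_jwks, now=time.time):
        self._fetch, self._now = fetch_jwks, now     # fetch_jwks: () -> parsed JWKS document from the JWKS URI
        self._keys, self.fetch_count = {}, 0
        self._fetched_at = self._last_on_demand = float("-inf")

    def _refresh(self):
        jwks = self._fetch()
        self.fetch_count += 1
        # Assumption: symmetric 'oct' keys so this runs on the standard library; a real IdP JWKS
        # carries RSA/EC public keys, which a JOSE library would verify as RS256/ES256.
        self._keys = {k["kid"]: unb64url(k["k"]) for k in jwks["keys"] if k.get("kty") == "oct"}
        self._fetched_at = self._now()

    def verify(self, token):
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header, sig = json.loads(unb64url(h_b64)), unb64url(s_b64)
        except ValueError:
            return None
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' blindly
            return None
        kid, signing_input = str(header.get("kid")), f"{h_b64}.{p_b64}".encode()
        if self._now() - self._fetched_at >= REFRESH_INTERVAL:
            self._refresh()                           # periodic (6-hour) refresh
        for attempt in range(2):
            key = self._keys.get(kid)
            if key is not None and hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
                return json.loads(unb64url(p_b64))    # claims (roles, permissions, org_id, ...) are now trustworthy
            # Unknown kid or bad signature: at most one throttled on-demand refresh and one retry,
            # so a flood of bogus tokens cannot make the verifier hammer the IdP's JWKS endpoint.
            if attempt or self._now() - self._last_on_demand < ON_DEMAND_COOLDOWN:
                return None
            self._last_on_demand = self._now()
            self._refresh()

def make_token(key: bytes, kid: str, claims: dict) -> str:
    """Constructed stand-in for the IdP's issuer: mints an HS256 JWT carrying a kid header."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url(json.dumps(claims).encode())
    return f"{h}.{p}.{b64url(hmac.new(key, f'{h}.{p}'.encode(), hashlib.sha256).digest())}"
```

Key rotation at the IdP surfaces as an unknown kid, which triggers the on-demand path once; old tokens signed with a retired key then fail closed.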
Related Terms
SSO (Single Sign-On)
An authentication scheme that allows users to authenticate once and gain access to multiple independent applications without re-entering credentials.
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that enables clients to verify the identity of the end-user and obtain basic profile information.
SAML
An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, widely used in enterprise SSO.
Claims-Based Identity
An identity model where user attributes and permissions are expressed as claims -- name-value pairs -- embedded in tokens or assertions, enabling decoupled and portable identity.
LDAP Integration
Integration with LDAP directory services to authenticate users and retrieve organizational attributes like groups, departments, and roles from a centralized directory.
Social Login (OAuth Providers)
Authentication via third-party identity providers like Google, GitHub, or Apple using OAuth 2.0/OIDC, allowing users to sign in with existing accounts.